iptables

Redirect ports inside OpenVZ containers

For port redirection to work inside OpenVZ containers, the ipt_REDIRECT kernel module needs to be loaded on the host and made available to the container. Edit "/etc/sysconfig/vz" on the host and add it to the IPTABLES list:

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_owner ipt_length ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_recent ipt_REDIRECT"

After the container has been restarted (vzctl restart <VEID>), REDIRECT rules work inside it. So if you want to put nginx or lighttpd in front of an existing Apache without changing Apache's default port 80, the rules below redirect port 80 to port 81, where nginx/lighttpd listens, serves static content and proxies requests for dynamic content to Apache on 127.0.0.1:80. The "! -s 127.0.0.1" exclusion is what keeps the proxy's own upstream connections to port 80 from being redirected back to port 81 in a loop, so the front end has to proxy to 127.0.0.1 rather than to the container's own address:

# Redirect external web traffic to port 81 (loopback excluded, so the
# proxy's own connections to 127.0.0.1:80 are not redirected back to it).
# Note the "! -s" negation: the old "-s !" spelling is deprecated.
iptables -t nat -A PREROUTING ! -s 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 81

# Redirect locally generated traffic for the container's own address, port 80, to 81
iptables -t nat -A OUTPUT -d 192.168.10.2 -p tcp --dport 80 -j REDIRECT --to-ports 81

Where 192.168.10.2 is the container's own IP address, i.e. the address the domain/host name resolves to inside the container. Note that the REDIRECT rules do not stop clients from connecting to port 81 directly; the APF config further down lists 81 among the inbound ports.
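The procedure above, as an added shell example (not code from the original page): it checks that the REDIRECT target is actually available inside the container before adding the two rules, and builds them from parameters so the same script serves other port pairs. It assumes iptables is in PATH and that it runs as root inside the VE; 192.168.10.2 and the 80/81 pair are the page's example values. The XT_TARGETS and DRY_RUN variables are this example's own, not anything iptables or OpenVZ provides.

```shell
#!/bin/sh
# Added example: apply FROM_PORT -> TO_PORT REDIRECT rules inside an
# OpenVZ container after confirming the kernel exposes the REDIRECT target.

# Listing of available xtables targets. Overridable so the check can be
# pointed at a constructed file when testing outside a container.
XT_TARGETS="${XT_TARGETS:-/proc/net/ip_tables_targets}"

# REDIRECT is a *target*, so it is listed in ip_tables_targets, not in
# ip_tables_matches (which lists match modules such as 'recent').
has_redirect_target() {
    grep -qx REDIRECT "$XT_TARGETS" 2>/dev/null
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# redirect_port CONTAINER_IP FROM_PORT TO_PORT
# The '! -s 127.0.0.1' exclusion keeps the front-end proxy's own upstream
# connections to 127.0.0.1:FROM_PORT from being looped back to TO_PORT.
redirect_port() {
    ip="$1"; from="$2"; to="$3"
    if ! has_redirect_target; then
        echo "REDIRECT target not available: add ipt_REDIRECT to IPTABLES" \
             "in /etc/sysconfig/vz on the host and restart the VE" >&2
        return 1
    fi
    # External traffic arriving for FROM_PORT
    run iptables -t nat -A PREROUTING ! -s 127.0.0.1 -p tcp --dport "$from" \
        -j REDIRECT --to-ports "$to" || return 1
    # Locally generated traffic to the container's own address
    run iptables -t nat -A OUTPUT -d "$ip" -p tcp --dport "$from" \
        -j REDIRECT --to-ports "$to"
}

# Usage (prints the rules instead of applying them):
#   DRY_RUN=1 redirect_port 192.168.10.2 80 81
# Drop DRY_RUN=1 to actually install the rules.
```

If the target check fails, the fix is on the host side (the IPTABLES list in /etc/sysconfig/vz followed by a container restart); no amount of loading modules inside the VE will help.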

APF on CentOS-5 OpenVZ Containers

  1. On the host, raise NUMIPTENT in the VE's config file (/etc/vz/conf/<VEID>.conf) to 1000:
    NUMIPTENT="1000:1000";
  2. Edit "/etc/sysconfig/vz" on the host:
    IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_owner ipt_length ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_recent"
  3. Make sure the modules listed above are actually loaded on the host; running APF on the host as well takes care of that.
  4. Restart the VE
    # vzctl restart <VEID>
  5. It is normal to get the following warning about ipt_recent when the VE starts:
    Warning: Unknown iptable module: ipt_recent, skipped

    You can verify which match modules are available inside the VE via (the entries are listed by match name, so look for "recent", not "ipt_recent"):

    # vzctl exec <VEID> grep -w recent /proc/net/ip_tables_matches

    Note: ipt_recent is required for passive FTP to work; without it you will need to set a fixed passive port range in the FTP server config and open those ports in APF as well.

  6. Here is a typical APF config on a VE with CentOS-5 running ISPConfig.

    DEVEL_MODE="0"
    IFACE_IN="venet0"
    IFACE_OUT="venet0"
    IFACE_TRUSTED=""
    SET_MONOKERN="1"
    IG_TCP_CPORTS="21,22,25,53,80,81,110,143,443"
    IG_UDP_CPORTS="53"
    EGF="1"
    EG_TCP_CPORTS="21,25,80,443,43"
    EG_UDP_CPORTS="20,21,53"
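The NUMIPTENT step above is the one that bites silently: once the counter is exhausted, rule insertions are refused and APF's rule set is only partially loaded. The following shell script is an added example (not from the original page) that reads the numiptent line for a container out of /proc/user_beancounters and reports held entries, the limit and the failure count, so the check can be run before and after starting APF. It assumes the OpenVZ beancounter layout shown in the constructed sample in the test; the UBC variable and the 80% fill threshold are this example's own choices.

```shell
#!/bin/sh
# Added example: check the numiptent beancounter of an OpenVZ container.
# On the host /proc/user_beancounters lists every container, so a VEID
# selects the right block; inside a VE there is only one block and the
# VEID can be omitted.

UBC="${UBC:-/proc/user_beancounters}"

# numiptent_status [VEID]
# Prints "held limit failcnt" for the numiptent resource, or nothing
# if the container / resource is not present in the file.
numiptent_status() {
    awk -v veid="${1:-}" '
        # A block starts with "<uid>:  resource held maxheld barrier limit failcnt"
        $1 ~ /^[0-9]+:$/ {
            cur = substr($1, 1, length($1) - 1)
            res = $2; held = $3; lim = $6; fail = $7
        }
        # Continuation lines: "resource held maxheld barrier limit failcnt"
        $1 !~ /^[0-9]+:$/ {
            res = $1; held = $2; lim = $5; fail = $6
        }
        res == "numiptent" && (veid == "" || cur == veid) {
            print held, lim, fail; exit
        }' "$UBC"
}

# numiptent_check [VEID]
# Exit status 1 when rule insertions have already been refused
# (failcnt > 0) or the table is more than 80% full; 2 when the
# resource cannot be read at all.
numiptent_check() {
    set -- $(numiptent_status "$1")
    [ $# -eq 3 ] || { echo "numiptent not found in $UBC" >&2; return 2; }
    held=$1; limit=$2; failcnt=$3
    if [ "$failcnt" -gt 0 ]; then
        echo "numiptent: $failcnt rule insertions already refused" \
             "(held $held, limit $limit); raise NUMIPTENT on the host" >&2
        return 1
    fi
    if [ $((held * 100)) -ge $((limit * 80)) ]; then
        echo "numiptent: $held of $limit entries in use" >&2
        return 1
    fi
    return 0
}

# Usage inside the VE:   numiptent_check
# Usage on the host:     numiptent_check 101
```

A non-zero failcnt after APF has started means some of its rules never made it into the kernel, so the firewall is not what the APF config says it is; raise NUMIPTENT in the VE config on the host and restart the VE, then re-run the check.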
