<div dir="ltr">You just need to make sure that iptables is running on the host in some way or another. If you run lsmod on it you should see these modules:<div><br></div><div>xt_multiport 12597 2 </div><div>iptable_filter 12810 2 </div>
<div>ip_tables 27473 1 iptable_filter</div><div>x_tables 29891 3 xt_multiport,iptable_filter,ip_tables</div><div><br></div><div> If it's not there, it's not loaded and can't be shared with the containers. I have the hosts on a separate and much more secure network, so I didn't think about a firewall. <div>
<br></div><div>The easiest thing is to install fail2ban on the host. It just watches ssh or whatever services you define for brute-force attacks by using iptables. It's useful and sets iptables rules. Alternatively, set up a firewall on the host or load the iptables modules in /etc/modules at boot on the host. </div>
</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jan 15, 2014 at 3:25 AM, Gandhi, Ibha (HP Software) <span dir="ltr"><<a href="mailto:ibhag@hp.com" target="_blank">ibhag@hp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Hi John,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Even I am facing similar issue, container throws this error:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">ubuntu@root-local-machine-2:~$ iptables -L<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">FATAL: Could not load /lib/modules/3.11.0-12-generic/modules.dep: No such file or directory<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">iptables v1.4.12: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Perhaps iptables or your kernel needs to be upgraded.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">It’ll be great if you can share what changes you made in init scripts.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Thanks,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">- Ibha<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:lxc-users-bounces@lists.linuxcontainers.org" target="_blank">lxc-users-bounces@lists.linuxcontainers.org</a> [mailto:<a href="mailto:lxc-users-bounces@lists.linuxcontainers.org" target="_blank">lxc-users-bounces@lists.linuxcontainers.org</a>]
<b>On Behalf Of </b>John Baker<br>
<b>Sent:</b> Wednesday, January 15, 2014 2:09 AM<br>
<b>To:</b> LXC users mailing-list<br>
<b>Subject:</b> Re: [lxc-users] iptabes kernel modules not loading in containers<u></u><u></u></span></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Yes, that was it thanks. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Tue, Jan 14, 2014 at 3:31 PM, Stéphane Graber <<a href="mailto:stgraber@ubuntu.com" target="_blank">stgraber@ubuntu.com</a>> wrote:<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">On Tue, Jan 14, 2014 at 03:00:32PM -0500, John Baker wrote:<br>
> Hi,<br>
><br>
> I'm using lxc in 12.04.4 LTS and seem to have a chronic issue with the<br>
> iptables module not loading inside a container. I have found that it does<br>
> sometimes work and my coworker never seems to have problems with it in the<br>
> servers he runs. But it happens all the time on mine and I can't see<br>
> anything at all that we do differently. Sometimes it will start running<br>
> inside a container and then mysteriously have stopped next time I check in.<br>
> I can't find any error messages pertaining to it besides the one I get when<br>
> I try to load rules or view the set loaded.<br>
><br>
> The only fix I have been able to come up with is to manually<br>
> copy /lib/modules/<kernel ver.>-generic/modules.dep and net directory from<br>
> the host into the container. Then it seems willing to load iptables modules<br>
> consistently but always breaks when the kernel is updated on the host and<br>
> has to be redone.<br>
><br>
> Any ideas on what I might be missing? Is there a cgroup I should include<br>
> for sharing iptables modules?<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal">Kernel modules aren't loaded per-container but globally for the whole host.<br>
<br>
It's not recommended (and usually blocked by either dropping the<br>
capability or by having apparmor prevent it) to load modules from within<br>
a container. Instead you should make sure all your kernel modules are<br>
loaded from the host before you start your containers.<br>
<br>
I suspect the difference between your server and your colleague's is<br>
that he has some init scripts or something else calling iptables before<br>
he starts his containers which will load any modules required by his<br>
container.<br>
<span style="color:#888888"><br>
<span>--</span><br>
<span>Stéphane Graber</span><br>
<span>Ubuntu developer</span><br>
<span><a href="http://www.ubuntu.com" target="_blank">http://www.ubuntu.com</a></span><br>
</span><br>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><u></u><u></u></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">-- <u></u><u></u></p>
<div>
<p class="MsoNormal">John Baker<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Network Administrator<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Marlboro College<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Phone: 451-7551 Cell: 490-0066<u></u><u></u></p>
</div>
</div>
</div></div></div>
</div>
<br>_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>John Baker</div><div>
Network Administrator</div><div>Marlboro College</div><div>Phone: 451-7551 Cell: 490-0066</div>
</div>
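<div>The host-side check described in the thread (verify with lsmod that the iptables modules are loaded on the host before starting containers, and persist them in /etc/modules), written up as an added example that is not part of any message above. The module list, the function names and the constructed lsmod sample are assumptions for illustration.</div>

```shell
#!/bin/sh
# Hypothetical pre-start check for an LXC host (added example, not from the thread).
# Containers cannot load kernel modules themselves, so the host must have the
# iptables modules loaded before the containers come up.

# Modules the thread's lsmod listing shows; adjust to what your containers use.
REQUIRED_MODULES="ip_tables iptable_filter x_tables xt_multiport"

# Print, one per line, the required modules absent from lsmod-style text
# passed as $1 (module name is the first column).
missing_modules() {
    lsmod_text=$1
    for mod in $REQUIRED_MODULES; do
        printf '%s\n' "$lsmod_text" | grep -q "^${mod}[[:space:]]" \
            || printf '%s\n' "$mod"
    done
}

# Print the required modules not yet listed in the current /etc/modules
# contents passed as $1, i.e. the lines to append so they load at boot.
modules_to_persist() {
    current=$1
    for mod in $REQUIRED_MODULES; do
        printf '%s\n' "$current" | grep -qx "$mod" || printf '%s\n' "$mod"
    done
}

# Constructed lsmod output resembling the host listing quoted in the thread,
# with xt_multiport deliberately missing so the check has something to report.
SAMPLE_LSMOD='Module                  Size  Used by
iptable_filter         12810  2
ip_tables              27473  1 iptable_filter
x_tables               29891  3 iptable_filter,ip_tables'

if [ "${1:-}" = "--check-host" ]; then
    # Real run (needs root): load what is missing and persist it for reboots.
    for mod in $(missing_modules "$(lsmod)"); do
        echo "loading $mod on host"
        modprobe "$mod"
    done
    modules_to_persist "$(cat /etc/modules)" >> /etc/modules
else
    echo "missing from sample lsmod output:"
    missing_modules "$SAMPLE_LSMOD"
fi
```

Run with --check-host on the host itself (as root) before starting containers; without arguments it only reports against the constructed sample.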