Changes


Setting up an iptables firewall

397 bytes added, 18:10, 16 March 2009
== Setting up a firewall that allows per-container configuration ==
This setup configures iptables on the HN to disallow access to all hosts, including the containers. However, it allows all traffic into the containers so they may define their own iptables rules and therefore manage their own firewall.
This content is missing. You are invited to fill it in, if you get to it before I do. :)

<pre>
iptables -P FORWARD ACCEPT
iptables -F FORWARD
</pre>

This sets the default policy of the FORWARD chain to ACCEPT and removes all rules from it, so all packets can pass back and forth between containers and the outside world.
If you want to use a firewall inside a container, please load these modules BEFORE starting the container:
If you do not, you will get an error like this: "iptables: No chain/target/match by that name"
 
If you want to use stateful firewall rules (and you should!) you will also need to make sure that 'ipt_state' is in the 'IPTABLES' option in your vz.conf file:
 
<pre>
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state"
</pre>
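The vz.conf check described above, written as an added example (not code from this wiki page or from the OpenVZ project): a POSIX shell script that reads the IPTABLES option from a vz.conf fragment, warns if 'ipt_state' is absent (the case in which stateful rules inside a container fail), and prints the modprobe commands to run on the HN before starting the container. The vz.conf content is a constructed sample and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the OpenVZ wiki: inspect the IPTABLES option of an
# OpenVZ vz.conf and report which modules must be loaded on the HN before a
# container starts, and whether stateful matching (ipt_state) is enabled.

# Constructed vz.conf fragment, embedded so the script runs offline.
SAMPLE_VZ_CONF='# vz.conf sample (constructed)
VE0CPUUNITS=1000
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state"
'

# Print the value of the last IPTABLES=... line read from stdin, quotes stripped.
vz_iptables_modules() {
    sed -n 's/^IPTABLES="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' | tail -n 1
}

# Return 0 if the space-separated module list in $1 contains ipt_state.
has_ipt_state() {
    for m in $1; do
        [ "$m" = "ipt_state" ] && return 0
    done
    return 1
}

# Emit one modprobe command per module, in the order given in vz.conf.
# The commands are printed rather than executed so they can be reviewed first.
modprobe_commands() {
    for m in $1; do
        printf 'modprobe %s\n' "$m"
    done
}

# Check a vz.conf text ($1): exit 2 if IPTABLES is unset, 1 if ipt_state is
# missing, otherwise print the modprobe commands and exit 0.
check_vz_conf() {
    mods=$(printf '%s' "$1" | vz_iptables_modules)
    if [ -z "$mods" ]; then
        printf 'IPTABLES option not set in vz.conf\n' >&2
        return 2
    fi
    if ! has_ipt_state "$mods"; then
        printf 'warning: ipt_state missing from IPTABLES; stateful rules inside containers will fail\n' >&2
        return 1
    fi
    modprobe_commands "$mods"
}

# Usage: run the check against the constructed sample.
check_vz_conf "$SAMPLE_VZ_CONF"
```

To use it against a real host, replace the constructed sample with the contents of /etc/vz/vz.conf and pipe the printed commands to a shell once you have reviewed them.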
== See also ==