inceptionhosting does not work iptables
I use vps as a proxy. in the iptables settings is blocking some sites. before the openVZ update, everything worked well on the old version. but it’s not working now.
I am using this command:
iptables -A OUTPUT -m string --string "vk.com" --algo kmp --to 65535 -p all -j REJECT
everything worked on the old version but now displays an error message:
iptables: No chain/target/match by that name.
How to fix it?
My Node: Mininode1b (NETHERLANDS)
My IP: 192.168.1.101
Tagged:
Comments
I think you need to write this in a shell:
touch /option.netfilter
It will take up to 30 minutes, your server will restart.
When it has been done, the file option.netfilter will be renamed to netfilter.enabled
You can view a similar process, once logged in into the clientarea:
https://clients.inceptionhosting.com/index.php?rp=/knowledgebase/26/Enable-FUSE-or-NFS.html
I checked, it does not work. the result is the same - there is an error.
maybe something else is needed?
I've never done --string matches. Does the rest of the config work if you remove those? If you just do a simple iptables --list what do you see?
all words in a line are required; you cannot delete a single word (cannot delete parameter -m string).
for iptables --list I see other rules, they work. only the module does not work -m string
before the update everything worked, now it doesn’t work
Ah, so iptables as a whole does work. Just the string matching doesn't. ( Edited: because I didn't read the whole post )
Just so the question has been asked, this is the same OS just migrated over to the new OVZ7 node or were you re-provisioned?
all the same, nothing has changed. just changed OpenVZ and I did a system update (apt update; apt upgrade).
Presumably module not loaded in the kernel. It’s not quite basic one either. One that’s quite taxing as well. Perhaps @AnthonySmith will oblige and load, otherwise you shouldn’t have any hard feelings here.
Clouvider Limited - VPS in 6 datacenters - Intel Xeon/AMD Epyc with NVMe and 10G uplink! | Dedicated Servers
That used to be xt_string but I haven't played with OVZ7 much.. nor used strings fro this.
My pronouns are like/subscribe.
I will have a look into what is missing tomorrow.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
Ok had a look, it is still xt_string which is loaded on the host node.
Did some reading, not much new info available but it looks like this used to be a common issue on vz6 too, unloading xt_string and then reloading it via probing for ipt_string was the suggested solution.
I have now done that and can see that xt_string is present.
I would suggest that you stop your container completely via solusvm then start it via solusvm.
check again and throw a -v after iptables in the command and paste the results if it is still failing, it is quite possible the module is not the issue here.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
through the solusvm menu I turned on and off VPS.
I see the module "string" in the file /proc/net/ip_tables_matches
but the firewall is not working:
# iptables -v -A OUTPUT -m string --string "vk.com" --algo kmp --to 65535 -p all -j REJECT
REJECT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 STRING match "vk.com" ALGO name kmp TO 65535 reject-with icmp-port-unreachable
iptables: No chain/target/match by that name.
Not sure what to tell you, the module is loaded and available, I will take another look though.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
Is that iptable real iptable, or nftable emulating it? Default is nft translation layer, right?
I have not used anywhere nftable, use only iptable. maybe OVZ7 replaces, but I'm not sure
you may need to update openvz, there are no problems with the latest version. I don't have the last one. can you update openvz?
https://bugs.openvz.org/browse/OVZ-7171
There you go then, options right now:
Use a CentOS 7 container or wait for the next update/reboot.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
OK. tell me when the planned next upgrade?
There are none planned right now.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
tell me at least approximate dates (six months or a year).
about that, maybe sooner.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
I'd just pay $5/mo for KernelCare and let it roll.
My pronouns are like/subscribe.
Just curious: is KernelCare available for the OpenVZ kernel?
"A single swap file or partition may be up to 128 MB in size. [...] [I]f you need 256 MB of swap, you can create two 128-MB swap partitions." (M. Welsh & L. Kaufman, Running Linux, 2e, 1996, p. 49)
Yes INDEED it is, APPARENTLY.
Free NAT KVM | Free NAT LXC
Why "apparently"? Do you have a reference? (It's a sincere question.)
"A single swap file or partition may be up to 128 MB in size. [...] [I]f you need 256 MB of swap, you can create two 128-MB swap partitions." (M. Welsh & L. Kaufman, Running Linux, 2e, 1996, p. 49)
Indeed it is, even for legacy OpenVZ6:
You can see a full list of supported kernels here: https://patches.kernelcare.com/
Daniel15 | https://d.sb/. List of all my VPSes: https://d.sb/servers
dnstools.ws - DNS lookups, pings, and traceroutes from 30 locations worldwide.
@sonic, @Daniel
Thanks. Yes, I was aware of OVZ6 support. I was interested in whether KernelCare supports the OVZ7 kernel. Perhaps I should have clarified this, but the topic of this thread is OVZ7.
I'm still wondering, though: I can't seem to find the OVZ7 kernel on https://patches.kernelcare.com/#All Kernels/ . But perhaps I'm missing something.
"A single swap file or partition may be up to 128 MB in size. [...] [I]f you need 256 MB of swap, you can create two 128-MB swap partitions." (M. Welsh & L. Kaufman, Running Linux, 2e, 1996, p. 49)
3 points.
That said, frankly OpenVZ 7 is not that stable generally yet, I mean it’s ok but it’s about at the stage of 80% that both VZ5 and VZ6 were at this stage in their life, so a reboot may be inevitable way sooner, the updates (with no guarantee of a fix) have been applied in advance should that happen.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
I will wait for the update and reboot of the new kernel. it can wait. there is a problem, but it is not very big.
the problem can be closed I am waiting for an update.