English
Chinese
French
German
Italian
Japanese
Russian
Spanish
Subscriptions
RSS feedsResolution
The installation of APF requires some additional steps to be taken on the hardware node.1. First of all, you should define which iptables modules are available for VEs.
Edit /etc/sysconfig/iptables-config file on a Virtuozzo hardware node:
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"Edit /etc/sysconfig/vz file on a Virtuozzo hardware node:
IPTABLES="ipt_REJECT
ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"Please note - iptables modules list in IPTABLES and IPTABLES_MODULES parameters in /etc/sysconfig/vz and /etc/sysconfig/iptables-config files should be placed in one single line, no linebreaks is allowed in this parameter.
Restart Virtuozzo. All VEs will be restarted.
# service vz restart2. Increase 'numiptent' parameter for the VE you need to install APF into. This parameter limits the amount of iptables rules available for a VE. Default APF configuration requires ~200 rules. Lets set it to 200 in the example below for VE #101:
# vzctl set 101 --numiptent 200 --save3. Install APF inside the VE. Edit /etc/apf/conf.apf inside VE, set the following parameters:
IFACE_IN="venet0"
IFACE_OUT="venet0"
SET_MONOKERN="1"4. Start APF inside the VE:
# /etc/init.d/apf startKeywords: APF firewall iptables modules ip_tables numiptent rules