
can't start on openvz guest

Help
2011-06-18
2012-12-07
  • Piotr Rogoża

    Piotr Rogoża - 2011-06-18

    Hello
    I am trying to run vuurmuur on an openvz guest. In error.log I have:

    06/17/2011 17:38:57 : PID 691   : vuurmuur      : Error (-1): Opening proc entry '/proc/sys/net/ipv4/tcp_syncookies' failed: No such file or directory (in: set_proc_entry).
    06/17/2011 17:38:57 : PID 691   : vuurmuur      : Error (-1): set_proc_entry failed (in: create_rule, prot_proc_sys).
    06/17/2011 17:38:57 : PID 691   : vuurmuur      : Error (-1): command '/sbin/iptables-restore  --counters --noflush < /tmp/vuurmuur-SjKVBV 2>> /tmp/vuurmuur-load-result-uOYx3G' failed.
    06/17/2011 17:38:57 : PID 691   : vuurmuur      : Error (-1): loading the ruleset failed (in: ruleset_load_ruleset:1186).
    06/17/2011 17:38:57 : PID 691   : vuurmuur      : Error (-1): rulesetfile will be stored as '/tmp/vuurmuur-SjKVBV.failed' (in: load_ruleset:1708).
    06/17/2011 17:38:57 : PID 691   : vuurmuur      : Error (-1): loading ruleset result: 'iptables-restore: line 170 failed'.
    06/17/2011 17:38:57 : PID 691   : vuurmuur      : Error (-1): creating rules failed.
    

    And vuurmuur.log:

    06/18/2011 19:41:36 : PID 3310  : vuurmuur      : Error (-1): Opening proc entry '/proc/sys/net/ipv4/tcp_syncookies' failed: No such file or directory (in: set_proc_entry).
    06/18/2011 19:41:36 : PID 3310  : vuurmuur      : Error (-1): set_proc_entry failed (in: create_rule, prot_proc_sys).
    06/18/2011 19:41:36 : PID 3310  : vuurmuur      : Info: Setting '1' to proc entry '/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts' succesfull.
    06/18/2011 19:41:36 : PID 3310  : vuurmuur      : Info: not creating rule: 'from'-interface 'venet0' is dynamic and down.
    06/18/2011 19:41:36 : PID 3310  : vuurmuur      : Info: Setting '0' to proc entry '/proc/sys/net/ipv4/ip_forward' succesfull.
    06/18/2011 19:41:36 : PID 3310  : vuurmuur      : Info: Creating rules finished.
    06/18/2011 19:41:51 : PID 3310  : vuurmuur      : Error (-1): command '/sbin/iptables-restore  --counters --noflush < /tmp/vuurmuur-mPn4ti 2>> /tmp/vuurmuur-load-result-E7TQNq' failed.
    06/18/2011 19:41:51 : PID 3310  : vuurmuur      : Error (-1): loading the ruleset failed (in: ruleset_load_ruleset:1186).
    06/18/2011 19:41:51 : PID 3310  : vuurmuur      : Error (-1): rulesetfile will be stored as '/tmp/vuurmuur-mPn4ti.failed' (in: load_ruleset:1708).
    06/18/2011 19:41:51 : PID 3310  : vuurmuur      : Error (-1): loading ruleset result: 'iptables-restore: line 170 failed'.
    06/18/2011 19:41:52 : PID 3310  : vuurmuur      : Error (-1): creating rules failed.
    

    Of course /proc/sys/net/ipv4/tcp_syncookies doesn't exist on an openvz guest, and I have disabled syn-flood protection.

    When I run the script manually (generated by vuurmuur -b) I receive:

    iptables v1.4.2: Couldn't load target `ESTRELNFQUEUE':/lib/xtables/libipt_ESTRELNFQUEUE.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.2: Couldn't load target `ESTRELNFQUEUE':/lib/xtables/libipt_ESTRELNFQUEUE.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.2: Couldn't load target `ESTRELNFQUEUE':/lib/xtables/libipt_ESTRELNFQUEUE.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    iptables: Memory allocation problem
    iptables v1.4.2: Couldn't load target `NEWQUEUE':/lib/xtables/libipt_NEWQUEUE.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.2: Couldn't load target `NEWQUEUE':/lib/xtables/libipt_NEWQUEUE.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.2: Couldn't load target `NEWQUEUE':/lib/xtables/libipt_NEWQUEUE.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    iptables: Memory allocation problem
    

    etc.

    Vuurmuur version 0.7 and Debian 6. Right now I am testing vuurmuur 0.8beta2.

     
  • Victor Julien

    Victor Julien - 2011-06-20

    Can you do:

    vuurmuur -b > test.sh
    bash -x test.sh &> log

    Then post/send the contents of "log"?

    Thanks!

     
  • Piotr Rogoża

    Piotr Rogoża - 2011-06-21

    In the Rules of vuurmuur I have only:
    allow outgoing traffic,
    allow incoming ssh traffic

    + /sbin/iptables --flush
    + /sbin/iptables -t nat --flush
    + /sbin/iptables -t mangle --flush
    + /sbin/iptables -t mangle -N PRE-VRMR-PREROUTING
    + /sbin/iptables -t mangle -A PREROUTING -j PRE-VRMR-PREROUTING
    + /sbin/iptables -t mangle -N PRE-VRMR-INPUT
    + /sbin/iptables -t mangle -A INPUT -j PRE-VRMR-INPUT
    + /sbin/iptables -t mangle -N PRE-VRMR-FORWARD
    + /sbin/iptables -t mangle -A FORWARD -j PRE-VRMR-FORWARD
    + /sbin/iptables -t mangle -N PRE-VRMR-POSTROUTING
    + /sbin/iptables -t mangle -A POSTROUTING -j PRE-VRMR-POSTROUTING
    + /sbin/iptables -t mangle -N PRE-VRMR-OUTPUT
    + /sbin/iptables -t mangle -A OUTPUT -j PRE-VRMR-OUTPUT
    + /sbin/iptables -t filter -N PRE-VRMR-INPUT
    + /sbin/iptables -t filter -A INPUT -j PRE-VRMR-INPUT
    + /sbin/iptables -t filter -N PRE-VRMR-FORWARD
    + /sbin/iptables -t filter -A FORWARD -j PRE-VRMR-FORWARD
    + /sbin/iptables -t filter -N PRE-VRMR-OUTPUT
    + /sbin/iptables -t filter -A OUTPUT -j PRE-VRMR-OUTPUT
    + /sbin/iptables -t nat -N PRE-VRMR-PREROUTING
    + /sbin/iptables -t nat -A PREROUTING -j PRE-VRMR-PREROUTING
    + /sbin/iptables -t nat -N PRE-VRMR-POSTROUTING
    + /sbin/iptables -t nat -A POSTROUTING -j PRE-VRMR-POSTROUTING
    + /sbin/iptables -t nat -N PRE-VRMR-OUTPUT
    + /sbin/iptables -t nat -A OUTPUT -j PRE-VRMR-OUTPUT
    + /sbin/iptables -t mangle -N SHAPEIN
    + /sbin/iptables -t mangle -A INPUT -j SHAPEIN
    + /sbin/iptables -t mangle -N SHAPEOUT
    + /sbin/iptables -t mangle -A OUTPUT -j SHAPEOUT
    + /sbin/iptables -t mangle -N SHAPEFW
    + /sbin/iptables -t mangle -A FORWARD -j SHAPEFW
    + /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
    + /sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT
    + /sbin/iptables --policy INPUT DROP
    + /sbin/iptables --policy OUTPUT DROP
    + /sbin/iptables --policy FORWARD DROP
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags ALL NONE -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe ALL ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags ALL NONE -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe ALL ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags ALL NONE -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe ALL ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags ALL NONE -j DROP
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags ALL NONE -j DROP
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags ALL NONE -j DROP
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe SYN-FIN ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe SYN-FIN ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe SYN-FIN ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe SYN-RST ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe SYN-RST ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe SYN-RST ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe FIN-RST ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe FIN-RST ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe FIN-RST ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe FIN ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe FIN ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags ACK,FIN FIN -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe FIN ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags ACK,PSH PSH -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe PSH ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags ACK,PSH PSH -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe PSH ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags ACK,PSH PSH -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe PSH ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags ACK,PSH PSH -j DROP
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags ACK,PSH PSH -j DROP
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags ACK,PSH PSH -j DROP
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe URG ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags ACK,URG URG -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe URG ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags ACK,URG URG -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP probe URG ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp '!' --syn -m state --state NEW -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP no SYN ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp '!' --syn -m state --state NEW -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP no SYN ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp '!' --syn -m state --state NEW -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP no SYN ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp '!' --syn -m state --state NEW -j DROP
    + /sbin/iptables -t filter -A OUTPUT -p tcp -m tcp '!' --syn -m state --state NEW -j DROP
    + /sbin/iptables -t filter -A FORWARD -p tcp -m tcp '!' --syn -m state --state NEW -j DROP
    + /sbin/iptables -t filter -A INPUT -f -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP FRAG ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A OUTPUT -f -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP FRAG ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A FORWARD -f -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP FRAG ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A INPUT -f -j DROP
    + /sbin/iptables -t filter -A OUTPUT -f -j DROP
    + /sbin/iptables -t filter -A FORWARD -f -j DROP
    + /sbin/iptables -N SYNLIMIT
    + /sbin/iptables --flush SYNLIMIT
    + /sbin/iptables -t filter -A SYNLIMIT -m limit --limit 15/s --limit-burst 30 -j RETURN
    + /sbin/iptables -t filter -A SYNLIMIT -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP SYNLIMIT reach. ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A SYNLIMIT -j DROP
    + /sbin/iptables -N UDPLIMIT
    + /sbin/iptables --flush UDPLIMIT
    + /sbin/iptables -t filter -A UDPLIMIT -m limit --limit 10/s --limit-burst 60 -j RETURN
    + /sbin/iptables -t filter -A UDPLIMIT -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP UDPLIMIT reach. ' --log-level debug --log-tcp-options
    + /sbin/iptables -t filter -A UDPLIMIT -j DROP
    + /sbin/iptables -N NEWACCEPT
    + /sbin/iptables -t filter -A NEWACCEPT -p tcp -m tcp --syn -j SYNLIMIT
    + /sbin/iptables -t filter -A NEWACCEPT -p udp -m state --state NEW -j UDPLIMIT
    + /sbin/iptables -t filter -A NEWACCEPT -j ACCEPT
    + /sbin/iptables -N NEWQUEUE
    + /sbin/iptables -t filter -A NEWQUEUE -p tcp -m tcp --syn -j SYNLIMIT
    iptables: No chain/target/match by that name.
    + /sbin/iptables -t filter -A NEWQUEUE -p udp -m state --state NEW -j UDPLIMIT
    iptables: No chain/target/match by that name.
    + /sbin/iptables -t filter -A NEWQUEUE -j QUEUE
    iptables: No chain/target/match by that name.
    + /sbin/iptables -N NEWNFQUEUE
    + /sbin/iptables -N ESTRELNFQUEUE
    + /sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -m connmark '!' --mark 0 -j ESTRELNFQUEUE
    iptables v1.4.8: Couldn't load target `ESTRELNFQUEUE':/lib/xtables/libipt_ESTRELNFQUEUE.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + /sbin/iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -m connmark '!' --mark 0 -j ESTRELNFQUEUE
    iptables v1.4.8: Couldn't load target `ESTRELNFQUEUE':/lib/xtables/libipt_ESTRELNFQUEUE.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + /sbin/iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -m connmark '!' --mark 0 -j ESTRELNFQUEUE
    iptables v1.4.8: Couldn't load target `ESTRELNFQUEUE':/lib/xtables/libipt_ESTRELNFQUEUE.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + /sbin/iptables -t filter -A INPUT -m mark --mark 0x0/0xff000000 -m state --state ESTABLISHED -j ACCEPT
    + /sbin/iptables -t filter -A OUTPUT -m mark --mark 0x0/0xff000000 -m state --state ESTABLISHED -j ACCEPT
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A FORWARD -m mark --mark 0x0/0xff000000 -m state --state ESTABLISHED -j ACCEPT
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A INPUT -m mark --mark 0x0/0xff000000 -m state --state RELATED -j NEWACCEPT
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A OUTPUT -m mark --mark 0x0/0xff000000 -m state --state RELATED -j NEWACCEPT
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A FORWARD -m mark --mark 0x0/0xff000000 -m state --state RELATED -j NEWACCEPT
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A INPUT -m mark --mark 0x1000000/0xff000000 -m state --state ESTABLISHED -j QUEUE
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A OUTPUT -m mark --mark 0x1000000/0xff000000 -m state --state ESTABLISHED -j QUEUE
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A FORWARD -m mark --mark 0x1000000/0xff000000 -m state --state ESTABLISHED -j QUEUE
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A INPUT -m mark --mark 0x1000000/0xff000000 -m state --state RELATED -j NEWQUEUE
    iptables v1.4.8: Couldn't load target `NEWQUEUE':/lib/xtables/libipt_NEWQUEUE.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + /sbin/iptables -t filter -A OUTPUT -m mark --mark 0x1000000/0xff000000 -m state --state RELATED -j NEWQUEUE
    iptables v1.4.8: Couldn't load target `NEWQUEUE':/lib/xtables/libipt_NEWQUEUE.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + /sbin/iptables -t filter -A FORWARD -m mark --mark 0x1000000/0xff000000 -m state --state RELATED -j NEWQUEUE
    iptables v1.4.8: Couldn't load target `NEWQUEUE':/lib/xtables/libipt_NEWQUEUE.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + /sbin/iptables -t filter -A INPUT -m state --state INVALID -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP in INVALID ' --log-level debug --log-tcp-options
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A INPUT -m state --state INVALID -j DROP
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A OUTPUT -m state --state INVALID -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP out INVALID ' --log-level debug --log-tcp-options
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A OUTPUT -m state --state INVALID -j DROP
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A FORWARD -m state --state INVALID -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix 'vrmr: DROP fw INVALID ' --log-level debug --log-tcp-options
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A FORWARD -m state --state INVALID -j DROP
    iptables: Memory allocation problem.
    + /sbin/iptables -N BLOCKLIST
    + /sbin/iptables -t filter -A INPUT -j BLOCKLIST
    iptables v1.4.8: Couldn't load target `BLOCKLIST':/lib/xtables/libipt_BLOCKLIST.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + /sbin/iptables -t filter -A OUTPUT -j BLOCKLIST
    iptables v1.4.8: Couldn't load target `BLOCKLIST':/lib/xtables/libipt_BLOCKLIST.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + /sbin/iptables -t filter -A FORWARD -j BLOCKLIST
    iptables v1.4.8: Couldn't load target `BLOCKLIST':/lib/xtables/libipt_BLOCKLIST.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + /sbin/iptables -N BLOCK
    + /sbin/iptables -t filter -A BLOCK -j DROP
    iptables: No chain/target/match by that name.
    + /sbin/iptables -N TCPRESET
    + /sbin/iptables -t filter -A TCPRESET -p tcp -m tcp -j REJECT --reject-with tcp-reset
    iptables: No chain/target/match by that name.
    + /sbin/iptables -t filter -A TCPRESET -j REJECT
    iptables: No chain/target/match by that name.
    + /sbin/iptables -N ANTISPOOF
    + /sbin/iptables -t filter -A INPUT -j ANTISPOOF
    iptables v1.4.8: Couldn't load target `ANTISPOOF':/lib/xtables/libipt_ANTISPOOF.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + /sbin/iptables -t filter -A OUTPUT -j ANTISPOOF
    iptables v1.4.8: Couldn't load target `ANTISPOOF':/lib/xtables/libipt_ANTISPOOF.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + /sbin/iptables -t filter -A FORWARD -j ANTISPOOF
    iptables v1.4.8: Couldn't load target `ANTISPOOF':/lib/xtables/libipt_ANTISPOOF.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + /sbin/iptables -t filter -A NEWNFQUEUE -p tcp -m tcp --syn -j SYNLIMIT
    iptables: No chain/target/match by that name.
    + /sbin/iptables -t filter -A NEWNFQUEUE -p udp -m state --state NEW,RELATED -j UDPLIMIT
    iptables: No chain/target/match by that name.
    + /sbin/iptables -t filter -A BLOCKLIST -s 255.255.255.255/255.255.255.255 -j BLOCK
    iptables v1.4.8: Couldn't load target `BLOCK':/lib/xtables/libipt_BLOCK.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + /sbin/iptables -t filter -A BLOCKLIST -d 255.255.255.255/255.255.255.255 -j BLOCK
    iptables v1.4.8: Couldn't load target `BLOCK':/lib/xtables/libipt_BLOCK.so: cannot open shared object file: No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
    + echo 0
    ./test.sh: line 222: /proc/sys/net/ipv4/tcp_syncookies: Nie ma takiego pliku ani katalogu
    + echo 1
    + /sbin/iptables -t filter -A OUTPUT -d 0.0.0.0/0.0.0.0 -m state --state NEW -j NEWACCEPT
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A INPUT -p tcp -m tcp --syn -s 0.0.0.0/0.0.0.0 --sport 1024:65535 --dport 22 -m state --state NEW -j NEWACCEPT
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A INPUT -m limit --limit 20/s --limit-burst 40 -j LOG --log-prefix 'vrmr: DROP in policy ' --log-level debug --log-tcp-options
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A OUTPUT -m limit --limit 20/s --limit-burst 40 -j LOG --log-prefix 'vrmr: DROP out policy ' --log-level debug --log-tcp-options
    iptables: Memory allocation problem.
    + /sbin/iptables -t filter -A FORWARD -m limit --limit 20/s --limit-burst 40 -j LOG --log-prefix 'vrmr: DROP fw policy ' --log-level debug --log-tcp-options
    iptables: Memory allocation problem.
    + echo 0
    

    I have disabled all anti-spoofing options. This is only for testing.

     
  • Piotr Rogoża

    Piotr Rogoża - 2011-06-21

    Sorry for this:

    ./test.sh: line 222: /proc/sys/net/ipv4/tcp_syncookies: Nie ma takiego pliku ani katalogu
    

    it should be:

    ./test.sh: line 222: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory
    
     
  • Victor Julien

    Victor Julien - 2011-06-21

    To be honest I think the problem is in your iptables installation. You get errors on valid iptables rules like here:

    + /sbin/iptables -N SYNLIMIT

    + /sbin/iptables -N NEWQUEUE
    + /sbin/iptables -t filter -A NEWQUEUE -p tcp -m tcp --syn -j SYNLIMIT
    iptables: No chain/target/match by that name.

    Even more worrying is an error like this:

    + /sbin/iptables -t filter -A FORWARD -m mark --mark 0x0/0xff000000 -m state --state RELATED -j NEWACCEPT
    iptables: Memory allocation problem.

    Vuurmuur depends on iptables working properly.

    Did you patch and recompile the kernel for openvz? If so you may also need to rebuild the iptables toolset.
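As an added example (not part of the thread, and not vuurmuur's own code), a small Python triage script that pairs each command in a `bash -x` trace like the one posted above with the error printed after it, and flags rules whose jump target is a user chain the same script had created a few lines earlier, which is the tell the reply above points at. The sample trace is a constructed excerpt in the shape of the posted log; the error-kind names and the verdict strings are the script's own.

```python
import re
from collections import Counter

# Constructed sample (not the poster's full log): an excerpt of a `bash -x test.sh`
# trace in the shape posted in this thread. Traced commands carry a "+ " prefix and
# their stderr follows unprefixed; "+ echo 0" is how bash -x shows `echo 0 > /proc/...`.
SAMPLE_TRACE = """\
+ /sbin/iptables -N SYNLIMIT
+ /sbin/iptables -t filter -A SYNLIMIT -m limit --limit 15/s --limit-burst 30 -j RETURN
+ /sbin/iptables -N NEWQUEUE
+ /sbin/iptables -t filter -A NEWQUEUE -p tcp -m tcp --syn -j SYNLIMIT
iptables: No chain/target/match by that name.
+ /sbin/iptables -N ESTRELNFQUEUE
+ /sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -m connmark '!' --mark 0 -j ESTRELNFQUEUE
iptables v1.4.8: Couldn't load target `ESTRELNFQUEUE':/lib/xtables/libipt_ESTRELNFQUEUE.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
+ /sbin/iptables -t filter -A OUTPUT -m mark --mark 0x0/0xff000000 -m state --state ESTABLISHED -j ACCEPT
iptables: Memory allocation problem.
+ echo 0
./test.sh: line 222: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory
"""

NEW_CHAIN = re.compile(r"iptables(?:\s+-t\s+\S+)?\s+-N\s+(\S+)")
JUMP_TARGET = re.compile(r"\s-j\s+(\S+)")
ERROR_KINDS = [  # substring of the first stderr line -> error kind (names are ours)
    ("Memory allocation problem", "memory_allocation"),
    ("No chain/target/match", "no_chain_target_match"),
    ("Couldn't load target", "missing_target"),
    ("/proc/sys/", "missing_proc_entry"),
]

def parse_trace(text):
    """Group a bash -x trace into (command, [stderr lines]) pairs."""
    entries = []
    for line in text.splitlines():
        if line.startswith("+ "):
            entries.append((line[2:], []))
        elif entries:  # output belongs to the most recent traced command
            entries[-1][1].append(line)
    return entries

def classify(err):
    """Map the first stderr line of a failed command to an error kind."""
    return next((kind for needle, kind in ERROR_KINDS if needle in err), "other")

def triage(text):
    """Count failures by kind and record jumps to user chains that were
    created with -N earlier in the same run but were still rejected."""
    entries = parse_trace(text)
    created, kinds, failed_jumps, failed = set(), Counter(), set(), 0
    for cmd, errs in entries:
        m = NEW_CHAIN.search(cmd)
        if m:
            created.add(m.group(1))
        if not errs:
            continue
        failed += 1
        kinds[classify(errs[0])] += 1
        j = JUMP_TARGET.search(cmd)
        if j and j.group(1) in created:
            failed_jumps.add(j.group(1))
    return {"commands": len(entries), "failed": failed, "kinds": kinds,
            "created": created, "failed_jumps_to_own_chains": failed_jumps}

def verdict(report):
    """The reasoning from the reply above as a rule: rejected jumps to chains this
    same script created, or allocation failures, point at the iptables toolset /
    kernel pairing rather than at the generated ruleset."""
    if not report["failed"]:
        return "no failures in trace"
    if report["failed_jumps_to_own_chains"] or report["kinds"]["memory_allocation"]:
        return "iptables toolset/kernel mismatch suspected: fix iptables before the ruleset"
    if report["failed"] == report["kinds"]["missing_proc_entry"]:
        return "only missing /proc entries: disable the matching protection options"
    return "ruleset problem: inspect the failing rules"
```

Run it against the full `log` file from the `vuurmuur -b > test.sh; bash -x test.sh &> log` step to get the same summary for a real trace.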

     
  • Piotr Rogoża

    Piotr Rogoża - 2011-06-21

    This is the standard kernel for Debian: 2.6.26-2-openvz-686
    Right now I can't change the kernel to a newer version, but I can rebuild or upgrade the iptables toolset.
    On the host system (hardware node) I also use vuurmuur and it works well there.
    Version of iptables on the guest: 1.4.8-3.

    In my free time I will test it on another machine, maybe similarly configured.

     
