OpenVZ has a simulated networking stack and does not allow iptables rules in a container unless you enable them from the host node. To use iptables in an OpenVZ container, follow these steps:
1. First of all, you need a VPS running OpenVZ or Virtuozzo with a fully installed OS inside the container.
2. Then you have to enable the iptables modules for the VZ container from the host node. You do this by adding the required modules to the container configuration file, which usually resides in the /etc/vz/conf directory. Open the configuration file with your favorite text editor: `nano /etc/vz/conf/VEID.conf` and add the following line to your OpenVZ container's configuration file: `IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"` Here, "VEID" is the Virtual Environment ID of your container; replace it with your actual VEID.
3. Once you have added this line, save and close the configuration file and restart your VZ container: `vzctl restart VEID`
4. Now log in to your container. You should be able to run iptables inside the VZ container like this: `iptables -A INPUT -p tcp --dport ssh -j ACCEPT`

Remember, the host node (hypervisor) must have the required modules loaded in its kernel. If the modules are not loaded on the host node, iptables will not work in the container.
Also, as a best practice you should not enable all iptables modules for a container; enable only the modules it actually requires. This limits what the container can reach in the host kernel and so better protects the host node and the other containers.
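The steps above, as an added example that is not part of the original post: a small POSIX shell helper that sets the `IPTABLES=` line of a container configuration file idempotently (so re-running it never leaves duplicate lines), reads back what is configured, and reports which of those modules the host kernel has not loaded, which is the check to run on the host node before restarting the container. The configuration path, the function names and the example module list are assumptions; the helper does not call `vzctl`, so `vzctl restart VEID` remains a separate step.

```shell
#!/bin/sh
# Added example, not from the original post. Manages the IPTABLES= line of an
# OpenVZ container configuration (normally /etc/vz/conf/<VEID>.conf) and
# checks a list of loaded kernel modules against it.
# Assumptions: config path and module names are passed as arguments;
# restarting the container (vzctl restart VEID) is left to the caller.
set -eu

# set_iptables_modules CONF MODULE...
# Rewrites the existing IPTABLES= line or appends one, so running it twice
# does not leave duplicate lines. Pass only the modules the container needs.
set_iptables_modules() {
    conf=$1; shift
    mods="$*"
    tmp="$conf.tmp"
    if grep -q '^IPTABLES=' "$conf"; then
        sed "s|^IPTABLES=.*|IPTABLES=\"$mods\"|" "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf 'IPTABLES="%s"\n' "$mods" >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# get_iptables_modules CONF
# Prints the space-separated module list currently configured (empty if none).
get_iptables_modules() {
    sed -n 's/^IPTABLES="\(.*\)"$/\1/p' "$1"
}

# missing_modules LOADED MODULE...
# LOADED is a newline-separated list of loaded module names (for example the
# output of `lsmod | awk 'NR>1 {print $1}'` on the host node). Prints each
# MODULE that is not in LOADED, one per line; prints nothing if all are loaded.
missing_modules() {
    loaded=$1; shift
    for m in "$@"; do
        printf '%s\n' "$loaded" | grep -qx "$m" || printf '%s\n' "$m"
    done
}

# Constructed example of a reduced module list (an assumption, not a
# recommendation): which modules a given rule set really needs depends on the
# host kernel, which is exactly what the missing_modules check is for.
EXAMPLE_MODULES="iptable_filter ipt_REJECT"

# Demo on a scratch copy so nothing real is touched; run with RUN_DEMO=1.
# Against a real container you would call, on the host node:
#   set_iptables_modules /etc/vz/conf/101.conf $EXAMPLE_MODULES
demo() {
    conf=$(mktemp)
    printf 'ONBOOT="yes"\nIPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack"\n' > "$conf"
    echo "before: $(get_iptables_modules "$conf")"
    set_iptables_modules "$conf" $EXAMPLE_MODULES
    echo "after:  $(get_iptables_modules "$conf")"
    echo "configured modules not loaded in this kernel:"
    missing_modules "$(lsmod 2>/dev/null | awk 'NR>1 {print $1}')" $(get_iptables_modules "$conf")
    rm -f "$conf"
}
if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it on the host node, never inside the container: the configuration directory lives on the host, and `lsmod` there shows the module names the host kernel actually uses, which is also where to look if a module named in the post's list is not present under that name on your kernel. Anything `missing_modules` reports will not work inside the container after the restart, no matter what the configuration file says.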