Filtering network packets on hardware nodes running OpenVZ does not differ from doing so on a typical Linux server. You can use the standard iptables tool to control how network packets enter, move through, and exit the network stack within the OpenVZ kernel.
When you enable connection tracking for virtual machines and containers (e.g., for NAT), consider disabling it for the hardware node itself. This way the node itself stays reachable even if a DoS attack exhausts the connection tracking table. To disable connection tracking for the hardware node itself:

- Add the line
  options nf_conntrack ip_conntrack_disable_ve0=1
  to the file /etc/modprobe.d/vz.conf or /etc/modprobe.d/openvz.conf.
- Reload the nf_conntrack module or restart the hardware node.
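As an added example (not from the OpenVZ documentation), the following POSIX shell script applies the setting above idempotently and then checks the configuration that modprobe will actually use. The conf file path is passed as an argument; verify_effective assumes modprobe is in PATH on the hardware node.

```shell
#!/bin/sh
# Exact line the OpenVZ documentation asks for in /etc/modprobe.d/vz.conf
# (or openvz.conf). Constructed here so callers can pass any conf path.
OPTION_LINE='options nf_conntrack ip_conntrack_disable_ve0=1'

# Returns 0 if CONF already contains the exact option line.
has_option() {
    conf="$1"
    [ -f "$conf" ] && grep -qxF "$OPTION_LINE" "$conf"
}

# Appends the option line unless it is already present (safe to re-run).
# A pre-existing "options nf_conntrack ..." line with other values is left
# alone but reported, because modprobe applies every matching options line
# and a conflicting value could silently override this one.
set_conntrack_disable_ve0() {
    conf="$1"
    if has_option "$conf"; then
        return 0
    fi
    if [ -f "$conf" ] && grep -q '^options[[:space:]][[:space:]]*nf_conntrack' "$conf"; then
        echo "note: $conf already has an options nf_conntrack line; check for conflicts" >&2
    fi
    printf '%s\n' "$OPTION_LINE" >> "$conf"
}

# Shows what modprobe will really apply after merging all of /etc/modprobe.d:
# 'modprobe -c' prints the effective configuration. Returns 0 if our option
# is part of it. Only meaningful on the node itself; the change still needs
# a module reload or reboot to take effect.
verify_effective() {
    modprobe -c 2>/dev/null | grep -qF "$OPTION_LINE"
}
```

Run set_conntrack_disable_ve0 /etc/modprobe.d/vz.conf as root, then verify_effective before reloading nf_conntrack.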
For your reference, below are several resources you can consult to get detailed information on using iptables on Linux servers:

- Red Hat Enterprise Linux 7 Security Guide contains a section focusing on packet filtering basics and explaining various options available for iptables.
- iptables Tutorial 1.2.2 explains in great detail how iptables is structured and works.