How to use UFW in OpenVZ templates

I was looking at iptables / UFW in openvz templates and was able to work through some of the problems with UFW.

In this blog I will outline how to get ufw working.

The issues with UFW and OpenVZ guests are:

1. OpenVZ has limited iptables support, and the UFW scripts fail when they call the unsupported options.

See this link for a discussion (and some hints).

2. The other problem with ufw is that it attempts to load kernel modules via modprobe and change sysctl settings. Since you cannot load kernel modules in an OpenVZ guest, ufw fails; and because sysctl does not work either, we get error messages.

3. Issues with logging. By default Ubuntu (and many distros) use rsyslog, which does not work well in OpenVZ guests.

4. Fix the ufw init script (otherwise we receive errors).

5. ipv6 is not fully functional in openvz guests.

6. Some things are still broken: the ufw application profiles remain broken, so specify ports instead (see below).

“Fix” iptables

UFW throws cryptic error messages:


# ufw enable
ERROR: problem running ufw-init

# /lib/ufw/ufw-init restart
iptables-restore: line 66 failed
iptables-restore: line 30 failed

Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/after.rules'

These cryptic error messages are telling us which lines in which config files are failing.

Edit the ufw config files and comment out iptables modules incompatible with ufw.

Edit /etc/ufw/after.rules

# don't log noisy broadcast
#-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

Edit /etc/ufw/before.rules

# if LOCAL, RETURN
#-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
#-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
#-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
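Here is an added helper script (mine, not part of the original post) that does the two things this section describes: it maps the "iptables-restore: line N failed" messages back to the rule on line N of the rules file, and it comments out the addrtype rules above in one idempotent pass. It assumes the stock file layout (/etc/ufw/before.rules and /etc/ufw/after.rules) and the rule text shown above. ufw-init does not say which file a failed line number belongs to, so show_failed_lines accepts every file you pass and prints that line from each. It also comments out the "-A ufw-not-local -j DROP" line that follows the three RETURN rules, as Ken reports in the comments: once the RETURNs are gone, that DROP catches every non-local packet, which is how several commenters lost their ssh sessions.

```shell
#!/bin/sh
# Added example, not from the original post.
#  - show_failed_lines: maps "iptables-restore: line N failed" back to the rule
#    on line N of the rules file(s) ufw-init was loading.
#  - fix_before_rules / fix_after_rules: comment out the addrtype rules that
#    OpenVZ's iptables rejects, plus the "-A ufw-not-local -j DROP" that would
#    otherwise drop every non-local packet once the RETURN lines are gone.
# Usage:
#   /lib/ufw/ufw-init restart 2>&1 | sh ovz-ufw-rules.sh --show /etc/ufw/before.rules /etc/ufw/after.rules
#   sh ovz-ufw-rules.sh /etc/ufw/before.rules /etc/ufw/after.rules

# show_failed_lines FILE... < ufw-init output
# For each "iptables-restore: line N failed" on stdin, print line N of every FILE.
show_failed_lines() {
    sed -n 's/^iptables-restore: line \([0-9]*\) failed$/\1/p' |
    while read -r n; do
        for f in "$@"; do
            printf '%s:%s: %s\n' "$f" "$n" "$(sed -n "${n}p" "$f")"
        done
    done
}

# comment_rule FILE PATTERN
# Put '#' in front of every still-active "-A ..." line matching PATTERN.
# Lines that already start with '#' are not matched, so running this twice
# never produces "##". The rewrite goes through a temp file and "cat >" so
# the rules file keeps its owner and mode.
comment_rule() {
    work=$(mktemp) &&
    sed "/^-A .*$2/s/^/#/" "$1" > "$work" &&
    cat "$work" > "$1" && rm -f "$work"
}

# count_active FILE PATTERN : number of uncommented "-A ..." lines matching PATTERN
count_active() {
    grep -c "^-A .*$2" "$1" || true
}

fix_before_rules() {
    for t in LOCAL MULTICAST BROADCAST; do
        comment_rule "$1" "ufw-not-local -m addrtype --dst-type $t -j RETURN"
    done
    # Without the RETURNs above, this DROP would apply to all non-local traffic.
    comment_rule "$1" "ufw-not-local -j DROP"
}

fix_after_rules() {
    comment_rule "$1" "ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input"
}

if [ "${1:-}" = --show ]; then
    shift
    show_failed_lines "$@"
elif [ $# -eq 2 ]; then
    fix_before_rules "$1"
    fix_after_rules "$2"
fi
```

After running it, `grep -c '^-A .*ufw-not-local' /etc/ufw/before.rules` should print 0, and `ufw disable; ufw enable` should no longer report the two failed lines.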

“Fix” modprobe

Not really a fix but a workaround: we cannot really "fix" modprobe, so we make it return a success code whenever ufw calls it.

rm -f /sbin/modprobe
ln -s /bin/true /sbin/modprobe

“Fix” sysctl

Similar to modprobe, sysctl does not work inside openvz templates (you would set these parameters on the host, but they do not apply per container).


# echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects
-bash: /proc/sys/net/ipv6/conf/all/accept_redirects: Permission denied
# sysctl -w net.ipv6.conf.all.accept_redirects="1"
error: permission denied on key 'net.ipv6.conf.all.accept_redirects'

Same fix as modprobe:

rm -f /sbin/sysctl
ln -s /bin/true /sbin/sysctl

Fix logging

This fix actually works …

apt-get -y purge rsyslog
apt-get install -y syslog-ng

UFW will now log to /var/log/messages and /var/log/kern.log (but not /var/log/ufw.log).

Edit ufw init

Edit /etc/init/ufw.conf and add the following lines at the end of the file:

start on startup
#console output

ipv6

ipv6 is not fully functional in openvz guests and can cause problems with ufw.

If you are having problems with ufw and ipv6, the only solution I am aware of is to disable ipv6.

This is the cryptic error message I receive when I enable ipv6 in ufw.

# ufw enable
ERROR: Could not load logging rules

To disable ipv6, edit /etc/default/ufw and change IPV6 to “no” (without quotes)

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no
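The /etc/default/ufw edits can be scripted. The following is an added example of mine, not from the original post: it sets IPV6=no as described above, and it also comments out IPT_SYSCTL and IPT_MODULES, which is what Alex describes in the comments. With those two keys disabled ufw-init has nothing to hand to sysctl or modprobe, so this is an alternative to replacing /sbin/modprobe and /sbin/sysctl with /bin/true for every program in the guest (the concern Dan Connor raises in the comments). The key names and the file path are the stock ones shown on this page; the verify step assumes a line is "active" only when it starts at column one without a '#'.

```shell
#!/bin/sh
# Added example, not from the original post.
#   IPV6=no            the post's fix for "ERROR: Could not load logging rules"
#   #IPT_SYSCTL=...    per Alex's comment: with both keys commented out,
#   #IPT_MODULES=...   ufw-init never calls sysctl or modprobe, so the real
#                      /sbin/sysctl and /sbin/modprobe can stay in place
# Usage: sh ufw-defaults.sh /etc/default/ufw

# edit_in_place FILE SED_SCRIPT : apply SED_SCRIPT to FILE, keeping owner and mode
edit_in_place() {
    work=$(mktemp) &&
    sed "$2" "$1" > "$work" &&
    cat "$work" > "$1" && rm -f "$work"
}

# set_key FILE KEY VALUE : rewrite an active KEY=... line (VALUE must not contain '/')
set_key() { edit_in_place "$1" "s/^$2=.*/$2=$3/"; }

# comment_key FILE KEY : disable an active KEY=... line; already-commented lines are untouched
comment_key() { edit_in_place "$1" "s/^$2=/#$2=/"; }

# get_key FILE KEY : print the active value of KEY, nothing if it is unset or commented out
get_key() { sed -n "s/^$2=//p" "$1"; }

fix_ufw_defaults() {
    set_key "$1" IPV6 no
    comment_key "$1" IPT_SYSCTL
    comment_key "$1" IPT_MODULES
}

# verify_ufw_defaults FILE : succeed only when all three changes are in place
verify_ufw_defaults() {
    [ "$(get_key "$1" IPV6)" = no ] &&
    [ -z "$(get_key "$1" IPT_SYSCTL)" ] &&
    [ -z "$(get_key "$1" IPT_MODULES)" ]
}

if [ $# -eq 1 ]; then
    fix_ufw_defaults "$1" && verify_ufw_defaults "$1" && echo "ufw defaults updated: $1"
fi
```

As the comment in the file says, the change only takes effect after `ufw disable` followed by `ufw enable`.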

Still broken

The ufw application profiles add iptables rules that are incompatible with iptables in an OpenVZ guest and thus remain broken.

You will need to work around this by specifying ports rather than applications.

Thus use:

ufw allow 80/tcp
ufw allow 443/tcp

But not:

#This does NOT work
ufw allow Apache

#This does NOT work either
ufw allow "Apache Full"
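You do not have to look the ports up by hand: the application profiles in /etc/ufw/applications.d/ are ini-style files whose ports= line lists exactly the ports the profile would open. The following is an added example of mine, not part of the original post, that reads a profile and prints the equivalent per-port `ufw allow` commands instead of running `ufw allow <app>`. It assumes the standard profile syntax (a port list per protocol, protocols separated by '|', e.g. `ports=137,138/udp|139,445/tcp`) and treats a port with no protocol, as in the Bind9 profile's `ports=53`, as both tcp and udp, which is how a bare `ufw allow 53` behaves.

```shell
#!/bin/sh
# Added example, not from the original post: turn a ufw application profile
# into per-port rules, since "ufw allow Apache" fails under OpenVZ while
# "ufw allow 80/tcp" works.
# Usage: sh app-to-ports.sh /etc/ufw/applications.d/apache2-utils.ufw.profile 'Apache Full'

# app_ports FILE PROFILE : print one PORT/PROTO per line for the named profile
app_ports() {
    awk -v want="[$2]" '
        $0 == want              { in_section = 1; next }   # our [Profile] header
        /^\[/                   { in_section = 0 }         # any other header
        in_section && /^ports=/ {
            sub(/^ports=/, "")
            n = split($0, groups, "[|]")                    # "80,443/tcp|137/udp"
            for (i = 1; i <= n; i++) {
                split(groups[i], pp, "/")                   # pp[1]=ports pp[2]=proto
                m = split(pp[1], ports, ",")
                for (j = 1; j <= m; j++) {
                    if (pp[2] == "") {                      # no protocol: both
                        print ports[j] "/tcp"
                        print ports[j] "/udp"
                    } else {
                        print ports[j] "/" pp[2]
                    }
                }
            }
        }' "$1"
}

# app_rules FILE PROFILE : print the "ufw allow ..." commands (does not run them)
app_rules() {
    app_ports "$1" "$2" | while IFS= read -r p; do
        printf 'ufw allow %s\n' "$p"
    done
}

if [ $# -eq 2 ]; then
    app_rules "$1" "$2"
fi
```

Review the printed commands, then run them; port ranges in a profile (e.g. `6000:6007/tcp`) are passed through unchanged, which ufw accepts.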


39 Responses to How to use UFW in OpenVZ templates

  1. Pingback: Webmaster Crap » Blog Archive » Shadows of epiphany » Blog Archive » How to use UFW in OpenVZ …

  2. Pingback: Shadows of epiphany » Blog Archive » How to use UFW in OpenVZ … | Linux Affinity

  3. Simon says:

    # ufw enable
    ERROR: Could not load logging rules

    I have IPv6 turned off, have done each of these steps, and still get this error message. Phooey.

    I’m using the contributed OpenVZ template ubuntu-10.04-minimal_10.04_amd64.tar.gz from http://wiki.openvz.org/Download/template/precreated

  4. Pingback: How to allow outbound traffic with UFW?

  5. Pingback: OpenVZ, Ubuntu 10.04, and UFW « In Loki We Trust

  6. Dan Connor says:

    Is basically nuking modprobe system-wide really a good idea? What unintended consequences might arise from doing so?

  7. bodhi.zazen says:

    I do not think modprobe works within openvz templates (as you are running the kernel from the host node and the templates have no kernel).

  8. Sebastian says:

    Thank you, instructions work like a charm! Life (or lots of work) saver!

  9. Pingback: SSH freeze when UFW is enabled - Admins Goodies

  10. Pingback: OpenVZ Limitations « KaΩkrati

  11. Thanks for this. It was a lifesaver. I’ve converted all of your steps to a bash script that can be run once (as root), and thought I’d share it here for anybody else who might want it:


    #!/bin/bash
    # Comment out the addrtype rules that the OpenVZ iptables rejects
    sed '/A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input/s/^/#/' /etc/ufw/after.rules > ~/temp
    cp ~/temp /etc/ufw/after.rules
    sed '/-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN/s/^/#/' /etc/ufw/before.rules > ~/temp
    cp ~/temp /etc/ufw/before.rules
    sed '/-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN/s/^/#/' /etc/ufw/before.rules > ~/temp
    cp ~/temp /etc/ufw/before.rules
    sed '/-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN/s/^/#/' /etc/ufw/before.rules > ~/temp
    cp ~/temp /etc/ufw/before.rules
    # Make modprobe and sysctl return success, since neither works in a guest
    rm -f /sbin/modprobe
    ln -s /bin/true /sbin/modprobe
    rm -f /sbin/sysctl
    ln -s /bin/true /sbin/sysctl
    # Replace rsyslog with syslog-ng
    apt-get -y purge rsyslog
    apt-get install -y syslog-ng
    # Append the upstart lines (quoted so the '#' is written, not treated as a comment)
    echo 'start on startup' >> /etc/init/ufw.conf
    echo '#console output' >> /etc/init/ufw.conf
    # Disable IPv6 in ufw
    sed '/IPV6=yes/s/yes/no/' /etc/default/ufw > ~/temp
    cp ~/temp /etc/default/ufw
    rm ~/temp

  12. bodhi.zazen says:

    Nice script, thank you Colm O’Connor

  13. syahzul says:

    thank you very much bodhi.zazen and Colm O’Connor

  14. This worked for me. Thank you! :)

  15. Pingback: OpenVZ and UFW » Vidyut's Learnings in code

  16. Saulius M says:

    be advised, **ck up my ubuntu 12.04 server

  17. bodhi.zazen says:

    @Saulius M – What did you break ?

  18. John says:

    This borked my box – it no longer allows incoming ssh connections. Disabling ufw allows them in again. Investigating. On Ubuntu 10.04.4 LTS

  19. Joakim says:

    Thanks for the instructions!

    UFW now starts without errors, but I get the same treatment as John..

    ufw default deny
    ufw allow 22/tcp
    ufw enable

    Can’t connect with SSH.

    ufw disable

    Can connect with SSH.

    I’m about to give up on UFW on this box (Debian 6) :/

  20. Joakim says:

    Oh, and the “Edit ufw init” step didn’t work at all – UFW wouldn’t start. Ubuntu specific..?

  21. bodhi.zazen says:

    @Joakim – hard to tell from what you posted. To debug firewall rules, you need to post the entire set of rules. Are you using OpenVZ ?

  22. Alx says:

    Ubuntu 12.04 32bit OpenVZ template makes ufw disable all connections instead of fixing the problem. Probably having the same problem as @John, @Joakim any idea what might be causing this?

    rule is like this (ssh):
    ### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in
    -A ufw-user-input -p tcp --dport 22 -j ACCEPT
    -A ufw-user-input -p udp --dport 22 -j ACCEPT

    do not see any problem here?

  23. bodhi.zazen says:

    @Alx – ssh does not use udp, so you do not need the "-A ufw-user-input -p udp --dport 22 -j ACCEPT"

    Without seeing all the UFW/iptables rules hard to know, my guess would be a denial earlier in your rules.

  24. Alx says:

    Because i am not sure this work and use a fresh install i only have these rules in /lib/ufw/user.rules: http://pastebin.com/n13uE4P1 (just the ssh port open, web and bind is probably not needed… or is it?)
    but i believe you need different information, if you can tell me which files i will send them.

  25. bodhi.zazen says:

    Not sure how you are using ufw. If you disable your firewall, can you ssh in ? If so, see:

    http://blog.bodhizazen.net/linux/firewall-ubuntu-servers/

    If it is not working, you may need to file a bug report.

  26. michal says:

    thanks so much for this, saved me a frustrating few hours of debug of this

  27. bodhi.zazen says:

    @michal – you are most welcome

  28. Ken says:

    For those having issues with ssh, here is what I did to fix it in Ubuntu 12.04. After commenting out the lines mentioned in /etc/ufw/ufw/before.rules, everything began being blocked. After further inspection, the very next line in that file drops all non-local packets, if we haven’t returned from one of those commented out lines. “-A ufw-not-local -j DROP”. After commenting out that drop line as well, everything started working. Also, in Ubuntu I did not need to install rsyslog.

  29. bodhi.zazen says:

    @Ken Thank you for the update, much appreciated.

  30. Phil says:

    I’ve also had success using apf in a OpenVZ container. It did not require any modifications.
    I have not figured out how to have pptpd working with apf though.

  31. Pingback: Firewall in Proxmox OpenVZ Container | Auch dieser Tag geht vorbei.

  32. I’ll immediately seize your rss as I can not to find your email subscription link or e-newsletter service. Do you have any? Please allow me realize in order that I could subscribe. Thanks.

  33. Pingback: How to allow outbound traffic with UFW? - Just just easy answers

  34. Alex says:

    This is how I make UFW work in OpenVZ container (Ubuntu):

    1. run the following command
    #apt-get update
    #apt-get -y purge rsyslog
    #apt-get install -y syslog-ng
    #rm -f /sbin/sysctl
    #ln -s /bin/true /sbin/sysctl
    #rm -f /sbin/modprobe
    #ln -s /bin/true /sbin/modprobe

    2. install ufw
    #apt-get install ufw

    3. Edit /etc/init/ufw.conf and add the following lines at the end of the file:

    start on startup

    4. Disable IPV6, IPT_SYSCTL, IPT_MODULES in /etc/default/ufw by adding "#":
    #IPV6=no
    #IPT_SYSCTL=/etc/ufw/sysctl.conf
    #IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

    5. Start UFW
    #ufw enable
    You will see some error messages, please ignore them. Go to the next step.

    6. Reset UFW – very important step
    #ufw reset
    choose “Y”

    7. Enable UFW
    #ufw enable
    You will see some error messages, ignore them.

    8. Add rules for UFW
    #ufw default deny
    #ufw allow from *.*.*.*

    9. Enable UFW
    #ufw disable
    #ufw enable
    You will see error messages again here, ignore them.
    #ufw enable
    Now there should be no error messages any more. But the logging error message may still appear, if you don’t like it, run “ufw logging off”.

    Check the status of UFW
    #ufw status

    Enjoy!

  35. Pingback: Command-line firewall management still sucks » Geek and Artist

  36. Pingback: 解决Centos6系统下修改sysctl.conf报错 | 沐熙工作室

  37. Darryl Shpak says:

    Thanks a ton! Ping and DNS were broken in my OpenVZ VPS until I disabled the before.rules and after.rules lines that you describe – saved me a big headache!

  38. manu says:

    I spent some time making IPv6 work. Seems you need to comment out the following lines in /etc/ufw/before6.rules

    #-A ufw6-before-input -m rt --rt-type 0 -j DROP
    #-A ufw6-before-forward -m rt --rt-type 0 -j DROP
    #-A ufw6-before-output -m rt --rt-type 0 -j DROP
    #-A ufw6-before-input -m state --state INVALID -j ufw6-logging-deny

    Hope this helps someone. Simply disabling ipv6 is not an option in 2014.
