I was looking at iptables / UFW in openvz templates and was able to work through some of the problems with UFW.
In this post I will outline how to get ufw working in an OpenVZ guest.
The issues with UFW in OpenVZ guests are:
1. OpenVZ exposes only a subset of the iptables matches and targets to a container, and the UFW rule files fail to load when they use one the guest does not have.
See this link for a discussion (and some hints).
2. ufw also tries to load kernel modules via modprobe and to change sysctl settings. A container cannot load kernel modules, so ufw fails; and because sysctl writes are refused inside the guest, we get error messages.
3. Logging: by default Ubuntu (and many distros) use rsyslog, which does not work well in OpenVZ guests.
4. The ufw init script needs a fix (otherwise we receive errors).
5. IPv6 is not fully functional in OpenVZ guests.
6. Some things are still broken: the ufw application profiles remain broken, so specify ports instead (see below).
UFW throws cryptic error messages:
# ufw enable
ERROR: problem running ufw-init
# /lib/ufw/ufw-init restart
iptables-restore: line 66 failed
iptables-restore: line 30 failed
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/after.rules'
These cryptic error messages are telling us which lines in which config files are failing.
Edit the ufw rules files and comment out the rules that use iptables matches the OpenVZ guest does not support. In my case these were the addrtype rules: the broadcast rule in /etc/ufw/after.rules and the ufw-not-local rules in /etc/ufw/before.rules. Commented out they look like this:
# don't log noisy broadcast
#-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
# if LOCAL, RETURN
#-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
#-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
#-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
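The two steps above (reading "iptables-restore: line N failed" back to the rule in the file, then commenting out every rule that uses the addrtype match) can be scripted so you do not edit the rules files by hand. The script below is an added example and is not from the original post or from the ufw project; the function names are my own, and the sample rules file it writes is a constructed, cut-down stand-in for before.rules, not the real file. On a real guest run the functions against /etc/ufw/before.rules and /etc/ufw/after.rules (as root) and keep the .bak copies they write.

```shell
#!/bin/sh
# Added example (not from the original post): map "iptables-restore: line N failed"
# back to the offending rule, then comment out every rule that uses the addrtype
# match the OpenVZ guest cannot load. File paths are arguments; run it against
# /etc/ufw/before.rules and /etc/ufw/after.rules after taking a backup.
set -eu

# show_failed_rule FILE N: print line N of FILE, i.e. the rule that
# "iptables-restore: line N failed" refers to.
show_failed_rule() {
    sed -n "${2}p" "$1"
}

# disable_addrtype_rules FILE: keep a copy as FILE.bak and comment out every
# rule (-A ...) that uses "-m addrtype". Comments and other rules are untouched.
disable_addrtype_rules() {
    cp "$1" "$1.bak"
    sed 's/^\(-A .*-m addrtype .*\)$/#\1/' "$1.bak" > "$1"
}

# count_active_addrtype FILE: number of uncommented addrtype rules left (0 after the fix).
count_active_addrtype() {
    grep -c '^-A .*-m addrtype' "$1" || true
}

# write_sample_rules FILE: a constructed, cut-down before.rules used for the demo
# and the self-check; it is not a copy of the real ufw file.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-not-local - [0:0]
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
COMMIT
EOF
}

# Demo on the constructed file (replace with /etc/ufw/before.rules on a real guest).
tmp=$(mktemp -d)
write_sample_rules "$tmp/before.rules"
echo "line 7 failed -> $(show_failed_rule "$tmp/before.rules" 7)"
disable_addrtype_rules "$tmp/before.rules"
echo "active addrtype rules left: $(count_active_addrtype "$tmp/before.rules")"
rm -rf "$tmp"
```

The sed pattern only touches lines that start with `-A` and contain `-m addrtype`, so chain definitions, comments, COMMIT and the limit/DROP rules survive unchanged; after the edit `count_active_addrtype` should report 0 for each file, and `/lib/ufw/ufw-init restart` should no longer report those line numbers.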
Not really a fix, a workaround: we cannot really "fix" modprobe, so we make it return a success code when ufw calls it.
rm -f /sbin/modprobe
ln -s /bin/true /sbin/modprobe
Be aware of what this does: every program on the guest now gets a silent "success" from modprobe, and the next upgrade of the package that owns /sbin/modprobe will replace the symlink and the failure will return. A narrower alternative is to set IPT_MODULES="" in /etc/default/ufw, which leaves ufw-init with no modules to load, so it never calls modprobe and the system binary stays intact.
Similar to modprobe, sysctl does not work inside OpenVZ guests (these parameters are set on the host; they cannot be changed from inside a container):
# echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects
-bash: /proc/sys/net/ipv6/conf/all/accept_redirects: Permission denied
# sysctl -w net.ipv6.conf.all.accept_redirects="1"
error: permission denied on key 'net.ipv6.conf.all.accept_redirects'
Same workaround as for modprobe:
rm -f /sbin/sysctl
ln -s /bin/true /sbin/sysctl
The same caveat applies: this disables sysctl for the whole guest (including whatever /etc/sysctl.conf applies at boot), and a package upgrade will restore the real binary. The narrower alternative is to comment out, in /etc/ufw/sysctl.conf (the file ufw-init loads), the entries the guest refuses to set.
Replacing rsyslog with syslog-ng actually works:
apt-get -y purge rsyslog
apt-get install -y syslog-ng
UFW will now log to /var/log/messages and /var/log/kern.log (but not /var/log/ufw.log )
Edit the ufw init job
Edit /etc/init/ufw.conf (the upstart job) and add the following line at the end of the file:
start on startup
ipv6 is not fully functional in openvz guests and can cause problems with ufw.
If you are having problem with ufw and ipv6 the only solution I am aware of is to disable ipv6.
This is the cryptic error message I receive when I enable IPv6 in ufw:
# ufw enable
ERROR: Could not load logging rules
To disable IPv6, edit /etc/default/ufw and set IPV6 to no (then disable and enable the firewall, as the comment in the file says):
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no
The ufw application profiles add iptables rules that are incompatible with iptables in an OpenVZ guest and thus remain broken.
You will need to work around this by specifying ports rather than applications.
Thus use:
ufw allow 80/tcp
ufw allow 443/tcp
#This does NOT work
ufw allow Apache
#This does NOT work either
ufw allow "Apache Full"