Enable IPTables Modules on OpenVZ


This applies to OpenVZ on RHEL-based Linux systems.

This would also be known as the guide on how to make CSF work properly on an OpenVZ container. There are guides all over the internet about how to do this. As of a while back, these are almost all incorrect and will result in failure, as well as significant confusion.

You see, with the release of vzctl 4.7 the iptables value in container configuration (the --iptables flag to vzctl) became useless. To make matters worse, VZ still accepts the flag and the variable in container configuration without producing any errors. As a result, you have either driven yourself insane trying to make CSF work, or your clients have driven you insane in the process. Fear not, friend, I can help.

Step 1.

Open /etc/modprobe.d/openvz.conf and look for this line:

options nf_conntrack ip_conntrack_disable_ve0=1

Change this to:

options nf_conntrack ip_conntrack_disable_ve0=0


Step 2.

Enable netfilter on the container. In my example, the container ID is 101. Replace this with the container ID that fits your situation.

vzctl set 101 --netfilter full --save

Step 3.

Restart the container.

vzctl restart 101

That’s it. Enjoy!
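Because vzctl accepts the old iptables setting without complaint, it helps to check the resulting files rather than trust the command's exit status. The script below is an added example, not part of the original post: it audits the two settings changed above and flags a leftover IPTABLES= line. It assumes `--netfilter ... --save` is stored as NETFILTER= (and the old flag as IPTABLES=) in the container config, typically /etc/vz/conf/101.conf; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit the two settings this guide changes.
# File locations are assumptions; pass the real files as arguments.

# Value of ip_conntrack_disable_ve0 on the nf_conntrack options line.
conntrack_disable_ve0() {
    grep '^[[:space:]]*options[[:space:]]*nf_conntrack' "$1" |
        sed -n 's/.*ip_conntrack_disable_ve0=\([01]\).*/\1/p' | tail -n 1
}

# Value of a KEY="value" line in a container config (last one wins).
ct_conf_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# Print findings; return 0 only when both settings match the guide.
audit_ct() {
    rc=0
    ve0=$(conntrack_disable_ve0 "$1")
    nf=$(ct_conf_value "$2" NETFILTER)
    ipt=$(ct_conf_value "$2" IPTABLES)
    if [ "$ve0" != 0 ]; then
        echo "FAIL: ip_conntrack_disable_ve0=${ve0:-unset} in $1 (guide sets 0)"; rc=1
    fi
    if [ "$nf" != full ]; then
        echo "FAIL: NETFILTER=${nf:-unset} in $2 (guide sets full)"; rc=1
    fi
    if [ -n "$ipt" ]; then
        echo "NOTE: IPTABLES=\"$ipt\" in $2 is ignored since vzctl 4.7"
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $2"; fi
    return "$rc"
}

# Demo on constructed sample files: a container still relying on IPTABLES=.
demo() {
    d=$(mktemp -d)
    echo 'options nf_conntrack ip_conntrack_disable_ve0=1' > "$d/openvz.conf"
    printf 'IPTABLES="ipt_REJECT ipt_state"\n' > "$d/101.conf"
    audit_ct "$d/openvz.conf" "$d/101.conf"; status=$?
    rm -rf "$d"
    return "$status"
}

# With two arguments, audit real files; with none, run the demo.
if [ "$#" -eq 2 ]; then audit_ct "$1" "$2"; else demo || true; fi
```

On the hardware node, run it as `sh audit.sh /etc/modprobe.d/openvz.conf /etc/vz/conf/101.conf` (the script name is arbitrary).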