Fli
10-10-2017, 02:18 PM
Hello,
It seems that HyperVM OpenVZ VPS IPs are added/placed at the top of the iptables FORWARD chain.
I discovered this after inserting a new iptables rule at the top of the FORWARD chain, because after some hours this rule was somewhere in the middle of the FORWARD chain, between the VPS rules.
My aim
I wanted to keep my custom rule on the TOP of the iptables FORWARD chain so it is the first rule processed by netfilter.
How to do it
I think the HyperVM files are in /usr/local/lxlabs, so I searched the files under this path for "-I FORWARD": grep -Ril "\-I FORWARD" /usr/local/lxlabs and found:
/usr/local/lxlabs/hypervm/httpdocs/lib/vps/driver/vpstraffic__openvzlib.php
Inside is:
    static function iptables_create(){
        $list = self::get_vps_ipadress();
        if (!$list) {
            return;
        }
        foreach($list as $l) {
            if (!$l) {
                continue;
            }
            if(self::isIPV6($l)){
                exec("ip6tables -I FORWARD 1 -s $l ");
                exec("ip6tables -I FORWARD 1 -d $l ");
            }
            else{
                exec("iptables -I FORWARD 1 -s $l ");
                exec("iptables -I FORWARD 1 -d $l ");
            }
        }
    }
so I changed the highlighted lines to this:
                exec("iptables -A FORWARD -s $l ");
                exec("iptables -A FORWARD -d $l ");
So the rules will be appended at the bottom of the chain instead of inserted at the first position.
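The post's problem is rule ordering in the FORWARD chain: HyperVM's iptables_create() re-inserts the per-VPS rules at position 1 every time it runs, so any rule an admin inserted at position 1 drifts downwards. Note that the VPS rules it adds carry no -j target, so they match packets only to keep the byte/packet counters ticking (the file is the vpstraffic driver); moving them to the bottom with -A means traffic dropped by an earlier rule is no longer counted. The following script is an added example, not code from the forum post or from HyperVM: it parses the listing format of `iptables -S FORWARD` (a constructed sample is embedded, with placeholder addresses) and reports where a given rule sits and how many counter-only VPS rules precede it. A monitoring job can use is_first() to notice when the custom rule has been pushed down, instead of patching the HyperVM source.

```shell
#!/bin/sh
# Added example (not from the forum post or HyperVM): locate a rule in the
# FORWARD chain from the text that `iptables -S FORWARD` prints, so drift
# caused by HyperVM inserting VPS rules at position 1 can be detected.

# Constructed sample of `iptables -S FORWARD` output after iptables_create()
# has run a few times: counter-only VPS rules (no -j target) sit on top,
# and the admin's custom DROP rule has been pushed into the middle.
# 192.0.2.0/24 is a documentation range; the addresses are placeholders.
SAMPLE_FORWARD_LISTING='-P FORWARD ACCEPT
-A FORWARD -s 192.0.2.10/32
-A FORWARD -d 192.0.2.10/32
-A FORWARD -s 192.0.2.11/32
-A FORWARD -d 192.0.2.11/32
-A FORWARD -i eth0 -p tcp -m tcp --dport 22 -j DROP
-A FORWARD -s 192.0.2.12/32
-A FORWARD -d 192.0.2.12/32'

# rule_position LISTING RULESPEC
# Prints the 1-based position of RULESPEC among the "-A FORWARD" lines of
# LISTING, i.e. the same numbering that `iptables -I FORWARD N` and
# `iptables -L FORWARD --line-numbers` use. Prints 0 if the rule is absent.
# Only "-A FORWARD" lines are counted, so the "-P FORWARD" policy line
# does not shift the numbering.
rule_position() {
    listing=$1
    rulespec=$2
    printf '%s\n' "$listing" | awk -v want="-A FORWARD $rulespec" '
        /^-A FORWARD / { n++; if ($0 == want) { print n; found = 1; exit } }
        END { if (!found) print 0 }'
}

# accounting_rules_before LISTING RULESPEC
# Prints how many rules without a -j target (HyperVM's traffic counters)
# precede RULESPEC in the chain. Every one of them is a rule that
# HyperVM inserted above the custom rule since it was last placed at 1.
accounting_rules_before() {
    pos=$(rule_position "$1" "$2")
    printf '%s\n' "$1" | awk -v stop="$pos" '
        /^-A FORWARD / { n++; if (n >= stop) exit; if ($0 !~ / -j /) c++ }
        END { print c + 0 }'
}

# is_first LISTING RULESPEC
# Succeeds (exit 0) only when RULESPEC is the first rule of the chain.
# On a live host one would feed it "$(iptables -S FORWARD)" and, on
# failure, re-insert the rule at position 1 (delete with -D, then -I 1).
is_first() {
    [ "$(rule_position "$1" "$2")" -eq 1 ]
}

# Stand-alone run against the constructed sample.
CUSTOM_RULE='-i eth0 -p tcp -m tcp --dport 22 -j DROP'
echo "custom rule is at position $(rule_position "$SAMPLE_FORWARD_LISTING" "$CUSTOM_RULE")"
echo "counter rules above it: $(accounting_rules_before "$SAMPLE_FORWARD_LISTING" "$CUSTOM_RULE")"
if is_first "$SAMPLE_FORWARD_LISTING" "$CUSTOM_RULE"; then
    echo "custom rule is first: nothing to do"
else
    echo "custom rule has drifted: re-insert it at position 1"
fi
```

The rule spec passed in must be written exactly as `iptables -S` prints it (for example `-s 192.0.2.10/32`, not `-s 192.0.2.10`), because the comparison is a literal string match against the listing.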