Virtuozzo / OpenVZ Config Tasks

Only complete the following tasks if the system you are installing CSF to is within Virtuozzo or OpenVZ.

Enabling Iptables Modules

Before enabling iptables on a VPS you need to make sure that the iptables modules are enabled on the hardware node. Edit the /etc/sysconfig/iptables-config file on the hardware node and change the IPTABLES_MODULES parameter to the following:

IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_REDIRECT ipt_owner ipt_recent xt_connlimit"

The changes will be applied after you load all required modules and restart Virtuozzo / OpenVZ service (all VEs will be restarted):

service vz stop
service iptables restart
service vz start

Raising Iptables Limits

IP Block and country lists can create a lot of iptables rules and will make you hit your maximum rules very easily.

You will probably need to increase numiptent parameter in /proc/user_beancounters using vzctl utility. This parameter limits amount of iptables rules which a specific container is allowed to create (CID — container ID. You can find the value for each node by using the command vzlist -a):

vzctl set CID --numiptent 10000 --save

You can view your maximum allowed number of iptables rules by searching for the numiptent variable inside the container:

grep numiptent /proc/user_beancounters

Note: Virtuozzo is not the ideal VPS because it does not support ipset for high performance firewall blocking. Most of the larger VPS providers like OVH, Digital Ocean, and Linode have long switched away from using Virtuozzo and now use KVM which fully supports ipset. Even Virtuozzo themselves have switched over to using KVM in Virtuozzo 7.