OpenVZ Iptables: Allow Traffic To Pass Via venet0 To All VPS

How do I configure iptables on an OpenVZ hardware node so that all traffic passes through to my VPS (containers) while the node itself stays locked down?

venet0 is the recommended network device for OpenVZ containers, for both security and performance: it is a routed, point-to-point device with no MAC address, so containers have no layer-2 access to each other or to the LAN, and every packet between a VPS and the LAN / Internet is routed through the hardware node. That makes protecting the hardware node from unauthorized access the priority, because a compromised node compromises every container on it.

Hardware Node (eth0) ---- LAN / Internet
        | venet0
   +----+----+
   |    |    |
 vps1  vps2  vps3

Allow All Traffic To VPS

The following iptables rules let all traffic pass between the hardware node's public interface and every VPS / container, while services running on the hardware node itself (ssh, http, https, webmin) can only be reached from our LAN / admin ranges and not from the Internet. Containers get an unfiltered FORWARD path, so each container is responsible for its own firewall rules.

#!/bin/bash
# Name: /root/fw/firewall
# Explains how to setup iptables on the hardware node to allow selective access,
# but allow all traffic into the containers (VPS) so they may define their own iptables rules and
# therefore manage their own firewall.
# Author: Vivek Gite < >
# See tutorial :
# This script is under GPL v2.0 or above.
# --------------------------------------------------------------------------------------------------
IPT="/sbin/iptables"
MOP="/sbin/modprobe"
### ******************************************************************************* ###
### Part 1 - Protect Hardware Node						    ###
### ******************************************************************************* ###
### HW Node Main IP ranges ###
# Placeholder values: the page does not list real addresses, so set these for your site.
SRVIP="203.0.113.10"            # public IP of the hardware node on $PUB_IF
ADMIN_RANGES="198.51.100.0/24"  # networks allowed to reach ssh/http/https/webmin on the node;
                                # space-separate several ranges (one rule is added per range)
# Source addresses that must never arrive on the public interface (bogons / spoofed sources).
# Keep ADMIN_RANGES out of this list, or the spooflist below drops your own admin traffic.
SPOOFIP="127.0.0.0/8 0.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
### Path to other scripts ###
BADIPS=""
[ -f /root/fw/blocked.ip.txt ] && BADIPS=$(grep -v -E "^#|^$" /root/fw/blocked.ip.txt)
### Interfaces ###
PUB_IF="eth0"   # public interface
LO_IF="lo"      # loopback
VZ_IF="venet0"  # OpenVZ device shared by all containers (routed, no MAC address)
### start firewall ###
echo "Starting Firewall..."
# Flush the old rule set first so the script can be re-run safely
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
# Enable ip_conntrack (the module is called nf_conntrack on newer kernels)
$MOP ip_conntrack 2>/dev/null || $MOP nf_conntrack
# Container traffic is routed through the node, so forwarding must be on (the vz init script normally does this)
echo 1 > /proc/sys/net/ipv4/ip_forward
# DROP and close everything all incoming traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
# Allow Full Outgoing connection but no incoming stuff by default
$IPT -P OUTPUT ACCEPT
# Unlimited lo access
$IPT -A INPUT -i ${LO_IF} -j ACCEPT
# Replies to connections the node opened itself
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop bad stuff
# get all bad spam / scrap ips (one IP or CIDR per line in /root/fw/blocked.ip.txt, # comments allowed)
if [ -n "$BADIPS" ]; then
	$IPT -N spamlist
	for ipblock in $BADIPS; do
		$IPT -A spamlist -i ${PUB_IF} -s $ipblock -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "SPAM List Block "
		$IPT -A spamlist -i ${PUB_IF} -s $ipblock -j DROP
	done
	# -I puts the list ahead of the ESTABLISHED rule so a listed host is cut off mid-connection too.
	# No jump from OUTPUT: these rules match on -i, which never matches locally generated packets.
	$IPT -I INPUT -j spamlist
	$IPT -I FORWARD -j spamlist
fi
$IPT -N spooflist
for ipblock in $SPOOFIP; do
	$IPT -A spooflist -i ${PUB_IF} -s $ipblock -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "SPOOF List Block "
	$IPT -A spooflist -i ${PUB_IF} -s $ipblock -j DROP
done
$IPT -I INPUT -j spooflist
$IPT -I FORWARD -j spooflist
# Stop new connections that do not start with SYN
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
# Stop Fragments
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
# Stop NULL packets
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "NULL Packets "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Stop XMAS
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "XMAS Packets "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Stop FIN packet scans
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Fin Packets Scan "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Get rid of broadcast / multicast and anything conntrack cannot classify
$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j DROP
$IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP
# allow SSH, HTTP, HTTPS and webmin ONLY from $ADMIN_RANGES, and only to the node's own address
for range in $ADMIN_RANGES; do
	for port in 22 10000 80 443; do
		$IPT -A INPUT -i ${PUB_IF} -s ${range} -d ${SRVIP} -p tcp --destination-port ${port} -j ACCEPT
	done
done
# Allow incoming ICMP ping pong stuff (rate limited; excess falls through to the final REJECT)
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p icmp -m icmp --icmp-type 3 -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p icmp -m icmp --icmp-type 5 -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p icmp -m icmp --icmp-type 11 -m limit --limit 30/sec -j ACCEPT
### ******************************************************************************* ###
### Part 1 - Protect Hardware Node END						    ###
### ******************************************************************************* ###
### ******************************************************************************* ###
### Part 2 - ALL VPS Specific Config						    ###
### ******************************************************************************* ###
# Allow all ports for all VPS i.e. full access
# user can set their own firewall inside vps
# venet0 traffic is routed, so it traverses FORWARD, never INPUT/OUTPUT. Accepting both directions
# also covers container-to-container traffic. Packets a container sends to the node itself still
# arrive on INPUT via venet0 and are rejected unless a Part 1 rule allows them.
$IPT -A FORWARD -o ${VZ_IF} -j ACCEPT
$IPT -A FORWARD -i ${VZ_IF} -j ACCEPT
### ******************************************************************************* ###
### Part 2 - ALL VPS Specific Config END						    ###
### ******************************************************************************* ###
# drop and log everything else
$IPT -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "INPUT Reject "
$IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
exit 0

Install this script as /root/fw/firewall and make it executable:
# chmod +x /root/fw/firewall
Call it from /etc/rc.local so it runs at boot:
# echo '/root/fw/firewall' >> /etc/rc.local

Test the script from the console, or with a scheduled rollback, before wiring it into rc.local: the INPUT policy is DROP, so a wrong ADMIN_RANGES or SRVIP locks you out of ssh the moment it runs. Also note that a container can only load its own iptables rules if the hardware node grants it the needed modules (the IPTABLES setting in the container's config, written with vzctl set CTID --iptables "..." --save).
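As an added check that is not part of the original tutorial: the POSIX shell script below audits an iptables-save dump for the properties the node firewall above is meant to guarantee (DROP policies on INPUT and FORWARD, loopback and reply traffic accepted, venet0 forwarded in both directions, and no admin port accepted without a source restriction). The interface names eth0/venet0 and the admin port list are assumed from the script above; the two sample dumps are constructed for the self-test, not captured from a real node. iptables-save prints --dport even for rules added with --destination-port, which is what the port check relies on.

```shell
#!/bin/sh
# Added example, not part of the original firewall script: audit an iptables-save
# dump for the invariants the hardware-node rules are meant to guarantee.
# Exit status: 0 = every check passed, 1 = at least one check failed.

# must_match DESCRIPTION REGEX : pass if some line of $RULES matches REGEX.
must_match() {
    if printf '%s\n' "$RULES" | grep -Eq -- "$2"; then
        echo "PASS: $1"
    else
        echo "FAIL: $1"; return 1
    fi
}

# open_to_world PORT : true if INPUT accepts tcp/PORT with no -s restriction at all.
# iptables-save always prints -s before -i/-p, so a plain ' -s ' search is enough.
open_to_world() {
    printf '%s\n' "$RULES" | grep -E -- "^-A INPUT .*--dport $1( |$).*-j ACCEPT" | grep -qv -- ' -s '
}

# audit_rules DUMP : returns 0 if every invariant holds, 1 otherwise.
audit_rules() {
    RULES=$1
    failures=0
    must_match 'INPUT default policy is DROP'             '^:INPUT DROP' || failures=$((failures+1))
    must_match 'FORWARD default policy is DROP'           '^:FORWARD DROP' || failures=$((failures+1))
    must_match 'loopback traffic accepted'                '^-A INPUT -i lo -j ACCEPT' || failures=$((failures+1))
    must_match 'replies to outgoing connections accepted' '^-A INPUT .*--(ct)?state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT' || failures=$((failures+1))
    must_match 'traffic into containers forwarded'        '^-A FORWARD -o venet0 -j ACCEPT' || failures=$((failures+1))
    must_match 'traffic out of containers forwarded'      '^-A FORWARD -i venet0 -j ACCEPT' || failures=$((failures+1))
    must_match 'final catch-all REJECT present'           '^-A INPUT -j REJECT' || failures=$((failures+1))
    # Admin services must only be reachable from ADMIN_RANGES, never from any source.
    for port in 22 80 443 10000; do
        if open_to_world "$port"; then
            echo "FAIL: tcp/$port accepted from any source"; failures=$((failures+1))
        else
            echo "PASS: tcp/$port not open to the world"
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample dump (not captured from a real node): the intended state.
good_dump() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:spooflist - [0:0]
-A INPUT -j spooflist
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.0/24 -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i venet0 -j ACCEPT
-A FORWARD -o venet0 -j ACCEPT
-A spooflist -s 10.0.0.0/8 -i eth0 -j DROP
COMMIT
EOF
}

# Constructed sample dump: someone "temporarily" opened ssh to everyone, set INPUT to
# ACCEPT and lost the rule that forwards traffic into the containers.
bad_dump() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i venet0 -j ACCEPT
COMMIT
EOF
}

# On a live node:  iptables-save | sh audit-fw.sh -      or:  sh audit-fw.sh saved-rules.txt
case "${1:-}" in
    -)  audit_rules "$(cat)" ;;
    ?*) audit_rules "$(cat "$1")" ;;
esac
```

Run it with `-` to read a dump from stdin or with a file name; with no argument it only defines the functions, so `. ./audit-fw.sh` followed by `audit_rules "$(good_dump)"` and `audit_rules "$(bad_dump)"` shows the self-test on the two constructed dumps (the first passes, the second reports the open ssh port, the ACCEPT policy and the missing venet0 rule).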

This entry is 4 of 5 in the RHEL / CentOS Linux OpenVZ Virtualization Tutorial series. Keep reading the rest of the series:
  1. How To Setup OpenVZ under RHEL / CentOS Linux
  2. CentOS Linux Install OpenVZ Virtualization Software
  3. How To Create OpenVZ Virtual Machines (VPS)
  4. OpenVZ Iptables: Allow Traffic To Pass Via venet0 To All VPS
  5. OpenVZ Virtual Machine (VPS) Management

7 comments so far... add one
  • Scott Dowdle Aug 8, 2009 @ 19:18

    Oh, one more tiny thing… the preferred term now is container rather than VPS or VE… although you will still see VPS and VE used in some of the older documentation.

  • Scott Dowdle Aug 8, 2009 @ 19:21

    But wait, there is more… there is a HOWTO on the CentOS wiki. I wrote it:

  • HD Jan 3, 2010 @ 9:25

    I am getting an error at line 71 of the script
    here is the error:
    line 71: syntax error near unexpected token ‘done’
    line 71: ‘done’

    Please help

  • Matthew V May 23, 2010 @ 3:58

    Change line 71 from ‘done’ to ‘fi’

    It should be noted that a default policy of reject is bad news if your server is being accessed remotely. If you flush your rules or mess up the ADMIN_RANGES then you will be completely locked out. I created the following test script to make sure that doesn’t happen:


    #!/bin/bash
    shutdown -r +5 &

    while true; do
        read -p "Cancel Shutdown?" yn
        case $yn in
            [Yy]* ) shutdown -c; break;;
            * ) exit 0;;
        esac
    done

    The script will automatically reboot the server if you don’t press ‘y’ within 5 minutes.

    • Matthew V May 23, 2010 @ 4:03

      Also don’t link rc.local directly to your script or it will lock you out upon reboot. Instead copy the script over when satisfied or add cp -a /etc/fw/firewall /etc/fw/firewall.rc after the reboot -c

  • pppplus Mar 20, 2011 @ 13:03

    Hi, and thanks for sharing your firewall.
    One question :
    # allow SSH, HTTP, HTTPD and webmin ONlY from $ADMIN_RANGES
    $IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 22 -j ACCEPT
    $IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 10000 -j ACCEPT
    $IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 80 -j ACCEPT
    $IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 443 -j ACCEPT

    If I understand well, all traffic from IPs in ADMIN_RANGES is allowed.
    But what can I do if I do not have a static IP?
    What can I do if I want it to be possible to connect by SSH and port 80 from everywhere?

  • Francis Lee Mondia Oct 12, 2012 @ 3:23

    Will this work on debian (proxmox box) also?
