[PVE-User] iptables -L -t nat not working inside VE

Pongracz Istvan pongracz.istvan at gmail.com
Tue Jan 6 13:16:27 CET 2009

Hi All,

I am trying to use iptables rules inside the container, but it seems the nat table
is not accessible inside the container:
# iptables -L -t nat
FATAL: Could not load /lib/modules/2.6.24-1-pve/modules.dep: No such
file or directory
iptables v1.3.6: can't initialize iptables table `nat': Table does not
exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I googled around this morning but I did not find a solution for this.

I used the following systems as VEs for testing this problem:
   - lenny i386
   - etch i386
   - etch amd64

I found that if I try to load ip_conntrack on the HN with modprobe
ip_conntrack, nothing happens.
The module does not appear in the list (lsmod).
There is nothing in the dmesg log.

Sometimes I get this dmesg error, I think at the time when '-m state'
is present in the iptables parameters:
'can't load conntrack support for proto=2'

I have this line in my vz.conf to enable modules for VEs:

IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter
iptable_mangle ipt_TCPMSS ipt_tcpmss \ 
          ipt_ttl ipt_length ip_conntrack ip_conntrack_ftp
ip_conntrack_irc ipt_LOG ipt_conntrack ipt_helper \
          ipt_state iptable_nat ip_nat_ftp ip_nat_irc ipt_TOS  "

Normal iptables rules are working, but not NAT and related parameters.
On the hardware node there is a well-working shorewall firewall, if that
matters.

Does anybody know this behaviour and the solution, if there is any?

Thanks in advance,

BSA. Because you deserve it.
Open Source. Because I deserve it.
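An added troubleshooting check, not code from the original post: run on the hardware node, it parses the IPTABLES= list from vz.conf (handling the backslash-continued lines shown above) and reports which of those modules are not loaded according to lsmod, since a module that is not loaded on the HN cannot be available to a VE. The sample vz.conf and lsmod listing are constructed for the demonstration.

```shell
# Added example, not from the original post: list the modules named in
# vz.conf's IPTABLES= setting that are not loaded on the HN (per lsmod).

# Print, one per line, the module names from the (possibly backslash-
# continued) IPTABLES="..." assignment in the vz.conf given as $1.
vz_iptables_modules() {
    awk '
        /^IPTABLES=/ { inval = 1 }
        inval {
            line = $0
            cont = (line ~ /\\[ \t]*$/)     # continued on the next line?
            sub(/\\[ \t]*$/, "", line)      # strip the continuation mark
            buf = buf " " line
            if (!cont) inval = 0
        }
        END {
            sub(/^.*IPTABLES="/, "", buf)   # keep only the quoted value
            sub(/".*$/, "", buf)
            n = split(buf, mods, /[ \t]+/)
            for (i = 1; i <= n; i++) if (mods[i] != "") print mods[i]
        }' "$1"
}

# Print the vz.conf modules that do not appear in the first column of the
# lsmod output saved in $2.
missing_modules() {
    for m in $(vz_iptables_modules "$1"); do
        awk -v mod="$m" '$1 == mod { found = 1 } END { exit found ? 0 : 1 }' "$2" \
            || echo "$m"
    done
}

# Constructed sample input (not captured from a real node): the IPTABLES=
# line from the post plus an lsmod listing without the NAT/conntrack modules.
# On a live HN use /etc/vz/vz.conf and the output of `lsmod`.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/vz.conf" <<'EOF'
ONBOOT=yes
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss \
          ipt_ttl ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_LOG ipt_conntrack ipt_helper \
          ipt_state iptable_nat ip_nat_ftp ip_nat_irc ipt_TOS  "
EOF
cat > "$SAMPLE/lsmod.txt" <<'EOF'
Module                  Size  Used by
iptable_mangle          3584  0
iptable_filter          3456  1
ipt_REJECT              4608  2
EOF

missing_modules "$SAMPLE/vz.conf" "$SAMPLE/lsmod.txt"
```

Running it prints the modules from the sample vz.conf that the sample lsmod does not show, among them ip_conntrack and iptable_nat.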
