Turris Omnia OS 3.5.1 + UFW in lxc Ubuntu Xenial = ERROR

A few weeks ago I created an LXC container running Ubuntu Xenial, installed LAMP and VSFTP and migrated my WordPress website to it. All ran smoothly.
However, after my Turris Omnia updated to 3.5.1 I observed very slow response times. Ultimately I discovered that update 3.5.1 is not very nice to the firewall (ufw) that I installed in the Ubuntu container in order to block brute force attacks.
For the folks at Turris: it is very easy to reproduce the error. Create an LXC container based on Ubuntu Xenial, install UFW (apt-get install ufw), add some rule (e.g. ufw allow 80/tcp) and start UFW (ufw enable).

Unfortunately, update 3.5.2, which was installed this afternoon, did not solve the problem. Enabling the ufw firewall in my LXC container gives the result:

root@LXC_NAME:~# sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.4.39-80079e1c1e5f9ca7ad734044462a761a-4/modules.dep.bin'
modprobe: FATAL: Module nf_conntrack_ftp not found in directory /lib/modules/4.4.39-80079e1c1e5f9ca7ad734044462a761a-4
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.4.39-80079e1c1e5f9ca7ad734044462a761a-4/modules.dep.bin'
modprobe: FATAL: Module nf_nat_ftp not found in directory /lib/modules/4.4.39-80079e1c1e5f9ca7ad734044462a761a-4
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.4.39-80079e1c1e5f9ca7ad734044462a761a-4/modules.dep.bin'
modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/4.4.39-80079e1c1e5f9ca7ad734044462a761a-4
iptables-restore: line 77 failed
iptables-restore: line 30 failed
ip6tables-restore: line 138 failed

Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/after.rules'
Problem running '/etc/ufw/before6.rules'

root@LXC_NAME:~#

I stumbled across the same error messages.

As LXC containers share the kernel with the host system, it is not possible to load kernel modules from inside an LXC container. Thus you have to ensure that all necessary kernel modules are installed in Turris OS and are loaded before you start the LXC container.

The following command may provide some hints if something's missing:
/usr/share/ufw/check-requirements | grep FAIL

Then you just have to disable automatic module loading by UFW. Edit the file /etc/default/ufw and replace the line:
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
with
IPT_MODULES=""

Afterwards ufw should start as expected.

Stephan

PS: Solution worked for me on Turris OS 3.8.2 and Debian 8 in LXC

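As an added example, not code from the thread or from the Turris project: a small POSIX sh helper that does the check Stephan describes from the host side, listing which of the modules named in IPT_MODULES are not loaded in the Turris kernel, plus the IPT_MODULES edit as a sed one-liner. The sample /proc/modules listing is constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Stephan's point is that the container
# cannot modprobe, so every module in IPT_MODULES must already be loaded on
# the Turris host. missing_ufw_modules compares the IPT_MODULES value from the
# container's /etc/default/ufw against a /proc/modules-style listing taken on
# the host and prints the modules that still have to be loaded there.
missing_ufw_modules() {
    ipt_modules=$1    # e.g. "nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
    host_modules=$2   # contents of the host's /proc/modules (module name is field 1)
    for m in $ipt_modules; do
        if ! printf '%s\n' "$host_modules" |
             awk -v mod="$m" '$1 == mod { found = 1 } END { exit !found }'; then
            printf '%s\n' "$m"
        fi
    done
}

# The second half of Stephan's fix: rewrite the IPT_MODULES line of a ufw
# defaults file so ufw-init no longer calls modprobe. Prints the new file
# contents; redirect to a temporary file and move it into place.
disable_ufw_modprobe() {
    sed 's/^IPT_MODULES=.*/IPT_MODULES=""/' "$1"
}

# Constructed sample of a host /proc/modules with the FTP helpers loaded
# but nf_conntrack_netbios_ns absent.
SAMPLE_HOST_MODULES='nf_nat_ftp 16384 0 - Live 0x0000000000000000
nf_conntrack_ftp 20480 1 nf_nat_ftp, Live 0x0000000000000000
nf_conntrack 131072 3 nf_nat_ftp,nf_conntrack_ftp, Live 0x0000000000000000'

# Stand-alone run against the sample; on a real host pass "$(cat /proc/modules)".
missing_ufw_modules "nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns" "$SAMPLE_HOST_MODULES"
```

Run the first function on the Turris host before starting the container; whatever it prints is what modprobe has to load there (or what you drop from IPT_MODULES if you do not need the helper).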

Thanks for the information, Stephan.

However, I am in no need for UFW anymore. Nevertheless, thanks.

Marc

Using IPT_MODULES="" solves the modprobe errors but I still have these errors:

# ufw enable
ERROR: problem running ufw-init
iptables-restore: line 77 failed
iptables-restore: line 30 failed
ip6tables-restore: line 138 failed

Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/after.rules'
Problem running '/etc/ufw/before6.rules'

The problematic lines are the last of each file (the COMMIT instruction).

# /usr/share/ufw/check-requirements 
Has python: pass (binary: python3, version: 3.6.5, py3)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: FAIL
error was: iptables: No chain/target/match by that name.
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): FAIL
error was: iptables: No chain/target/match by that name.
addrtype (MULTICAST): FAIL
error was: iptables: No chain/target/match by that name.
addrtype (BROADCAST): FAIL
error was: iptables: No chain/target/match by that name.
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: FAIL
error was: ip6tables: No chain/target/match by that name.
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-unreachable): pass
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-problem): pass
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-solicitation): pass
icmpv6 with hl (neighbor-advertisement): pass
icmpv6 with hl (router-solicitation): pass
icmpv6 with hl (router-advertisement): pass
ipv6 rt: FAIL
error was: ip6tables: No chain/target/match by that name.

FAIL: check your kernel and that you have iptables >= 1.4.0

LXC container: Ubuntu 18.04 LTS

  • iptables: 1.6.1-2ubuntu2
  • ufw: 0.35-5

Turris OS: 3.10.1

  • iptables: 1.6.1

Oops, some kernel modules were missing from Turris OS :wink:

opkg install kmod-ipt-extra for xt_addrtype
opkg install kmod-ipt-hashlimit for xt_hashlimit
opkg install kmod-ip6tables-extra for ip6t_rt

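Added example, not code from the post or from the Turris project: a shell helper that reduces the FAIL lines of check-requirements (captured inside the container) to the three opkg packages the post names for them, so the list can be handed to opkg on the host. Only the hashlimit, addrtype and "ipv6 rt" mappings given above are known to it; the sample output is an excerpt constructed from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Maps each failing check-requirements
# test to the Turris OS package the post above names for it, deduplicated.
# Anything outside the three known mappings is reported as UNKNOWN rather
# than guessed.
failing_kmod_packages() {
    # $1: captured output of /usr/share/ufw/check-requirements
    printf '%s\n' "$1" | awk -F': ' '
        $NF == "FAIL" {
            test = $1
            sub(/ \(.*\)$/, "", test)          # "addrtype (LOCAL)" -> "addrtype"
            if (test == "hashlimit")     pkg = "kmod-ipt-hashlimit"    # xt_hashlimit
            else if (test == "addrtype") pkg = "kmod-ipt-extra"        # xt_addrtype
            else if (test == "ipv6 rt")  pkg = "kmod-ip6tables-extra"  # ip6t_rt
            else                         pkg = "UNKNOWN:" test
            if (!(pkg in seen)) { seen[pkg] = 1; print pkg }
        }'
}

# Constructed excerpt of the check-requirements output shown in the post.
SAMPLE_CHECK_OUTPUT='== IPv4 ==
TCP: pass
hashlimit: FAIL
error was: iptables: No chain/target/match by that name.
limit: pass
addrtype (LOCAL): FAIL
error was: iptables: No chain/target/match by that name.
addrtype (MULTICAST): FAIL
error was: iptables: No chain/target/match by that name.
== IPv6 ==
hashlimit: FAIL
error was: ip6tables: No chain/target/match by that name.
ipv6 rt: FAIL
error was: ip6tables: No chain/target/match by that name.

FAIL: check your kernel and that you have iptables >= 1.4.0'

# Stand-alone run: prints one package per line, ready for "opkg install".
failing_kmod_packages "$SAMPLE_CHECK_OUTPUT"
```

Save the real check-requirements output to a file in the container, copy it to the Turris host, and feed its contents to the function; rerun check-requirements after installing the packages to confirm no FAIL lines remain.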