Iptables – openvz and iptables


http://wiki.openvz.org/Setting_up_an_iptables_firewall mentions loading xt_state before starting a container in order to run iptables in containers. So I ran modprobe xt_state on the host and restarted the container and it worked great. To make this persist I added xt_state to /etc/modules.

The problem is that when I restart the physical node, the containers' iptables won't work unless I manually restart the container, at which point it'll work again. lsmod shows that xt_state is loaded. Anyone know why my containers' iptables won't work until I manually restart the container?

Best Answer

To me it looks like the module is not loaded before the ovz containers are started. Since you are using /etc/modules, I guess you are using Debian. I have no ovz host on Debian, but I would check if the modules are really loaded before ovz is started, maybe even load them explicitly in the ovz startup script, just to be sure.
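One way to do what the answer suggests, as an added example that is not part of the original question or answer: a small pre-start wrapper that checks /proc/modules for the required netfilter modules, loads any that are missing, re-checks, and only then starts the container. The module list, the `/proc/modules` path override and the `vzctl start` wrapper are assumptions for illustration; xt_state is the only module the thread itself names.

```shell
#!/bin/sh
# Added example, not from the original thread: refuse to start an OpenVZ
# container until the netfilter modules it needs are loaded on the host.
# MODULES_FILE and REQUIRED_MODULES are assumptions (overridable for testing).

MODULES_FILE="${MODULES_FILE:-/proc/modules}"
REQUIRED_MODULES="${REQUIRED_MODULES:-xt_state}"

# module_loaded NAME FILE: succeed if NAME is listed as a loaded module in FILE
# (/proc/modules has one module per line, name first, followed by a space).
module_loaded() {
    grep -q "^$1 " "$2"
}

# missing_modules FILE: print each required module absent from FILE, one per line.
missing_modules() {
    for m in $REQUIRED_MODULES; do
        module_loaded "$m" "$1" || echo "$m"
    done
}

# ensure_modules: modprobe whatever is missing, then verify again; fail (return 1)
# if anything is still absent so the caller does not start the container.
ensure_modules() {
    for m in $(missing_modules "$MODULES_FILE"); do
        modprobe "$m" || return 1
    done
    [ -z "$(missing_modules "$MODULES_FILE")" ]
}

# Usage: ./ct-start.sh --start <CTID>
if [ "${1:-}" = "--start" ]; then
    CTID="$2"
    if ensure_modules; then
        vzctl start "$CTID"
    else
        echo "required modules not loaded, not starting CT $CTID" >&2
        exit 1
    fi
fi
```

Calling this wrapper from the ovz init script (or in place of a bare `vzctl start`) makes the module check part of container startup rather than relying on /etc/modules having been processed first; the `ensure_modules` exit status is what makes a missing module a hard failure instead of a silently broken firewall inside the container.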