First of all, you should define which iptables modules are available to VPSes. Edit /etc/sysconfig/iptables-config and /etc/sysconfig/vz on the hardware node, and add the modules you need to the IPTABLES_MODULES= and IPTABLES= lines respectively.
For example, a typical firewall configuration requires the following modules:
ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_conntrack
The changes take effect after you restart the vz service on the hardware node.
You can also define a list of iptables modules for each VPS using the --iptables option of the vzctl utility, like this:
vzctl set 101 --iptables iptable_filter --iptables ipt_length --iptables ipt_limit --iptables iptable_mangle --iptables ipt_REDIRECT --iptables ipt_REJECT --iptables iptable_nat --iptables ipt_state --iptables ip_conntrack --save
You will probably also need to raise the barrier of the numiptent parameter (shown in /proc/user_beancounters) using the vzctl utility. This parameter limits the number of iptables rules that VPS owners are allowed to create.
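The following script is an added example, not part of the original page: it checks the IPTABLES= list in /etc/sysconfig/vz against the module list above and reads each VPS's numiptent barrier and failcnt from user_beancounters output. The sample files it parses are constructed inline so it runs offline; on a real node, point SAMPLE_VZ and SAMPLE_UBC at the real files.

```shell
#!/bin/sh
# Added example, not from the original page: check a hardware node's IPTABLES=
# list and each VPS's numiptent barrier. Constructed sample files stand in for
# /etc/sysconfig/vz and /proc/user_beancounters so this runs offline.
REQUIRED="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_conntrack"
SAMPLE_VZ=$(mktemp); SAMPLE_UBC=$(mktemp)
trap 'rm -f "$SAMPLE_VZ" "$SAMPLE_UBC"' EXIT
cat > "$SAMPLE_VZ" <<'EOF'
# constructed /etc/sysconfig/vz fragment: ipt_state and ip_conntrack are missing
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length iptable_nat"
EOF
cat > "$SAMPLE_UBC" <<'EOF'
Version: 2.5
       uid  resource       held    maxheld    barrier      limit  failcnt
      101:  kmemsize    2116096    2254848   11055923   11377049        0
            numiptent        10         16        128        128        0
      102:  kmemsize    1048576    1200000   11055923   11377049        0
            numiptent        40         40         40         40        3
EOF

# Value of KEY=... in a sysconfig-style file, quotes stripped; last assignment wins.
sysconfig_value() {  # $1=file $2=key
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}
# Print every module in REQUIRED that is absent from the configured list.
missing_modules() {  # $1=file $2=key (IPTABLES or IPTABLES_MODULES)
    configured=$(sysconfig_value "$1" "$2")
    for m in $REQUIRED; do
        case " $configured " in
            *" $m "*) ;;
            *) echo "$m" ;;
        esac
    done
}
# Column of the numiptent row for one VPS in user_beancounters format: "101:" opens
# a VE block; later rows start with the resource name, so barrier is $4, failcnt $6.
ubc_field() {  # $1=file $2=veid $3=column
    awk -v veid="$2" -v col="$3" '
        $1 ~ /^[0-9]+:$/ { cur = $1 + 0 }
        cur == veid + 0 && $1 == "numiptent" { print $col }' "$1"
}
numiptent_barrier() { ubc_field "$1" "$2" 4; }
numiptent_failcnt() { ubc_field "$1" "$2" 6; }
missing=$(missing_modules "$SAMPLE_VZ" IPTABLES)
[ -z "$missing" ] || echo "add to IPTABLES= in /etc/sysconfig/vz:" $missing
for ve in 101 102; do  # a non-zero failcnt means that VPS already hit its rule ceiling;
    # raise it with: vzctl set $ve --numiptent <barrier>:<limit> --save
    echo "VE $ve: numiptent barrier $(numiptent_barrier "$SAMPLE_UBC" $ve) failcnt $(numiptent_failcnt "$SAMPLE_UBC" $ve)"
done
```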
If you wish to run APF inside a VPS, make sure APF is configured with MONOKERN=1.
