This post is a good one for Setting up an iptables firewall on OpenVZ.

In this article, there is a sample /etc/init.d/firewall file. The line for "chkconfig 2345 08 82" was apparently coppied from /etc/init.d/iptables. While iptables can start at sequence number 8, the openvz firewall should only be invoked after vz has started. Thus, we change the number to

# chkconfig: 2345 97 87