From: Adam H. Pendleton (fmonkey_at_fmonkey.net)
Date: Wed 18 Dec 2002 - 01:44:27 GMT
Offhand, I would say that you can create ipchains (or iptables) rules that
affect only the IP of a vserver. For instance, if your master server has
an IP of 192.168.10.12, and you have vservers at .13 and .14, the
following ipchains rules would allow ssh to the master, but only to the .13
vserver (blocking it for .14):
ipchains -A input -s 0/0 -p tcp -d 192.168.10.12 22 -j ACCEPT
ipchains -A input -s 0/0 -p tcp -d 192.168.10.13 22 -j ACCEPT
ipchains -A input -s 0/0 -p tcp -d 192.168.10.14 22 -j DENY
Keep in mind that a vserver really isn't a separate server, in the
strictest sense; indeed, it is just an abstraction (more or less). So the
IP addresses of your vservers are really just IP aliases on the network
card of your master server, so you can refer to those IP's in your ipchains
rules, since the packets for those addresses will traverse the ipchains of
your master server.
P.S. -- Please, someone correct me if I have mis-spoken.
At 19:29 12/17/2002, you wrote:
>I'd like to try and get this straight in my head - poor container that it
>Ipchains does not work from within vservers. If so, then how do I control,
>vserver by vserver, the IPs and ports that respond (or don't respond)?
> In my situation I have total control over what is running in each
>vserver but it varies for each vserver and may vary for each box I run
>Vserver on. My concern/confusion is: if I do the right thing and shut out
>everything except ssh on the main server, how will a vserver run a
>web server, DNS server, or mail server only?
>Again thanks for thoughts and ideas,
> "Open Source Software - Sometimes you get more than you paid for..."
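The per-address approach Adam describes above, carried through to the original poster's actual situation (each vserver answering on a different set of services), as an added example that is not part of the original thread. It is a small POSIX shell generator: a policy table lists each IP alias on the master and the proto:port pairs that address may answer on, and the script prints the iptables commands to enforce it. The addresses follow the thread's example network (.12 master, .13 and .14 vservers); the services assigned to each address are constructed for illustration. Nothing is applied unless the output is piped to a shell as root.

```shell
#!/bin/sh
# Added example (not from the original post): build a per-vserver INPUT
# ruleset for the master host from a policy table. Because the vserver
# addresses are aliases on the master's interface, every packet for them
# passes through the master's INPUT chain, so "-d <alias>" scopes a rule
# to one vserver. Services per address below are assumed for illustration.
POLICY='192.168.10.12 tcp:22
192.168.10.13 tcp:22 tcp:80
192.168.10.14 tcp:25 tcp:53 udp:53'

# gen_rules POLICY -> prints one iptables command per line; applies nothing.
gen_rules() {
    printf '%s\n' "$1" | while read -r ip ports; do
        [ -n "$ip" ] || continue
        for tok in $ports; do
            proto=${tok%%:*}
            port=${tok#*:}
            echo "iptables -A INPUT -d $ip -p $proto --dport $port -j ACCEPT"
        done
        # Replies to connections the vserver itself opened also arrive at
        # its alias IP; without this they would hit the per-address DROP.
        echo "iptables -A INPUT -d $ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        # Anything else addressed to this alias is dropped, so a daemon
        # started inside the vserver is unreachable unless listed above.
        echo "iptables -A INPUT -d $ip -j DROP"
    done
}

# count_rules POLICY IP -> number of generated rules that name IP
# (a quick sanity check before applying the ruleset).
count_rules() {
    gen_rules "$1" | grep -c -- "-d $2 "
}

# To apply on the master, as root:  gen_rules "$POLICY" | sh
gen_rules "$POLICY"
```

The per-address DROP is what answers the original question: locking the master down to ssh does not have to lock the vservers down too, because the rules are keyed on destination address rather than on the whole host, and an address with no policy line simply gets nothing. Allow loopback (`iptables -A INPUT -i lo -j ACCEPT`) before these rules, since the vservers share the master's loopback. The same shape works with the thread's ipchains (`-A input`, `DENY` instead of `DROP`), but ipchains has no connection tracking, so the ESTABLISHED rule would have to be approximated by accepting non-SYN TCP packets instead.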