About this list Date view Thread view Subject view Author view Attachment view

From: MH - Entwicklung (entwicklung_at_heubach-edv.de)
Date: Mon 12 May 2003 - 10:13:05 BST

> Hi,
> Looks cool.
> > For cost effectiveness it is a nice idea to run public accessible
> > services on the same host where the firewall(netfilter and proxies) is
> > running. Netfilter can limit the network access to and from each
> > vserver's address.
> How do you do it?
> Do the virtual servers have public addresses?
> Do you have netfilter and routing config
> files for us to see?
> Best
> Ragnar
> ragnar_at_this.is

The netfilter configuration is no big deal. You can use public addresses or private addresses with DNAT/SNAT for routing.

Just for testing I have this configuration (without DNAT/SNAT).

Route server address
vserver's address

you block network access to/from your vserver simply by

iptables -I OUTPUT -s -j REJECT
iptables -I INPUT -d -j REJECT

(I use REJECT here for diagnosis; in production use this should be DROP.)

If you try to send packets to or from the vserver they're rejected.

However I found out that if you give the vserver the CAP_NET_RAW capability, ICMP packets generated within the vserver context originate from the root server's address and not from the vserver and therefore the above rules don't match.

If you only want to allow ssh to the vserver you can just insert the rules:

iptables -I INPUT -d -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -d -p tcp --dport 22 -m state --state NEW -j ACCEPT

You can now use ssh to your vserver from the network.

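As an added illustration (not part of the post above or of the vserver project): a small Python model of netfilter first-match evaluation loaded with the post's rules. It shows why the order of the `-I` inserts matters (each insert goes to the top of the chain, so the rule added last is checked first) and why an outbound ICMP packet that carries the root server's address, as described for CAP_NET_RAW, is not caught by the `-s <vserver>` rule. The addresses are constructed placeholders.

```python
# Added example, not from the mailing-list post: a toy model of iptables
# first-match chain evaluation. Constructed addresses: 192.0.2.1 is the
# root (host) server, 192.0.2.10 is the vserver.
ROOT, VSERVER = "192.0.2.1", "192.0.2.10"
PEER = "198.51.100.7"  # constructed address of a remote client


class Rule:
    """One iptables rule; a field set to None matches anything."""
    def __init__(self, target, src=None, dst=None, proto=None, dport=None, states=None):
        self.target, self.src, self.dst = target, src, dst
        self.proto, self.dport, self.states = proto, dport, states

    def matches(self, pkt):
        return all((
            self.src is None or pkt["src"] == self.src,
            self.dst is None or pkt["dst"] == self.dst,
            self.proto is None or pkt["proto"] == self.proto,
            self.dport is None or pkt.get("dport") == self.dport,
            self.states is None or pkt["state"] in self.states,
        ))


class Chain:
    """A chain with a default policy. insert() mirrors 'iptables -I', which
    prepends, so the rule inserted last is evaluated first."""
    def __init__(self, policy="ACCEPT"):
        self.policy, self.rules = policy, []

    def insert(self, rule):
        self.rules.insert(0, rule)

    def verdict(self, pkt):
        for rule in self.rules:  # first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy


def build_chains():
    """The post's four rules, inserted in the order the post gives them."""
    inp, out = Chain(), Chain()
    out.insert(Rule("REJECT", src=VSERVER))  # -I OUTPUT -s <vserver> -j REJECT
    inp.insert(Rule("REJECT", dst=VSERVER))  # -I INPUT -d <vserver> -j REJECT
    inp.insert(Rule("ACCEPT", dst=VSERVER, states={"ESTABLISHED", "RELATED"}))
    inp.insert(Rule("ACCEPT", dst=VSERVER, proto="tcp", dport=22, states={"NEW"}))
    return inp, out


def input_verdict(proto, dport, state, dst=VSERVER):
    inp, _ = build_chains()
    return inp.verdict({"src": PEER, "dst": dst, "proto": proto, "dport": dport, "state": state})


def output_verdict(src):
    """Outbound ICMP; with CAP_NET_RAW the vserver's pings carry the root address."""
    _, out = build_chains()
    return out.verdict({"src": src, "dst": PEER, "proto": "icmp", "state": "NEW"})
```

The model also makes visible that the OUTPUT REJECT rule on its own would stop the vserver's own SSH replies, so in practice an OUTPUT rule accepting `-m state --state ESTABLISHED,RELATED` from the vserver's address belongs next to it.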

Generated on Mon 12 May 2003 - 10:32:11 BST by hypermail 2.1.3