From: MH - Entwicklung (entwicklung_at_heubach-edv.de)
Date: Mon 12 May 2003 - 10:13:05 BST
> Looks cool.
> > For cost effectiveness it is a nice idea to run publicly accessible
> > services on the same host where the firewall (netfilter and proxies) is
> > running. Netfilter can limit the network access to and from each
> > vserver's address.
> How do you do it?
> Do the virtual servers have public addresses?
> Do you have netfilter and routing config
> files for us to see?
The netfilter configuration is no big deal. You can use public addresses or private addresses with DNAT/SNAT for routing.
Just for testing I have this configuration (without DNAT/SNAT).
Root server address 192.168.0.1
vserver's address 192.168.0.2
You block network access to/from your vserver simply by
iptables -I OUTPUT -s 192.168.0.2 -j REJECT   # nothing may leave the vserver's address
iptables -I INPUT -d 192.168.0.2 -j REJECT    # nothing may reach the vserver's address
(I use REJECT here for diagnosis; in production use this should be DROP.)
If you try to send packets to or from the vserver they're rejected.
However, I found out that if you give the vserver the CAP_NET_RAW capability, ICMP packets generated within the vserver context originate from the root server's address and not from the vserver's, and therefore the above rules don't match.
If you only want to allow ssh to the vserver, you can just insert the rules:
iptables -I INPUT -d 192.168.0.2 -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies to connections already allowed
iptables -I INPUT -d 192.168.0.2 -p tcp --dport 22 -m state --state NEW -j ACCEPT  # new ssh connections only
You can now use ssh to your vserver from the network.
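The rules above, turned into a small script as an added example (not part of the original post or of the Linux-VServer project). It keeps the post's addresses and the state-match syntax, but puts each vserver's rules in two chains of its own (the vs_in_/vs_out_ names are this example's choice) so one -I jump in INPUT and one in OUTPUT give the vserver a default-deny policy that sits ahead of whatever else is already in the table. It also adds an OUTPUT rule for ESTABLISHED,RELATED traffic, since the post's OUTPUT catch-all would otherwise block the vserver's own reply packets. The IPTABLES override is for dry runs: with IPTABLES=echo the rules are printed rather than installed.

```shell
#!/bin/sh
# Added example, not the original poster's code: per-vserver netfilter rules
# in dedicated chains.  Addresses follow the post; chain name prefix and the
# IPTABLES override are assumptions made here for illustration.
IPTABLES="${IPTABLES:-iptables}"

# vserver_rules NAME IP TARGET PORT...
# Print the iptables argument lists for one vserver, in execution order.
# TARGET is REJECT while diagnosing (blocked packets get an error back)
# and DROP in production, as the post recommends.
vserver_rules() {
    name="$1" ip="$2" target="$3"; shift 3
    in="vs_in_$name" out="vs_out_$name"
    echo "-N $in"
    echo "-N $out"
    # Packets belonging to connections that were already allowed, both ways.
    echo "-A $in -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A $out -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New inbound connections only to the published TCP ports (e.g. 22 for ssh).
    for port in "$@"; do
        echo "-A $in -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Catch-all: anything else to or from the vserver address is blocked.
    echo "-A $in -j $target"
    echo "-A $out -j $target"
    # Route all traffic for the vserver address through its chains.  -I puts
    # the jump ahead of any existing, more permissive rules in INPUT/OUTPUT.
    echo "-I INPUT -d $ip -j $in"
    echo "-I OUTPUT -s $ip -j $out"
}

# Execute the rule list through iptables (or whatever IPTABLES names).
apply_vserver_rules() {
    vserver_rules "$@" | while IFS= read -r args; do
        # Word splitting of $args into separate iptables arguments is intended.
        $IPTABLES $args || return 1
    done
}

# Number of iptables invocations a rule set produces (quick sanity check).
rule_count() {
    vserver_rules "$@" | wc -l | tr -d ' '
}

# "sh vserver_fw.sh apply" installs the rules for the post's vserver;
# prefix with IPTABLES=echo to only print them.
if [ "${1:-}" = "apply" ]; then
    apply_vserver_rules test 192.168.0.2 "${TARGET:-REJECT}" 22
fi
```

The catch-all rules match on the vserver's address only, so they do not cover the case the post describes where a vserver holding CAP_NET_RAW emits ICMP from the root server's address; check `iptables -L vs_out_test -v -n` counters against a ping from inside the vserver to see whether packets are actually reaching the chain.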