From: MH - Entwicklung (entwicklung_at_heubach-edv.de)
Date: Mon 12 May 2003 - 11:39:23 BST
> Hi List,
> iptables and vservers: As far as I can understand, it won't be
> and shouldn't be possible to edit iptables from a vserver, as
> the tables are in the kernel space?
As far as I know it is not possible to change netfilter rules from within a vserver.
The iptables command fails in a vserver context due to not being able to access the netfilter tables.
> I have a problem seeing "the whole picture" though.... Will
> the vservers inherit/use the tables from the server host, and
> if so, are there any special considerations when defining the
> iptables in the host?
The netfilter rules set on the host (root server) apply to all vservers. They are not really "inherited" but just apply to any ip traffic on the host.
However, as mentioned in the thread "root server as firewall ...", there is one problem at the moment:
ICMP packets (e.g. ping) are generated with source address of the root server and not with that of the vserver. This must be kept in mind when building netfilter rules. (You need CAP_NET_RAW for the vserver in order to generate ICMP packets)
MASQUERADE does not work for vservers. Instead DNAT and SNAT must be used. People using dynamic IP addresses have to build some ip.up and ip.down scripts to change DNAT and SNAT rules dynamically.
> E.g. to prevent a vserver from accessing the host, and the
> vserver has its own IP address, would it be correct and safe
> to DROP all packet from specific vserver to the host, by
> iptables -A INPUT -p tcp -s <vserver-local-IP> -j DROP
> in the host iptables config?
Oops, you also have to specify the destination address (-d <root server local ip>), otherwise the vserver can't connect to itself. This is important because loopback uses the local ip of the vserver and not 127.0.0.1.
I'm not involved in the development of ctx. All I know is from documentation and the results of experiments. So please don't take this for 100%.
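The points made in this reply (the DROP rule needs -d as well as -s, SNAT/DNAT instead of MASQUERADE, rules that must be swapped from an ip-up/ip-down script, and ICMP from a vserver carrying the root server's source address) as one host-side script. This is an added example, not code from the thread or from the vserver/ctx project; the addresses, interface name and function names are hypothetical, and setting IPTABLES=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# All values below are assumed/hypothetical; override them in the environment.
IPTABLES="${IPTABLES:-iptables}"        # set IPTABLES=echo to dry-run
HOST_IP="${HOST_IP:-192.0.2.1}"         # root server's local address
VSERVER_IP="${VSERVER_IP:-192.0.2.10}"  # the vserver's own address
PUBLIC_IP="${PUBLIC_IP:-203.0.113.5}"   # current (dynamic) public address
WAN_IF="${WAN_IF:-eth0}"

# Keep the vserver away from the root server. Match the destination too:
# the vserver's loopback traffic has its own IP as source AND destination
# (not 127.0.0.1), so "-s $VSERVER_IP -j DROP" alone would cut the vserver
# off from itself.
block_vserver_to_host() {
    "$IPTABLES" -A INPUT -s "$VSERVER_IP" -d "$HOST_IP" -j DROP
}

# ICMP generated inside the vserver (ping) leaves with the root server's
# source address, so a rule keyed on $VSERVER_IP would never match it.
allow_vserver_icmp() {
    "$IPTABLES" -A OUTPUT -p icmp -s "$HOST_IP" -o "$WAN_IF" -j ACCEPT
}

# MASQUERADE does not cover vserver traffic; use explicit SNAT/DNAT with
# the public address written into the rule.  $1 is -A (add) or -D (delete),
# $2 is the public address the rule refers to.
nat_rules() {
    action="$1"
    pub="$2"
    "$IPTABLES" -t nat "$action" POSTROUTING -s "$VSERVER_IP" -o "$WAN_IF" \
        -j SNAT --to-source "$pub"
    "$IPTABLES" -t nat "$action" PREROUTING -d "$pub" -i "$WAN_IF" \
        -j DNAT --to-destination "$VSERVER_IP"
}

# ip-up style hook for dynamic addresses: delete the rules that carry the
# old public IP, then add them again with the new one.
renumber_nat() {
    old="$1"
    new="$2"
    nat_rules -D "$old"
    nat_rules -A "$new"
}

# Command dispatcher for stand-alone use, e.g.:
#   ./vserver-fw.sh block
#   ./vserver-fw.sh renumber 203.0.113.5 203.0.113.6   (from ip-up)
case "${1:-}" in
    block)    block_vserver_to_host ;;
    icmp)     allow_vserver_icmp ;;
    nat-up)   nat_rules -A "$PUBLIC_IP" ;;
    nat-down) nat_rules -D "$PUBLIC_IP" ;;
    renumber) renumber_nat "$2" "$3" ;;
esac
```

Run it once with IPTABLES=echo to inspect the generated rules before applying them on the root server; the renumber step is what an ip-up script would call with the old and new dynamic address.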