From: MH - Entwicklung (entwicklung_at_heubach-edv.de)
Date: Mon 12 May 2003 - 13:08:32 BST
> On Mon, May 12, 2003 at 10:47:59AM +0200, Tor Rune Skoglund wrote:
> > Hi List,
> > E.g. to prevent a vserver from accessing the host, and the
> > vserver has its own IP address, would it be correct and safe
> > to DROP all packets from specific vserver to the host, by
> > iptables -A INPUT -p tcp -s <vserver-local-IP> -j DROP
> > in the host iptables config?
> No, local traffic isn't run through iptables as far as I'm aware.
> Erik Smit
Local traffic *is* run through netfilter.
I just checked this out:
root server: 192.168.0.1
iptables -I INPUT -s 192.168.0.2 -d 192.168.0.1 -j DROP
-> ssh from vserver to root server doesn't work
--> ssh from vserver to root server works
(Assuming netfilter default policies are ACCEPT)
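
Added example, not part of the original message: besides watching ssh fail, the per-rule packet counters from `iptables -L INPUT -v -n -x` show whether the DROP rule actually matched the vserver's traffic. The two listings below are constructed samples using the addresses from the test above, and the function names are hypothetical.

```shell
#!/bin/sh
# Read `iptables -L INPUT -v -n -x` output on stdin and report how many
# packets a DROP rule for a given source/destination pair has matched.
# A counter that rises after a connection attempt from the vserver shows
# that the traffic traversed the host's INPUT chain.

# drop_rule_pkts SRC DST -> prints the summed packet counter (0 if no rule)
drop_rule_pkts() {
    awk -v src="$1" -v dst="$2" '
        # columns: pkts bytes target prot opt in out source destination
        $3 == "DROP" && $8 == src && $9 == dst { n += $1 }
        END { print n + 0 }
    '
}

# rule_was_hit BEFORE AFTER SRC DST -> exit status 0 if the counter increased
rule_was_hit() {
    before=$(printf '%s\n' "$1" | drop_rule_pkts "$3" "$4")
    after=$(printf '%s\n' "$2" | drop_rule_pkts "$3" "$4")
    [ "$after" -gt "$before" ]
}

# Constructed sample listings (not captured from a real host):
# taken before and after an ssh attempt from 192.168.0.2 to 192.168.0.1.
SAMPLE_BEFORE='Chain INPUT (policy ACCEPT 1520 packets, 131072 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      *       192.168.0.2          192.168.0.1
      42     3360 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0'

SAMPLE_AFTER='Chain INPUT (policy ACCEPT 1533 packets, 132100 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180 DROP       all  --  *      *       192.168.0.2          192.168.0.1
      44     3520 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0'

if rule_was_hit "$SAMPLE_BEFORE" "$SAMPLE_AFTER" 192.168.0.2 192.168.0.1; then
    echo "DROP rule matched vserver traffic: it passes through INPUT"
else
    echo "counter unchanged: the rule did not see the traffic"
fi
```

On a live host, pipe the real listing into `drop_rule_pkts` before and after the connection attempt instead of using the sample variables.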