
From: Gregory (Grisha) Trubetskoy (grisha_at_ispol.com)
Date: Sun 04 Apr 2004 - 04:58:01 BST


Given that vserver won't allow you to use iptables, has anyone tried a
solution where the iptables command is replaced by a stub command that
talks to a daemon in context 0 to set up tables?

It seems that you could create a chain (or two actually - input and
output) for every vserver, and have a rule to jump to those chains based
on the vserver ip. With some clever replacing of INPUT or OUTPUT with name
of the chains for those vservers it seems you could get an 80% functional
iptables, probably enough to fool most firewall config tools (and most
users). Since that chain is only accessed for that particular IP, there
should be no way to cause any damage on the server.

I was going to try to write something like this, but wanted to check
whether I might be reinventing the wheel here.

Grisha
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
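
An added example, not part of the original post or of any vserver tool: a Python sketch of the argument rewriting that the context-0 daemon described above would have to do before running a guest's request. The chain naming scheme (vs-<name>-in / vs-<name>-out), the allowlists and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed naming scheme and allowlists; none of this comes from the post.
BUILTIN = {"INPUT": "in", "OUTPUT": "out"}
ACTIONS = {"-A", "-I", "-D", "-F", "-L"}           # no -N/-X/-P/-E for guests
OPTIONS = {"-p", "-s", "-d", "-m", "-j", "--dport", "--sport", "--state"}
TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}   # never another chain

def chain_name(vserver, builtin):
    if not re.fullmatch(r"[a-z0-9]{1,16}", vserver):
        raise ValueError("bad vserver name")
    return f"vs-{vserver}-{BUILTIN[builtin]}"

def host_setup(vserver, ip):
    """Commands context 0 runs once per vserver: two chains plus IP-based jumps."""
    ip = str(ipaddress.ip_address(ip))             # raises ValueError if malformed
    cin, cout = chain_name(vserver, "INPUT"), chain_name(vserver, "OUTPUT")
    return [["iptables", "-N", cin],
            ["iptables", "-N", cout],
            ["iptables", "-A", "INPUT", "-d", ip, "-j", cin],
            ["iptables", "-A", "OUTPUT", "-s", ip, "-j", cout]]

def rewrite(vserver, argv):
    """Map a guest's iptables argv onto its own chain, or raise ValueError.

    The result is an argv list, meant to be executed without a shell.
    """
    if argv[:2] == ["-t", "filter"]:               # only the filter table
        argv = argv[2:]
    if len(argv) < 2 or argv[0] not in ACTIONS or argv[1] not in BUILTIN:
        raise ValueError("unsupported command or chain")
    out = ["iptables", argv[0], chain_name(vserver, argv[1])]
    rest = argv[2:]
    for i, tok in enumerate(rest):
        # Exact-match allowlist also rejects bundled forms such as -tnat.
        if tok.startswith("-") and tok not in OPTIONS:
            raise ValueError(f"option not allowed: {tok}")
        if tok == "-j" and (i + 1 >= len(rest) or rest[i + 1] not in TARGETS):
            raise ValueError("jump target not allowed")
        out.append(tok)
    return out
```

Restricting -j to terminal targets is what keeps a guest from jumping into another vserver's chain or back into the host's built-in chains; anything outside the allowlists is refused rather than passed through.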


Generated on Sun 04 Apr 2004 - 04:58:24 BST by hypermail 2.1.3