From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sun 04 Apr 2004 - 15:15:20 BST
On Sat, Apr 03, 2004 at 10:58:01PM -0500, Gregory (Grisha) Trubetskoy wrote:
> Given that vserver won't allow you to use iptables, has anyone tried a
> solution where the iptables command is replaced by a stub command that
> talks to a daemon in context 0 to set up tables?
> It seems that you could create a chain (or two actually - input and
> output) for every vserver, and have a rule to jump to those chains based
> on the vserver ip. With some clever replacing of INPUT or OUTPUT with name
> of the chains for those vservers it seems you could get an 80% functional
> iptables, probably enough to fool most firewall config tools (and most
> users). Since that chain is only accessed for that particular IP, there
> should be no way to cause any damage on the server.
while the basic idea sounds very good (it crossed my mind
some time ago), the devil is in the detail:
- let's assume we have 'rules' to identify the target vserver
- let's further assume we know from what server a packet is sent
this should allow us to traverse a vINPUT and vOUTPUT table
quite well, and it might even allow us to do a vPREROUTING
or vPOSTROUTING, but it will also open the door for packet
mangling and S/DNAT, which is a security issue ...
other issues are with identifying the target vserver, because
what happens if two vservers share the same IP, but provide
different services on different ports ...
(but I guess this is a special case, just not handled here)
> I was going to try to write something like this, but wanted to check
> whether I might be reinventing the wheel here.
it might be interesting to join the (hopefully) upcoming
discussion about the next generation networking, maybe such
issues can be solved by some simple tricks ...
Vserver mailing list
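Added example, not code from either poster: a sketch of the context-0 side of the stub-and-daemon scheme discussed above, in which the daemon rewrites INPUT/OUTPUT to the vserver's private chains and refuses the nat and mangle tables and NAT targets that the reply flags as the security issue. The chain names vINPUT_<ctx>/vOUTPUT_<ctx> are assumptions, and nothing here runs iptables; each function only prints the command(s) context 0 would execute.

```shell
#!/bin/sh
# Added example (not from the thread): vetting and rewriting an iptables
# request relayed by a stub inside a vserver so that the vserver only ever
# touches its own chains. Chain names vINPUT_<ctx>/vOUTPUT_<ctx> are assumed.

# One-off setup for vserver context $1 with IP $2: private chains plus the
# jump rules that send only that IP's traffic into them (two vservers on one
# IP are not handled, as the thread itself points out).
vs_setup_cmds() {
    printf '%s\n' "iptables -N vINPUT_$1" "iptables -N vOUTPUT_$1" \
        "iptables -A INPUT -d $2 -j vINPUT_$1" \
        "iptables -A OUTPUT -s $2 -j vOUTPUT_$1"
}

# Rewrite the stub's arguments for vserver $1. Prints the command on success;
# prints nothing and returns 1 if the request would leave the sandbox.
vs_rewrite() {
    ctx="$1"; shift
    out=""; expect=""
    for tok in "$@"; do
        if [ -n "$expect" ]; then        # value of the option seen just before
            case "$expect" in
            table)  [ "$tok" = filter ] || return 1 ;;   # nat/mangle: S/DNAT, mangling
            target) case "$tok" in ACCEPT|DROP|REJECT|RETURN|LOG) ;;
                                   *) return 1 ;; esac ;; # no NAT targets, no other chains
            chain)  case "$tok" in INPUT) tok="vINPUT_$ctx" ;;
                                   OUTPUT) tok="vOUTPUT_$ctx" ;;
                                   *) return 1 ;; esac ;; # FORWARD, PREROUTING, foreign chains
            esac
            expect=""
        else
            case "$tok" in
            -t|--table)                              expect=table ;;
            -j|--jump|-g|--goto)                     expect=target ;;
            -A|--append|-I|--insert|-D|--delete|-R|--replace|-C|--check) expect=chain ;;
            -F|--flush|-L|--list|-Z|--zero)          expect=chain ;;
            -N|-X|-E|-P|--new-chain|--delete-chain|--rename-chain|--policy) return 1 ;;
            -p|-s|-d|-i|-o|-m|-n|-v|--protocol|--source|--destination|--match|--dport|--sport) ;;
            --in-interface|--out-interface|--state|--syn|--log-prefix|--icmp-type|--reject-with) ;;
            -*) return 1 ;;   # unknown flags, incl. abbreviated long options getopt accepts
            esac
        fi
        out="$out $tok"
    done
    [ -z "$expect" ] || return 1        # a bare -F/-L would act on the whole table
    echo "iptables$out"
}
```

Match values containing spaces (for example a quoted `--log-prefix`) are flattened by the string join; a real daemon would pass argv through intact.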