From: Sam Vilain (sam_at_vilain.net)
Date: Sun 10 Jul 2005 - 21:39:14 BST
Oliver Dietz wrote:
>>> # Block everything between 2 vserver
>>> iptables -A INPUT -d 192.168.0.155 -s 192.168.0.157 -j DROP
>>> iptables -A INPUT -d 192.168.0.157 -s 192.168.0.155 -j DROP
>> The INPUT chain is for packets entering the box, but with vservers
>> packets don't enter the box, all traffic is flowing inside the box. Try
>> using the PREROUTING chain instead.
> And which table? Am I right with the mangle table?
> I played around a bit, but didn't find the solution until now ... maybe
> I will try it in the next weeks again ...
[... elsewhere ...]
> I didn't try but I guess that packets between the servers don't pass the
> "INCOMING" chain as they are not entering the kernel from outside...
> I think they will walk through the FORWARD chain
Well, using FWBuilder, which generally Just Works™, the commands it
generates look like this:
$IPTABLES -A INPUT -i lo -p tcp \
-s 192.168.255.49 -d 192.168.255.0/24 --dport 22 \
-m state --state NEW -j ACCEPT
I think the packets end up going through PREROUTING, INPUT and OUTPUT,
but not FORWARD.
However, note that they are going via the "lo" interface, even though
in this case the servers are all set up on interface dummy0.
Vserver mailing list
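Following the chain layout the post suggests (local guest-to-guest traffic arriving on lo and traversing INPUT and OUTPUT, not FORWARD), here is an added example, not from the thread, that blocks traffic between two vserver guest addresses on those chains. The guest addresses are taken from the quoted rules; the IPTABLES variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): isolate two vserver guests on one host
# by dropping traffic between their addresses on the chains that local (lo)
# traffic traverses according to the post: INPUT and OUTPUT, not FORWARD.
# Set IPTABLES=echo to print the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

# Add DROP rules in both directions for a pair of guest addresses.
# Matching on -i lo / -o lo keeps these rules off the real interfaces,
# so the same addresses are still reachable from outside the host.
block_pair() {
    a="$1"; b="$2"
    # packets delivered locally from a to b, and from b to a
    "$IPTABLES" -A INPUT  -i lo -s "$a" -d "$b" -j DROP
    "$IPTABLES" -A INPUT  -i lo -s "$b" -d "$a" -j DROP
    # the same pairs on the way out, in case INPUT is not consulted
    "$IPTABLES" -A OUTPUT -o lo -s "$a" -d "$b" -j DROP
    "$IPTABLES" -A OUTPUT -o lo -s "$b" -d "$a" -j DROP
}

# Dry run: print the rules block_pair would apply, without touching the kernel.
dry_run() {
    ( IPTABLES=echo; block_pair "$1" "$2" )
}

# Number of DROP rules the dry run produces (sanity check before applying).
rule_count() {
    dry_run "$1" "$2" | grep -c -- '-j DROP'
}

# Guest addresses from the original question (constructed for this example).
[ "${NO_MAIN:-}" ] || dry_run 192.168.0.155 192.168.0.157
```

After applying the rules, confirm the chain choice by generating test traffic between the guests and reading the packet counters with `iptables -vnL INPUT` and `iptables -vnL OUTPUT`: only the chains that really see the traffic will count.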