Re: [Vserver] firewall between 2 vservers

From: Bruno <bonbons67_at_internet.lu>
Date: Sun 07 Jan 2007 - 18:27:10 GMT
Message-Id: <200701071927.10986.bonbons67@internet.lu>

On Sunday 07 January 2007 18:13, oliver oli wrote:
> i'm trying to restrict access from one vserver to another vserver
> running on the same machine. one is running on dummy0, the other one on
> dummy1. i tried firehol and shorewall, but it just doesn't work. it
> seems that all firewall rules are just ignored. what's so special with
> the vserver networking? has anyone examples of how to set up working
> iptables rules that prevent access from one vserver to another?

VServer just does IP-level isolation.

To filter with iptables, either specify lo as the interface or no interface at
all, just the addresses of both guests.
The reason for this is that the kernel sees local traffic as going over lo, no
matter which interface the IP addresses are assigned to (it would be the same if
the IP addresses were on eth0 and eth1 or even on the same interface).

If I remember well, firehol by default allows ALL lo traffic... so getting the
filtering with firehol might be some more work (you need to disable the default
allow policy on lo and set up your own rules).

Bruno
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Sun Jan 7 19:27:32 2007
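
The approach described in the reply above, as an added example that is not part of the original message: a shell sketch that prints iptables rules matching on the guest addresses and `lo` instead of `dummy0`/`dummy1`, plus a check for a blanket `lo` accept rule in `iptables-save` output. The addresses, the function names, and the choice of the INPUT chain with conntrack matching are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses are constructed samples
# (RFC 5737 documentation range); function names are hypothetical.

is_ipv4() {
    # Succeeds only for a dotted quad with every octet in 0-255.
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

guest_block_rules() {
    # Print rules that stop guest SRC from opening connections to guest DST.
    # Both guests share the host's network stack, so the packets arrive on
    # lo: match on lo plus the addresses, never on dummy0/dummy1.
    src=$1
    dst=$2
    is_ipv4 "$src" && is_ipv4 "$dst" || {
        echo "usage: guest_block_rules SRC_IP DST_IP" >&2
        return 2
    }
    # Inserted at positions 1 and 2 so they are evaluated before any
    # blanket "accept everything on lo" rule a firewall front end added.
    # Replies to connections that DST itself opened to SRC stay allowed.
    echo "iptables -I INPUT 1 -i lo -s $src -d $dst -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -I INPUT 2 -i lo -s $src -d $dst -j DROP"
}

blanket_lo_accept() {
    # Reads iptables-save output on stdin; succeeds if the INPUT chain
    # accepts all lo traffic without looking at addresses.
    grep -Eq '^-A INPUT -i lo -j ACCEPT$'
}

# Print (do not apply) the rules for two constructed guest addresses.
guest_block_rules 192.0.2.10 192.0.2.20
```

The functions only print rules; review the output and run it as root on the host, not inside a guest, to apply it.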
