Re: [Vserver] Routing in VServers

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Wed 14 Feb 2007 - 19:56:51 GMT
Message-ID: <20070214195651.GB23523@MAIL.13thfloor.at>

On Wed, Feb 14, 2007 at 05:17:39PM +0100, Oliver Welter wrote:
> Hi Asier,
>
> > Networking & firewall are not my strong points, so perhaps this could
> > sound a silly question.
>
> There are only silly answers...
>
> > I've five linux VServers, each with its own _real_ IP address (not
> > 192.168.x.y, 10.x, etc). Each one has its own services but I'd like to
> > close access from outside to some ports, but allow full communication
> > between the guests. The guests have valid IP addresses so I think
> > [DS]NAT is not needed.
>
> Communication between the guests never crosses the iptables rules,
> so you can safely use the toolset of your distro to block the ports
> from outside.

ahem, wrong!

traffic between guests and traffic between guest and host
is handled as local traffic, and passes all the chains
appropriate for local traffic, which, and that is probably
what you meant, does _not_ include the FORWARD chains ...

> If you want to do it by hand, there are a lot of rule builders
> out there, but for simply blocking ports this should be sufficient:
>
> iptables -I INPUT -p tcp --dport 3306 -j DROP

http://www.faqs.org/docs/iptables/traversingoftables.html

note, in recent kernels the local tables can be selected
independently IIRC ...

HTC,
Herbert

> Will drop all connections to mysql from outside. If you prefer a
> whitelist approach you can deny all incoming traffic by policy and only
> drill holes into the Firewall where needed - but this is a bit of magic
> as you can really ruin your day if you lock yourself out of the box :)
>
> Oliver
> --
> Diese Nachricht wurde digital unterschrieben
> oliwel's public key: http://www.oliwel.de/oliwel.crt
> Basiszertifikat: http://www.ldv.ei.tum.de/page72

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Wed Feb 14 20:28:43 2007
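Worked example, added here and not part of the thread, showing the point Herbert makes: a plain "-I INPUT -p tcp --dport 3306 -j DROP" also hits traffic between guests on the same host, because that traffic is local traffic and traverses INPUT. The script below prints the posted rule alongside a corrected set that accepts local traffic (delivered over lo) before dropping the closed ports on the external interface only. The interface name eth0, the port list (3306, 5432) and the IPT/apply_rules/naive_rules/hardened_rules names are assumptions for illustration; by default the script only echoes the iptables commands, it applies nothing.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the iptables INPUT rules for the
# situation discussed: close a few TCP ports to the outside while leaving
# guest<->guest and guest<->host traffic on the same linux-vserver host open.
# Assumptions (illustrative, not from the posts): the host's public interface
# is eth0 and the ports to close are 3306 (MySQL) and 5432. IPT defaults to
# "echo iptables", so running the script only prints the commands; run it as
# root with IPT=iptables to actually apply them.

IPT="${IPT:-echo iptables}"
EXT_IF="eth0"
CLOSED_PORTS="3306 5432"

# The rule as posted. Packets between two addresses configured on the same
# host are local traffic and traverse INPUT like anything else, so a DROP
# that does not look at the interface also cuts the guests off from each other.
naive_rules() {
    for p in $CLOSED_PORTS; do
        printf '%s\n' "-I INPUT -p tcp --dport $p -j DROP"
    done
}

# Corrected set. Local-to-local traffic is delivered over lo, so accepting lo
# first keeps the guests (and guest<->host) talking; the DROPs are then
# restricted to the external interface. Rules are appended, so they are
# listed in the order they must be evaluated.
hardened_rules() {
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"
    for p in $CLOSED_PORTS; do
        printf '%s\n' "-A INPUT -i $EXT_IF -p tcp --dport $p -j DROP"
    done
}

# Feed a rule list (one rule per line) to $IPT; word splitting is intended.
apply_rules() {
    "$@" | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPT $rule
    done
}

echo "# rule as posted (also blocks guest<->guest):"
apply_rules naive_rules
echo "# corrected ordering:"
apply_rules hardened_rules
```

To confirm the behaviour on a real host, watch the packet counters with "iptables -L INPUT -v -n" while connecting from one guest to another's port 3306: with the posted rule the DROP counter climbs, with the corrected set the "-i lo" ACCEPT counter does. If the host's public interface is not eth0, adjust EXT_IF after checking "ip addr".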