[Vserver] IPTables and limiting inter-vserver communication

From: James Miller <jimm_at_simutronics.com>
Date: Thu 24 May 2007 - 13:31:57 BST
Message-ID: <017b01c79dff$8c9dc680$5dd810d1@e3demo>

Hello everyone,

I have a Debian Etch vserver host running 2.6.18-4-xen-vserver-686 kernel,
util-vserver 0.30.212-1 and vserver-debiantools 0.3.4.

The configuration will have about 10 vserver clients running apache/php5
talking to a mysql server. Each vserver client has a regular (routable) IP
address, but each has the same MAC address as the hosting server. I would
like to use IPTables to block the client vservers from talking to each other
but since they all have the same MAC address, this becomes problematic.
What is the current best practice for doing this?

I've read a bit about NGNET-Testing and a vnet patch from
http://oldwiki.linux-vserver.org/NGNET-Testing-HOWTO but the code is dated.

I tried setting up IPTables rules on the vserver host; this helps
restrict traffic to the vserver clients but it doesn't block 'inter' vserver
communication. I've read 'hints' about running iptables inside of the
vserver client (but I haven't figured out how to implement this) and then
dropping the net_admin capability once the rules are in place.

Again, if someone can point me to a 'best practices' for accomplishing this
I would be most appreciative.

Thanks,
Jim

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Thu May 24 14:34:00 2007
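An added worked example, not part of Jim's post or of the util-vserver project: a POSIX shell script that generates a host-side iptables rule set isolating a list of guest IPs from one another. The point it relies on is that traffic between two addresses that both live on the same host never leaves the box and never hits FORWARD: it goes through the OUTPUT chain, is looped back over lo, and then goes through INPUT. A rule in those chains that matches a source/destination guest pair therefore blocks guest-to-guest traffic without needing any MAC match. The guest addresses and the chain name are constructed placeholders, and the script only prints the commands so it can be reviewed (and run offline); pipe its output to sh as root on the host to apply it.

```shell
#!/bin/sh
# Added example (not from the original post): emit iptables rules that block
# traffic between a set of vserver guest IPs that share one host interface.
# Guest-to-guest traffic on the same host traverses OUTPUT and then INPUT over
# "lo", so matching on source/destination IP there is enough; no MAC match is
# needed. The addresses and chain name below are assumptions for illustration.

VSERVER_IPS="192.0.2.11 192.0.2.12 192.0.2.13"   # constructed example guests
CHAIN="vs-isolate"                               # assumed chain name

# Print the iptables commands for the given space-separated IP list and chain.
# Usage: gen_isolation_rules "$VSERVER_IPS" "$CHAIN" | sh   (as root on host)
gen_isolation_rules() {
    ips="$1"
    chain="$2"
    echo "iptables -N $chain"
    echo "iptables -F $chain"
    # One DROP per ordered guest pair; a guest talking to its own address is
    # left alone, since that is not inter-guest traffic.
    for src in $ips; do
        for dst in $ips; do
            if [ "$src" = "$dst" ]; then
                continue
            fi
            echo "iptables -A $chain -s $src -d $dst -j DROP"
        done
    done
    # Hook the chain at the top of INPUT and OUTPUT, which is where host-local
    # traffic is seen (FORWARD never sees it). Any ACCEPT a guest still needs
    # (for example to a MySQL guest on port 3306) must be inserted above these
    # jumps, otherwise the pair rule drops it.
    echo "iptables -I INPUT 1 -j $chain"
    echo "iptables -I OUTPUT 1 -j $chain"
}

# Number of DROP rules the generator produces: n*(n-1) ordered pairs.
count_drop_rules() {
    gen_isolation_rules "$1" "$2" | grep -c -- '-j DROP'
}

gen_isolation_rules "$VSERVER_IPS" "$CHAIN"
```

Two caveats a practitioner would want alongside this. First, in a stock Linux-VServer setup (without the ngnet/vnet work Jim mentions) the guests share the host's network stack rather than having their own, so the host's netfilter tables are the place where this filtering actually takes effect. Second, the rules are purely IP-based: if a guest can be made to use an address outside the list (the host's own address, for instance), it escapes the pair rules, so the guest's address assignment in its util-vserver configuration should be as tight as the host ruleset.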

Generated on Thu 24 May 2007 - 14:34:05 BST by hypermail 2.1.8