Re: [Vserver] IPTables and limiting inter-vserver communication

From: Christian Affolter <c.affolter_at_stepping-stone.ch>
Date: Thu 24 May 2007 - 15:17:38 BST
Message-ID: <46559E82.3090605@stepping-stone.ch>

Hello James!

> The configuration will have about 10 vserver clients running apache/php5
> talking to a mysql server. Each vserver client has a regular (routable) IP
> address, but each has the same MAC address as the hosting server. I would
> like to use IPTables to block the client vservers from talking to each other
> but since they all have the same MAC address, this becomes problematic.
Why should this become problematic? You want to filter IP addresses and
not MAC addresses, don't you?

> What is the current best practice for doing this?
Implement the netfilter rules on the carrier. Remember that inter-vserver
connections won't use the FORWARD chain; simply use the INPUT
and OUTPUT chains (as you probably already did for filtering ingress and
egress traffic). Furthermore, all packets will travel over the lo
(loopback) interface.
tcpdump and the various netfilter log targets will be your friends ;)

> I've read a bit about NGNET-Testing and a vnet patch from
> http://oldwiki.linux-vserver.org/NGNET-Testing-HOWTO but the code is dated.
I'm afraid I don't know what the state of the NGNET patch is...

> I tried setting up IPTables rules on the vserver host. This helps
> restrict traffic to the vserver clients, but it doesn't block 'inter' vserver
> communication. I've read 'hints' about running iptables inside of the
> vserver client (but I haven't figured out how to implement this) and then
> dropping the net_admin capability once the rules are in place.
You don't have to enable any special capabilities for filtering on the
carrier.

regards,
Chris
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Thu May 24 15:56:57 2007
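The host-side rule set Chris describes, as an added example that is not part of the original thread or of the Linux-VServer project: the guests share the carrier's network stack, so traffic between two guest IPs is seen by the host on lo and passes through INPUT/OUTPUT rather than FORWARD. The script generates the iptables commands as a dry run so they can be reviewed before being applied as root. The guest addresses and the MySQL port are constructed for illustration; the `IPTABLES` environment variable and the `apply` argument are this script's own conventions, and the state match assumes the conntrack modules are available on the carrier.

```shell
#!/bin/sh
# Added example (not from the thread): host-side netfilter rules that keep
# Linux-VServer guests from talking to each other while still letting the
# web guests reach the MySQL guest. All addresses below are constructed.

WEB_GUESTS="192.0.2.11 192.0.2.12 192.0.2.13"   # assumed apache/php5 guests
DB_GUEST="192.0.2.20"                           # assumed mysql guest
IPT="${IPTABLES:-iptables}"                     # iptables binary to prefix

# Print one iptables command per line. Nothing is executed here, so the
# output can be read (or compared with iptables-save) before applying it.
gen_rules() {
    # Replies to connections that were already allowed may pass.
    echo "$IPT -A INPUT -i lo -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Web guests may open MySQL connections to the database guest. These
    # ACCEPTs must come before the generic inter-guest DROP below.
    for src in $WEB_GUESTS; do
        echo "$IPT -A INPUT -i lo -s $src -d $DB_GUEST -p tcp --dport 3306 -j ACCEPT"
    done

    # Everything else between two distinct guests is logged and dropped.
    # Inter-guest traffic never reaches FORWARD; INPUT on lo is where the
    # carrier actually sees it.
    for src in $WEB_GUESTS $DB_GUEST; do
        for dst in $WEB_GUESTS $DB_GUEST; do
            [ "$src" = "$dst" ] && continue
            echo "$IPT -A INPUT -i lo -s $src -d $dst -j LOG --log-prefix 'vs-isolate: '"
            echo "$IPT -A INPUT -i lo -s $src -d $dst -j DROP"
        done
    done
}

# Number of generated rules, for a quick sanity check before applying.
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) gen_rules | sh ;;   # run as root on the carrier to load the rules
    *)     gen_rules ;;        # default: dry run, just show the commands
esac
```

Run it without arguments to review the rule list, then `sh isolate.sh apply` as root on the carrier. To confirm the rules bite, open a connection from one guest to another and watch `tcpdump -i lo host 192.0.2.11` on the host together with the kernel log lines prefixed `vs-isolate:`; the SYN should appear on lo and be logged, and nothing should come back.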
