SOLVED: [Vserver] IPTables and limiting inter-vserver communication

From: James Miller <jimm_at_simutronics.com>
Date: Thu 24 May 2007 - 17:57:22 BST
Message-ID: <020a01c79e24$99516c90$5dd810d1@e3demo>

> -----Original Message-----
> From: vserver-bounces@list.linux-vserver.org
> [mailto:vserver-bounces@list.linux-vserver.org] On Behalf Of
> Christian Affolter
> Sent: Thursday, May 24, 2007 9:18 AM
> To: vserver@list.linux-vserver.org
> Subject: Re: [Vserver] IPTables and limiting inter-vserver
> communication
>
> Hello James!
>
> > The configuration will have about 10 vserver clients running
> > apache/php5 talking to a mysql server. Each vserver client has a
> > regular (routable) IP address, but each has the same MAC address as
> > the hosting server. I would like to use IPTables to block the client
> > vservers from talking to each other but since they all have the same
> > MAC address, this becomes problematic.
> Why should this become problematic? You want to filter IP
> addresses and not MAC address, don't you?
>
>
> > What is the current best practice for doing this?
> Implement the netfilter rules on the carrier. Remember that
> inter-vserver connections won't use the FORWARD chain; simply
> use the INPUT and OUTPUT chains (as you probably already did
> for filtering ingress and egress traffic). Furthermore, all
> packets will travel over the lo (loopback) interface.
> tcpdump and the various netfilter log targets will be your friends ;)
>
>
> > I've read a bit about NGNET-Testing and a vnet patch from
> > http://oldwiki.linux-vserver.org/NGNET-Testing-HOWTO but the code is dated.
> I'm afraid I don't know what the state of the NGNET patch is...
>
>
> > I tried setting up IPTables rules on the vserver host; this helps
> > restrict traffic to the vserver clients but it doesn't block 'inter'
> > vserver communication. I've read 'hints' about running iptables
> > inside of the vserver client (but I haven't figured out how to
> > implement this) and then dropping the net_admin capability once the
> > rules are in place.
> You don't have to enable any special capabilities for
> filtering on the carrier.
>

Hello everyone,

Thank you for your input everyone. My problem was I had a rule, very early
on, which allowed all communication over the loopback interface (I use ssh
over xterm to connect to my hosts/servers). And as I'm sure you vserver
experts know, inter-vserver communications occur over the loopback
interface. Once I moved my rule(s) to disable communication between vserver
clients above the loopback rule, everything worked as expected.

As a side note, I REALLY wish I understood the capabilities system better and
where they're configured for newer versions of vserver. Hummm.. Someone
should write a tutorial on that =)

Thanks again!
--Jim

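The ordering mistake described in this thread, as an added example that is not part of the original mail or of the Linux-VServer project: a small lint that scans an iptables-save dump and reports when a blanket `-i lo -j ACCEPT` rule sits ahead of the rules meant to drop guest-to-guest traffic. Because inter-guest traffic on the carrier is delivered locally, it passes through the INPUT/OUTPUT chains over lo, and netfilter applies the first matching rule, so the ACCEPT wins. The guest addresses (192.0.2.11 and 192.0.2.12) and both rule sets are constructed sample data in iptables-save format; the function name `check_lo_order` is this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: lint for the rule-ordering
# mistake Jim describes. Guest-to-guest traffic on a Linux-VServer carrier is
# delivered locally, so it traverses INPUT/OUTPUT over the lo interface, and
# netfilter applies the first matching rule. A blanket "-i lo -j ACCEPT"
# placed before the inter-guest DROP rules therefore lets that traffic through.
# Guest addresses 192.0.2.11/12 and both rule sets are constructed sample data.

# Constructed sample: the ordering that failed (loopback ACCEPT comes first).
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.11/32 -d 192.0.2.12/32 -j DROP
-A INPUT -s 192.0.2.12/32 -d 192.0.2.11/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample: the corrected ordering (inter-guest DROPs come first).
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.11/32 -d 192.0.2.12/32 -j DROP
-A INPUT -s 192.0.2.12/32 -d 192.0.2.11/32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# check_lo_order CHAIN RULESET
# Prints "misordered" when, within CHAIN, a rule matching "-i lo ... -j ACCEPT"
# precedes the first DROP rule that names both a source and a destination
# address; prints "ok" otherwise (also when either kind of rule is absent).
check_lo_order() {
    chain=$1
    printf '%s\n' "$2" | awk -v chain="$chain" '
        # Only "-A CHAIN ..." lines of the requested chain are inspected;
        # NR preserves their relative order in the dump.
        $1 == "-A" && $2 == chain {
            if (!lo_line && $0 ~ /-i lo / && $0 ~ /-j ACCEPT/) lo_line = NR
            if (!drop_line && $0 ~ /-s / && $0 ~ /-d / && $0 ~ /-j DROP/) drop_line = NR
        }
        END {
            if (lo_line && drop_line && lo_line < drop_line) print "misordered"
            else print "ok"
        }'
}

# On a live carrier the dump would come from iptables-save (needs root):
#   check_lo_order INPUT "$(iptables-save)"
check_lo_order INPUT "$BAD_RULES"    # misordered
check_lo_order INPUT "$GOOD_RULES"   # ok
```

The check looks only at relative position, which is what matters here: once the inter-guest DROP rules are listed above the loopback ACCEPT, the same `iptables-save` dump reports `ok`. Run it against both INPUT and OUTPUT, since, as noted in the thread, FORWARD is never involved for locally delivered traffic.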
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Thu May 24 18:32:11 2007

Generated on Thu 24 May 2007 - 18:32:22 BST by hypermail 2.1.8