Re: AW: [vserver] IPtables, network namespaces

From: Roderick A. Anderson <raanders42_at_gmail.com>
Date: Wed 21 Mar 2012 - 14:03:47 GMT
Message-ID: <4F69DFC3.30607@gmail.com>

Fiedler Roman wrote:
> Hello Christian,
>
> Full network stack separation is not possible, but with newer kernels iptables for guest separation is working and I'm using it quite frequently.
>
> Since guests cannot add new rules, all rules are created on the host. Rules for guests are in different files so that removing the rules together with the guest is easier.
>
> Tell me if you are interested in (very simple) config examples.

I think many of us are interested. The LV systems I admin tend to run
servers (MX, NS, etc.) but there is some interest in providing guests
for clients.

Yes please, either post them or put them on the site.

Rod

-- 
> 
> Regards,
> Roman
> 
>> -----Original Message-----
>> From: Christian Balzer [mailto:chibi@gol.com]
>> Sent: Wednesday, 21 March 2012 14:30
>> To: vserver@list.linux-vserver.org
>> Subject: [vserver] IPtables, network namespaces
>>
>>
>> Hello,
>>
>> Every once in a while (actually more frequently than that) the need for
>> iptables in a guest creeps up. And I'm not just talking about cases where
>> people want to use iptables because it's the only hammer they know to beat
>> packets into submission.
>>
>> Scouring this ML finds only a few mentions, most of them completely
>> outdated, and I'm happy that I at least remembered reading about this more
>> than 2.5 years ago and came up with the net namespaces search string as
>> well.
>>
>> I believe any host-based iptables (as in some client tool messaging
>> something on the host to manipulate a client-specific iptable) is
>> cumbersome at best and prone to abuse at worst.
>> Given the functionality of net namespaces, has anybody in the past 2.5
>> years successfully used this with Vservers to set up a fully functional
>> client network interface? Care to share your knowledge/experiences?
>>
>> No trace of this in util-vserver for now, AFAIK.
>>
>> Regards,
>>
>> Christian
>> --
>> Christian Balzer        Network/Systems Engineer
>> chibi@gol.com   	Global OnLine Japan/Fusion Communications
>> http://www.gol.com/
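Roman's approach above (all rules created on the host, one rule file per guest so the rules go away with the guest) as an added example; this is not code from the thread. Guests share the host's network stack, so traffic to a guest address traverses the host's INPUT chain; the rules directory, the `vs-` chain prefix and the guest names and addresses are assumptions.

```shell
#!/bin/sh
# Added example: host-side, per-guest iptables rule files for Linux-VServer
# guests. Guests cannot add rules themselves; the host owns every rule and
# keeps each guest's rules in its own chain and its own file.
# Hypothetical: the rules directory and the "vs-" chain prefix.
RULES_DIR="${RULES_DIR:-/etc/vservers/iptables.d}"

rule() { printf '%s\n' "$*"; }          # one iptables-restore line

# Chain name derived from the guest name, within iptables' 28-character limit.
guest_chain() { printf 'vs-%s' "$1" | cut -c1-28; }

# Emit an iptables-restore fragment for one guest: every rule lives in a
# chain owned by that guest, and a single INPUT jump selects it by address.
# $1 = guest name, $2 = guest IPv4 address, rest = TCP ports to allow in.
guest_rules() {
    name=$1; ip=$2; shift 2
    chain=$(guest_chain "$name")
    rule '*filter'
    rule ":$chain - [0:0]"
    rule -A INPUT -d "$ip" -j "$chain"
    rule -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        rule -A "$chain" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    rule -A "$chain" -j DROP               # guest default: deny other inbound
    rule COMMIT
}

# One file per guest, so the guest's rules can be removed with the guest.
guest_rules_file() { guest_rules "$@" > "$RULES_DIR/$1.rules"; }

# Load a guest's file without flushing the host's own rules (root on the host).
guest_apply() { iptables-restore --noflush < "$RULES_DIR/$1.rules"; }

# Emit the commands that undo exactly what the guest's file added.
# $1 = guest name, $2 = guest IPv4 address.
guest_teardown() {
    chain=$(guest_chain "$1")
    rule iptables -D INPUT -d "$2" -j "$chain"
    rule iptables -F "$chain"
    rule iptables -X "$chain"
}

# Demo with constructed values: print the fragment for guest "web01".
guest_rules web01 192.0.2.10 22 80
```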
Received on Wed Mar 21 14:04:08 2012
Generated on Wed 21 Mar 2012 - 14:04:08 GMT by hypermail 2.1.8