From: Paul Sladen (vserver_at_paul.sladen.org)
Date: Wed 18 Dec 2002 - 00:56:19 GMT
On Tue, 17 Dec 2002, Roderick A. Anderson wrote:
Hi Rod,
> I'd like to try and get this straight in my head - poor container that it
>
> Ipchains do not work from in vservers.
Ipchains won't work from the main server either; we've been using
netfilter/iptables since 2.4...
Filtering is a kernel/system feature and therefore is prevented from access
within a vserver; set it up in your host server...
> If so then how do I control on a vserver by vserver the IPs and ports
> that respond (or don't respond?)
!?
Which daemons you start on which ports will dictate which respond...
> In my situation I have total control over what is running in each
> vserver but it varies for each vserver and may vary for each box I run
> Vserver on.
That probably helps, not having control over your own machines would
probably leave you a bit stuck...
> My concern/confusion is if I do the right thing and shut out everything
> except ssh on the main server how will a vserver run a web-server, dns
> server, or mail server only.
Presumably you would only filter out traffic destined for the host-server's
IP address, although if you're not running anything except NTP and SSH on
that IP there's not really much to filter out anyway.
HTH, HAND,
-Paul
-- Nottingham, GB
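As an added example of the host-side filtering described above (not Paul's code, nor anything from the vserver project): a POSIX sh function that emits an iptables-restore ruleset for the host, restricting the host's own address to SSH and NTP while passing traffic for the vserver addresses through untouched, so each vserver answers only on the ports where it actually runs a daemon. The host IP 192.0.2.10 and vserver IPs 192.0.2.11/12 are constructed placeholder values.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates an iptables-restore
# ruleset for the HOST kernel: filtering is a kernel feature, so it lives on
# the host, not inside a vserver.
HOST_IP="192.0.2.10"                 # constructed placeholder host address
VSERVER_IPS="192.0.2.11 192.0.2.12"  # constructed placeholder vserver addresses

host_ruleset() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback and replies to connections the host itself opened.
    echo '-A INPUT -i lo -j ACCEPT'
    echo "-A INPUT -d $HOST_IP -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Traffic to the vserver addresses is deliberately NOT filtered here:
    # which daemons each vserver starts decides which ports respond.
    for ip in $VSERVER_IPS; do
        echo "-A INPUT -d $ip -j ACCEPT"
    done
    # Only SSH and NTP are reachable on the host's own address.
    echo "-A INPUT -d $HOST_IP -p tcp --dport 22 -j ACCEPT"
    echo "-A INPUT -d $HOST_IP -p udp --dport 123 -j ACCEPT"
    # Everything else aimed at the host address is dropped (last match wins
    # only if nothing above matched, so ordering matters).
    echo "-A INPUT -d $HOST_IP -j DROP"
    echo 'COMMIT'
}

# Returns 0 if the generated ruleset explicitly accepts $1/$2 (proto/port)
# on the host address before the final DROP, 1 otherwise.
host_port_allowed() {
    host_ruleset | grep -q -- "-d $HOST_IP -p $1 --dport $2 -j ACCEPT"
}

# Load into the running kernel (needs root and iptables-restore):
#   host_ruleset | iptables-restore
```

Review the output with `host_ruleset` before loading it; the final DROP rule must stay last, otherwise it shadows the ACCEPT rules above it.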