Re: [Vserver] Routing in VServers:
 vserver development mailing list 
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]

Re: [Vserver] Routing in VServers

From: Bruno <bonbons67_at_internet.lu>
Date: Wed 14 Feb 2007 - 17:45:54 GMT
Message-Id: <200702141845.55447.bonbons67@internet.lu>

On Wednesday 14 February 2007 17:17:39 Oliver Welter wrote:
> Hi Asier,
>
> > Networking & firewall are not my strong points, so perhaps this could
> > sound a silly question.
>
> There are only silly answers...
>
> > I've five linux VServers, each with it's own _real_ IP address (not
> > 192.168.x.y, 10.x, etc). Each one has it's own services but I'd like to
> > close access from outside to some ports, but allow full communication
> > between the guests. The guests have valid IP addresses so I think
> > [DS]NAT is not needed.
>
> Communication between the guests never crosses the iptables rules, so
> you can safely use the toolset of your distro to block the ports from
> outside. If you want to do it by hand, there are a lot of rulebuilder
> outside, but for simply blocking ports this should be sufficient:

Sorry Oliver, but local traffic DOES cross iptables (INPUT and OUTPUT rules,
not sure about pre/post-routing), but crossing is done with interface 'lo'
instead of 'eth*' or whatever other interface.

When setting up your iptables rules keep this in mind, and where it makes
sense, specify the interface on which you check.

It might be a good idea to do interface/network checks in the root chains
(INPUT, OUTPUT chains) and do the real filtering in subchains.

Usually the first step is to permit everything to/from lo, then selectively
allow on other interfaces and finally have a drop/reject default policy.

> iptables -I INPUT -p tcp --dport 3306 -j DROP
>
> Will drop all connections to mysql from outside. If you prefer a
> whitelist approach you can deny all incoming trafic by policy and only
> drill holes into the Firewall where needed - but this is a bit of magic
> as you can really riun your day if you lock yourself out of the box :)
>
This would also block mysql between guest (only inside the guest itself you
could connect to mysql using the unix socket)

> Oliver

Bruno
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Wed Feb 14 18:38:32 2007

[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Wed 14 Feb 2007 - 18:38:42 GMT by hypermail 2.1.8