Re: [Vserver] IPTables and limiting inter-vserver communication

From: Baltasar Cevc <baltasar_at_cevc-topp.de>
Date: Thu 24 May 2007 - 15:21:33 BST
Message-Id: <F3931C04-767B-4146-A609-8D97313112BB@cevc-topp.de>

> I would
> like to use IPTables to block the client vservers from talking to
> each other
> but since they all have the same MAC address, this becomes
> problematic.
> What is the current best practice for doing this?

Have you tried blocking all traffic between local IPs except if source
and destination are the same?

As long as you don't give the NET_ADMIN or NET_RAW capabilities to the
guest, the users in there cannot spoof the IP.

baltasar

((( Baltasar Cevc

) World wide web:
   # http://www.openairkino.net/ (a project for the local youth; German only)
   # http://technik.juz-kirchheim.de/ (programming and admin projects)
   # http://baltasar.cevc-topp.de/ (private homepage)
) Phone:
   +49 176 23 22 08 22
)
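A worked version of the rule set Baltasar describes, added here as an example and not part of the original post: a POSIX shell script that generates the iptables rules for a constructed set of guest IPs, allowing a guest IP to talk to itself and dropping every other guest-to-guest pair. The chain name, the 192.168.100.x addresses and the `apply` argument are assumptions.

```shell
#!/bin/sh
# Constructed sample guest IPs; replace with the addresses of your guests.
GUEST_IPS="192.168.100.11 192.168.100.12 192.168.100.13"
CHAIN="VSERVER-ISOLATE"   # assumed chain name

# Print the iptables commands that isolate the guests from each other.
# A packet whose source and destination are the same guest IP is let
# through (RETURN); any other guest-to-guest pair is dropped.  Host IPs
# are not listed, so host<->guest traffic is left untouched.
gen_isolation_rules() {
    echo "iptables -N $CHAIN"
    for src in $GUEST_IPS; do
        echo "iptables -A $CHAIN -s $src -d $src -j RETURN"
    done
    for src in $GUEST_IPS; do
        for dst in $GUEST_IPS; do
            [ "$src" = "$dst" ] && continue
            echo "iptables -A $CHAIN -s $src -d $dst -j DROP"
        done
    done
    # Packets between two local IPs go OUTPUT -> lo -> INPUT, so hooking
    # INPUT on lo is enough to see every inter-guest packet.
    echo "iptables -I INPUT -i lo -j $CHAIN"
}

# Number of generated commands, handy as a sanity check before applying.
count_rules() {
    gen_isolation_rules | wc -l | tr -d ' '
}

# Rules are only executed when explicitly requested: sh isolate.sh apply
if [ "$1" = "apply" ]; then
    gen_isolation_rules | sh
fi
```

Run without arguments to review the generated commands first; the rules only take effect on the host when you pass `apply`.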

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver

Received on Thu May 24 16:33:32 2007
Generated on Thu 24 May 2007 - 16:33:37 BST by hypermail 2.1.8