> Date: Fri, 14 Oct 2011 17:35:02 +0200
> From: Admin<[email protected]>
> Subject: [Lxc-users] lxc-stop make Kernel crashing
> To: [email protected]
> Message-ID:<[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"

> Another question: has anybody implemented iptables inside containers and could
> give me advice on configuring the LOG chain or rsyslog inside a container to
> isolate iptables kernel log messages from the hypervisor?
>
Tony,
Please find one firewall example running in a container.
Step 0: all chains must be in DROP condition as the default case...
   in my case, for the FORWARD chain...

  /sbin/iptables \
              --table filter \
              --policy FORWARD DROP

Step 1: in the last table before, insert a rule in order to drop traffic
in the log, and never forget to limit the total number of packets (!)
  /sbin/iptables \
              --table filter \
              --append FORWARD \
              --jump LOG \
              --log-prefix "gateway-3: DROP " \
              --match limit \
              --limit 4/second \
              --limit-burst 5

Step 2: in the last chain, insert a DROP condition
  /sbin/iptables \
              --table filter \
              --append FORWARD \
              --jump DROP


root@gateway-3:~# iptables --verbose --line-numbers --list FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
..............
13       0     0 ACCEPT     tcp  --  eth3   eth2    192.168.22.0/24      anywhere            tcp dpt:www
14       0     0 ACCEPT     tcp  --  eth2   eth3    anywhere             192.168.22.0/24     tcp spt:www
15    1779  364K LOG        all  --  any    any     anywhere             anywhere            limit: avg 4/sec burst 5 LOG level warning prefix `gateway-3: DROP '
16    1784  365K DROP       all  --  any    any     anywhere             anywhere


Regards

-- 
--------------------------------------
  -- Jean-Marc LACROIX                 --
   -- mailto : [email protected] --
     ---------------------------------------
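The three steps above, as an added example that is not part of Jean-Marc's message: a small POSIX shell script that builds the same FORWARD policy (default DROP, rate-limited LOG with a per-container prefix, final DROP) and then shows why the prefix matters for the original question, by picking only this container's drop messages out of a kernel log. The iptables commands are only printed unless IPTABLES is set to the real binary, so the script can be read and tested without touching a firewall. The log lines are constructed samples, the hostname "gateway-3" is taken from the listing above, and the prefix value is an assumption that must match whatever --log-prefix you actually use.

```shell
#!/bin/sh
# Added example (not from the original post). Dry-run by default:
# IPTABLES=/sbin/iptables ./forward-policy.sh   applies the rules
# ./forward-policy.sh                            only prints them

# Assumption: one distinct prefix per container; this is what lets a
# log filter tell this container's drops apart from the host's.
PREFIX="gateway-3: DROP "

# Step 0 .. Step 2 from the message, in order. The limit match is placed
# before the LOG target, the conventional iptables ordering.
build_forward_policy() {
    IPT="${IPTABLES:-echo}"
    $IPT --table filter --policy FORWARD DROP
    $IPT --table filter --append FORWARD \
         --match limit --limit 4/second --limit-burst 5 \
         --jump LOG --log-prefix "$PREFIX"
    $IPT --table filter --append FORWARD --jump DROP
}

# Constructed sample kernel log (not a real capture): two drops carry
# this container's prefix, one carries a different gateway's prefix,
# and one line is unrelated sshd noise.
SAMPLE_LOG='Oct 14 17:35:02 gateway-3 kernel: [  123.456] gateway-3: DROP IN=eth2 OUT=eth3 SRC=10.0.0.5 DST=192.168.22.10 PROTO=TCP DPT=23
Oct 14 17:35:03 gateway-3 kernel: [  124.001] gateway-2: DROP IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=192.168.21.7 PROTO=UDP DPT=53
Oct 14 17:35:04 gateway-3 kernel: [  125.100] gateway-3: DROP IN=eth3 OUT=eth2 SRC=192.168.22.4 DST=8.8.8.8 PROTO=ICMP
Oct 14 17:35:05 gateway-3 sshd[1234]: Accepted publickey for root'

# Number of kernel log lines that belong to this container's LOG rule.
count_dropped() {
    printf '%s\n' "$1" | grep -F "$PREFIX" | grep -c 'kernel:'
}

# Distinct source addresses seen in this container's drop messages,
# one per line, sorted; useful as a first triage view.
dropped_sources() {
    printf '%s\n' "$1" | grep -F "$PREFIX" \
        | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort -u
}

# Demo run: print the rules (or apply them), then summarise the sample log.
build_forward_policy
echo "drops with prefix '$PREFIX': $(count_dropped "$SAMPLE_LOG")"
dropped_sources "$SAMPLE_LOG"
```

If rsyslog runs inside the container, the same prefix can be used to route these messages to their own file with a legacy property-based filter such as `:msg, contains, "gateway-3: DROP" /var/log/iptables.log` (an assumption about your rsyslog setup, not something from the message above). Note that the kernel log is shared with the host, so a unique prefix per container is what keeps the entries distinguishable; the rate limit keeps a flood of dropped packets from drowning that log.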

_______________________________________________
Lxc-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lxc-users
