OpenStack is doing something like this:
-A FORWARD -m physdev --physdev-out tap100i0 --physdev-is-bridged -j proxmoxfw-chain
-A FORWARD -m physdev --physdev-in tap100i0 --physdev-is-bridged -j proxmoxfw-chain
-A FORWARD -m physdev --physdev-out tap120i0 --physdev-is-bridged -j proxmoxfw-chain
-A FORWARD -m physdev --physdev-in tap120i0 --physdev-is-bridged -j proxmoxfw-chain
-A proxmoxfw-chain -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-in
-A proxmoxfw-chain -m physdev --physdev-in tap100i0 --physdev-is-bridged -j tap100i0-out
-A proxmoxfw-chain -m physdev --physdev-out tap120i0 --physdev-is-bridged -j tap120i0-in
-A proxmoxfw-chain -m physdev --physdev-in tap120i0 --physdev-is-bridged -j tap120i0-out
-A proxmoxfw-chain -j ACCEPT
# out rules for tap110i0: allow outgoing ssh
iptables -A tap110i0-out -p tcp --dport 22 -j RETURN
iptables -A tap110i0-out -j LOG --log-prefix "tap110out-dropped: " --log-level 4
iptables -A tap110i0-out -j DROP
# in rules for tap110i0
iptables -A tap110i0-in -m state --state INVALID -j DROP
iptables -A tap110i0-in -m state --state RELATED,ESTABLISHED -j RETURN
iptables -A tap110i0-in -j LOG --log-prefix "tap110i0in-dropped: " --log-level 4
iptables -A tap110i0-in -j DROP
FORWARD -> proxmoxfw-chain -> jump to tap chain1
                              <- return or drop
                           -> jump to tap chain2
                              <- return or drop
                           -> ACCEPT

I don't know if it's better than

FORWARD -> jump to tap chain1
           <- return or drop
        -> jump to tap chain2
           <- return or drop

(I think ACCEPT is implicit, but I'm not sure)
----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: "pve-devel" <[email protected]>
Sent: Wednesday, 22 January 2014 13:18:05
Subject: RE: [pve-devel] RFC : iptables implementation
yes, that looks better now.
> -----Original Message-----
> From: Alexandre DERUMIER [mailto:[email protected]]
> Sent: Wednesday, 22 January 2014 10:27
> To: Dietmar Maurer
> Cc: pve-devel
> Subject: Re: [pve-devel] RFC : iptables implementation
>
> Hi again,
> It seems to work if I use RETURN instead of ACCEPT in the outgoing rules
> (to another tap, or to the external network).
_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
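As an added example, not code from this thread or from Proxmox VE: a POSIX shell script that generates the first layout sketched above (FORWARD hooks into proxmoxfw-chain, proxmoxfw-chain dispatches to a per-tap in/out chain, tap chains RETURN on a match or LOG and DROP, and a single ACCEPT closes proxmoxfw-chain) as an iptables-restore ruleset. It generalises the two-tap listing in the mail to any number of taps: each argument is an assumed TAP:PORTS spec naming the tap and the comma-separated TCP ports its guest may open outbound. The chain names follow the thread; the `-m conntrack --ctstate` match is the newer spelling of the thread's `-m state --state`, and the function and argument names are this example's own.

```shell
#!/bin/sh
# Added example (not from the pve-devel thread or Proxmox VE): emit the
# FORWARD -> proxmoxfw-chain -> per-tap chain layout discussed above as a
# ruleset for iptables-restore. TAP:PORTS specs are assumed sample input.

# rule WORD... : print one ruleset line
rule() { printf '%s\n' "$*"; }

# gen_tap_chains TAP PORTS
# PORTS: comma-separated TCP ports the guest behind TAP may open outbound
# (empty = none). A match RETURNs to proxmoxfw-chain, which carries on to
# the other tap's chain and finally ACCEPTs; everything else is logged and
# dropped here, so the final ACCEPT is never reached for it.
gen_tap_chains() {
    tap=$1
    for p in $(printf '%s' "$2" | tr ',' ' '); do
        rule -A "$tap-out" -p tcp --dport "$p" -j RETURN
    done
    rule -A "$tap-out" -j LOG --log-prefix "\"${tap}out-dropped: \"" --log-level 4
    rule -A "$tap-out" -j DROP
    # conntrack is the newer spelling of the thread's "-m state --state"
    rule -A "$tap-in" -m conntrack --ctstate INVALID -j DROP
    rule -A "$tap-in" -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
    rule -A "$tap-in" -j LOG --log-prefix "\"${tap}in-dropped: \"" --log-level 4
    rule -A "$tap-in" -j DROP
}

# gen_ruleset TAP:PORTS... : print a complete *filter table
gen_ruleset() {
    rule '*filter'
    rule ':FORWARD ACCEPT [0:0]'
    rule ':proxmoxfw-chain - [0:0]'
    for spec in "$@"; do
        tap=${spec%%:*}
        rule ":$tap-in - [0:0]"
        rule ":$tap-out - [0:0]"
    done
    # Hook every bridged tap into the dispatch chain, in both directions.
    for spec in "$@"; do
        tap=${spec%%:*}
        rule -A FORWARD -m physdev --physdev-out "$tap" --physdev-is-bridged -j proxmoxfw-chain
        rule -A FORWARD -m physdev --physdev-in "$tap" --physdev-is-bridged -j proxmoxfw-chain
    done
    # Dispatch: a frame between two taps is jumped to both tap chains in
    # turn (RETURN falls through to the next rule) and only then ACCEPTed.
    for spec in "$@"; do
        tap=${spec%%:*}
        rule -A proxmoxfw-chain -m physdev --physdev-out "$tap" --physdev-is-bridged -j "$tap-in"
        rule -A proxmoxfw-chain -m physdev --physdev-in "$tap" --physdev-is-bridged -j "$tap-out"
    done
    rule -A proxmoxfw-chain -j ACCEPT
    for spec in "$@"; do
        tap=${spec%%:*}
        case $spec in *:*) ports=${spec#*:} ;; *) ports='' ;; esac
        gen_tap_chains "$tap" "$ports"
    done
    rule COMMIT
}

# Usage: sh gen_fw.sh tap100i0:22 tap120i0:22,443 | iptables-restore --test
if [ "$#" -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Piping the output through `iptables-restore --test` (as root) checks the syntax without loading it; the script itself only prints text, so it can be diffed against what `iptables-save` later shows on the host. A tap given without ports gets an out chain that logs and drops everything, which is the safe default for the layout the thread describes.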