SOLVED: [Vserver] IPTables and limiting inter-vserver communication
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christian Affolter
> Sent: Thursday, May 24, 2007 9:18 AM
> To: vserver@list.linux-vserver.org
> Subject: Re: [Vserver] IPTables and limiting inter-vserver communication
>
> [...]

Hello everyone,

Thank you for your input, everyone.

My problem was I had a rule, very early on, which allowed all communication over the loopback interface (I use ssh over xterm to connect to my hosts/servers). And as I'm sure you vserver experts know, inter-vserver communications occur over the loopback interface. Once I moved my rule(s) to disable communication between vserver clients above the loopback rule, everything worked as expected.

As a side note, I REALLY wish I understood the capabilities system better and where they're configured for newer versions of vserver. Hmmm... someone should write a tutorial on that =)

Thanks again!
--Jim

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
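The rule-ordering point of this thread (Chris: inter-vserver packets take INPUT/OUTPUT over lo, not FORWARD; Baltasar: block traffic between local IPs unless source equals destination; Jim: the DROP rules must sit above the blanket loopback ACCEPT), as an added example that is not code from the thread or from the linux-vserver project. It models first-match traversal of an INPUT chain in Python and emits the equivalent iptables commands; the guest addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values (not the poster's real configuration): routable
# guest addresses that all live on the carrier host, so guest-to-guest
# traffic never leaves the box and arrives on "lo".
GUESTS = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the INPUT chain sees the packet arrive on (-i)


@dataclass(frozen=True)
class Rule:
    """One iptables rule: every given match must hold, then the target applies."""
    target: str                   # ACCEPT or DROP
    iface: Optional[str] = None   # -i
    src: Optional[str] = None     # -s (address or CIDR)
    dst: Optional[str] = None     # -d (address or CIDR)

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True

    def as_iptables(self, chain: str = "INPUT") -> str:
        parts = ["iptables", "-A", chain]
        if self.iface is not None:
            parts += ["-i", self.iface]
        if self.src is not None:
            parts += ["-s", self.src]
        if self.dst is not None:
            parts += ["-d", self.dst]
        return " ".join(parts + ["-j", self.target])


def inter_guest_drop_rules(guests: List[str]) -> List[Rule]:
    """One DROP per ordered guest pair on lo. A guest reaching its own address
    is left alone (Baltasar's 'except if source and destination are the same')."""
    return [Rule("DROP", iface="lo", src=a, dst=b)
            for a in guests for b in guests if a != b]


def build_input_chain(block_first: bool, guests: List[str] = GUESTS) -> List[Rule]:
    """INPUT chain in the order the rules are appended.

    block_first=False reproduces Jim's original mistake: the blanket
    'ACCEPT -i lo' comes first, so the inter-guest DROPs below it never fire.
    block_first=True is the fix from the thread: the DROPs sit above the
    loopback rule, and the loopback rule still serves everything else.
    """
    accept_lo = [Rule("ACCEPT", iface="lo")]
    drops = inter_guest_drop_rules(guests)
    return drops + accept_lo if block_first else accept_lo + drops


def verdict(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First-match traversal as netfilter does it: the first matching rule
    decides; if nothing matches, the chain policy applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


def iptables_script(chain: List[Rule]) -> List[str]:
    """The shell lines that would install this chain on the carrier host."""
    return ["iptables -P INPUT DROP"] + [r.as_iptables() for r in chain]


if __name__ == "__main__":
    guest_to_guest = Packet("192.0.2.11", "192.0.2.12", "lo")
    for first in (False, True):
        chain = build_input_chain(block_first=first)
        print(f"block_first={first}: guest->guest on lo -> {verdict(chain, guest_to_guest)}")
    print("\n".join(iptables_script(build_input_chain(block_first=True))))
```

The pairwise DROP list grows quadratically with the guest count; on a real carrier an address set or a per-guest subnet match keeps the chain short, but the ordering lesson is the same.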
Re: [Vserver] IPTables and limiting inter-vserver communication
> I would like to use IPTables to block the client vservers from talking to each other but since they all have the same MAC address, this becomes problematic. What is the current best practice for doing this?

Have you tried blocking all traffic between local IPs except if source and destination are the same? As long as you don't give the NET_ADMIN or NET_RAW capabilities to the guest, the users in there cannot spoof the IP.

baltasar

((( Baltasar Cevc
  ) World wide web:
    # http://www.openairkino.net/ (a project for the local youth; German only)
    # http://technik.juz-kirchheim.de/ (programming and admin projects)
    # http://baltasar.cevc-topp.de/ (private homepage)
  ) Phone: +49 176 23 22 08 22
Re: [Vserver] IPTables and limiting inter-vserver communication
Hello James!

> The configuration will have about 10 vserver clients running apache/php5
> talking to a mysql server. Each vserver client has a regular (routable) IP
> address, but each has the same MAC address as the hosting server. I would
> like to use IPTables to block the client vservers from talking to each other
> but since they all have the same MAC address, this becomes problematic.

Why should this become problematic? You want to filter IP addresses and not MAC addresses, don't you?

> What is the current best practice for doing this?

Implement the netfilter rules on the carrier. Remember that inter-vserver connections won't use the FORWARD chain; simply use the INPUT and OUTPUT chains (as you probably already did for filtering ingress and egress traffic). Furthermore, all packets will travel over the lo (loopback) interface. tcpdump and the various netfilter log targets will be your friends ;)

> I've read a bit about NGNET-Testing and a vnet patch from
> http://oldwiki.linux-vserver.org/NGNET-Testing-HOWTO but the code is dated.

I'm afraid I don't know what the state of the NGNET patch is...

> I tried setting up IPTables rules on the vserver host; this helps
> restrict traffic to the vserver clients but it doesn't block 'inter' vserver
> communication. I've read 'hints' about running iptables inside of the
> vserver client (but I haven't figured out how to implement this) and then
> drop net_admin capability once the rules are in place.

You don't have to enable any special capabilities for filtering on the carrier.

regards,
Chris
[Vserver] IPTables and limiting inter-vserver communication
Hello everyone,

I have a Debian Etch vserver host running the 2.6.18-4-xen-vserver-686 kernel, util-vserver 0.30.212-1 and vserver-debiantools 0.3.4.

The configuration will have about 10 vserver clients running apache/php5 talking to a mysql server. Each vserver client has a regular (routable) IP address, but each has the same MAC address as the hosting server. I would like to use IPTables to block the client vservers from talking to each other but since they all have the same MAC address, this becomes problematic. What is the current best practice for doing this?

I've read a bit about NGNET-Testing and a vnet patch from http://oldwiki.linux-vserver.org/NGNET-Testing-HOWTO but the code is dated.

I tried setting up IPTables rules on the vserver host; this helps restrict traffic to the vserver clients but it doesn't block 'inter' vserver communication. I've read 'hints' about running iptables inside of the vserver client (but I haven't figured out how to implement this) and then dropping the net_admin capability once the rules are in place.

Again, if someone can point me to a 'best practices' for accomplishing this I would be most appreciative.

Thanks,
Jim
Re: [Vserver] IPTABLES inside vserver guests (experimental version)
Oliver,

Sure. How do you want to integrate virtuatables into the web interface? At first the main idea was to make users able to run iptables from the shell, but I am sure we can work on this code and implement other solutions (after making a stable version).

--
Andre Bruce <[EMAIL PROTECTED]>

On Thu, 2006-11-23 at 22:24 +0100, Cryptronic wrote:
> Hi Andre,
>
> as you might know, there is a web interface to manage vservers called openvcp
> (http://www.openvcp.org).
> Because I am a developer of the web interface, I want to ask you whether we
> could work together to implement this in our web interface?
>
> best regards
> Oliver Werner aka cryptronic
>
> On Thursday, 23 November 2006 20:53, Andre Bruce wrote:
> > Hello,
> >
> > We are developing a client/server (host/guest) application which makes
> > it possible for a guest to run a "virtual" iptables (the guest
> > application should replace the official iptables binary).
> > This project is still at an experimental stage and may not work as
> > expected, so use it at your own risk.
> >
> > You are welcome to post your problems and suggestions so we can fix the
> > code and get it 100%. :)
> >
> > The files and instructions can be downloaded at:
> > http://www.virtuaserver.com.br/forum/viewtopic.php?p=215
> >
> > If you want to contact me directly (not through this list), please use
> > the forum or the e-mail abruce @__at__@ virtuaserver.com.br.
Re: [Vserver] IPTABLES inside vserver guests (experimental version)
Hi Andre,

as you might know, there is a web interface to manage vservers called openvcp (http://www.openvcp.org).
Because I am a developer of the web interface, I want to ask you whether we could work together to implement this in our web interface?

best regards
Oliver Werner aka cryptronic

On Thursday, 23 November 2006 20:53, Andre Bruce wrote:
> Hello,
>
> We are developing a client/server (host/guest) application which makes
> it possible for a guest to run a "virtual" iptables (the guest
> application should replace the official iptables binary).
> This project is still at an experimental stage and may not work as
> expected, so use it at your own risk.
>
> You are welcome to post your problems and suggestions so we can fix the
> code and get it 100%. :)
>
> The files and instructions can be downloaded at:
> http://www.virtuaserver.com.br/forum/viewtopic.php?p=215
>
> If you want to contact me directly (not through this list), please use
> the forum or the e-mail abruce @__at__@ virtuaserver.com.br.

--
Kind regards
O. Werner
[Vserver] IPTABLES inside vserver guests (experimental version)
Hello,

We are developing a client/server (host/guest) application which makes it possible for a guest to run a "virtual" iptables (the guest application should replace the official iptables binary).
This project is still at an experimental stage and may not work as expected, so use it at your own risk.

You are welcome to post your problems and suggestions so we can fix the code and get it 100%. :)

The files and instructions can be downloaded at:
http://www.virtuaserver.com.br/forum/viewtopic.php?p=215

If you want to contact me directly (not through this list), please use the forum or the e-mail abruce @__at__@ virtuaserver.com.br.

--
André Bruce - abruce @__at__@ virtuaserver.com.br
http://www.virtuaserver.com.br
Re: [Vserver] Iptables NAT & vservers
thanks all for the answers, I'll go on with a "per services" dispatch.

...and yes, I think apache provides such a mechanism, but I wanted to do it cleanly ;-)

Joep Gommers wrote:
> Well for web, radius you could use Squid as a reverse proxy. For SSH you can set up different ports on the different IPs. Or in some nasty way you could use snort to match for your hostname and dynamically make the forward, and remove it when it's gone. But that's just utter nonsense.. nonetheless possible
>
> J-
>
> On 3/13/06, Sebastian Harl <[EMAIL PROTECTED]> wrote:
> > > .. it would explain why I didn't succeed ;-)
> >
> > Indeed ;-)
> >
> > > Do you think there is another way to redirect all incoming connections to
> > > a particular machine based on the "connection name" but not on the port
> > > number ex:
> > > ssh mymachine.example.com
> >
> > No, I don't think so... TCP/IP does not carry any hostname information, so
> > routing would have to be done in the application layer protocol. HTTP, for
> > example, carries the hostname with it - that's why domain based hosting is
> > available (and possible ;-) e.g. in Apache.
> >
> > The "connection name" that you were referring to is the IP address...
> >
> > Cheers,
> > Sebastian
> > --
> > Sebastian "tokkee" Harl
> > GnuPG-ID: 0x8501C7FC
> > http://tokkee.org/

--
Programmers.ch
Free and open-source solutions
Tel: ++41 76 44 888 72
Site: http://www.programmers.ch
Site: http://openprojects.ch
Re: [Vserver] Iptables NAT & vservers
Well for web, radius you could use Squid as a reverse proxy. For SSH you can set up different ports on the different IPs. Or in some nasty way you could use snort to match for your hostname and dynamically make the forward, and remove it when it's gone. But that's just utter nonsense.. nonetheless possible

J-

On 3/13/06, Sebastian Harl <[EMAIL PROTECTED]> wrote:
> > .. it would explain why I didn't succeed ;-)
>
> Indeed ;-)
>
> > Do you think there is another way to redirect all incoming connections to
> > a particular machine based on the "connection name" but not on the port
> > number ex:
> > ssh mymachine.example.com
>
> No, I don't think so... TCP/IP does not carry any hostname information, so
> routing would have to be done in the application layer protocol. HTTP, for
> example, carries the hostname with it - that's why domain based hosting is
> available (and possible ;-) e.g. in Apache.
>
> The "connection name" that you were referring to is the IP address...
>
> Cheers,
> Sebastian
> --
> Sebastian "tokkee" Harl
> GnuPG-ID: 0x8501C7FC
> http://tokkee.org/
Re: [Vserver] Iptables NAT & vservers
> .. it would explain why I didn't succeed ;-)

Indeed ;-)

> Do you think there is another way to redirect all incoming connections to
> a particular machine based on the "connection name" but not on the port
> number ex:
> ssh mymachine.example.com

No, I don't think so... TCP/IP does not carry any hostname information, so routing would have to be done in the application layer protocol. HTTP, for example, carries the hostname with it - that's why domain based hosting is available (and possible ;-) e.g. in Apache.

The "connection name" that you were referring to is the IP address...

Cheers,
Sebastian
--
Sebastian "tokkee" Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/
Re: [Vserver] Iptables NAT & vservers
.. it would explain why I didn't succeed ;-)

Do you think there is another way to redirect all incoming connections to a particular machine based on the "connection name" but not on the port number ex:

ssh mymachine.example.com

Sebastian Harl wrote:
> Hi,
>
> > iptables is supposed to handle the -d
> >
> > (host is 10.0.0.160)
> >
> > -A PREROUTING -p tcp -m tcp -d test.example.com -j DNAT --to-destination 10.0.1.2
> >
> > ... what's wrong with my approach, I didn't succeed to make it work.
>
> iptables only supports IP based routing. I guess the -d switch is only provided for convenience but will simply resolve the hostname to the appropriate IP. I don't think domainname based routing is available at all...
>
> Cheers,
> Sebastian

--
Programmers.ch
Free and open-source solutions
Tel: ++41 76 44 888 72
Site: http://www.programmers.ch
Site: http://openprojects.ch
Re: [Vserver] Iptables NAT & vservers
Hi,

> iptables is supposed to handle the -d
>
> (host is 10.0.0.160)
>
> -A PREROUTING -p tcp -m tcp -d test.example.com -j DNAT --to-destination 10.0.1.2
>
> ... what's wrong with my approach, I didn't succeed to make it work.

iptables only supports IP based routing. I guess the -d switch is only provided for convenience but will simply resolve the hostname to the appropriate IP. I don't think domainname based routing is available at all...

Cheers,
Sebastian
--
Sebastian "tokkee" Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/
[Vserver] Iptables NAT & vservers
Hello,

I tried to set up a subnetwork using several vservers.

- host system is connected to the internet
- several guests in a different subnetwork on it.
- the host has the normal eth0 interface and a "virtual" tap0 one.
- host can see and connect to both networks.

Now the "problem" is:

- from outside I have several subdomains test.example.com, test2.example.com pointing to the guest IP, and based on the name I would like to redirect the incoming connection to the corresponding guest.

iptables is supposed to handle the -d

(host is 10.0.0.160)

-A PREROUTING -p tcp -m tcp -d test.example.com -j DNAT --to-destination 10.0.1.2

... what's wrong with my approach, I didn't succeed to make it work.

Any idea?

Marc

--
Programmers.ch
Free and open-source solutions
Tel: ++41 76 44 888 72
Site: http://www.programmers.ch
Site: http://openprojects.ch
Re: [Vserver] iptables inside vserver client?
Hi Michael,

* Michael S. Zick <[EMAIL PROTECTED]> [060110 23:49]:
> Reading step three of the virtual tour does not say that the ip rules
> are 'within' your virtual server. Only that the rules that apply to
> your virtual server can be controlled by a web interface (on the host
> system) most likely.
>
> That would be a fairly straightforward thing to do, just write
> rule chain(s) for a particular IP address. Constrain the web update
> to do dynamic rules on the rule chain for a particular customer.
>
> For instance, start with the dynamic rule handling of PSAD, be creative
> with the chain naming, add a web interface, etc.

Ah, I see. Thanks for your reply.

Cheers,
Steph.
Re: [Vserver] iptables inside vserver client?
On Tue January 10 2006 15:15, Stephan Mueller wrote:
> Hi,
>
> on the hosting page in the wiki the provider [vRoutix], Argentina
> announces iptables support inside a vserver client while I read on the
> beginners faq page that the forward chain is not touched by packets
> between the clients.
>
> Which one is true? :) Do they use some sort of tap or tun devices?
>
Probably both are true.

Reading step three of the virtual tour does not say that the ip rules are 'within' your virtual server. Only that the rules that apply to your virtual server can be controlled by a web interface (on the host system) most likely.

That would be a fairly straightforward thing to do, just write rule chain(s) for a particular IP address. Constrain the web update to do dynamic rules on the rule chain for a particular customer.

For instance, start with the dynamic rule handling of PSAD, be creative with the chain naming, add a web interface, etc.

Mike
[Vserver] iptables inside vserver client?
Hi,

on the hosting page in the wiki the provider [vRoutix], Argentina announces iptables support inside a vserver client while I read on the beginners faq page that the forward chain is not touched by packets between the clients.

Which one is true? :) Do they use some sort of tap or tun devices?

Cheers and thanks,
Steph.
Re: [Vserver] vserver iptables
Benedikt Böhm wrote:
> On Thursday 23 December 2004 18:27, Bastian Boday wrote:
> > from the vserver I can connect to eth0 but not to the internet. From my
> > local net everything works fine.
>
> You need to do SNAT in order to get your vservers connecting to the internet when you're using different IPs on the root dev and the alias... it looks like this:
>
> /sbin/iptables -t nat -A POSTROUTING -s 192.168.50.0/255.255.255.0 -d ! 192.168.50.0/255.255.255.0 -j SNAT --to-source 192.168.2.x
>
> (this should be the ip of eth1)

I tried it, but no success.

now I changed the ip back to a normal ip from the "loc" zone (loc is 192.168.2.0/24 with interface 192.168.2.1, vserver alias eth1:0 192.168.2.50)

can ping the loc interface but not the internet

Could it have something to do with this?
http://lists.shorewall.net/pipermail/shorewall-users/2002-December/003900.html

thanx
Bast
Re: [Vserver] vserver iptables
On Thursday 23 December 2004 18:27, Bastian Boday wrote:
> from the vserver I can connect to eth0 but not to the internet. From my
> local net everything works fine.

You need to do SNAT in order to get your vservers connecting to the internet when you're using different IPs on the root dev and the alias... it looks like this:

/sbin/iptables -t nat -A POSTROUTING -s 192.168.50.0/255.255.255.0 -d ! 192.168.50.0/255.255.255.0 -j SNAT --to-source 192.168.2.x

(this should be the ip of eth1)

Bene

--
Benedikt Boehm
www.croup.de
[EMAIL PROTECTED]
GPG-ID: 0x32585A3D
"If it moves, compile it." -- Gentoo
[Vserver] vserver iptables
Hello

I'm new to the list.

I installed a vserver with kernel 2.6 (http://home.xnull.de/work/gentoo/vserver/guide/) on my gentoo server.
As network interface I use an alias (eth1:0).
As firewall I'm using shorewall.

eth0 --> Internet
eth1 is the card of my "loc" zone. 192.168.2.0/24
eth1:0 is the alias from the vserver 192.168.50.50

from the vserver I can connect to eth0 but not to the internet. From my local net everything works fine.

I know, I need something like this... ??

iptables -A INPUT -i eth0 -d 192.168.2.50 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 192.168.2.50 -j ACCEPT

Any help would be appreciated

Bast
Re: [Vserver] Vserver Iptables
On Wed, 28.04.2004, at 09:14, Alexander Denisov wrote:
> In a message of 27 April 2004 18:02, Herbert Poetzl wrote:
> > > Can I use iptables rules in ctx?
> >
> > yes, there are two alternatives:
> >
> > - allow the vserver to modify _all_ iptable rules
>
> Where can I read how to allow it?

Add the CAP_NETADMIN capability to your vserver :) but it allows all network operations from this vserver on all network objects, such as routing, IP addresses and everything else..

> Can I allow one vserver or all vservers?

Whoever has the CAP_NETADMIN capability can work with iptables and other network objects.

> Can I allow a vserver to modify one chain?

You can't do it.

--
Alex Lyashkov <[EMAIL PROTECTED]>
PSoft
Re: [Vserver] Vserver Iptables
In a message of 27 April 2004 18:02, Herbert Poetzl wrote:
> > Can I use iptables rules in ctx?
>
> yes, there are two alternatives:
>
> - allow the vserver to modify _all_ iptable rules

Where can I read how to allow it?
Can I allow one vserver or all vservers?
Can I allow a vserver to modify one chain?

--
WBR Alexander V. Denisov
Digital Union
icq: 4616935
Re: [Vserver] Vserver Iptables
On Tue, Apr 27, 2004 at 11:52:52AM +0500, Alexander Denisov wrote:
>
> Hello
>
> Can I use iptables rules in ctx?

yes, there are two alternatives:

- allow the vserver to modify _all_ iptable rules
- do not allow the vserver to modify _any_ rules

best,
Herbert

> --
> WBR Alexander V. Denisov
> Digital Union
> icq: 4616935
[Vserver] Vserver Iptables
Hello

Can I use iptables rules in ctx?

--
WBR Alexander V. Denisov
Digital Union
icq: 4616935
Re: [Vserver] iptables
[EMAIL PROTECTED] ("Gregory (Grisha) Trubetskoy") writes:
> Given that vserver won't allow you to use iptables, has anyone tried a
> solution where the iptables command is replaced by a stub command that
> talks to a daemon in context 0 to set up tables?

vserver-djinni[1] is such a daemon and it should be easy to write rules for iptables management. This program requires libvserver from the util-vserver alpha-branch.

Enrico

Footnotes:
[1] http://www.tu-chemnitz.de/~ensc/fedora.us-build/html/ar01s02.html#sec:components:vserver-djinni
    http://www.tu-chemnitz.de/~ensc/fedora.us-build/files/
Re: [Vserver] iptables
On Sat, Apr 03, 2004 at 10:58:01PM -0500, Gregory (Grisha) Trubetskoy wrote:
>
> Given that vserver won't allow you to use iptables, has anyone tried a
> solution where the iptables command is replaced by a stub command that
> talks to a daemon in context 0 to set up tables?
>
> It seems that you could create a chain (or two actually - input and
> output) for every vserver, and have a rule to jump to those chains based
> on the vserver ip. With some clever replacing of INPUT or OUTPUT with the name
> of the chains for those vservers it seems you could get an 80% functional
> iptables, probably enough to fool most firewall config tools (and most
> users). Since that chain is only accessed for that particular IP, there
> should be no way to cause any damage on the server.

while the basic idea sounds very good (it crossed my mind some time ago), the devil is in the detail:

- let's assume we have 'rules' to identify the target vserver
- let's further assume we know from what server a packet is sent

this should allow us to traverse a vINPUT and vOUTPUT table quite well, and it might even allow to do a vPREROUTING or vPOSTROUTING, but it will also open the door for packet mangling and S/DNAT, which is a security issue ...

other issues are with identifying the target vserver, because what happens if two vservers share the same IP, but provide different services on different ports ... (but I guess this is a special case, just not handled here)

> I was going to try to write something like this, but wanted to check
> whether I might be reinventing the wheel here.

it might be interesting to join the (hopefully) upcoming discussion about the next generation networking, maybe such issues can be solved by some simple tricks ...

best,
Herbert

> Grisha
[Vserver] iptables
Given that vserver won't allow you to use iptables, has anyone tried a solution where the iptables command is replaced by a stub command that talks to a daemon in context 0 to set up tables?

It seems that you could create a chain (or two actually - input and output) for every vserver, and have a rule to jump to those chains based on the vserver ip. With some clever replacing of INPUT or OUTPUT with the name of the chains for those vservers it seems you could get an 80% functional iptables, probably enough to fool most firewall config tools (and most users). Since that chain is only accessed for that particular IP, there should be no way to cause any damage on the server.

I was going to try to write something like this, but wanted to check whether I might be reinventing the wheel here.

Grisha
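Grisha's per-vserver chain idea above, together with the limits Herbert raises in his reply (no mangling or S/DNAT, and the context-0 side must know which guest a command comes from), as an added example that is not from the thread, from vserver-djinni or from any linux-vserver project. It sketches in Python what the context-0 half of such a stub-plus-daemon design would do: create the per-guest chains, and rewrite a guest's iptables command line so it can only touch its own chains with filter-only targets. Guest names and addresses are constructed sample values.

```python
from typing import Dict, List

# Constructed sample values (not from the thread): guest name -> guest IP,
# as the context-0 daemon would know them.
GUESTS: Dict[str, str] = {"web1": "192.0.2.11", "web2": "192.0.2.12"}

# Chain operations a guest may issue; each is redirected into its own chains.
CHAIN_OPS = {"-A", "-I", "-D", "-F", "-L"}
# Base chains a guest may name (the INPUT/OUTPUT of Grisha's sketch).
ALLOWED_CHAINS = {"INPUT", "OUTPUT"}
# Filter-only targets. DNAT/SNAT/MASQUERADE/MARK are the mangling door
# Herbert warns about, so they are not in this set.
ALLOWED_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}
# Match options passed through unchanged (their values follow as plain tokens).
MATCH_OPTS = {"-s", "-d", "-p", "-i", "-o", "-m", "--dport", "--sport", "--state", "-n", "-v"}


def chain_name(guest: str, base: str) -> str:
    """Per-guest chain that stands in for INPUT or OUTPUT inside the guest."""
    return f"vs_{guest}_{base.lower()}"


def setup_commands(guests: Dict[str, str]) -> List[str]:
    """Context-0 setup: create each guest's chains and jump into them only for
    packets addressed to (INPUT) or sent from (OUTPUT) that guest's own IP."""
    cmds: List[str] = []
    for name, ip in guests.items():
        for base, flag in (("INPUT", "-d"), ("OUTPUT", "-s")):
            cmds.append(f"iptables -N {chain_name(name, base)}")
            cmds.append(f"iptables -A {base} {flag} {ip} -j {chain_name(name, base)}")
    return cmds


def translate(guest: str, argv: List[str]) -> List[str]:
    """Rewrite the argv a guest's stub sent to the daemon so that it can only
    append/insert/delete/flush/list in its own chains with filter targets.
    Anything else (other tables, other chains, policy changes, NAT targets)
    raises ValueError and must never be executed."""
    if guest not in GUESTS:
        raise ValueError(f"unknown guest {guest!r}")
    out = ["iptables"]
    i = 0
    while i < len(argv):
        tok = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tok in CHAIN_OPS:
            if nxt not in ALLOWED_CHAINS:
                raise ValueError(f"{tok} must name INPUT or OUTPUT, got {nxt!r}")
            out += [tok, chain_name(guest, nxt)]
            i += 2
        elif tok == "-j":
            if nxt not in ALLOWED_TARGETS:
                raise ValueError(f"target {nxt!r} is not allowed for guests")
            out += [tok, nxt]
            i += 2
        elif tok.startswith("-") and tok not in MATCH_OPTS:
            # Catches -t (table), -P (policy), -N/-X (chain management),
            # long forms such as --jump, and anything else not whitelisted.
            raise ValueError(f"option {tok!r} is not allowed for guests")
        else:
            out.append(tok)
            i += 1
    return out


def rejected(guest: str, argv: List[str]) -> bool:
    """True when the daemon would refuse this command line."""
    try:
        translate(guest, argv)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("\n".join(setup_commands(GUESTS)))
    print(" ".join(translate("web1", ["-A", "INPUT", "-p", "tcp", "--dport", "22", "-j", "DROP"])))
```

Herbert's second caveat (two guests sharing one IP but serving different ports) is not solved here: the jump rules key on the address only, so such guests would land in the same chain.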
Re: [Vserver] iptables POM extras repository
> > > google search for supermount, evfs, and freeswan help explain what and
> > I wouldn't recommend freeswan for 2.4.25, it's not trivial to merge, and
> > there already is openswan project that's in active development.
>
> This is for compatibility with some older systems. Not trivial to merge?
> I really didn't have much problem with it... mind you, I'm using a 2.0x

Sorry, I hadn't noticed it's 2.0x... but... if you say that you want to be compatible with older systems... why 2.0? With openswan you get 1.xx compatibility out of the box. If I were upgrading from freeswan, it wouldn't be to freeswan 2.0, but to kame and racoon instead of pluto.

--
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
We're giving you a new chance in life, and an opportunity to screw it up in a new, original way.
Re: [Vserver] iptables POM extras repository
On Tue, 2004-03-30 at 09:51, Dariush Pietrzak wrote:
> > > http://strongboxlinux.com/files/linux-2.4.25sbl1/
> > >
> > > vserver+POM+supermount+evfs+freeswan+a few other things
> >
> > Wow. Super patchset! For those of us slightly Linux challenged will a
> yup, and broken systrace on top. Very clever.

I've been playing around with systrace, somewhat successfully. But, yes, it should come with the warning that it's not entirely as secure as it says it is. And, since the patch is split off, you don't need to apply it.

> > google search for supermount, evfs, and freeswan help explain what and
> I wouldn't recommend freeswan for 2.4.25, it's not trivial to merge, and
> there already is openswan project that's in active development.

This is for compatibility with some older systems. Not trivial to merge? I really didn't have much problem with it... mind you, I'm using a 2.0x version.

As to the other stuff that's in there:

evfs is an encrypted VFS level filesystem. It patches in a set of utilities in /usr/src/linux/evfs, and creates a binary called "efs" that you use for mounting partitions (efs /source/dir /dest/dir). There's a page on it, somewhere, at hysteria.sk... although the guy who wrote it is no longer actively maintaining it. I've got it on there because it's the only working VFS level encryption scheme I've used for linux, so I've been playing with it. The other semi-working one is part of the FIST project -> but I've never had it work reliably (i.e. across a reboot, which is pretty sad).

Supermount is a patch set to allow mounts on devices that don't exist yet ;) Do a search on that for relevant information and code snippets.

Anyways, as usual, YMMV.

Also, be warned: ALWAYS recompile iptables if you're going to use a POM enabled netfilter in your kernel BEFORE you reboot the box -> as it will cause many firewall rules to fail, and thus may stop you from being able to get into the box!

Cheers,
Liam
Re: [Vserver] iptables POM extras repository
> > http://strongboxlinux.com/files/linux-2.4.25sbl1/ > > > > vserver+POM+supermount+evfs+freeswan+a few other things > > Wow. Super patchset! For those of us slightly Linux challenged will a yup, and broken systrace on top. Very clever. > google search for supermount, evfs, and freeswan help explain what and I wouldn't recommend freeswan for 2.4.25, it's not trivial to merge, and there already is openswan project that's in active development. -- Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9 We're giving you a new chance in life, and an opportunity to screw it up in a new, original way. ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] iptables POM extras repository
On Mon, 29 Mar 2004, Liam Helmer wrote: > Works no problem. You can use my patchset if you're running 2.4.25: Thanks Liam. > http://strongboxlinux.com/files/linux-2.4.25sbl1/ > > vserver+POM+supermount+evfs+freeswan+a few other things Wow. Super patchset! For those of us slightly Linux challenged will a google search for supermount, evfs, and freeswan help explain what and how? And if you're using the Netfilter inside a vserver could you explain how etc? Rod -- "Open Source Software - You usually get more than you pay for..." "Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL" ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] iptables POM extras repository
Works no problem. You can use my patchset if you're running 2.4.25: http://strongboxlinux.com/files/linux-2.4.25sbl1/ vserver+POM+supermount+evfs+freeswan+a few other things Cheers, Liam On Mon, 2004-03-29 at 17:58, Roderick A. Anderson wrote: > Has anyone applied the IPTables POM patches from the extras repository > at netfilter.org? > > I just started looking into it and like a couple of the modules. Not sure > if they will work/function/work-with(in) a vserver especially TARPIT and > those that could be used for honey-potting. > > Thoughts? > > > TIA, > Rod ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver
[Vserver] iptables POM extras repository
Has anyone applied the IPTables POM patches from the extras repository at netfilter.org? I just started looking into it and like a couple of the modules. Not sure if they will work/function/work-with(in) a vserver especially TARPIT and those that could be used for honey-potting. Thoughts? TIA, Rod -- "Open Source Software - You usually get more than you pay for..." "Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL" ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] iptables
В Птн, 26.03.2004, в 00:06, Gregory (Grisha) Trubetskoy пишет: > I know someone who has a virtuozzo-base hosting account, and it appears > that their latest version aloows for iptalbes/ipchains to work somehow. > > Anyone know how it works, and is this something that might be possible > with VServer, perhaps in the future? > > Grisha current vserver - not. Try FreeVPS - her allow use iptables inside vps. -- Alex Lyashkov <[EMAIL PROTECTED]> PSoft ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver
[Vserver] iptables
I know someone who has a virtuozzo-base hosting account, and it appears that their latest version aloows for iptalbes/ipchains to work somehow. Anyone know how it works, and is this something that might be possible with VServer, perhaps in the future? Grisha ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver