[Vserver] IPTables and limiting inter-vserver communication

2007-05-24 Thread James Miller
Hello everyone,

I have a Debian Etch vserver host running 2.6.18-4-xen-vserver-686 kernel,
util-vserver 0.30.212-1 and vserver-debiantools 0.3.4.  

The configuration will have about 10 vserver clients running apache/php5
talking to a mysql server.  Each vserver client has a regular (routable) IP
address, but each has the same MAC address as the hosting server.  I would
like to use IPTables to block the client vservers from talking to each other
but since they all have the same MAC address, this becomes problematic.
What is the current best practice for doing this?

I've read a bit about NGNET-Testing and a vnet patch from
http://oldwiki.linux-vserver.org/NGNET-Testing-HOWTO but the code is dated.


I tried setting up IPTables rules on the vserver host; this helps
restrict traffic to the vserver clients but it doesn't block 'inter' vserver
communication.  I've read 'hints' about running iptables inside of the
vserver client (but I haven't figured out how to implement this) and then
dropping the net_admin capability once the rules are in place.

Again, if someone can point me to a 'best practices' for accomplishing this
I would be most appreciative.


Thanks,
Jim


___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] IPTables and limiting inter-vserver communication

2007-05-24 Thread Christian Affolter
Hello James!

> The configuration will have about 10 vserver clients running apache/php5
> talking to a mysql server.  Each vserver client has a regular (routable) IP
> address, but each has the same MAC address as the hosting server.  I would
> like to use IPTables to block the client vservers from talking to each other
> but since they all have the same MAC address, this becomes problematic.
Why should this become problematic? You want to filter IP addresses and
not MAC addresses, don't you?


> What is the current best practice for doing this?
Implement the netfilter rules on the carrier. Remember that inter
vserver connections won't use the FORWARD chain, simply use the INPUT
and OUTPUT chains (as you probably already did for filtering ingress and
egress traffic). Furthermore all packets will travel over the lo
(loopback) interface.
tcpdump and the various netfilter log targets will be your friends ;)


> I've read a bit about NGNET-Testing and a vnet patch from
> http://oldwiki.linux-vserver.org/NGNET-Testing-HOWTO but the code is dated.
I'm afraid I don't know what the state of the NGNET patch is...


> I tried setting up IPTables rules on the vserver host; this helps
> restrict traffic to the vserver clients but it doesn't block 'inter' vserver
> communication.  I've read 'hints' about running iptables inside of the
> vserver client (but I haven't figured out how to implement this) and then
> dropping the net_admin capability once the rules are in place.
You don't have to enable any special capabilities for filtering on the
carrier.


regards,
Chris


Re: [Vserver] IPTables and limiting inter-vserver communication

2007-05-24 Thread Baltasar Cevc

> I would like to use IPTables to block the client vservers from talking to
> each other but since they all have the same MAC address, this becomes
> problematic.
>
> What is the current best practice for doing this?



Have you tried blocking all traffic between local IPs except if source
and destination are the same?

As long as you don't give the NET_ADMIN or NET_RAW capabilities to the
guest, the users in there cannot spoof the IP.

baltasar

((( Baltasar Cevc
) World wide web:
  # http://www.openairkino.net/ (a project for the local youth; German only)
  # http://technik.juz-kirchheim.de/ (programming and admin projects)
  # http://baltasar.cevc-topp.de/ (private homepage)
) Phone:
  +49 176 23 22 08 22
)



SOLVED: [Vserver] IPTables and limiting inter-vserver communication

2007-05-24 Thread James Miller

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Christian Affolter
> Sent: Thursday, May 24, 2007 9:18 AM
> To: vserver@list.linux-vserver.org
> Subject: Re: [Vserver] IPTables and limiting inter-vserver 
> communication
> 
> Hello James!
> 
> > The configuration will have about 10 vserver clients running 
> > apache/php5 talking to a mysql server.  Each vserver client has a 
> > regular (routable) IP address, but each has the same MAC address as 
> > the hosting server.  I would like to use IPTables to block 
> the client 
> > vservers from talking to each other but since they all have 
> the same MAC address, this becomes problematic.
> Why should this become problematic? You want to filter IP 
> addresses and not MAC address, don't you?
> 
> 
> > What is the current best practice for doing this?
> Implement the netfilter rules on the carrier. Remember that 
> inter vserver connections won't use the FORWARD chain, simply 
> use the INPUT and OUTPUT chains (as you probably already did 
> for filtering ingress and egress traffic). Furthermore all 
> packets will travel over the lo
> (loopback) interface.
> tcpdump and the various netfilter log targets will be your friends ;)
> 
> 
> > I've read a bit about NGNET-Testing and a vnet patch from 
> > http://oldwiki.linux-vserver.org/NGNET-Testing-HOWTO but 
> the code is dated.
> I'm afraid I don't know what the state of the NGNET patch is...
> 
> 
> > I tried setting up IPTables rules on the vserver host; 
> this helps 
> > restrict traffic to the vserver clients but it doesn't 
> block 'inter' 
> > vserver communication.  I've read 'hints' about running iptables 
> > inside of the vserver client (but I haven't figured out how to 
> > implement this) and then dropping the net_admin capability once the 
> rules are in place.
> You don't have to enable any special capabilities for 
> filtering on the carrier.
> 

Hello everyone,

Thank you for your input everyone.  My problem was I had a rule, very early
on, which allowed all communication over the loopback interface (I use ssh
over xterm to connect to my hosts/servers).  And as I'm sure you vserver
experts know, inter-vserver communications occur over the loopback
interface.  Once I moved my rule(s) to disable communication between vserver
clients above the loopback rule everything worked as expected.

As a side note, I REALLY wish I understood the capabilities system better and
where they're configured for newer versions of vserver.  Hummm.. Someone
should write a tutorial on that =)


Thanks again!
--Jim
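
The thread's three pieces of advice (filter on the carrier in INPUT/OUTPUT
because inter-guest packets travel over lo; allow a guest to reach its own
address but drop guest-to-guest; keep the isolation rules above the blanket
loopback ACCEPT, which was the actual bug here) fit in one small rule
generator. This is an added example, not code from the thread or from
util-vserver; the guest IPs are constructed from the RFC 5737 documentation
range and the chain names GUEST_ISOLATION and GUEST_DST are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): host-side iptables rules that keep
# vserver guests from talking to each other over the loopback interface.
# Guest IPs are constructed (documentation range); chain names are assumed.
# By default this is a dry run that prints the commands; run with
# IPT=iptables (as root) to apply them.

GUESTS="${GUESTS:-192.0.2.11 192.0.2.12 192.0.2.13}"
IPT="${IPT:-echo iptables}"

emit_rules() {
    # GUEST_DST drops anything addressed to one of the guests;
    # GUEST_ISOLATION decides, per source address, whether to consult it.
    $IPT -N GUEST_DST
    $IPT -N GUEST_ISOLATION
    for g in $GUESTS; do
        $IPT -A GUEST_DST -d "$g" -j DROP
    done
    # A guest talking to its own address stays allowed (the "except if
    # source and destination are the same" exception). These RETURNs must
    # come before the per-source jumps below, first match wins.
    for g in $GUESTS; do
        $IPT -A GUEST_ISOLATION -s "$g" -d "$g" -j RETURN
    done
    for g in $GUESTS; do
        $IPT -A GUEST_ISOLATION -s "$g" -j GUEST_DST
    done
    # Hook the check into INPUT and OUTPUT for loopback traffic (not
    # FORWARD: the packets never leave the host), and only THEN accept the
    # rest of lo. Appending in this order keeps the isolation check above
    # the loopback accept, which is what fixed the setup in the thread.
    $IPT -A INPUT  -i lo -j GUEST_ISOLATION
    $IPT -A OUTPUT -o lo -j GUEST_ISOLATION
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}

# Dry-run check on the generated list: the INPUT hook has to be listed
# before the INPUT loopback ACCEPT, otherwise the ACCEPT matches first and
# the isolation chain is never reached.
check_order() {
    rules=$( IPT="echo iptables"; emit_rules )
    hook=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -i lo -j GUEST_ISOLATION' | cut -d: -f1)
    accept=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -i lo -j ACCEPT' | cut -d: -f1)
    [ -n "$hook" ] && [ -n "$accept" ] && [ "$hook" -lt "$accept" ]
}

# Number of commands a dry run emits: 2 chain creations + 3 rules per guest
# + 2 hooks + 2 accepts (15 for the three constructed guests).
rule_count() {
    ( IPT="echo iptables"; emit_rules ) | wc -l | tr -d ' '
}

emit_rules
```

If the host already carries a `-i lo -j ACCEPT` rule near the top of INPUT,
appending is not enough; insert the hook ahead of it with
`iptables -I INPUT 1 -i lo -j GUEST_ISOLATION` (and likewise for OUTPUT)
instead of `-A`. The source-address match is only trustworthy while the
guests lack the NET_ADMIN and NET_RAW capabilities, as noted in the thread,
since otherwise a guest could pick its own source IP.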

