[Vserver] IPTables and limiting inter-vserver communication

2007-05-24 Thread James Miller
Hello everyone,

I have a Debian Etch vserver host running 2.6.18-4-xen-vserver-686 kernel,
util-vserver 0.30.212-1 and vserver-debiantools 0.3.4.  

The configuration will have about 10 vserver clients running apache/php5
talking to a mysql server.  Each vserver client has a regular (routable) IP
address, but each has the same MAC address as the hosting server.  I would
like to use IPTables to block the client vservers from talking to each other
but since they all have the same MAC address, this becomes problematic.
What is the current best practice for doing this?

I've read a bit about NGNET-Testing and a vnet patch from
http://oldwiki.linux-vserver.org/NGNET-Testing-HOWTO but the code is dated.


I tried setting up IPTables rules on the vserver host; this helps
restrict traffic to the vserver clients but it doesn't block 'inter' vserver
communication.  I've read 'hints' about running iptables inside of the
vserver client (but I haven't figured out how to implement this) and then
dropping the net_admin capability once the rules are in place.

Again, if someone can point me to a 'best practices' for accomplishing this
I would be most appreciative.


Thanks,
Jim


___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] IPTables and limiting inter-vserver communication

2007-05-24 Thread Christian Affolter
Hello James!

 The configuration will have about 10 vserver clients running apache/php5
 talking to a mysql server.  Each vserver client has a regular (routable) IP
 address, but each has the same MAC address as the hosting server.  I would
 like to use IPTables to block the client vservers from talking to each other
 but since they all have the same MAC address, this becomes problematic.
Why should this become problematic? You want to filter IP addresses and
not MAC addresses, don't you?


 What is the current best practice for doing this?
Implement the netfilter rules on the carrier. Remember that inter
vserver connections won't use the FORWARD chain, simply use the INPUT
and OUTPUT chains (as you probably already did for filtering ingress and
egress traffic). Furthermore all packets will travel over the lo
(loopback) interface.
tcpdump and the various netfilter log targets will be your friends ;)


 I've read a bit about NGNET-Testing and a vnet patch from
 http://oldwiki.linux-vserver.org/NGNET-Testing-HOWTO but the code is dated.
I'm afraid I don't know what the state of the NGNET patch is...


 I tried setting up IPTables rules on the vserver host, this helps
 restrict traffic to the vserver clients but it doesn't block 'inter' vserver
 communication.  I've read 'hints' about running iptables inside of the
 vserver client (but I haven't figured out how to implement this) and then
 drop net_admin capability once the rules are in place.
You don't have to enable any special capabilities for filtering on the
carrier.


regards,
Chris


Re: [Vserver] IPTables and limiting inter-vserver communication

2007-05-24 Thread Baltasar Cevc

 I would like to use IPTables to block the client vservers from talking to
 each other but since they all have the same MAC address, this becomes
 problematic.

 What is the current best practice for doing this?



Have you tried blocking all traffic between local IPs except if source
and destination are the same?

As long as you don't give the NET_ADMIN or NET_RAW capabilities to the
guest, the users in there cannot spoof the IP.

baltasar

((( Baltasar Cevc
) World wide web:
  # http://www.openairkino.net/ (a project for the local youth; German only)
  # http://technik.juz-kirchheim.de/ (programming and admin projects)
  # http://baltasar.cevc-topp.de/ (private homepage)
) Phone:
  +49 176 23 22 08 22
)






SOLVED: [Vserver] IPTables and limiting inter-vserver communication

2007-05-24 Thread James Miller

Hello everyone,

Thank you for your input everyone.  My problem was I had a rule, very early
on, which allowed all communication over the loopback interface (I use ssh
over xterm to connect to my hosts/servers).  And as I'm sure you vserver
experts know, inter-vserver communications occur over the loopback
interface.  Once I moved my rule(s) to disable communication between vserver
clients above the loopback rule everything worked as expected.

As a side note, I REALLY wish I understood the capabilities system better and
where they're configured for newer versions of vserver.  Hummm.. Someone
should write a tutorial on that =)


Thanks again!
--Jim


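As an added example (not code from the thread or from the Linux-VServer project), the following POSIX shell script builds the rule ordering Christian and Baltasar describe and James ended up with: inter-guest packets cross lo and hit the host's INPUT chain, so the isolation chain has to be reached before the usual loopback ACCEPT. The guest addresses, the shared MySQL guest and the chain name VS_ISOLATE are assumptions; the check function can be fed iptables-save output to audit a running host for the ordering mistake.

```shell
#!/bin/sh
# Added example, not from the list thread. Generates an iptables-restore
# ruleset for a Linux-VServer host that keeps guests from talking to each
# other, and audits a ruleset for the ordering mistake James ran into.
# All addresses are constructed placeholders (RFC 5737 TEST-NET-1).

GUESTS="192.0.2.11 192.0.2.12 192.0.2.13"   # constructed: apache/php guests
MYSQL_IP="192.0.2.10"                        # constructed: shared MySQL guest
MYSQL_PORT=3306

# Emit the filter table. Inter-guest packets never touch FORWARD; they
# cross lo and hit the host's OUTPUT and INPUT chains, so the isolation
# chain is wired into INPUT *before* the usual '-i lo -j ACCEPT'.
build_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':VS_ISOLATE - [0:0]'
    # Replies to connections that were already allowed through.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Isolation first, loopback ACCEPT only afterwards.
    echo '-A INPUT -j VS_ISOLATE'
    echo '-A INPUT -i lo -j ACCEPT'
    # Explicit exception: every guest may open the database port.
    for g in $GUESTS; do
        echo "-A VS_ISOLATE -s $g -d $MYSQL_IP -p tcp --dport $MYSQL_PORT -j ACCEPT"
    done
    # Everything else between two *distinct* guest addresses is logged
    # (rate-limited) and dropped; src == dst is left alone, as Baltasar
    # suggested, so a guest can still reach its own services.
    for s in $GUESTS $MYSQL_IP; do
        for d in $GUESTS $MYSQL_IP; do
            [ "$s" = "$d" ] && continue
            echo "-A VS_ISOLATE -s $s -d $d -m limit --limit 5/min -j LOG --log-prefix \"vs-isolate: \""
            echo "-A VS_ISOLATE -s $s -d $d -j DROP"
        done
    done
    echo 'COMMIT'
}

# Audit: exit 0 when INPUT reaches VS_ISOLATE before it accepts lo traffic,
# 1 otherwise (chain missing or loopback ACCEPT placed first).
check_order() {
    awk '
        /^-A INPUT -j VS_ISOLATE/   && !iso { iso = NR }
        /^-A INPUT -i lo -j ACCEPT/ && !lo  { lo  = NR }
        END { exit !(iso && lo && iso < lo) }
    '
}

case "${1:-}" in
    print) build_ruleset ;;   # sh isolate.sh print | iptables-restore
    check) check_order ;;     # iptables-save | sh isolate.sh check
esac
```

Run the check against iptables-save output before trusting a host; a ruleset that accepts lo first will fail it, which is exactly the state the thread describes.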


Re: [Vserver] IPTABLES inside vserver guests (experimental version)

2006-11-24 Thread Andre Bruce
Oliver,

Sure.  How do you want to integrate virtuatables into the web interface?
At first the main idea was to make users able to run iptables from the shell,
but I am sure we can work on this code and implement other solutions
(after making a stable version).

-- 
Andre Bruce [EMAIL PROTECTED]



[Vserver] IPTABLES inside vserver guests (experimental version)

2006-11-23 Thread Andre Bruce
Hello,

We are developing a client/server (host/guest) application which makes
it possible for a guest to run a virtual iptables (the guest
application should replace the official iptables binary).
This project is still at an experimental stage and may not work as
expected, so use it at your own risk.

You are welcome to post your problems and suggestions so we can fix the
code and get it 100%. :)

The files and instructions can be downloaded at:
http://www.virtuaserver.com.br/forum/viewtopic.php?p=215

If you want to contact me directly (not through this list), please use
the forum or the e-mail abruce @__at__@ virtuaserver.com.br. 

-- 
André Bruce - abruce @__at__@ virtuaserver.com.br
http://www.virtuaserver.com.br



Re: [Vserver] IPTABLES inside vserver guests (experimental version)

2006-11-23 Thread Cryptronic
Hi Andre,

as you might know, there is a web interface to manage vservers called openvcp
(http://www.openvcp.org).
Because I am a developer of that web interface, I want to ask you whether we
could work together to implement this in our web interface?

best regards
Oliver Werner aka cryptronic


-- 
Kind regards

O. Werner


[Vserver] Iptables NAT vservers

2006-03-13 Thread Marc Kalberer
Hello,
I tried to set up a subnetwork using several vservers.

- host system is connected to the internet
- several guests in a different subnetwork on it
- the host has the normal eth0 interface and a virtual tap0 one
- host can see and connect to both networks

Now the problem is:
- from outside I have several subdomains, test.example.com,
test2.example.com, pointing at the guest IP.

and based on the name I would like to redirect the incoming connection to
the corresponding guest.
iptables is supposed to handle -d hostname

(host is 10.0.0.160)

-A PREROUTING -p tcp -m tcp -d test.example.com -j DNAT --to-destination 10.0.1.2

... what's wrong with my approach? I didn't succeed in making it work.

Any Idea ?

Marc


-- 
Programmers.ch
Free and open-source solutions
Tel: ++41 76 44 888 72
Site: http://www.programmers.ch
Site: http://openprojects.ch



Re: [Vserver] Iptables NAT vservers

2006-03-13 Thread Sebastian Harl
Hi,

 iptables is supposed to handle -d hostname

 (host is 10.0.0.160)

 -A PREROUTING -p tcp -m tcp -d test.example.com -j DNAT --to-destination 10.0.1.2

 ... what's wrong with my approach? I didn't succeed in making it work.

iptables only supports IP-based routing. I guess the -d hostname switch
is only provided for convenience and will simply resolve the hostname to the
appropriate IP.

I don't think domain-name based routing is available at all...

Cheers,
Sebastian
-- 
Sebastian tokkee Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/





Re: [Vserver] Iptables NAT vservers

2006-03-13 Thread Marc Kalberer




.. it would explain why I didn't succeed ;-)

Do you think there is another way to redirect all incoming connections
to a particular machine based on the "connection name" rather than on the
port number, e.g.:
ssh mymachine.example.com




-- 
Programmers.ch
Free and open-source solutions
Tel: ++41 76 44 888 72
Site: http://www.programmers.ch
Site: http://openprojects.ch





Re: [Vserver] Iptables NAT vservers

2006-03-13 Thread Sebastian Harl
 .. it would explain why I didn't succeed ;-)

Indeed ;-)

 Do you think there is another way to redirect all incoming connections to
 a particular machine based on the "connection name" rather than on the port
 number, e.g.:
 ssh mymachine.example.com

No, I don't think so... TCP/IP does not carry any hostname information, so
routing would have to be done in the application layer protocol. HTTP, for
example, carries the hostname with it - that's why domain-based hosting is
available (and possible ;-) e.g. in Apache.

The "connection name" that you were referring to is the IP address...

Cheers,
Sebastian
-- 
Sebastian tokkee Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/





Re: [Vserver] Iptables NAT vservers

2006-03-13 Thread Joep Gommers
Well, for web and RADIUS you could use Squid as a reverse proxy. For SSH
you can set up different ports on the different IPs.

Or in some nasty way you could use snort to match on your hostname and
dynamically create the forward, and remove it when it's gone. But that's
just utter nonsense... nonetheless possible.

J-



Re: [Vserver] Iptables NAT vservers

2006-03-13 Thread Marc Kalberer




Thanks all for the answers,
I'll go on with a "per-service" dispatch.

...and yes, I think apache provides such a mechanism, but I wanted to do
it cleanly ;-)



-- 
Programmers.ch
Free and open-source solutions
Tel: ++41 76 44 888 72
Site: http://www.programmers.ch
Site: http://openprojects.ch





Re: [Vserver] iptables inside vserver client?

2006-01-11 Thread Stephan Mueller
Hi Michael,

Ah, I see. Thanks for your reply.


Cheers,

Steph.


[Vserver] iptables inside vserver client?

2006-01-10 Thread Stephan Mueller
Hi,

On the hosting page in the wiki the provider [vRoutix], Argentina
announces iptables support inside a vserver client, while I read on the
beginners FAQ page that the forward chain is not touched by packets
between the clients.

Which one is true? :) Do they use some sort of tap or tun devices?


Cheers and thanks,

Steph.


Re: [Vserver] iptables inside vserver client?

2006-01-10 Thread Michael S. Zick
Probably both are true.

Reading step three of the virtual tour does not say that the ip rules
are 'within' your virtual server.  Only that the rules that apply to
your virtual server can be controlled by a web interface (on the host
system), most likely.

That would be a fairly straightforward thing to do: just write
rule chain(s) for a particular IP address.  Constrain the web update
to do dynamic rules on the rule chain for a particular customer.

For instance, start with the dynamic rule handling of PSAD, be creative
with the chain naming, add a web interface, etc.

Mike


[Vserver] vserver iptables

2004-12-23 Thread Bastian Boday
Hello,
I'm new to the list.
I installed a vserver with kernel 2.6
(http://home.xnull.de/work/gentoo/vserver/guide/) on my gentoo server.
As the network interface I use an alias (eth1:0).

As a firewall I'm using shorewall:
eth0 -- Internet
eth1 is the card of my loc zone, 192.168.2.0/24
eth1:0 is the alias for the vserver, 192.168.50.50
From the vserver I can connect to eth0 but not to the internet. From my
local net everything works fine.

I know, I need something like this... ??

iptables -A INPUT  -i eth0 -d 192.168.2.50 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 192.168.2.50 -j ACCEPT

Any help would be appreciated.
Bast


Re: [Vserver] vserver iptables

2004-12-23 Thread Benedikt Böhm
On Thursday 23 December 2004 18:27, Bastian Boday wrote:
 from the vserver I can connect to eth0 but not to the internet. From my
 local net everything works fine.

You need to do SNAT in order to get your vservers connecting to the internet
when you're using different IPs on the root dev and the alias...

it looks like this:

/sbin/iptables -t nat -A POSTROUTING -s 192.168.50.0/255.255.255.0 -d ! 192.168.50.0/255.255.255.0 -j SNAT --to-source 192.168.2.x

(192.168.2.x should be the ip of eth1)

Bene

-- 
Benedikt Boehm - www.croup.de
[EMAIL PROTECTED] - GPG-ID: 0x32585A3D

If it moves, compile it. -- Gentoo




Re: [Vserver] Vserver Iptables

2004-04-28 Thread Alexander Denisov
On 27 April 2004 18:02, Herbert Poetzl wrote:
  Can I use iptables rules in a ctx?

 yes, there are two alternatives:

  - allow the vserver to modify _all_ iptables rules

Where can I read how to allow this?
Can I allow one vserver or all vservers?
Can I allow a vserver to modify one chain?

-- 
WBR Alexander V. Denisov
Digital Union
icq: 4616935


Re: [Vserver] Vserver Iptables

2004-04-27 Thread Herbert Poetzl
On Tue, Apr 27, 2004 at 11:52:52AM +0500, Alexander Denisov wrote:
 
 Hello
 
 Can I use iptables rules in a ctx?

yes, there are two alternatives:

 - allow the vserver to modify _all_ iptables rules
 - do not allow the vserver to modify _any_ rules

best,
Herbert



Re: [Vserver] iptables

2004-04-05 Thread Enrico Scholz
[EMAIL PROTECTED] (Gregory (Grisha) Trubetskoy) writes:

 Given that vserver won't allow you to use iptables, has anyone tried a
 solution where the iptables command is replaced by a stub command that
 talks to a daemon in context 0 to set up tables?

vserver-djinni[1] is such a daemon and it should be easy to write
rules for iptables management. This program requires libvserver
from the util-vserver alpha-branch.



Enrico

Footnotes:
[1] http://www.tu-chemnitz.de/~ensc/fedora.us-build/html/ar01s02.html#sec:components:vserver-djinni
    http://www.tu-chemnitz.de/~ensc/fedora.us-build/files/


Re: [Vserver] iptables

2004-04-04 Thread Herbert Poetzl
On Sat, Apr 03, 2004 at 10:58:01PM -0500, Gregory (Grisha) Trubetskoy wrote:
 
 Given that vserver won't allow you to use iptables, has anyone tried a
 solution where the iptables command is replaced by a stub command that
 talks to a daemon in context 0 to set up tables?

 It seems that you could create a chain (or two actually - input and
 output) for every vserver, and have a rule to jump to those chains based
 on the vserver ip. With some clever replacing of INPUT or OUTPUT with the name
 of the chains for those vservers it seems you could get an 80% functional
 iptables, probably enough to fool most firewall config tools (and most
 users). Since that chain is only accessed for that particular IP, there
 should be no way to cause any damage on the server.

while the basic idea sounds very good (it crossed my mind
some time ago), the devil is in the detail:

 - let's assume we have 'rules' to identify the target vserver
 - let's further assume we know from what server a packet is sent

this should allow us to traverse a vINPUT and vOUTPUT table
quite well, and it might even allow to do a vPREROUTING
or vPOSTROUTING, but it will also open the door for packet
mangling and S/DNAT, which is a security issue ...

other issues are with identifying the target vserver, because
what happens if two vservers share the same IP, but provide
different services on different ports ...
(but I guess this is a special case, just not handled here)

 I was going to try to write something like this, but wanted to check
 whether I might be reinventing the wheel here.

it might be interesting to join the (hopefully) upcoming
discussion about the next generation networking, maybe such
issues can be solved by some simple tricks ...

best,
Herbert

 Grisha
 ___
 Vserver mailing list
 [EMAIL PROTECTED]
 http://list.linux-vserver.org/mailman/listinfo/vserver
___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] iptables POM extras repository

2004-03-30 Thread Liam Helmer
On Tue, 2004-03-30 at 09:51, Dariush Pietrzak wrote:
   http://strongboxlinux.com/files/linux-2.4.25sbl1/
   
   vserver+POM+supermount+evfs+freeswan+a few other things
  
  Wow.  Super patchset!  For those of us slightly Linux challenged will a 
 yup, and broken systrace on top. Very clever.

I've been playing around with systrace, somewhat successfully. But, yes,
it should come with the warning that it's not entirely as secure as it
says it is. And, since the patch is split off, you don't need to apply
it.

  google search for supermount, evfs, and freeswan help explain what and 
  I wouldn't recommend freeswan for 2.4.25, it's not trivial to merge, and
 there already is openswan project that's in active development.

This is for compatibility with some older systems. Not trivial to merge?
I really didn't have much problem with it... mind you, I'm using a 2.0x
version.

As to the other stuff that's in there: evfs is an encrypted VFS level
filesystem. It patches in a set of utilities in /usr/src/linux/evfs, and
creates a binary, called efs, that you use for mounting partitions
(efs /source/dir /dest/dir).  There's a page on it, somewhere, at
hysteria.sk... although the guy who wrote it is no longer actively
maintaining it. I've got it on there because it's the only working VFS
level encryption scheme I've used for linux, so I've been playing with
it. The other semi-working one is part of the FIST project - but I've
never had it work reliably (i.e. across a reboot, which is pretty sad).

Supermount is a patch set to allow mounts on devices that don't exist
yet ;) Do a search on that for relevant information and code snippets.

Anyways, as usual, YMMV.

Also, be warned: ALWAYS recompile iptables if you're going to use a POM-enabled
netfilter in your kernel BEFORE you reboot the box - otherwise it will
cause many firewall rules to fail, and thus may stop you from being able
to get into the box!

Cheers,
Liam



[Vserver] iptables POM extras repository

2004-03-29 Thread Roderick A. Anderson
Has anyone applied the IPTables POM patches from the extras repository 
at netfilter.org?

I just started looking into it and like a couple of the modules.  Not sure
if they will work/function/work-with(in) a vserver especially TARPIT and
those that could be used for honey-potting.

Thoughts?


TIA,
Rod
-- 
Open Source Software - You usually get more than you pay for...
 Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL





Re: [Vserver] iptables POM extras repository

2004-03-29 Thread Roderick A. Anderson
On Mon, 29 Mar 2004, Liam Helmer wrote:

 Works no problem. You can use my patchset if you're running 2.4.25:

Thanks Liam.

 http://strongboxlinux.com/files/linux-2.4.25sbl1/
 
 vserver+POM+supermount+evfs+freeswan+a few other things

Wow.  Super patchset!  For those of us slightly Linux challenged, will a
google search for supermount, evfs, and freeswan help explain what and
how?

And if you're using Netfilter inside a vserver, could you explain
how, etc?


Rod
-- 
Open Source Software - You usually get more than you pay for...
 Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL




[Vserver] iptables

2004-03-25 Thread Gregory (Grisha) Trubetskoy

I know someone who has a virtuozzo-based hosting account, and it appears
that their latest version allows iptables/ipchains to work somehow.

Anyone know how it works, and is this something that might be possible
with VServer, perhaps in the future?

Grisha


Re: [Vserver] iptables

2004-03-25 Thread Alex Lyashkov
Current vserver - no.
Try FreeVPS - it allows using iptables inside a VPS.

-- 
Alex Lyashkov [EMAIL PROTECTED]
PSoft