> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Christian Affolter
> Sent: Thursday, May 24, 2007 9:18 AM
> To: vserver@list.linux-vserver.org
> Subject: Re: [Vserver] IPTables and limiting inter-vserver 
> communication
> 
> Hello James!
> 
> > The configuration will have about 10 vserver clients running
> > apache/php5 talking to a mysql server.  Each vserver client has a
> > regular (routable) IP address, but each has the same MAC address as
> > the hosting server.  I would like to use IPTables to block the client
> > vservers from talking to each other but since they all have the same
> > MAC address, this becomes problematic.
> Why should this become problematic? You want to filter IP
> addresses and not MAC addresses, don't you?
> 
> 
> > What is the current best practice for doing this?
> Implement the netfilter rules on the carrier. Remember that
> inter-vserver connections won't use the FORWARD chain; simply
> use the INPUT and OUTPUT chains (as you probably already did
> for filtering ingress and egress traffic). Furthermore, all
> packets will travel over the lo (loopback) interface.
> tcpdump and the various netfilter log targets will be your friends ;)
> 
> 
> > I've read a bit about NGNET-Testing and a vnet patch from
> > http://oldwiki.linux-vserver.org/NGNET-Testing-HOWTO but
> > the code is dated.
> I'm afraid I don't know what the state of the NGNET patch is...
> 
> 
> > I tried setting up IPTables rules on the vserver host; this helps
> > restrict traffic to the vserver clients but it doesn't block 'inter'
> > vserver communication.  I've read 'hints' about running iptables
> > inside of the vserver client (but I haven't figured out how to
> > implement this) and then dropping the net_admin capability once the
> > rules are in place.
> You don't have to enable any special capabilities for 
> filtering on the carrier.
> 

Hello everyone,

Thank you for your input, everyone.  My problem was I had a rule, very early
on, which allowed all communication over the loopback interface (I use ssh
over xterm to connect to my hosts/servers).  And as I'm sure you vserver
experts know, inter-vserver communications occur over the loopback
interface.  Once I moved my rule(s) to disable communication between vserver
clients above the loopback rule, everything worked as expected.

As a side note, I REALLY wish I understood the capabilities system better and
where they're configured for newer versions of vserver.  Hummm.. Someone
should write a tutorial on that =)


Thanks again!
--Jim

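Added example, not from the thread: a script that prints the carrier's INPUT rules in the order Christian describes (guest-to-MySQL ACCEPT, guest-to-guest DROP, and only then the blanket loopback ACCEPT) and a check, run over iptables-save style lines, that catches the ordering mistake Jim ran into. The guest and MySQL addresses are constructed; assume the host applies the printed rules as root.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed addresses: three guests and one
# MySQL guest on the same carrier; they share the host's stack, so guest-to-guest
# traffic crosses the lo interface and is seen in the carrier's INPUT chain.
GUESTS="192.0.2.11 192.0.2.12 192.0.2.13"   # assumed guest addresses
MYSQL="192.0.2.20"                           # assumed MySQL guest address

# Print the rules in the order they must be loaded: allow guest -> MySQL, drop every
# other guest -> guest packet, and only then the blanket lo ACCEPT (root: isolation_rules | sh).
isolation_rules() {
  for src in $GUESTS; do
    echo "iptables -A INPUT -i lo -s $src -d $MYSQL -p tcp --dport 3306 -j ACCEPT"
  done
  for src in $GUESTS; do
    for dst in $GUESTS; do
      [ "$src" = "$dst" ] && continue
      echo "iptables -A INPUT -i lo -s $src -d $dst -j DROP"
    done
  done
  echo "iptables -A INPUT -i lo -j ACCEPT"
}

# Read iptables-save style INPUT rules on stdin: exit 0 unless a blanket "-i lo ... ACCEPT"
# (no -s/-d) appears before a guest-to-guest DROP, which is the mistake from the thread.
check_order() {
  awk '
    /^-A INPUT .*-i lo .*-j ACCEPT$/ && !/ -s / && !/ -d / { if (!seen_accept) seen_accept = NR }
    /^-A INPUT .*-i lo .*-j DROP$/   &&  / -s / &&  / -d / { if (seen_accept) bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# Constructed rule sets: the broken order Jim describes, and the corrected one.
BROKEN_RULES="$(echo 'iptables -A INPUT -i lo -j ACCEPT'; isolation_rules)"
FIXED_RULES="$(isolation_rules)"

# Strip the leading "iptables " so the lines look like iptables-save output, then check.
verify() {
  printf '%s\n' "$1" | sed 's/^iptables //' | check_order
}
```

`verify "$FIXED_RULES"` succeeds and `verify "$BROKEN_RULES"` fails; the same check can be run on the live ruleset with `iptables-save | grep '^-A INPUT' | check_order`.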

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
