Hi Asier,

> Networking & firewall are not my strong points, so perhaps this could
> sound a silly question.

There are only silly answers...

> I've five linux VServers, each with its own _real_ IP address (not
> 192.168.x.y, 10.x, etc). Each one has its own services but I'd like to
> close access from outside to some ports, but allow full communication
> between the guests. The guests have valid IP addresses so I think
> [DS]NAT is not needed.

Communication between the guests never crosses the iptables rules, so you can safely use the toolset of your distro to block the ports from outside. If you want to do it by hand, there are a lot of rule builders out there, but for simply blocking ports this should be sufficient:

    iptables -I INPUT -p tcp --dport 3306 -j DROP

This will drop all connections to MySQL from outside. If you prefer a whitelist approach you can deny all incoming traffic by policy and only drill holes into the firewall where needed - but this is a bit of magic, as you can really ruin your day if you lock yourself out of the box :)

Oliver

--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Root certificate: http://www.ldv.ei.tum.de/page72
_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver
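As an added example (not part of Oliver's mail, nor code from the Linux-VServer project), here is the whitelist approach he describes written out as a POSIX shell script: the INPUT chain's default policy becomes DROP, and explicit ACCEPT rules drill holes for the other guests, for two public services, and for SSH from a single admin address. The guest addresses, the admin address and the port list are placeholder assumptions (TEST-NET ranges); replace them with your own. Listing the guest addresses explicitly keeps inter-guest traffic working whether or not it traverses INPUT on a given host. DRY_RUN=1 prints the rules instead of applying them, and arm_rollback is the safety net against locking yourself out: it reopens INPUT after a timeout unless you kill it once a fresh SSH login has proven the rules are sane.

```shell
#!/bin/sh
# Added example, not from the original mail: whitelist-style INPUT chain
# for a host running several vserver guests with public addresses.
# Every address and port below is a placeholder assumption.
GUESTS="192.0.2.10 192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14"  # the five guests (TEST-NET-1)
ADMIN_IP="198.51.100.7"      # only this address may reach sshd
PUBLIC_TCP="80 443"          # services open to the whole world
IPT=${IPT:-iptables}

# With DRY_RUN=1 the iptables commands are printed instead of executed,
# so the ruleset can be reviewed (or tested) without root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

build_input_whitelist() {
    # Keep the policy at ACCEPT while the chain is rebuilt: if the script
    # dies halfway, a half-built chain cannot lock us out.
    run -P INPUT ACCEPT
    run -F INPUT
    run -A INPUT -i lo -j ACCEPT
    # Replies to connections the host or the guests opened themselves.
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -s "$ADMIN_IP" -p tcp --dport 22 -j ACCEPT
    for g in $GUESTS; do
        run -A INPUT -s "$g" -j ACCEPT       # full guest-to-guest traffic
    done
    for p in $PUBLIC_TCP; do
        run -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    run -A INPUT -p icmp -j ACCEPT
    # Everything else (e.g. 3306/tcp) is now dropped by policy. This is the
    # last step so that every hole is in place before the door shuts.
    run -P INPUT DROP
}

# Lock-out safety net: unless the background job is killed, INPUT is
# reopened after N seconds. Arm it, apply the rules, open a *new* SSH
# session to confirm you still get in, then kill $ROLLBACK_PID.
arm_rollback() {
    ( sleep "${1:-120}" && "$IPT" -P INPUT ACCEPT && "$IPT" -F INPUT ) &
    ROLLBACK_PID=$!
}

case "${1:-}" in
    show)
        DRY_RUN=1
        build_input_whitelist
        ;;
    apply)
        arm_rollback 120
        build_input_whitelist
        echo "Rules applied; rollback fires in 120s unless you run: kill $ROLLBACK_PID"
        ;;
esac
```

Run it as `sh whitelist.sh show` to review the generated rules and `sh whitelist.sh apply` (as root) to install them. The order matters: the ESTABLISHED,RELATED rule must precede the DROP policy or your own SSH session's return packets die the moment the policy flips, and the policy change is deliberately the final command.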
