On Wednesday 14 February 2007 17:17:39 Oliver Welter wrote:
> Hi Asier,
>
> > Networking & firewall are not my strong points, so perhaps this could
> > sound a silly question.
>
> There are only silly answers...
>
> > I've five linux VServers, each with its own _real_ IP address (not
> > 192.168.x.y, 10.x, etc). Each one has its own services but I'd like to
> > close access from outside to some ports, but allow full communication
> > between the guests. The guests have valid IP addresses so I think
> > [DS]NAT is not needed.
>
> Communication between the guests never crosses the iptables rules, so
> you can safely use the toolset of your distro to block the ports from
> outside. If you want to do it by hand, there are a lot of rulebuilders
> out there, but for simply blocking ports this should be sufficient:

Sorry Oliver, but local traffic DOES cross iptables (INPUT and OUTPUT rules, not sure about pre/post-routing), but crossing is done with interface 'lo' instead of 'eth*' or whatever other interface. When setting up your iptables rules keep this in mind, and where it makes sense, specify the interface on which you check. It might be a good idea to do interface/network checks in the root chains (INPUT, OUTPUT chains) and do the real filtering in subchains. Usually the first step is to permit everything to/from lo, then selectively allow on other interfaces and finally have a drop/reject default policy.

> iptables -I INPUT -p tcp --dport 3306 -j DROP
>
> Will drop all connections to mysql from outside. If you prefer a
> whitelist approach you can deny all incoming traffic by policy and only
> drill holes into the Firewall where needed - but this is a bit of magic
> as you can really ruin your day if you lock yourself out of the box :)

This would also block mysql between guests (only inside the guest itself you could connect to mysql using the unix socket).

> Oliver

Bruno

_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver
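A whitelist rule set in the order described above (permit lo first, then selective accepts, then a DROP policy), added here as an example and not taken from the thread; the guest addresses and port lists are constructed placeholders, and the script only prints the rules unless called with --apply.

```shell
#!/bin/sh
# Host-side INPUT rules for a VServer box. Constructed example: the guest
# addresses come from the 192.0.2.0/24 documentation range, not real hosts.
GUESTS="192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14 192.0.2.15"
PUBLIC_TCP="22 80 443"     # services reachable from anywhere
GUEST_ONLY_TCP="3306"      # services reachable only from the guests

# Emit the rules instead of applying them, so they can be reviewed first.
rule_set() {
    echo "iptables -F INPUT"
    # Loopback first: traffic between guests on this host arrives on lo with
    # the guests' real addresses, so a bare '--dport 3306 -j DROP' placed
    # before this rule would also cut mysql between the guests.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $PUBLIC_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Guest-only services: accept only from the guests' own addresses. This
    # matters if a guest is later moved to another host and no longer uses lo.
    for p in $GUEST_ONLY_TCP; do
        for g in $GUESTS; do
            echo "iptables -A INPUT -p tcp -s $g --dport $p -j ACCEPT"
        done
    done
    # Everything else falls through to the policy; log it so lockouts and
    # missing holes show up in the kernel log instead of silently timing out.
    echo "iptables -A INPUT -j LOG --log-prefix 'INPUT drop: '"
    # Policies last, so the ESTABLISHED rule is already in place and an
    # existing ssh session survives the switch to DROP.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
}

# Number of generated commands, for a quick sanity check before applying.
rule_count() { rule_set | wc -l | tr -d ' '; }

case "${1:-}" in
    --apply) rule_set | sh ;;   # run as root, only after reviewing the output
    *)       rule_set ;;
esac
```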
