On Mon, Jul 13, 2009 at 09:23:13PM +0700, Sthu Deus wrote:
> Good day.
>
> I want to make a well closed machine running vservers - that is I want to make
> such a forwarding that any communications will be off the machine (for the
> security reasons)

Unplugging the network connection is the best way to achieve that.

> - but only affecting those in vserver. ?
> Thus far I have on real machine:
>
> *filter

Which firewall script are you using? There are some, like shorewall ...

> My problem is: when I set INPUT/OUTPUT policies to DROP then I can not get a
> web page from 192.168.1.1 requesting from eth0.

The related packages are probably dropped, as you have set. But without more
detailed information, I can only guess.

> But it works only when those chains are set to ACCEPT. Why is it
> so?!

It's probably because input and output are being accepted instead of dropped.

> - IMHO all the forward should not
> apply to the routing machine - that are INPUT, OUTPUT on real machine. Or I
> miss something?

Don't you need to assign a network card --- or at least an IP address --- to
each of the different OSs you're running on the same computer before you can
apply firewall rules to them?

If you want to keep network traffic from reaching the different OSs running on
the same computer, then don't assign network cards/IPs to them.

If you want to set up a firewall from scratch, one way of doing it is to drop
all network traffic and then to make rules which only allow traffic for those
combinations of IPs, ports and protocols you want to allow traffic for.
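As an added illustration of the default-deny approach described in the last paragraph (example script, not from the thread or from either poster): default DROP policies on the host, with the host still able to fetch a web page from 192.168.1.1 over eth0 because replies to its own connections are accepted. Linux-VServer guests share the host's network stack, so their packets pass the host's INPUT/OUTPUT chains rather than FORWARD; the guest address range GUEST_NET is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example: minimal default-deny ruleset for the host in the thread.
# IPT=echo previews the commands instead of applying them (needs root otherwise).
IPT="${IPT:-iptables}"
LAN_IF="eth0"               # interface named in the original post
WEB_HOST="192.168.1.1"      # web server named in the original post
GUEST_NET="192.168.1.128/25"  # ASSUMED range of the vserver guest IPs (placeholder)

firewall_rules() {
    # Start from an empty filter table
    $IPT -F
    $IPT -X
    # Default-deny on the host itself, as the reply suggests
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback is needed by almost everything local
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Guests share the host stack: their packets hit OUTPUT/INPUT here, not
    # FORWARD, so drop anything to or from the guest addresses first
    $IPT -A OUTPUT -s "$GUEST_NET" -j DROP
    $IPT -A INPUT  -d "$GUEST_NET" -j DROP
    # Accept replies to connections the host opened.  Without this the web
    # server's answer is dropped by the INPUT policy even though the
    # request left the machine, which is the symptom in the original post.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The one outbound service the host may initiate: HTTP to the LAN web server
    $IPT -A OUTPUT -o "$LAN_IF" -p tcp -d "$WEB_HOST" --dport 80 \
         -m conntrack --ctstate NEW -j ACCEPT
}
```

Run as `IPT=echo sh script.sh` after adding a `firewall_rules` call at the bottom to review the rule list before applying it for real.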