On 07/17/2011 01:13 AM, Todd And Margo Chester wrote:
On 07/16/2011 09:43 PM, Yasha Karant wrote:
How do you create the internal eth0 that does not use physical
hardware (assuming that eth1 is physical)?

From what you have supplied, my guess is to use the vboxnet virtual
802.3 adapter and MAC address created by VirtualBox, and then "clone"
that into eth0.5. I will try this approach on Monday.

Yasha
Hi Yasha,

eth0 and eth1 are physical (real) network adapters (I have two).
eth0.5 is the fake (VLAN) one. I attach my VM to eth0.5 in
VirtualBox bridge mode. (VBox cannot tell my adapters apart.)

Eventually, my plan is to drop VirtualBox for KVM.

-T

On 07/17/2011 09:31 AM, Yasha Karant wrote:
Hi Todd,

That is the fundamental difference: I have one physical 802.3 NIC and evidently I cannot allow it to share a MAC address with a virtual NIC using the campus LAN (that is, two different NICs with the same MAC address) unless I go out of my way to be certain that the virtual NIC is fully hidden from the campus LAN (including ARP and any other routing).

In the VLAN's ifcfg, just leave off the MAC address?  Or make one up?

I use iptables to set up what goes where.  I use the "Everything is illegal,
except those things I specifically tell iptables are legal" method. See below.


I am going to attempt to use the virtual NIC created by VirtualBox, vboxnet, as the subject of further virtualization (e.g., vboxnet0.5). I know from experience that the activation of vboxnet does not cause any issues with the LAN at my campus.


Both VMware and VirtualBox are professionally supported and maintained,

Uh oh.  I have spent hours and hours trying to get support from Oracle
on VirtualBox.  It does not exist, and the word I finally got back was
"there will probably never be a pricing schedule". Be careful with VirtualBox:
it is still a bit of a toy.

-T


################   Now for the Firewall   #################


# $tbls and $VlanNic are set earlier in the full script; the two
# definitions below are an assumption added so this excerpt runs on its own.
tbls=/sbin/iptables
VlanNic=eth0.5

#
# Flush out whatever rules are currently set:
#
$tbls -F INPUT
$tbls -F OUTPUT
$tbls -F FORWARD

# Delete all chains that are not in default filter and nat table
$tbls --table nat --flush
$tbls --table nat --delete-chain


# Create and flush chain for eth1
$tbls -N dsl-in
$tbls -N dsl-out
$tbls -N dsl-for

$tbls -F dsl-in
$tbls -F dsl-out
$tbls -F dsl-for


# Create and flush chain for eth0.5
$tbls -N Vlan-in
$tbls -N Vlan-out
$tbls -N Vlan-for

$tbls -F Vlan-in
$tbls -F Vlan-out
$tbls -F Vlan-for


# Start by setting all policies to deny all network access:
#
$tbls -P INPUT   DROP
$tbls -P OUTPUT  DROP
$tbls -P FORWARD DROP


# Set rules for dsl chain and allow access
$tbls -A INPUT   -i eth1 -j dsl-in
$tbls -A OUTPUT  -o eth1 -j dsl-out
$tbls -A FORWARD -i eth1 -j dsl-for

$tbls -A dsl-in   -j DROP
$tbls -A dsl-out  -j DROP
$tbls -A dsl-for  -j DROP

# Set rules for Vlan chain ($VlanNic is eth0.5)
$tbls -A INPUT   -i $VlanNic -j Vlan-in
$tbls -A OUTPUT  -o $VlanNic -j Vlan-out
$tbls -A FORWARD -i $VlanNic -j Vlan-for

$tbls -A Vlan-in   -j DROP
$tbls -A Vlan-out  -j DROP
$tbls -A Vlan-for  -j DROP


# Allow my local interface to work
$tbls  -A INPUT   -i lo  -j ACCEPT
$tbls  -A OUTPUT  -o lo  -j ACCEPT
$tbls  -A FORWARD -i lo  -j ACCEPT
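The posted script appends an unconditional -j DROP to each per-interface chain; because -A appends, any rule later appended to that chain with -A is never evaluated. The POSIX shell check below is added here and is not part of the thread: it scans iptables-save style output for rules shadowed by an earlier bare terminal target in the same chain. The listing it runs on is a constructed sample modelled on the posted layout, not the poster's live ruleset.

```shell
#!/bin/sh
# Constructed iptables-save style listing (not the poster's live ruleset).
# It mirrors the thread's layout, then appends one ACCEPT after the DROP in
# dsl-in, which is exactly the kind of rule that can never match.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:FORWARD DROP [0:0]
:dsl-in - [0:0]
:Vlan-in - [0:0]
-A INPUT -i eth1 -j dsl-in
-A INPUT -i eth0.5 -j Vlan-in
-A INPUT -i lo -j ACCEPT
-A dsl-in -j DROP
-A dsl-in -p tcp --dport 22 -j ACCEPT
-A Vlan-in -p tcp --dport 80 -j ACCEPT
-A Vlan-in -j DROP
COMMIT'

# Reads iptables-save output on stdin and prints "chain<TAB>rule" for every
# rule that follows an unconditional terminal rule in the same chain.
# Only a bare "-A <chain> -j DROP|ACCEPT|REJECT" (no match options) counts
# as terminal, so a rule with a match such as --dport is never treated as one.
find_shadowed_rules() {
    awk '
        /^-A / {
            chain = $2
            if (dead[chain]) { print chain "\t" $0; next }
            if (NF == 4 && $3 == "-j" &&
                ($4 == "DROP" || $4 == "ACCEPT" || $4 == "REJECT"))
                dead[chain] = 1
        }
    '
}

# Number of shadowed rules in the constructed sample (expected: 1, in dsl-in).
shadowed_count() {
    printf '%s\n' "$SAMPLE_RULES" | find_shadowed_rules | wc -l | tr -d ' '
}
```

On a live host, `iptables-save | find_shadowed_rules` audits the real ruleset the same way.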
