Re: [Vserver] Routing in VServers

2007-02-15 Thread Baltasar Cevc



On 15.02.2007, at 08:30, Asier Baranguán wrote:


Herbert Poetzl wrote:


http://www.faqs.org/docs/iptables/traversingoftables.html
note, in recent kernels the local tables can be selected
independently IIRC ...


Hmm... one question not directly related to this.

My guests work with 'eth0' interface but I've seen in some mails from 
the list that people make their guests work with the dummy0 interface.


¿What's the advantage of using it? I can't see the point :-?


I'd say there is no technical advantage - I sometimes do that if I want 
to have public and private IP addresses separated (I use eth0 for 
public ones and dummy0 for private ones). The communication is taking 
place on 'lo' anyway; traffic going to the outside world will be routed 
as usual by the host. So even with my dummy0 setup, I have to set up 
SNAT/masquerading for connections to the outside world.


As far as I can see some people (that was what I thought at the 
beginning, too) don't want to have the guest-to-guest traffic on eth0 
and use dummy. This is, of course, pointless, as the kernel takes care 
of that and has all that traffic on lo.


Hope that answers your question.

Baltasar

((( Baltasar Cevc


) World wide web:
  # http://www.openairkino.net/ (a project for the local youth; German only)

  # http://technik.juz-kirchheim.de/ (programming and admin projects)
  # http://baltasar.cevc-topp.de/ (private homepage)
) Phone:
  +49 178 691 22 33
)

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] Routing in VServers

2007-02-15 Thread GarconDuMonde


Asier Baranguán wrote:
> Herbert Poetzl wrote:
> 
>> http://www.faqs.org/docs/iptables/traversingoftables.html
>>
>> note, in recent kernels the local tables can be selected
>> independently IIRC ...
> 
> Hmm... one question not directly related to this.
> 
> My guests work with 'eth0' interface but I've seen in some mails from
> the list that people make their guests work with the dummy0 interface.
> 
> ¿What's the advantage of using it? I can't see the point :-?

For me, it means that I can have 'internal' vservers that are protected from
outside attack, but are still accessible for use by my other vservers - e.g. I
have a mysql vserver on an internal dummy interface, and also a development
vserver like this. Another advantage is that I can set stuff up that would
normally require localhost (e.g. apache status monitoring) on the internal dummy
interface so that I can see it, but again it is not accessible by the world.

--gdm

--

http://docs.indymedia.org/view/Main/GarconDuMonde
gpg --keyserver pgp.mit.edu --recv-keys 594B97C2
Key fingerprint = 7B70 F22D F275 D111 3A04  F9EE 0E25 4944 594B 97C2



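The internal-only layout gdm describes above, written out as an added example for this page. It is not a script from the thread or from the Linux-VServer project, and every concrete value in it is an assumption: the internal range 10.10.0.0/24, the host's own address 10.10.0.1 on dummy0, and eth0 as the external interface. It also adds the check the message leaves implicit: Linux delivers a packet addressed to any local address whatever interface it arrived on, so the dummy0 addresses are only "not accessible by the world" once packets for that range arriving on anything but lo are dropped. The script prints the commands by default; APPLY=1 executes them (root, netfilter and the dummy driver required).

```shell
#!/bin/sh
# Added example, not from the thread: an internal-only network on a dummy
# interface for guests that should be reachable from the host and from the
# other guests on the same box, but not from outside.
# Dry-run by default (prints the commands); APPLY=1 executes them.
# Assumptions (not from the thread): internal range 10.10.0.0/24, host address
# 10.10.0.1 on dummy0, external interface eth0.  The guests' own addresses in
# the range are set in their interface configuration and are not shown here.

INT_IF=${INT_IF:-dummy0}
INT_NET=${INT_NET:-10.10.0.0/24}
HOST_INT_ADDR=${HOST_INT_ADDR:-10.10.0.1/24}
EXT_IF=${EXT_IF:-eth0}

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

internal_net_setup() {
    # The dummy driver provides a link that is always up and has no wire behind it.
    run modprobe dummy
    run ip link set "$INT_IF" up
    run ip addr add "$HOST_INT_ADDR" dev "$INT_IF"

    # Guest-to-guest packets for this range never leave the box: they go over lo,
    # so lo is accepted before anything else in INPUT.
    run iptables -I INPUT 1 -i lo -j ACCEPT

    # Linux accepts a packet for any local address on any interface (weak host
    # model), so a neighbour on the eth0 segment could still reach 10.10.0.x by
    # sending it to the host's MAC.  Drop internal-range traffic that did not
    # arrive on lo, in both directions: an internal address must never be seen
    # as a source on the wire either.
    run iptables -I INPUT 2 ! -i lo -d "$INT_NET" -j DROP
    run iptables -I INPUT 3 ! -i lo -s "$INT_NET" -j DROP

    # Never route anything into or out of the range on behalf of a third party.
    # (Guest traffic itself is local and does not pass FORWARD at all.)
    run iptables -I FORWARD 1 -d "$INT_NET" -j DROP
    run iptables -I FORWARD 2 -s "$INT_NET" -j DROP
}

# Optional, only if an internal guest must reach the outside itself: private
# addresses still need SNAT on the way out.
internal_net_snat() {
    # Replies come back de-NATed with a 10.10.0.x destination before INPUT
    # sees them, so let conntrack admit them ahead of the drop rule above.
    run iptables -I INPUT 2 ! -i lo -d "$INT_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE
}

internal_net_setup
```

Run it once without APPLY to read the rules it would install, then with APPLY=1 on the host. Call internal_net_snat afterwards only for ranges whose guests really need outbound access; for a database or development guest of the kind gdm describes it is not needed, and leaving it out keeps the range unroutable in both directions.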


Re: [Vserver] Routing in VServers

2007-02-15 Thread Asier Baranguán

Herbert Poetzl wrote:


http://www.faqs.org/docs/iptables/traversingoftables.html

note, in recent kernels the local tables can be selected
independently IIRC ...


Hmm... one question not directly related to this.

My guests work with 'eth0' interface but I've seen in some mails from the list that people 
make their guests work with the dummy0 interface.


¿What's the advantage of using it? I can't see the point :-?

Thanks




Re: [Vserver] Routing in VServers

2007-02-15 Thread Asier Baranguán

Christian Affolter wrote:


Could someone point me to some URL or doc?

I think this tutorial should be helpful to you:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html


Thanks! It's a very big document (>200 pages), so I'll take a look step by step :)



Re: [Vserver] Routing in VServers

2007-02-14 Thread Oliver Welter
Hi Bruno,

> Sorry Oliver, but local traffic DOES cross iptables (INPUT and OUTPUT rules, 
> not sure about pre/post-routing), but crossing is done with interface 'lo' 
> instead of 'eth*' or whatever other interface.

sorry, you are totally right - fingers were faster than neurons :(

Oliver

-- 
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Basiszertifikat: http://www.ldv.ei.tum.de/page72


Re: [Vserver] Routing in VServers

2007-02-14 Thread Herbert Poetzl
On Wed, Feb 14, 2007 at 05:17:39PM +0100, Oliver Welter wrote:
> Hi Asier,
> 
> > Networking & firewall are not my strong points, so perhaps this could
> > sound a silly question.
> 
> There are only silly answers...
> 
> > I've five linux VServers, each with its own _real_ IP address (not
> > 192.168.x.y, 10.x, etc). Each one has its own services but I'd like to
> > close access from outside to some ports, but allow full communication
> > between the guests. The guests have valid IP addresses so I think
> > [DS]NAT is not needed.
> 
> Communication between the guests never crosses the iptables rules, 
> so you can safely use the toolset of your distro to block the ports
> from outside. 

ahem, wrong!

traffic between guests and traffic between guest and host
is handled as local traffic, and passes all the chains
appropriate for local traffic, which, and that is probably
what you meant, does _not_ include the FORWARD chains ...

> If you want to do it by hand, there are a lot of rule builders
> out there, but for simply blocking ports this should be sufficient:
> 
> iptables -I INPUT -p tcp --dport 3306 -j DROP

http://www.faqs.org/docs/iptables/traversingoftables.html

note, in recent kernels the local tables can be selected
independently IIRC ...

HTC,
Herbert

> Will drop all connections to mysql from outside. If you prefer a
> whitelist approach you can deny all incoming traffic by policy and only
> drill holes into the firewall where needed - but this is a bit of magic
> as you can really ruin your day if you lock yourself out of the box :)
> 
> Oliver
> -- 
> This message was digitally signed
> oliwel's public key: http://www.oliwel.de/oliwel.crt
> Basiszertifikat: http://www.ldv.ei.tum.de/page72






Re: [Vserver] Routing in VServers

2007-02-14 Thread Bruno
On Wednesday 14 February 2007 17:17:39 Oliver Welter wrote:
> Hi Asier,
>
> > Networking & firewall are not my strong points, so perhaps this could
> > sound a silly question.
>
> There are only silly answers...
>
> > I've five linux VServers, each with its own _real_ IP address (not
> > 192.168.x.y, 10.x, etc). Each one has its own services but I'd like to
> > close access from outside to some ports, but allow full communication
> > between the guests. The guests have valid IP addresses so I think
> > [DS]NAT is not needed.
>
> Communication between the guests never crosses the iptables rules, so
> you can safely use the toolset of your distro to block the ports from
> outside. If you want to do it by hand, there are a lot of rule builders
> out there, but for simply blocking ports this should be sufficient:

Sorry Oliver, but local traffic DOES cross iptables (INPUT and OUTPUT rules, 
not sure about pre/post-routing), but crossing is done with interface 'lo' 
instead of 'eth*' or whatever other interface.

When setting up your iptables rules keep this in mind, and where it makes 
sense, specify the interface on which you check.

It might be a good idea to do interface/network checks in the root chains 
(INPUT, OUTPUT chains) and do the real filtering in subchains.

Usually the first step is to permit everything to/from lo, then selectively 
allow on other interfaces and finally have a drop/reject default policy.

> iptables -I INPUT -p tcp --dport 3306 -j DROP
>
> Will drop all connections to mysql from outside. If you prefer a
> whitelist approach you can deny all incoming traffic by policy and only
> drill holes into the firewall where needed - but this is a bit of magic
> as you can really ruin your day if you lock yourself out of the box :)
>
This would also block mysql between guests (only inside the guest itself you 
could connect to mysql using the unix socket).

> Oliver

Bruno


Re: [Vserver] Routing in VServers

2007-02-14 Thread harry

Heya,

I don't think this is what you're looking for, but I put my firewalling 
and routing scripts (pre-start and post-stop) online:

http://people.linux-vserver.org/~harry/scripts/

Hope you find some use in it...

greetz,

Asier Baranguán wrote:

Hi all!

Networking & firewall are not my strong points, so perhaps this could 
sound a silly question.


I've five linux VServers, each with its own _real_ IP address (not 
192.168.x.y, 10.x, etc). Each one has its own services but I'd like to 
close access from outside to some ports, but allow full communication 
between the guests. The guests have valid IP addresses so I think 
[DS]NAT is not needed.


I've read that this must be done in the host, but I'm lost because my 
knowledge about iptables is nearly zero.


Could someone point me to some URL or doc?

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://people.linux-vserver.org/~harry

thinking always leads to conclusions... and those can be extremely dangerous
-- me ;)

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] Routing in VServers

2007-02-14 Thread Christian Affolter

Hi!

I've five linux VServers, each with its own _real_ IP address (not 
192.168.x.y, 10.x, etc). 

Those are real too ;) Just not supposed to be routed on the public Internet.

Each one has its own services but I'd like to 
close access from outside to some ports, but allow full communication 
between the guests. The guests have valid IP addresses so I think 
[DS]NAT is not needed.
No, there's no need for NAT'ing if you have assigned public IP addresses 
to your vservers.


I've read that this must be done in the host, but I'm lost because my 
knowledge about iptables is nearly zero.
Yes, you need to specify your iptables rules on the host. There's 
nothing special with vserver-enabled kernels and iptables. It works the 
same way as on vanilla kernels.
The only thing you'll need to keep in mind, is that your vservers (on 
the same host) will communicate over the loopback ('lo') interface. 
However as you don't want to filter traffic between local vservers, this 
won't be an issue to you.



Could someone point me to some URL or doc?

I think this tutorial should be helpful to you:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Hope this helps
Chris


Re: [Vserver] Routing in VServers

2007-02-14 Thread Oliver Welter
Hi Asier,

> Networking & firewall are not my strong points, so perhaps this could
> sound a silly question.

There are only silly answers...

> I've five linux VServers, each with its own _real_ IP address (not
> 192.168.x.y, 10.x, etc). Each one has its own services but I'd like to
> close access from outside to some ports, but allow full communication
> between the guests. The guests have valid IP addresses so I think
> [DS]NAT is not needed.

Communication between the guests never crosses the iptables rules, so
you can safely use the toolset of your distro to block the ports from
outside. If you want to do it by hand, there are a lot of rule builders
out there, but for simply blocking ports this should be sufficient:

iptables -I INPUT -p tcp --dport 3306 -j DROP

Will drop all connections to mysql from outside. If you prefer a
whitelist approach you can deny all incoming traffic by policy and only
drill holes into the firewall where needed - but this is a bit of magic
as you can really ruin your day if you lock yourself out of the box :)

Oliver
-- 
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Basiszertifikat: http://www.ldv.ei.tum.de/page72


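Oliver's one-liner here and Bruno's correction above (guest-to-guest and guest-to-host traffic does pass INPUT and OUTPUT, on lo; accept lo first, check the interface in the root chain, filter in a subchain, then set a drop policy) combined into one host-side ruleset, as an added example written for this page. It is not a script from the thread or from the Linux-VServer project. Assumptions: eth0 is the external interface, TCP 22/80/443 are the only ports open to the world, and 3306 is left closed on the wire so that mysql stays reachable between guests over lo, which a bare `-I INPUT -p tcp --dport 3306 -j DROP` would break. The script prints the commands by default; APPLY=1 executes them (root and a netfilter-enabled kernel required).

```shell
#!/bin/sh
# Added example, not from the thread: host-side INPUT layout for a Linux-VServer
# host whose guests carry public addresses on eth0.  Local traffic (guest<->guest,
# guest<->host) arrives on lo, so lo is accepted first; everything that arrives
# on the wire is dispatched to a per-interface subchain where the real filtering
# happens.  Dry-run by default (prints the commands); APPLY=1 executes them.
# Assumptions (not from the thread): external interface eth0, TCP 22/80/443
# reachable from anywhere, everything else (3306 included) only over lo.

EXT_IF=${EXT_IF:-eth0}
PUBLIC_TCP_PORTS=${PUBLIC_TCP_PORTS:-"22 80 443"}

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

host_rules() {
    # Start permissive and flush, so a re-run never leaves a half-built chain
    # behind a DROP policy (the lock-out Oliver warns about).
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    ipt -N ext_in 2>/dev/null || true
    ipt -F ext_in

    # 1. Local traffic: guests talk to each other and to the host over lo.
    #    This is why a bare "--dport 3306 -j DROP" in INPUT would also cut
    #    guest-to-guest mysql: it would match on lo as well.
    ipt -A INPUT -i lo -j ACCEPT

    # 2. Interface check in the root chain, real filtering in the subchain.
    ipt -A INPUT -i "$EXT_IF" -j ext_in

    # 3. External subchain: replies to connections we opened, ICMP, then the
    #    explicit holes.  3306 is deliberately absent: it is dropped from the
    #    wire but still reachable guest-to-guest because lo was accepted in 1.
    ipt -A ext_in -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A ext_in -p icmp -j ACCEPT
    for port in $PUBLIC_TCP_PORTS; do
        ipt -A ext_in -p tcp --dport "$port" -j ACCEPT
    done
    ipt -A ext_in -j DROP

    # 4. Only now flip the default; the SSH hole above is already in place,
    #    and anything on an interface we did not dispatch falls to DROP too.
    ipt -P INPUT DROP
}

host_rules
```

Read the dry-run output before applying, and apply from the console rather than over SSH the first time. Traffic the guests originate still passes OUTPUT unfiltered here, and nothing on this host passes FORWARD, which matches Herbert's note that local traffic never sees the FORWARD chain.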


[Vserver] Routing in VServers

2007-02-14 Thread Asier Baranguán

Hi all!

Networking & firewall are not my strong points, so perhaps this could sound a 
silly question.

I've five linux VServers, each with its own _real_ IP address (not 192.168.x.y, 10.x, 
etc). Each one has its own services but I'd like to close access from outside to some 
ports, but allow full communication between the guests. The guests have valid IP addresses 
so I think [DS]NAT is not needed.


I've read that this must be done in the host, but I'm lost because my knowledge about 
iptables is nearly zero.


Could someone point me to some URL or doc?

(kernel 2.6.8 with VServer 1.9)

Thanks!
