hello bruno,
thanks for the explanation, it helped in finding the right configuration
for shorewall. in short: i had to apply the filters to the $FW (local)
interface instead of dummy0 (eth0 or whatever interface your vserver is
using) and do the filtering for the ip addresses. i haven't tested it
with firehol.
Bruno wrote:
On Sunday 07 January 2007 18:13, oliver oli wrote:
i'm trying to restrict access from one vserver to another vserver
running on the same machine. one is running on dummy0, the other one on
dummy1. i tried firehol and shorewall, but it just doesn't work. it
seems that all firewall rules are just ignored. what's so special with
the vserver networking? does anyone have examples of how to set up working
iptables rules that prevent access from one vserver to another?
VServer just does IP-level isolation.
To filter with iptables, either specify lo as the interface or no interface at
all, but just the addresses of both guests.
The reason for this is that the kernel sees local traffic as going over lo, no
matter on which interface the IP addresses are assigned (it would be the same if
the IP addresses were on eth0 and eth1, or even on the same interface).
If I remember well, firehol by default allows ALL lo traffic... so getting the
filtering with firehol might be some more work (you need to disable the default
allow policy on lo and set up your own rules).
Bruno
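As an added illustration of Bruno's point (this is not a configuration from either poster), the script below emits raw iptables rules that isolate two guests by matching on lo plus the two guest addresses, never on dummy0 or dummy1. The guest addresses 192.0.2.10 and 192.0.2.20, the chain name VSERVER_ISOLATE and the APPLY switch are assumptions for the example.

```sh
#!/bin/sh
# Added example for this thread (not Bruno's or oliver's configuration).
# Assumed, constructed addresses: GUEST_A lives on dummy0, GUEST_B on dummy1.
# The rules match on "lo" and on the guest addresses, never on dummy0/dummy1,
# because the kernel carries host-local traffic over lo.

GUEST_A="${GUEST_A:-192.0.2.10}"
GUEST_B="${GUEST_B:-192.0.2.20}"
IPT="${IPT:-iptables}"
CHAIN="VSERVER_ISOLATE"   # assumed chain name

# Print the commands needed to block both directions between two guests.
# They go into a dedicated chain hooked from INPUT so they can be listed and
# flushed as a unit; each blocked packet is logged before it is dropped.
isolation_rules() {
    a="$1"; b="$2"
    printf '%s\n' \
        "$IPT -N $CHAIN" \
        "$IPT -A $CHAIN -i lo -s $a -d $b -j LOG --log-prefix \"vserver-isolate: \"" \
        "$IPT -A $CHAIN -i lo -s $a -d $b -j DROP" \
        "$IPT -A $CHAIN -i lo -s $b -d $a -j LOG --log-prefix \"vserver-isolate: \"" \
        "$IPT -A $CHAIN -i lo -s $b -d $a -j DROP" \
        "$IPT -I INPUT 1 -i lo -j $CHAIN"
}

# Read the output of "iptables -S INPUT" on stdin and return 0 when the jump
# into the isolation chain is present on lo, 1 otherwise.  Run this after
# applying the rules to confirm they sit where local traffic is actually seen.
isolation_hooked() {
    grep -q -- "-A INPUT -i lo -j $CHAIN"
}

# Apply the rules only when explicitly requested (APPLY=1); otherwise show them.
if [ "${APPLY:-0}" = "1" ]; then
    isolation_rules "$GUEST_A" "$GUEST_B" | sh -e
    "$IPT" -S INPUT | isolation_hooked && echo "isolation chain hooked on lo"
else
    isolation_rules "$GUEST_A" "$GUEST_B"
fi
```

Run it without arguments to review the generated rules; run it with APPLY=1 as root to install them and verify the hook. After that, `iptables -L VSERVER_ISOLATE -v -n` shows per-rule packet counters, so a ping from one guest to the other should increment the DROP counter while the kernel log carries the "vserver-isolate:" prefix.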
_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver