Hello James!

> The configuration will have about 10 vserver clients running apache/php5
> talking to a mysql server. Each vserver client has a regular (routable) IP
> address, but each has the same MAC address as the hosting server. I would
> like to use IPTables to block the client vservers from talking to each other
> but since they all have the same MAC address, this becomes problematic.

Why should this become problematic? You want to filter IP addresses and not
MAC addresses, don't you?

> What is the current best practice for doing this?

Implement the netfilter rules on the carrier. Remember that inter vserver
connections won't use the FORWARD chain, simply use the INPUT and OUTPUT
chains (as you probably already did for filtering ingress and egress
traffic). Furthermore all packets will travel over the lo (loopback)
interface. tcpdump and the various netfilter log targets will be your
friends ;)

> I've read a bit about NGNET-Testing and a vnet patch from
> http://oldwiki.linux-vserver.org/NGNET-Testing-HOWTO but the code is dated.

I'm afraid I don't know what the state of the NGNET patch is...

> I tried setting up IPTables rules on the vserver host, this helps
> restrict traffic to the vserver clients but it doesn't block 'inter' vserver
> communication. I've read 'hints' about running iptables inside of the
> vserver client (but I haven't figured out how to implement this) and then
> drop net_admin capability once the rules are in place.

You don't have to enable any special capabilities for filtering on the
carrier.

regards,
Chris

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
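An added example, not part of Chris's reply or of the Linux-VServer project: a POSIX sh script that builds the carrier-side netfilter rules Chris describes, matching on the guests' IP addresses (not MAC) and hooking them into INPUT on the lo interface, since inter-guest traffic never traverses FORWARD. The guest addresses, the chain names VS_ISOLATE and VS_GUEST_SRC, and the log prefix are constructed for the example; IPT defaults to a dry run that prints the commands, so the script runs without root or iptables installed.

```sh
#!/bin/sh
# Added example (not from the mailing-list post): isolate vserver guests from
# each other on the host. Guest IPs and chain names are constructed placeholders.

# Dry run by default; run with IPT=iptables (as root) to apply the rules.
IPT=${IPT:-echo iptables}

# vs_isolation_rules IP... : emit rules that drop guest-to-guest packets.
# Two user chains keep the rule count linear in the number of guests:
# VS_ISOLATE selects packets addressed to a guest, VS_GUEST_SRC drops the
# subset that also originates from a guest.
vs_isolation_rules() {
    $IPT -N VS_ISOLATE
    $IPT -N VS_GUEST_SRC

    # A guest may still talk to its own address.
    for ip in "$@"; do
        $IPT -A VS_ISOLATE -s "$ip" -d "$ip" -j RETURN
    done

    # Packets destined for any guest are handed to the source check.
    for ip in "$@"; do
        $IPT -A VS_ISOLATE -d "$ip" -j VS_GUEST_SRC
    done

    # Packets from any other guest are logged (rate limited) and dropped.
    for ip in "$@"; do
        $IPT -A VS_GUEST_SRC -s "$ip" -m limit --limit 5/min -j LOG --log-prefix "vs-isolate: "
        $IPT -A VS_GUEST_SRC -s "$ip" -j DROP
    done

    # Inter-guest traffic arrives on lo and is seen in INPUT, not FORWARD.
    $IPT -I INPUT 1 -i lo -j VS_ISOLATE
}

# Constructed guest addresses (TEST-NET-1 range).
vs_isolation_rules 192.0.2.10 192.0.2.11 192.0.2.12
```

Because the DROP rules only match on guest source and destination addresses, the host's own 127.0.0.1 traffic is untouched. If a shared service such as the MySQL server lives on the carrier, it is reached via a non-guest address and passes through unaffected; if it lives inside one of the guests, add a RETURN rule for that port in VS_GUEST_SRC ahead of the DROPs. The LOG rule gives you the netfilter log output Chris mentions for confirming which packets are being dropped.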