On Wed, Dec 18, 2002 at 12:56:19AM +0000, Paul Sladen wrote:
> On Tue, 17 Dec 2002, Roderick A. Anderson wrote:
> 
> Hi Rod,
> 
> > I'd like to try and get this straight in my head - poor container that it 
> >
> > Ipchains do not work from in vservers.
> 
> Ipchains won't work from the main server either, we're using
> netfilter/iptables now since 2.4...

hmm, in this case, what is the option
        CONFIG_IP_NF_COMPAT_IPCHAINS=m
for? (taken from linux-2.4.20 *G*)

> Filtering is a kernel/system feature and therefore is prevented from access
> within a vserver; set it up in your host server...
> 
> > If so then how do I control on a vserver by vserver the IPs and ports
> > that respond (or don't respond?)
> 
> !?
> 
> Which daemons you start on which ports will dictate which respond...

unbound port (per IP) will not respond, bound will ...

> >    In my situation I have total control over what is running in each
> > vserver but it varies for each vserver and may vary for each box I run
> > Vserver on.
> 
> That probably helps, not having control over your own machines would
> probably leave you a bit stuck...
> 
> > My concern/confusion is if I do the right thing and shut out everything
> > except ssh on the main server how will a vserver run a web-server, dns
> > server, or mail server only.
> 
> Presumably you would only filter out traffic destined for the host-servers
> IP address, although if you're not running anything except NTP and SSH on
> that IP there's not really much to filter out anyway.

it is also advantageous to use two separate NICs,
one for the physical/management net and another one
for the virtual server IPs ... (again your mileage
may vary)

HAND (Hard Acronym Not Done *smile*)
Herbert

> HTH, HAND,
>       -Paul
> -- 
> Nottingham, GB
> 
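A host-side filter along the lines Paul describes, as an added example that is not from this thread or the vserver project: every rule matches on the host's own address, so packets aimed at the vserver IPs never touch it and only ssh and ntp reach the host. The address 192.0.2.10 is a constructed sample, and a 2.4 netfilter host with `iptables-restore` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): host-side netfilter rules that lock down
# only the host's own management IP (ssh + ntp), leaving vserver IPs untouched.
# The host address is passed in as $1; 192.0.2.10 below is a constructed sample.

# Emit an iptables-restore fragment for the host IP given as $1.
# Every rule carries "-d $host", so traffic to vserver addresses never matches
# and the chain policy stays ACCEPT for them.
host_filter_rules() {
    host="$1"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-established flows to the host address
-A INPUT -d $host -i lo -j ACCEPT
-A INPUT -d $host -m state --state ESTABLISHED,RELATED -j ACCEPT
# the only services the host itself offers: ssh and ntp
-A INPUT -d $host -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -d $host -p udp --dport 123 -j ACCEPT
# everything else aimed at the host address is logged (rate limited) and dropped
-A INPUT -d $host -m limit --limit 5/min -j LOG --log-prefix "host-ip drop: "
-A INPUT -d $host -j DROP
COMMIT
EOF
}

# Sanity check before loading: how many INPUT rules are scoped to the host IP.
count_host_scoped_rules() {
    host_filter_rules "$1" | grep -c -- "-A INPUT -d $1 "
}

# Load the rules (needs root); with DRY_RUN=1 only print the fragment.
apply_host_filter() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        host_filter_rules "$1"
    else
        host_filter_rules "$1" | iptables-restore
    fi
}

# Usage: DRY_RUN=1 sh host-filter.sh 192.0.2.10   (review), then without DRY_RUN to load.
[ -n "$1" ] && apply_host_filter "$1"
```

Because the chain policies stay ACCEPT, the vserver IPs are untouched; a per-vserver ruleset would be added on the host the same way, keyed on each vserver's address.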
