Vserver networking: making it forward-only.
Good day.
I want to build a well-closed machine running vservers, that is, I want to set up
forwarding such that all communications are kept off the machine (for security
reasons), but only affecting those in the vserver.
Thus far I have this on the real machine:
*filter
:INPUT ACCEPT
:FORWARD DROP
:OUTPUT ACCEPT
# stateful accept for forwarded flows ("-m --state" was a typo for "-m state --state")
-A FORWARD -p tcp -m tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# only new web connections arriving on eth0 may be forwarded to the vserver
-A FORWARD -i eth0 -p tcp -m tcp -d 192.168.1.1 --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
-F
-F POSTROUTING
# masquerade the vserver's outgoing traffic behind the real machine's address
-A POSTROUTING -o eth0 -j SNAT --to-source=192.168.0.2
# redirect incoming web requests to the vserver
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80
COMMIT
My problem is: when I set the INPUT/OUTPUT policies to DROP, I cannot get a
web page from 192.168.1.1 when requesting via eth0. It only works when those
chains are set to ACCEPT. Why is that?! IMHO none of the forwarding should
apply to the routing machine itself, that is, to INPUT and OUTPUT on the real
machine. Or am I missing something?
Please feel free to make any comments.
Thank you for your time.
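Added by the editor, not from the original post: a small POSIX shell lint for an iptables-restore dump that flags the things which typically make a ruleset work with INPUT/OUTPUT ACCEPT and fail with DROP (a malformed `-m` match, a DROP policy with no stateful ACCEPT, no loopback rule under INPUT DROP). The sample is the poster's filter table with the DROP policies applied; `lint_rules` and `write_sample` are names assumed here.

```shell
#!/bin/sh
# Added example, not from the original post: lint an iptables-restore dump
# for mistakes that turn "works with ACCEPT" into "breaks with DROP".

# Print one finding per line; exit status 1 if anything was found.
lint_rules() {
    f=$1
    n=0
    # 1. "-m" takes a module name; "-m --state" is a typo for "-m state --state".
    if grep -Eq -- '-m[[:space:]]+-' "$f"; then
        echo "malformed match: '-m' followed by an option, not a module name"
        n=$((n + 1))
    fi
    # 2. A DROP policy on INPUT or OUTPUT needs a stateful ACCEPT, otherwise
    #    the host's own connections and their replies are silently dropped.
    for chain in INPUT OUTPUT; do
        if grep -Eq "^:$chain[[:space:]]+DROP" "$f" &&
           ! grep -Eq -- "^-A $chain .*--state [A-Z,]*ESTABLISHED" "$f"; then
            echo "$chain: policy DROP without an ESTABLISHED,RELATED accept"
            n=$((n + 1))
        fi
    done
    # 3. With INPUT DROP, loopback must be allowed explicitly.
    if grep -Eq '^:INPUT[[:space:]]+DROP' "$f" &&
       ! grep -Eq -- '^-A INPUT -i lo ' "$f"; then
        echo "INPUT: policy DROP without an ACCEPT for loopback (-i lo)"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample: the poster's filter table with the DROP policies
# that broke the DNAT'd web access.
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -p tcp -m tcp -m --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp -d 192.168.1.1 --dport 80 -j ACCEPT
COMMIT
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
lint_rules "$tmp" || echo "ruleset has findings"   # four findings here
rm -f "$tmp"
```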