
Re: Vserver networking: to make a forward only.



On Mon, Jul 13, 2009 at 09:23:13PM +0700, Sthu Deus wrote:
> Good day.
> 
> I want to make a well closed machine running vservers - that is I want to make
> such a forwarding that any communications will be off the machine (for the
> security reasons)

Unplugging the network connection is the best way to achieve that.

> - but only affecting those in vserver.

?

> Thus far I have on real machine:
> 
> *filter

Which firewall script are you using? There are some, like shorewall ...
 
> My problem is: when I set INPUT/OUTPUT policies to DROP then I can not get a
> web page from 192.168.1.1 requesting from eth0.

The related packages are probably dropped, as you have set. But
without more detailed information, I can only guess.

> But it works only when those chains are set to ACCEPT. Why is it
> so?!

It's probably because input and output are being accepted instead of
dropped.

> - IMHO all the forward should not
> apply to the routing machine - that are INPUT, OUTPUT on real machine. Or I
> miss something?

Don't you need to assign a network card --- or at least an IP address
--- to each of the different OSs you're running on the same computer
before you can apply firewall rules to them?

If you want to keep network traffic from reaching the different OSs
running on the same computer, then don't assign network cards/IPs to
them.

If you want to set up a firewall from scratch, one way of doing it is
to drop all network traffic and then to make rules which only allow
traffic for those combinations of IPs, ports and protocols you want to
allow traffic for.
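One way to write the "drop everything, then allow only specific IP/port/protocol combinations" ruleset the reply describes, as an added example that is not part of the thread. It emits an iptables-restore file with DROP policies on all three chains and explicit ACCEPT rules scoped to the host's own address, so any other address bound on the same host (such as a vserver guest IP) never matches an allow rule. eth0 and 192.168.1.1 come from the thread; HOST_IP, the guest-free design, and the `gen_rules` function name are this example's own assumptions.

```shell
#!/bin/sh
# Added example: generate a default-deny iptables ruleset for the routing host.
# Values taken from the thread: LAN_IF=eth0, GATEWAY=192.168.1.1.
# HOST_IP is a placeholder for the host's own address on eth0.
LAN_IF="${LAN_IF:-eth0}"
GATEWAY="${GATEWAY:-192.168.1.1}"
HOST_IP="${HOST_IP:-192.168.1.10}"   # placeholder, not from the thread

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections the host itself opened: without these two rules a
# DROP policy on INPUT also discards the web page coming back from the gateway
-A INPUT -d $HOST_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -s $HOST_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections the host may open: HTTP and DNS to the gateway only
-A OUTPUT -o $LAN_IF -s $HOST_IP -d $GATEWAY -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o $LAN_IF -s $HOST_IP -d $GATEWAY -p udp --dport 53 -j ACCEPT
# nothing is forwarded, and no rule names any address but HOST_IP, so traffic
# to or from other local addresses (guest IPs) falls through to the DROP policy
COMMIT
EOF
}

if [ "${1:-}" = "--apply" ]; then
    # Loading the rules needs root and iptables-restore; default is a dry run.
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it without arguments to review the generated file, and with `--apply` as root to load it. Every allow rule carries `-s`/`-d $HOST_IP`, which is the property that keeps the policy honest: adding a guest IP later does not silently inherit the host's permissions.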