
Re: Vserver networking: to make a forward only.



Thank you for your time and answer, lee:

> Unplugging the network connection is the best way to achieve that.

How will the v-server get network then?

> > - but only affecting those in vserver.  
> ?

Meaning that all packets come to and go back from the v-server only;
the home machine will not be processing the packets.

 
> > *filter  
> Which firewall script are you using? There are some, like shorewall ...

It is my hand-made script. Is it wrong?

> The related packages are probably dropped, as you have set. But
> without more detailed information, I can only guess.

Which detailed info should I provide?
Sure, it is dropped. How can I make it work (forwarding) and close the
INPUT/OUTPUT chains?
 
> It's probably because input and output are being accepted instead of
> dropped.

That's right, but my question was: why do I need to set ACCEPT for the INPUT/OUTPUT
chains while all I want is FORWARD? Why does FORWARD seem not to function with
dropped INPUT/OUTPUT?
 
> Don't you need to assign a network card --- or at least an IP address
> --- to each of the different OSs you're running on the same computer
> before you can apply firewall rules to them?

So I have: for the home OS, IP x.x.0.2, while for the v-server, x.x.1.1.
 
> If you want to keep network traffic from reaching the different OSs
> running on the same computer, then don't assign network cards/IPs to
> them.

I want that those v-servers have networking.

> If you want to set up a firewall from scratch, one way of doing it is
> to drop all network traffic and then to make rules which only allow
> traffic for those combinations of IPs, ports and protocols you want to
> allow traffic for.

Does my script do the very same thing?!
For instance,

# filter table: the state match has to be named ("-m state"), otherwise "--state" is rejected
-A FORWARD -p tcp -m tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp -d 192.168.1.1 --dport 80 -j ACCEPT

# nat table (POSTROUTING/PREROUTING live under *nat, not *filter)
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.2

-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80

?

How can I do that not from scratch?!
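As an added example (not part of the original mail or of lee's reply), here is the drop-all-then-allow approach quoted above written out as a complete iptables-restore ruleset around the poster's fragment. It assumes eth0 is the uplink, 192.168.0.2 is the host's address and the guest web server at 192.168.1.1 is reached via a forwarded path; a Linux-VServer guest that shares the host's network stack receives its packets through INPUT/OUTPUT rather than FORWARD, so whether the FORWARD rules are ever consulted depends on how the guest is networked.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed addresses and interface:
GUEST=192.168.1.1   # guest web server (from the mail)
HOST=192.168.0.2    # host / SNAT source (from the mail)
WAN=eth0            # uplink interface (assumed)

# Emit a full iptables-restore ruleset: default-deny policies, then only
# the combinations of IP, port and protocol that are explicitly wanted.
generate_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Host itself: loopback plus replies to connections it already has.
# With OUTPUT dropped the host cannot open new connections of its own.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forwarded traffic: established flows both ways, new HTTP to the guest.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN -p tcp -d $GUEST --dport 80 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound port 80 on the uplink goes to the guest ...
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $GUEST:80
# ... and the guest's outbound traffic leaves with the host's address.
-A POSTROUTING -s $GUEST -o $WAN -j SNAT --to-source $HOST
COMMIT
EOF
}

# Review helper: how many ACCEPT rules does a given chain carry?
accept_rules() {
    generate_rules | grep -c "^-A $1 .*-j ACCEPT"
}

# Load the ruleset atomically; needs root and iptables-restore.
apply_rules() {
    command -v iptables-restore >/dev/null 2>&1 || return 1
    generate_rules | iptables-restore
}
```

Run `generate_rules` first to review the output, then `apply_rules` as root; iptables-restore replaces both tables in one step, so a typo is rejected before any rule is loaded.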

