OpenVZ Forum


Iptables problem - when enabled, can't access VPSes [message #20235] Thu, 13 September 2007 16:52
tomfra
Messages: 28
Registered: September 2007
Junior Member
I know some people reported different problems related to iptables but none of the forum posts (and not just on this forum) helped me solve my particular problem...

The problem: When the firewall is enabled, I can't ping or in any other way access the VPS; when it's disabled, it works just fine.

Here are the facts:

* Hardware node works OK, has iptables / CSF firewall installed.

* Kernel is 2.6.18 custom compiled, behaviour of the related problem is the same with standard OpenVZ kernel though.

* IP forwarding is enabled - cat /proc/sys/net/ipv4/ip_forward returns 1.

* OS: CentOS 5 x86_64, all standard packages updated via yum daily.

* VPS IP address is added to csf.allow list and is properly added as an allowed IP to iptables rules.

I have attached my iptables rules as set by CSF. There are currently 2 IPs on the csf.deny list (hackers) and 2 IPs on the csf.allow list. Those IPs are the MAIN_NODE_IP and TEST_VPS_IP. There are real IPs on the original list of course.

Any ideas what could be causing this problem are *very* welcome.

Thanks for your time!

Tomas

Do you really believe the Internet is a safe place?
IdentityCloaker.com - Take Back Your Privacy!


Re: Iptables problem - when enabled, can't access VPSes [message #20244 is a reply to message #20235] Thu, 13 September 2007 23:38
tomfra
Messages: 28
Registered: September 2007
Junior Member
OK, I may have found the solution myself... Instead of writing it here, since it's a bit longer, you can read it at http://forum.lxlabs.com/index.php?t=msg&goto=13353&#msg_13353

I will welcome any comments on the solution - mainly I would like to know where it would open some security holes etc. I am not an iptables expert so it's quite possible...

Tomas

Re: Iptables problem - when enabled, can't access VPSes [message #20245 is a reply to message #20244] Fri, 14 September 2007 02:40
ugob
Messages: 271
Registered: March 2007
Senior Member
Yes, OpenVZ needs to use the FORWARD table for iptables so that traffic from/to the VEs is routed through the HN.

I think the person in the Lxlabs forum did a great job to minimize any potential security risk associated with the use of the FORWARD table. However, you must use iptables to firewall your VEs afterward, either using FORWARD rules on the HN, or using iptables inside the VEs.

Ugo


Please read the manual before asking questions:
http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf

Please have a look at the wiki before asking questions:
http://wiki.openvz.org/Main_Page
Re: Iptables problem - when enabled, can't access VPSes [message #20259 is a reply to message #20245] Fri, 14 September 2007 10:43
tomfra
Messages: 28
Registered: September 2007
Junior Member
ugob wrote on Fri, 14 September 2007 04:40

However, you must use iptables to firewall your VE's afterward, either using FORWARD rules on the HN, or using iptables inside the VEs.


I realized that if I enable the venet0 forwarding, any VPS traffic will not be affected by the HN firewall. This is not that bad since I plan to install firewall on each of the VPSes (they will all be owned by myself, for different projects), but it would still be nice if the VPS traffic was, to a degree, affected by the HN firewall - so that for example a hacker's IP would get blocked for all of the VPSes on the HN, even if the attack was committed towards only one of them.

Then I would have a firewall on the VPS itself, filtering the traffic further. I don't know how to accomplish that though. As I mentioned on the LXLabs forum, I am no iptables expert. But I can see some disadvantages of such a system and it would probably be just a complication anyway.

Tomas

Re: Iptables problem - when enabled, can't access VPSes [message #20260 is a reply to message #20259] Fri, 14 September 2007 10:47
ugob
Messages: 271
Registered: March 2007
Senior Member
ugob wrote on Fri, 14 September 2007 04:40

However, you must use iptables to firewall your VE's afterward, either using FORWARD rules on the HN, or using iptables inside the VEs.


tomfra wrote on Fri, 14 September 2007 06:43

I realized that if I enable the venet0 forwarding, any VPS traffic will not be affected by the HN firewall. This is not that bad since I plan to install firewall on each of the VPSes (they will all be owned by myself, for different projects), but it would still be nice if the VPS traffic was, to a degree, affected by the HN firewall - so that for example a hacker's IP would get blocked for all of the VPSes on the HN, even if the attack was committed towards only one of them.



Using FORWARD rules on the HN, you could achieve this.

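What "FORWARD rules on the HN" could look like in practice, as an added example that is not from this thread, from CSF or from the OpenVZ project: a small POSIX sh script that emits an iptables-restore fragment which forwards venet0 traffic but drops every address on a node-wide deny list first, so one blocked attacker is blocked for all VEs on the node. The deny-list file name, its format and the addresses used are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or CSF): build FORWARD-chain rules for an
# OpenVZ hardware node. venet0 traffic is forwarded, but each address in a deny
# list (one IP per line, '#' comments allowed; file name is an assumption) is
# dropped before the venet0 accept, so a block covers every VE at once.
# Output is iptables-restore syntax.

# Emit a DROP rule for each denied address, both as source and as destination.
deny_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while read -r ip; do
        printf -- '-A FORWARD -s %s -j DROP\n' "$ip"
        printf -- '-A FORWARD -d %s -j DROP\n' "$ip"
    done
}

# Print the complete FORWARD ruleset for the given deny-list file.
gen_forward_rules() {
    echo '*filter'
    # Replies to connections already accepted keep flowing.
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Node-wide deny list, evaluated before any VE traffic is accepted.
    deny_rules "$1"
    # Forward venet0 traffic in both directions; finer filtering is left to
    # iptables inside each VE, as the thread suggests.
    echo '-A FORWARD -i venet0 -j ACCEPT'
    echo '-A FORWARD -o venet0 -j ACCEPT'
    # Anything else reaching FORWARD is not VE traffic: drop it.
    echo '-A FORWARD -j DROP'
    echo 'COMMIT'
}

# Stand-alone demo with a constructed deny list (documentation addresses).
demo_list=$(mktemp)
printf '# constructed deny list\n192.0.2.10\n\n198.51.100.7\n' > "$demo_list"
gen_forward_rules "$demo_list"
rm -f "$demo_list"
```

Review the output, then load it without flushing CSF's own chains with `gen_forward_rules deny.txt | iptables-restore -n`; since the rules are appended, check that nothing already in FORWARD accepts venet0 traffic ahead of the DROP lines.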