OpenVZ Forum: Support » iptables

Home » General » Support » iptables - host node or VPSes?

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

iptables - host node or VPSes? [message #297]

Thu, 03 November 2005 11:17

GameOver
Messages: 4
Registered: November 2005

Junior Member

Hi there,

I have a couple of VPSes and want to use iptables to protect them, I'll use the same rules for all VPSes anyway. Should I apply my iptables rules to the hostnode or to each individual VPS? I think the former method is better because it reduces the number of rules in the kernel and it is more stable as it can load/unload iptables modules but I could be wrong.

By the way, using OpenVZ instructions I could not load iptables modules automatically on a RHEL4 based hostnode. Is it just me or the instructions are incorrect? Of cource I can load them through rc.local.

Report message to a moderator

Re: iptables - host node or VPSes? [message #299 is a reply to message #297]

Thu, 03 November 2005 12:17

dim
Messages: 344
Registered: August 2005

Senior Member

Typical VPS' packet travel looks like:
1) to VPS: sender, network, HN's input interface, ip stack with HN context, forward to venet interface, venet interface, IP stack with VPS context, receiver inside VPS.
2) from VPS: sender inside VPS, IP stack with VPS context, venet interface, IP stack with HN context, forward to HN's output interface, output, network, receiver.

Both ways have their advantages and disadvantages.

If you apply rules on HN, you avoid travel of bad packets through the system, but this way slows down all VPSs network performance.

If you apply iptables rules in VPS, they will be checked only if packet context equals to this VPS. But you need to load iptables modules before VPS start and permit them in VPS config (or in global vz config, if you need the same set for all VPSs).

So, for hosting purposes where HN administrator and VPS owners are different identities, I'd prefer iptable rules on HN - thus I'll be sure, that at least these rules will work as expected Very Happy

About second question - we have common UserGuide for all distros and it is likely that its instructions are not quite correct for some of them.

http://static.openvz.org/openvz_userbar_en.gif

[Updated on: Thu, 03 November 2005 18:03] by Moderator

Report message to a moderator

Previous Topic:	Quotastats
Next Topic:	COMPAQ/HP ARRAY SUPPORT

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Mon Aug 12 20:58:18 GMT 2024

Total time taken to generate the page: 0.02859 seconds