Re: iptables - host node or VPSes? [message #299 is a reply to message #297]
Thu, 03 November 2005 12:17
dim
Messages: 344 Registered: August 2005
Senior Member
A typical VPS packet's travel looks like:
1) to VPS: sender, network, HN's input interface, IP stack with HN context, forward to venet interface, venet interface, IP stack with VPS context, receiver inside VPS.
2) from VPS: sender inside VPS, IP stack with VPS context, venet interface, IP stack with HN context, forward to HN's output interface, output, network, receiver.
Both ways have their advantages and disadvantages.
If you apply rules on the HN, you avoid the travel of bad packets through the system, but this way slows down all VPSs' network performance.
If you apply iptables rules in a VPS, they will be checked only if the packet context equals this VPS. But you need to load the iptables modules before the VPS starts and permit them in the VPS config (or in the global vz config, if you need the same set for all VPSs).
So, for hosting purposes where the HN administrator and VPS owners are different identities, I'd prefer iptables rules on the HN - thus I'll be sure that at least these rules will work as expected.
About the second question - we have a common UserGuide for all distros and it is likely that its instructions are not quite correct for some of them.
[Updated on: Thu, 03 November 2005 18:03] by Moderator
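As an added illustration (this is not part of dim's reply, nor OpenVZ's own tooling) of the configuration point above: before relying on iptables rules inside a VPS, check that the modules those rules need are actually permitted in that VPS's config, otherwise the rules silently fail to load. The script assumes an OpenVZ-style `IPTABLES="mod1 mod2 ..."` line in the config; the config file it reads is a constructed sample written to a temp file, and the module names are only examples.

```shell
#!/bin/sh
# Added example: verify that the iptables modules a VPS needs are permitted
# in its config. Assumes an OpenVZ-style IPTABLES="..." line (assumption).

# Write a constructed sample VPS config and print its path.
make_sample_conf() {
    f=$(mktemp)
    printf '%s\n' \
        '# constructed sample VPS config (not a real container)' \
        'ONBOOT="yes"' \
        'IPTABLES="ipt_REJECT ipt_state iptable_filter"' > "$f"
    printf '%s' "$f"
}

# Print the space-separated module list from the IPTABLES= line of config $1.
permitted_modules() {
    sed -n 's/^IPTABLES="\(.*\)"$/\1/p' "$1"
}

# Usage: missing_modules <conf> <module>...
# Prints the requested modules that are NOT permitted in <conf>.
# Exits 0 when nothing is missing, 1 otherwise.
missing_modules() {
    conf=$1; shift
    allowed=" $(permitted_modules "$conf") "
    missing=""
    for m in "$@"; do
        case "$allowed" in
            *" $m "*) ;;                      # permitted
            *) missing="$missing $m" ;;       # not in the IPTABLES= list
        esac
    done
    missing=${missing# }
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Stand-alone run: report which of the modules a hypothetical ruleset needs
# are missing from the sample config.
conf=$(make_sample_conf)
if missing_modules "$conf" ipt_state ipt_LOG iptable_nat >/dev/null; then
    echo "all requested modules are permitted"
else
    echo "missing modules: $(missing_modules "$conf" ipt_state ipt_LOG iptable_nat)"
fi
rm -f "$conf"
```

Run it on a real container by pointing `missing_modules` at that container's config file instead of the sample; a non-empty result means the VPS config (or the global vz config) has to be extended before the rules inside the VPS can work.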