OpenVZ Forum


hidden iptables in containers [message #35811] Fri, 24 April 2009 06:52
cgm00
Hello

Is it possible to create iptables rules on the hwnode that are not seen inside containers, related to -m owner? Basically I do not want that, if someone gets root inside a CT, they are able to alter/see any iptables rules (you cannot use -m owner with FORWARD).
Or are there plans to implement such a feature?



Re: hidden iptables in containers [message #35820 is a reply to message #35811] Fri, 24 April 2009 12:45
maratrus
Hello,

could you possibly provide the precise command that needs to be invoked on the HN so that we'll be able to see the rule on the HN and inside VE simultaneously?
Re: hidden iptables in containers [message #35822 is a reply to message #35820] Fri, 24 April 2009 13:32
cgm00
Let's say this command:

#iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT

Re: hidden iptables in containers [message #35835 is a reply to message #35822] Mon, 27 April 2009 07:59
maratrus
Hi,

# uname -a
Linux test 2.6.18-92.1.18.el5.028stab060.2 #1 SMP Tue Jan 13 12:18:59 MSK 2009 i686 i686 i386 GNU/Linux
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            owner UID match root
# vzctl exec 101 iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Please specify your kernel. I cannot reproduce the issue. The provided rule was applied on the HN (and the iptables -L command showed that it appeared in the OUTPUT chain), but there was nothing inside the VE.
Re: hidden iptables in containers [message #35839 is a reply to message #35835] Mon, 27 April 2009 08:37
cgm00
I did not say this is a bug. I asked if it is possible to see iptables ONLY from the hwnode (for a CT); this would be a great security feature.

Re: hidden iptables in containers [message #35840 is a reply to message #35839] Mon, 27 April 2009 08:43
maratrus
Hi,

Quote:
    I asked if it is possible to see iptables ONLY from the hwnode (for a CT)

Of course, it shouldn't be possible.
If you manage to observe such behavior, it's a security bug and it has to be filed to bugzilla.
http://bugzilla.openvz.org/
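As an added illustration (not part of the thread, and not OpenVZ project code): a small check a node administrator can run to confirm the isolation maratrus describes, comparing `iptables -S` output captured on the HN against the output captured inside a CT. The rule sets below are constructed samples; the HN one carries the owner-match rule from the thread, and the "leaky" CT sample is hypothetical, included only so the detection path is exercised.

```sh
#!/bin/sh
# Added example: compare the rule set on the OpenVZ hardware node (HN) with
# the rule set visible inside a container (CT). Any rule present in both
# views means HN rules are leaking into the CT, which should never happen.
# Input is `iptables -S` output (one rule per line); on a live node you would
# capture it with, e.g.:
#   iptables -S > hn.rules ; vzctl exec 101 iptables -S > ct.rules
# All sample rule sets below are constructed, not captured.

# Keep only real rules (-A/-I). Policy (-P) and chain (-N) lines exist in
# every rule set and say nothing about leakage.
rule_lines() {
    grep -E '^-(A|I) ' | sort -u
}

# Print rules that appear in both the HN and the CT rule set.
shared_rules() {
    _hn=$(mktemp); _ct=$(mktemp)
    rule_lines < "$1" > "$_hn"
    rule_lines < "$2" > "$_ct"
    comm -12 "$_hn" "$_ct"
    rm -f "$_hn" "$_ct"
}

# Return 0 when the CT sees none of the HN rules, 1 (and list them) otherwise.
check_isolation() {
    leaks=$(shared_rules "$1" "$2")
    [ -z "$leaks" ] && return 0
    printf 'HN rules visible inside CT:\n%s\n' "$leaks"
    return 1
}

# Constructed sample: the HN carries the thread's owner-match rule.
HN_RULES=$(mktemp); CT_OK=$(mktemp); CT_LEAK=$(mktemp)
cat > "$HN_RULES" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
EOF
# A correctly isolated CT: default policies only, no HN rules.
printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' '-P OUTPUT ACCEPT' > "$CT_OK"
# Hypothetical CT that sees the HN rule, the case the reporter asked about.
cp "$HN_RULES" "$CT_LEAK"

check_isolation "$HN_RULES" "$CT_OK" && echo "CT sample 1: isolated"
check_isolation "$HN_RULES" "$CT_LEAK" || echo "CT sample 2: leak detected"
```

A rule the CT admin added that happens to match an HN rule textually is also reported, so treat a hit as something to investigate rather than as proof of a kernel bug.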