| configure iptables on VZ7 host [message #52948] |
Sun, 03 September 2017 10:04  |
mangust
Messages: 39
Registered: April 2008
Location: USA
|
Member |
|
|
Hi,
I have some interfaces on external network with other machines plugged in there. I want to give some containers public IPs
Interfaces got automatic local IPv6 and able to communicate with any neighbours and maybe beyond.
17: bond0.798@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vzbr798 state UP qlen 1000
link/ether b8:ca:3a:6a:0f:d4 brd ff:ff:ff:ff:ff:ff
inet6 fe80::baca:3aff:fe6a:fd4/64 scope link
valid_lft forever preferred_lft forever
18: vzbr798: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether b8:ca:3a:6a:0f:d4 brd ff:ff:ff:ff:ff:ff
inet6 fe80::baca:3aff:fe6a:fd4/64 scope link
valid_lft forever preferred_lft forever
I want to protect my node with firewall and disable all IPv6 traffic:
ip6tables -F
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -t raw -F
ip6tables -t nat -F
ip6tables -X
ip6tables -t nat -X
ip6tables -t mangle -X
ip6tables -t raw -X
ip6tables -t nat -X
ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
/usr/libexec/iptables/ip6tables.init save
It help till next reboot. But some default rules appears again. Especially I like:
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -i vzbr799 -g IN_public
-A INPUT_ZONES -i vzbr798 -g IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
How can I protect hardware nodes?
Maybe configure ip6tables from crontab every minute? Funny isn't it?
|
|
|
|
OpenVZ Forum
Members
Search
Help
Register
Login
Home
