openvds-devel
Re: [Openvds-devel] iptables


From: Chris Fulton
Subject: Re: [Openvds-devel] iptables
Date: 09 Dec 2001 18:23:35 -0800

Simon,

From my understanding, and experience with this same problem 'connecting
to self', I have observed that connections made from the VS start sockets
on eth0 when one would hope it would use eth0:2. In other words, use the
virtual interface instead of the real one.

Another related issue:
If you send yourself some email from your VS account to an account on a
different server and look at the headers you will see that your host
server will be exposed due to the fact that the smtp server you connect
to will do a reverse lookup on your ip and discover the host server, not
the vs, since the packets originate from there.

This doesn't seem like an easy thing to fix. iptables has no way of
knowing which VS is generating the packets (please, correct me).

I think this is probably the biggest problem with running an effective
VS at the moment. Here is my understanding: If all VS' connections
originate from '127.0.0.1' on the host server, do all my clients have
access to VSD protocol? Yes. You have to allow it to be able to use
vsdadm from the command line. I'm sure there are plenty of other reasons to
want VS' connections to originate from the VS' ip not the host's ip, and
not allow access to 127.0.0.1 from the VS.

You can get around VS users having access to vsd protocol with an
additional machine used solely for administration, then you can block
127.0.0.1 in iptables and allow just for the one machine. But then you
can't use vsdadm on the host server.


On Sun, 2001-12-09 at 16:37, Simon Garner wrote:
> Hi,
> 
> (I sent this message a couple of weeks ago to the freeVSD list, but got no
> response so I'm resending.)
> 
> Running under linux 2.4, redirecting HTTP using iptables works well except
> that I'm finding the redirection only works when connecting from other hosts
> on the network, not from the server itself.
> 
> Example, on the host server (or in a vs, makes no difference):
> 
>     $ lynx http://vsone/
>     Cannot connect to server
> 
>     $ lynx http://vsone:8080/
>     Works fine
> 
> But opening http://vsone/ on port 80 works fine from other hosts on the
> network/Internet.
> 
> Are there any netfilter gurus here who can suggest some additional iptables
> rules to make this work?
> 
> The rules generated by freeVSD look like this (from my
> /etc/sysconfig/iptables):
> 
> [0:0] -A PREROUTING -d 192.168.0.150 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.150:8080
> [0:0] -A PREROUTING -d 192.168.0.150 -p udp -m udp --dport 80 -j DNAT --to-destination 192.168.0.150:8080
> [0:0] -A PREROUTING -d 192.168.0.150 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.150:8443
> [0:0] -A PREROUTING -d 192.168.0.150 -p udp -m udp --dport 443 -j DNAT --to-destination 192.168.0.150:8443
> 
> PS: are those udp rules really necessary?
> 
> Cheers,
> 
> Simon Garner
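The redirect problem in the quoted message, as an added example that is not part of the thread or of freeVSD: a POSIX shell script that regenerates the post's nat rules together with the OUTPUT-chain counterpart each one needs before it applies to connections made from the host itself, plus a check that lists PREROUTING DNAT rules in a saved ruleset that lack such a counterpart. The 192.168.0.150 address and the 80/8080 and 443/8443 mapping come from the post; the function names and the sample ruleset are assumptions constructed here.

```shell
#!/bin/sh
# Added example, not from the thread or freeVSD. Locally generated packets
# never traverse the nat PREROUTING chain; they enter netfilter at the nat
# OUTPUT chain, so a DNAT that must also catch the host's own connections
# needs a second copy of each rule in OUTPUT.

# Emit the nat rules for one VS address, mirroring the post's 80->8080 and
# 443->8443 mapping (TCP only, as the redirected services are TCP), with
# the OUTPUT-chain counterpart of every PREROUTING rule.
vs_nat_rules() {
    vs_ip="$1"
    for pair in 80:8080 443:8443; do
        dport=${pair%%:*}
        to=${pair##*:}
        for chain in PREROUTING OUTPUT; do
            printf '%s -d %s -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n' \
                "-A $chain" "$vs_ip" "$dport" "$vs_ip" "$to"
        done
    done
}

# Wrap the rules so the output can be fed to iptables-restore.
vs_nat_table() {
    printf '*nat\n'
    vs_nat_rules "$1"
    printf 'COMMIT\n'
}

# Inspect a saved ruleset (the text of /etc/sysconfig/iptables) and print
# every PREROUTING DNAT rule that has no OUTPUT counterpart, i.e. every
# redirect that silently does not apply to connections from the host itself.
missing_output_dnat() {
    ruleset="$1"
    printf '%s\n' "$ruleset" |
        sed -n 's/^\[[0-9]*:[0-9]*\] //; /-A PREROUTING.*-j DNAT/p' |
        while IFS= read -r rule; do
            wanted=$(printf '%s\n' "$rule" | sed 's/-A PREROUTING/-A OUTPUT/')
            printf '%s\n' "$ruleset" | grep -qF -- "$wanted" || printf '%s\n' "$wanted"
        done
}

# Constructed sample: the TCP rules from the post, as iptables-save writes them.
SAMPLE_RULES='[0:0] -A PREROUTING -d 192.168.0.150 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.150:8080
[0:0] -A PREROUTING -d 192.168.0.150 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.150:8443'

# Stand-alone run: list what the sample lacks, then print the corrected table.
missing_output_dnat "$SAMPLE_RULES"
vs_nat_table 192.168.0.150
```

The printed table can be loaded with iptables-restore on the host; the host-to-VS behaviour in the post is then governed by the OUTPUT rules rather than by PREROUTING.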