Re: iptables drop on virtual host




On Friday 27 April 2012 18:41, the following was written:

>  On 4/27/2012 5:05 PM, Bob Hoffman wrote:
>  > dropping IPs by host machine, protecting the vms.
>  > would something like this work
>  >
>  > -A PREROUTING -s 66.77.65.128/26 -j DROP
>  >
>  >
>  > or would my server die upon testing it...lol
>  > _______________________________________________
>
>  okay, after about 400 attempts and some hour or so of reading, I find
>  that Red Hat auto disables the ability to use the host iptables rules to
>  protect the virtual machines.
>
>  # Disable netfilter on bridges.
>  net.bridge.bridge-nf-call-ip6tables = 0
>  net.bridge.bridge-nf-call-iptables = 0
>  net.bridge.bridge-nf-call-arptables = 0
>
>  not sure which would be turned on, bottom two or just the middle
>
>  net.bridge.bridge-nf-call-ip6tables = 0
>  net.bridge.bridge-nf-call-iptables = 1
>  net.bridge.bridge-nf-call-arptables = 1

I would think you only need the middle one turned on for the firewall.

If you are looking to block IP addresses from getting to your VMs then you 
should set up your firewall on the bridge.  And adding that one rule above 
should take care of your issues.


-- 

Regards
Robert

Linux
The adventure of a lifetime.

Linux User #296285
Get Counted
http://linuxcounter.net/
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
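As an added illustration of the check and the rule discussed in this thread (this is not code from either poster), the script below reads the `bridge-nf-call-iptables` sysctl to confirm that host iptables actually sees bridged traffic, emits the three persistent sysctl lines with only the iptables one set to 1, and builds the drop rule for a source range. One caveat it encodes: the default `filter` table has no PREROUTING chain, so a bare `-A PREROUTING ... -j DROP` is rejected by iptables; the rule is placed in FORWARD instead (or it would need `-t raw`). The file path argument, the function names and the `apply` helper are assumptions for this example; the `66.77.65.128/26` range is the one quoted in the thread.

```shell
#!/bin/sh
# Added example for the thread above; not the posters' own commands.

# Return 0 if bridge-nf-call-iptables is enabled, 1 otherwise.
# $1 (assumed parameter): sysctl file to read; defaults to the live /proc path.
# An absent file means br_netfilter is not loaded, so bridged traffic
# bypasses iptables entirely.
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# Basic syntax check for an IPv4 CIDR such as 66.77.65.128/26
# (dotted quad, prefix 0-32; octet range is not validated).
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^(([0-9]{1,3})\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the iptables command that drops traffic from $1 before the host
# forwards it to the VMs. FORWARD is used because the filter table has no
# PREROUTING chain; "-I" puts the rule ahead of any ACCEPT rules.
drop_rule() {
    valid_cidr "$1" || return 1
    printf 'iptables -I FORWARD -s %s -j DROP\n' "$1"
}

# Persistent /etc/sysctl.conf lines: only the iptables hook needs to be 1
# for IPv4 filtering on the bridge.
sysctl_lines() {
    cat <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 0
EOF
}

# Apply on a real host (needs root; assumed helper, not run by the test):
# load the module, enable the hook, then insert the drop rule.
apply() {
    rule=$(drop_rule "$1") || return 1
    modprobe br_netfilter 2>/dev/null || true
    sysctl -w net.bridge.bridge-nf-call-iptables=1 || return 1
    eval "$rule"
}
```

Run `bridge_nf_enabled && echo on || echo off` on the host before trusting any bridge rule; if it reports off, the DROP rule is installed but never consulted for traffic headed to the VMs.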

