RE: [vserver] blocking ssh access from virtual server to physical one


From: Jerry Wilborn (jerry.wilborn_at_fast.net)
Date: Mon Apr 22 2002 - 10:31:27 EDT


fyi, the rules DO reject machines that are not within the allowed block, so
it seems the rules are good/applied for traffic coming off the wire.

Jerry Wilborn, Operations Engineer
FASTNET - Internet Solutions
610-266-6700
www.fast.net

-----Original Message-----
From: Jerry Wilborn [mailto:jerry.wilborn_at_fast.net]
Sent: Monday, April 22, 2002 10:29 AM
To: 'vserver_at_solucorp.qc.ca'
Subject: RE: [vserver] blocking ssh access from virtual server to physical one

packet level rules don't appear to work; here are my rules and ipchains -v -L -n

it only disallows a connection if i add something to hosts.allow/deny. but
then again you can tell that the port is open from the virtual machine.

from /etc/sysconfig/ipchains

:input ACCEPT
:forward REJECT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 205.147.200.0/24 -d 0/0 22 -i eth0 -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 22 -i lo -j REJECT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT

[root_at_jerrytest root]# ipchains -L -n -v
Chain input (policy ACCEPT: 182019 packets, 14019944 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
   28 1928 ACCEPT all ------ 0xFF 0x00 lo 0.0.0.0/0 0.0.0.0/0 n/a
 4297 322K ACCEPT tcp ------ 0xFF 0x00 eth0 205.147.200.0/24 0.0.0.0/0 * -> 22
    0 0 REJECT tcp ------ 0xFF 0x00 lo 0.0.0.0/0 0.0.0.0/0 * -> 22
  524 23916 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 0:1023
    0 0 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 2049
54852 6529K REJECT udp ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 0:1023
    0 0 REJECT udp ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 2049
    0 0 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 6000:6009
    0 0 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 7100
Chain forward (policy REJECT: 0 packets, 0 bytes):
Chain output (policy ACCEPT: 223468 packets, 23335617 bytes):

Jerry Wilborn, Operations Engineer
FASTNET - Internet Solutions
610-266-6700
www.fast.net

-----Original Message-----
From: Thomas Weber [mailto:l_vserver_at_mail2news.4t2.com]
Sent: Monday, April 22, 2002 10:22 AM
To: vserver_at_solucorp.qc.ca
Subject: Re: [vserver] blocking ssh access from virtual server to physical one

On Mon, Apr 22, 2002 at 11:13:04AM +0200, Jon Bendtsen wrote:
> Thomas Weber wrote:
> >
> > On Wed, Apr 17, 2002 at 02:59:05PM -0400, Jerry Wilborn wrote:
> > > i tried implementing ipchains rules on the physical server to reject
> > > packets, tried hosts.allow/deny combis
> > >
> > > has anyone been able to successfully block traffic coming from a virtual
> > > server going to the physical server's ip?
> >
> > should be straight forward. With iptables it'd be like this:
> > iptables -I INPUT -s vserversaddress --dport ssh -j DROP
>
> And what if the IP address is the same as the server ??
>
> What if you used the interface option?? So, only allowing from ethX?

huh? i don't understand what you wanna do. Each of your vservers has one IP
address to which the processes in the vserver can bind. So block incoming
traffic from this address and you're done.

  Tom
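The first-match semantics Thomas relies on, applied to the TCP rules Jerry posted and to Thomas's suggested source-address rule, as an added example that is not part of the thread. The vserver address (205.147.200.9) and the physical server's address (205.147.200.1) are placeholders, since the thread gives neither.

```python
import ipaddress

# The TCP rules of Jerry's input chain as posted in the thread (a constructed copy of the file)
RULES_TEXT = """
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 205.147.200.0/24 -d 0/0 22 -i eth0 -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 22 -i lo -j REJECT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
"""
# Thomas's rule in ipchains syntax (DENY is ipchains' name for iptables' DROP);
# 205.147.200.9 is a placeholder for the vserver's address, which the thread does not give
VSERVER_RULE = "-A input -p tcp -s 205.147.200.9 -d 0/0 22 -j DENY"
def _net(spec):
    addr, _, bits = spec.partition("/")        # ipchains allows short forms such as 0/0
    addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)

def parse_rule(line):
    """Parse one '-A input ...' line; models only the options the rules above use."""
    t, i = line.split(), 0
    rule = {"proto": None, "src": _net("0/0"), "dst": _net("0/0"),
            "dport": None, "iface": None, "syn": False, "target": None}
    while i < len(t):
        opt = t[i]
        if opt in ("-s", "-d"):
            rule["src" if opt == "-s" else "dst"] = _net(t[i + 1]); i += 2
            if opt == "-d" and i < len(t) and t[i][0] != "-":  # optional port or lo:hi range
                lo, _, hi = t[i].partition(":"); rule["dport"] = (int(lo), int(hi or lo)); i += 1
        elif opt == "-y": rule["syn"] = True; i += 1      # match only TCP connection requests
        elif opt in ("-p", "-i", "-j"): rule[{"-p": "proto", "-i": "iface", "-j": "target"}[opt]] = t[i + 1]; i += 2
        else: i += 2                                      # -A <chain> and options not modelled
    return rule

def matches(rule, pkt):
    lo, hi = rule["dport"] or (0, 65535)
    return (rule["proto"] in (None, pkt["proto"]) and rule["iface"] in (None, pkt["iface"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and lo <= pkt["dport"] <= hi and (pkt["syn"] or not rule["syn"]))

def verdict(rules, pkt, policy="ACCEPT"):  # first-match walk, as ipchains does it
    for n, rule in enumerate(rules):
        if matches(rule, pkt):
            return n, rule["target"]          # index of the rule that decided, and its target
    return None, policy                       # no rule hit: the chain policy applies
def packet(src, iface, dport=22, proto="tcp", syn=True):
    # 205.147.200.1 is a placeholder for the physical server's own address (not in the thread)
    return dict(proto=proto, src=src, dst="205.147.200.1", dport=dport, iface=iface, syn=syn)
RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]
WITH_VSERVER_RULE = [parse_rule(VSERVER_RULE)] + RULES   # iptables -I puts it first
```

Under these semantics the first rule accepts everything arriving on lo, so the later port-22 REJECT on lo is never reached, which is consistent with its zero packet count in the listing above. Thomas's source-address rule placed at the top decides the packet whichever interface it arrives on.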



This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:01 EDT