On 4/27/2012 5:05 PM, Bob Hoffman wrote:
dropping IPs by host machine, protecting the vms. would something like this work
-A PREROUTING -s 66.77.65.128/26 -j DROP
or would my server die upon testing it...lol
Okay, after about 400 attempts and some hour or so of reading, I find that Red Hat auto-disables the ability to use the host iptables rules to protect the virtual machines.
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
Not sure which would be turned on, the bottom two or just the middle:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
There is a lot of talk about making this change but no real talk of any security or performance issue. I imagine with multiple bridges this could be an issue, but my machine is just a host with one bridge going to all the VMs...
But is it safe to change this? It seems like until RHEL 6 it was set on by default.
anyone got a clue on dangers or issues of this?
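Since the question is which bridge-nf-call sysctls to turn on, here is a small POSIX sh helper, added as an example and not code from the thread or from Red Hat, that reports whether bridged VM traffic currently traverses the host's iptables/ip6tables/arptables, prints the persistent settings, and builds a FORWARD-chain drop rule for the prefix quoted above. It assumes a single bridge and that settings are persisted in /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not code from the thread or from Red Hat: works out from the
# three bridge-netfilter sysctls whether frames crossing the host's bridge (the
# VMs' traffic) are run through the host's iptables, ip6tables and arptables
# rules, prints the persistent settings, and builds a host-side drop rule.
# Assumptions: a single Linux bridge, settings persisted in /etc/sysctl.conf.

# 1 means bridged frames traverse that host table; 0 means they bypass it.
nf_call_state() {
    case "$1" in
        1) echo "filtered" ;;
        0) echo "bypassed" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Report all three. Arguments (iptables ip6tables arptables) override the live
# sysctl values, so the report also runs on a machine without a bridge; an
# absent sysctl (bridge module not loaded) is treated as 0, the RHEL 6 default.
bridge_nf_report() {
    nf_ip4="${1:-$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null || echo 0)}"
    nf_ip6="${2:-$(sysctl -n net.bridge.bridge-nf-call-ip6tables 2>/dev/null || echo 0)}"
    nf_arp="${3:-$(sysctl -n net.bridge.bridge-nf-call-arptables 2>/dev/null || echo 0)}"
    printf 'iptables=%s ip6tables=%s arptables=%s\n' \
        "$(nf_call_state "$nf_ip4")" "$(nf_call_state "$nf_ip6")" "$(nf_call_state "$nf_arp")"
}

# Lines to append to /etc/sysctl.conf (then run 'sysctl -p'); e.g. 1 0 1
# enables IPv4 and ARP filtering of bridged frames and leaves IPv6 bypassed.
sysctl_lines() {
    printf 'net.bridge.bridge-nf-call-iptables = %s\n' "$1"
    printf 'net.bridge.bridge-nf-call-ip6tables = %s\n' "$2"
    printf 'net.bridge.bridge-nf-call-arptables = %s\n' "$3"
}

# Once bridge-nf-call-iptables=1, bridged frames pass the filter table's
# FORWARD chain (not INPUT, since they are not addressed to the host), so a
# source block protecting the VMs belongs there; --physdev-is-bridged limits
# the rule to bridged traffic so the host's own routed traffic is unaffected.
drop_rule() {
    printf 'iptables -A FORWARD -m physdev --physdev-is-bridged -s %s -j DROP\n' "$1"
}

# Example run; the prefix is the one quoted in the thread.
bridge_nf_report
sysctl_lines 1 0 1
drop_rule 66.77.65.128/26
```

Run the report on the host first; if it says "bypassed" for iptables, host rules are not seeing the VMs' traffic at all, whatever the rules say.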