Does this work?
adding DROP to iptables on the virtual host's iptables, before the phys bridge....will it prevent those ips from getting to the bridged part of iptables? Or would a different syntax be used?
-A INPUT -s 66.77.65.128/26 -j DROP
-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
On 4/27/2012 9:36 AM, Bob Hoffman wrote:
> Does this work?
> adding DROP to iptables on the virtual host's iptables, before the phys bridge....will it prevent those ips from getting to the bridged part of iptables? Or would a different syntax be used?
> -A INPUT -s 66.77.65.128/26 -j DROP
> -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
Would something like this work?
-A PREROUTING -s 66.77.65.128/26 -j DROP
or would my server die upon testing it...lol
On 4/27/2012 5:05 PM, Bob Hoffman wrote:
> dropping IPs by host machine, protecting the VMs. Would something like this work?
> -A PREROUTING -s 66.77.65.128/26 -j DROP
> or would my server die upon testing it...lol
okay, after about 400 attempts and an hour or so of reading, I find that Red Hat automatically disables the ability to use the host iptables rules to protect the virtual machines.
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
Not sure which would need to be turned on, the bottom two or just the middle one:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
There is a lot of talk about making this change but no real talk of any security or performance issue. I imagine with multiple bridges this could be an issue, but my machine is just a host with one bridge going to all the VMs...
but is it safe to change this? It seems like until RHEL 6 it was set on by default.
anyone got a clue on dangers or issues of this?
On Friday 27 April 2012 18:41, the following was written:
> On 4/27/2012 5:05 PM, Bob Hoffman wrote:
> > dropping IPs by host machine, protecting the VMs. Would something like this work?
> > -A PREROUTING -s 66.77.65.128/26 -j DROP
> > or would my server die upon testing it...lol
> okay, after about 400 attempts and an hour or so of reading, I find that Red Hat automatically disables the ability to use the host iptables rules to protect the virtual machines.
> # Disable netfilter on bridges.
> net.bridge.bridge-nf-call-ip6tables = 0
> net.bridge.bridge-nf-call-iptables = 0
> net.bridge.bridge-nf-call-arptables = 0
> Not sure which would need to be turned on, the bottom two or just the middle one:
> net.bridge.bridge-nf-call-ip6tables = 0
> net.bridge.bridge-nf-call-iptables = 1
> net.bridge.bridge-nf-call-arptables = 1
I would think you only need the middle one turned on for the firewall.
If you are looking to block IP addresses from getting to your VMs then you should set up your firewall on the bridge. And adding that one rule above should take care of your issues.
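As an added example, not taken from the thread: a small POSIX shell script that renders the sysctl and iptables-restore fragments the replies converge on and checks the rule ordering. It assumes a single bridge and the RHEL 6 sysctl name, and uses the /26 quoted above.

```shell
# Added example, not from the thread: render the host-side ruleset the replies
# converge on and check the bridge hook that decides whether FORWARD ever sees
# VM-bound traffic. Assumes one bridge, RHEL 6 sysctl names, the thread's /26.
BLOCKED_NET="66.77.65.128/26"

# Live value of net.bridge.bridge-nf-call-iptables. At 0 (RHEL 6 default)
# bridged frames bypass iptables and no host rule can protect the VMs;
# "unavailable" means this machine exposes no bridge sysctl at all.
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# sysctl.conf lines per the reply: only the IPv4 hook is needed here.
# With ip6tables left at 0, IPv6 frames to the VMs stay unfiltered by the
# host, so turn it on as well if the VMs carry IPv6.
render_sysctl() {
    printf '%s\n' \
        'net.bridge.bridge-nf-call-ip6tables = 0' \
        'net.bridge.bridge-nf-call-iptables = 1' \
        'net.bridge.bridge-nf-call-arptables = 0'
}

# iptables-restore fragment. Frames bridged to a VM traverse FORWARD, not
# INPUT, so the INPUT DROP from the first post only shields the host; the
# FORWARD DROP must sit above the physdev ACCEPT, which would otherwise
# admit the blocked range first.
render_rules() {
    net="$1"
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        "-A INPUT -s $net -j DROP" \
        "-A FORWARD -s $net -j DROP" \
        '-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# Succeeds only if the FORWARD DROP is ordered before the physdev ACCEPT.
drop_precedes_accept() {
    render_rules "$1" | awk '/^-A FORWARD -s .* -j DROP/ {d=NR}
        /physdev-is-bridged -j ACCEPT/ {a=NR} END {exit (d && a && d < a) ? 0 : 1}'
}

render_sysctl; render_rules "$BLOCKED_NET"
echo "bridge-nf-call-iptables now: $(bridge_nf_state)"
```

Load the rendered fragment with iptables-restore only after confirming the sysctl reads 1; with it at 0 the FORWARD rules are never consulted for bridged traffic.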