[CentOS] iptables drop on virtual host
Bob Hoffman
bob at bobhoffman.com
Fri Apr 27 22:41:03 UTC 2012
On 4/27/2012 5:05 PM, Bob Hoffman wrote:
> Dropping IPs by the host machine, protecting the VMs.
> Would something like this work?
>
> -A PREROUTING -s 66.77.65.128/26 -j DROP
>
> Or would my server die upon testing it...lol
Okay, after about 400 attempts and an hour or so of reading, I find
that Red Hat automatically disables the ability to use the host iptables rules to
protect the virtual machines:
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
Not sure which would be turned on, the bottom two or just the middle one:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
There is a lot of talk about making this change, but no real talk of any security or performance issue.
I imagine with multiple bridges this could be an issue, but my machine is just a host with one bridge going to
all the VMs...
But is it safe to change this? It seems like until RHEL 6 it was set on by default.
Anyone got a clue on the dangers or issues of this?
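The following is an added example, not part of the original post: a small POSIX sh helper that checks whether the host's netfilter will see traffic bridged to the VMs, and builds the rule that drops a source range for bridged traffic. It reads the knobs under a root directory (default /proc/sys, overridable so it can be exercised against a constructed directory). Note that once net.bridge.bridge-nf-call-iptables is 1, bridged IPv4 frames traverse the FORWARD chain of the filter table (not INPUT, and not a table-less PREROUTING), so that is where the DROP goes here; the physdev match limits it to frames actually crossing the bridge. The range 66.77.65.128/26 is the one from the quoted message.

```shell
#!/bin/sh
# Added example (not from the original post or from Red Hat/libvirt):
# inspect the bridge netfilter sysctls and build a DROP rule for VM traffic.

# Print the three bridge netfilter knobs as name=value. The value is
# "missing" when the file is absent, which is what you see when the
# bridge module is not loaded yet (the keys only appear after it loads).
bridge_nf_status() {
    root="${1:-/proc/sys}"
    for knob in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
        f="$root/net/bridge/$knob"
        if [ -r "$f" ]; then
            v=$(cat "$f")
        else
            v=missing
        fi
        printf '%s=%s\n' "$knob" "$v"
    done
}

# Return 0 only if bridged IPv4 frames are handed to iptables
# (net.bridge.bridge-nf-call-iptables = 1). With 0, host rules never see
# VM traffic at all, whatever chain they are in.
host_iptables_sees_bridged_ipv4() {
    root="${1:-/proc/sys}"
    f="$root/net/bridge/bridge-nf-call-iptables"
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Build the iptables command that drops a source range for bridged traffic.
# Bridged frames go through filter/FORWARD; --physdev-is-bridged restricts
# the rule to frames crossing the bridge rather than routed traffic. -I puts
# it ahead of any rules libvirt may have added to FORWARD.
drop_range_rule() {
    range="$1"
    printf 'iptables -I FORWARD -m physdev --physdev-is-bridged -s %s -j DROP\n' "$range"
}

# Build the sysctl.conf lines that turn bridged-frame filtering on for
# IPv4 and ARP while leaving IPv6 off (the "middle and bottom" variant
# from the post). Apply with: sysctl -p after the bridge module is loaded.
bridge_nf_sysctl_fragment() {
    printf 'net.bridge.bridge-nf-call-ip6tables = 0\n'
    printf 'net.bridge.bridge-nf-call-iptables = 1\n'
    printf 'net.bridge.bridge-nf-call-arptables = 1\n'
}
```

Usage on the host: run `bridge_nf_status` to see the live values, then `drop_range_rule 66.77.65.128/26 | sh` to install the rule and `bridge_nf_sysctl_fragment >> /etc/sysctl.conf` to persist the knobs. One caveat worth knowing before rebooting: these keys only exist while the bridge module is loaded, so a `sysctl -p` that runs at boot before the bridge comes up reports them as unknown keys and they stay at the kernel default until something sets them later.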