On Friday 27 April 2012 18:41, the following was written:
> On 4/27/2012 5:05 PM, Bob Hoffman wrote:
> > dropping IPs by host machine, protecting the vms.
> > would something like this work
> >
> > -A PREROUTING -s 66.77.65.128/26 -j DROP
> >
> > or would my server die upon testing it...lol
>
> okay, after about 400 attempts and some hour or so of reading, I find
> that Red Hat auto disables the ability to use the host iptables rules to
> protect the virtual machines.
>
> # Disable netfilter on bridges.
> net.bridge.bridge-nf-call-ip6tables = 0
> net.bridge.bridge-nf-call-iptables = 0
> net.bridge.bridge-nf-call-arptables = 0
>
> not sure which would be turned on, bottom two or just the middle
>
> net.bridge.bridge-nf-call-ip6tables = 0
> net.bridge.bridge-nf-call-iptables = 1
> net.bridge.bridge-nf-call-arptables = 1

I would think you only need the middle one turned on for the firewall.
If you are looking to block IP addresses from getting to your VMs then
you should set up your firewall on the bridge. And adding that one rule
above should take care of your issues.

--
Regards
Robert
Linux: The adventure of a lifetime.
Linux User #296285 Get Counted http://linuxcounter.net/
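Added example, not from this thread or either poster: a small shell script that checks whether the bridge-netfilter hook for iptables is on (the middle sysctl above), validates the source range, and builds the host-side DROP rule. The sysctl text it checks is a constructed sample so the checks run without a bridge-capable host; `apply_protection` is the only part that touches a real system and is assumed to run as root with `sysctl` and `iptables` present. The 66.77.65.128/26 range is the one from the thread. One caveat the thread does not spell out: the rule as posted has no `-t` table, and the default filter table has no PREROUTING chain, so the example places it in the raw table, whose PREROUTING chain does accept DROP.

```shell
#!/bin/sh
# Added example (not the original poster's code). Assumes a Linux host with
# br_netfilter available, sysctl(8) and iptables(8); run apply_protection as root.

# Constructed sample in the form printed by `sysctl net.bridge`, used so the
# checks below can run on any machine.
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1'

# bridge_nf_enabled <sysctl-text> <key>
# Succeeds when net.bridge.<key> is set to 1 in the given sysctl output,
# i.e. when bridged frames are handed to that netfilter family.
bridge_nf_enabled() {
    value=$(printf '%s\n' "$1" | sed -n "s/^net\.bridge\.$2 *= *\([0-9]*\).*/\1/p")
    [ "$value" = "1" ]
}

# valid_cidr <a.b.c.d/n>: accepts only a dotted-quad IPv4 address with a
# prefix length of 0-32, so a typo cannot turn into a far wider DROP.
valid_cidr() {
    ip=${1%/*}
    prefix=${1#*/}
    [ "$ip" != "$1" ] || return 1                  # no "/" present
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip                                     # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# drop_rule <cidr>: prints the iptables command that drops traffic from
# <cidr> before the routing/bridging decision. The raw table is used
# because its PREROUTING chain accepts DROP (filter has no PREROUTING).
drop_rule() {
    valid_cidr "$1" || return 1
    printf 'iptables -t raw -A PREROUTING -s %s -j DROP\n' "$1"
}

# apply_protection <cidr>: on a real host, turn on the iptables bridge hook
# and install the rule. Needs root and the br_netfilter module loaded.
apply_protection() {
    if [ ! -w /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
        echo "bridge-nf-call-iptables not writable: load br_netfilter and run as root" >&2
        return 1
    fi
    sysctl -w net.bridge.bridge-nf-call-iptables=1 >/dev/null || return 1
    rule=$(drop_rule "$1") || return 1
    $rule
}

# Offline demonstration against the constructed sample.
if bridge_nf_enabled "$SAMPLE_SYSCTL" bridge-nf-call-iptables; then
    echo "sample host: iptables sees bridged traffic"
fi
drop_rule 66.77.65.128/26
```

Once `bridge-nf-call-iptables` is 1, bridged traffic to the VMs also traverses the host's FORWARD chain, so a `filter` FORWARD rule is the conventional alternative to the raw PREROUTING rule; either way, verify with `iptables -t raw -L PREROUTING -n -v` (or `-L FORWARD`) that the rule's packet counters climb while the blocked range is sending.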