LinuxQuestions.org (/questions/)
-   Linux - General (https://www.linuxquestions.org/questions/linux-general-1/)
-   -   Block all outgoing requests from IP. (iptables+OpenVZ) (https://www.linuxquestions.org/questions/linux-general-1/block-all-outgoing-requests-from-ip-iptables-openvz-780753/)

sappi 01-07-2010 11:31 PM

Block all outgoing requests from IP. (iptables+OpenVZ)
 
So here is what we have: an OpenVZ server set up to run multiple VPSs. What I want to do is block all outgoing connections and requests from inside a VPS.
How do I do this correctly while keeping the ability to SSH into the VPS?

Thanks in advance for any advice.

Elemecca 01-10-2010 12:49 PM

The basic idea is to allow packets belonging to established connections and those creating new inbound SSH connections, and drop everything else.

The iptables rules to implement this depend on which container network interface (venet or veth) you're using. venet distinguishes containers by IP address whereas veth distinguishes by interface.

For venet:
Code:

# <ip> is the container IP address
# Container traffic is routed through the host, so it traverses the
# FORWARD chain (not INPUT). The builtin accept target is named ACCEPT.

# Allow packets for established connections in both directions
-A FORWARD -d <ip> -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -s <ip> -p tcp -m state --state ESTABLISHED -j ACCEPT

# Allow new inbound SSH connections
-A FORWARD -d <ip> -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

# Drop all other packets in both directions
-A FORWARD -d <ip> -j DROP
-A FORWARD -s <ip> -j DROP

For veth:
Code:

# <in> is the Internet interface
# <cn> is the container interface
# Matching on both -i and -o is only valid in the FORWARD chain, which is
# where bridged/routed container traffic is seen on the host.

# Allow packets for established connections in both directions
-A FORWARD -i <in> -o <cn> -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i <cn> -o <in> -p tcp -m state --state ESTABLISHED -j ACCEPT

# Allow new inbound SSH connections
-A FORWARD -i <in> -o <cn> -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

# Drop all other packets in both directions
-A FORWARD -i <in> -o <cn> -j DROP
-A FORWARD -i <cn> -j DROP


sappi 01-10-2010 02:30 PM

We are using CentOS as the NH OS and it doesn't have ipt_allow.

If we use DROP instead (iptables -A FORWARD -s IP -j DROP), it blocks all the connections to the VPS.
What would you suggest instead of ipt_allow?

Thanks.

Elemecca 01-10-2010 02:50 PM

I'm fairly certain that iptables doesn't support negated filters, so you can't say "DROP all except SSH". You have to say "ALLOW SSH; DROP".

AFAIK the ALLOW, DROP, and REJECT targets are builtins; it's not possible to make an iptables without them. Can you post the error message that tells you that ALLOW isn't available?
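A runnable version of the approach discussed in this thread, added here as an example and not code posted by anyone in it: a POSIX shell script that generates the container rules in iptables-restore syntax, for venet (containers identified by IP) and for veth (identified by interface pair), so the ruleset can be reviewed as a file before it is loaded on the hardware node. It uses ACCEPT, which is the builtin iptables target (iptables has no ALLOW target), and places the rules in the FORWARD chain, where the host sees traffic routed to and from a container. It goes slightly beyond the thread's rules by accepting RELATED as well as ESTABLISHED packets, so ICMP errors belonging to accepted flows are not dropped. The container IP 10.0.0.2 and the interface names eth0 and veth101.0 used below are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an iptables-restore *filter
# block that confines OpenVZ containers as the thread describes: reply traffic
# for existing connections and new inbound SSH are accepted, everything else
# to or from the container is dropped.
#
# Assumptions: container traffic crosses the host's FORWARD chain (venet, or
# veth bridged/routed on the hardware node); SSH listens on port 22; the rules
# are loaded ahead of any blanket "-A FORWARD -j ACCEPT", because -A appends
# and a rule placed behind a catch-all ACCEPT never matches.

# Rules for a venet container, identified by its IP address.
# ACCEPT is the builtin target; "ALLOW" does not exist in iptables.
ct_rules_venet() {
    ip="$1"
    printf '%s\n' \
        "-A FORWARD -d $ip -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A FORWARD -s $ip -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A FORWARD -d $ip -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT" \
        "-A FORWARD -d $ip -j DROP" \
        "-A FORWARD -s $ip -j DROP"
}

# Rules for a veth container, identified by the Internet-facing interface
# and the container's interface as seen on the hardware node.
ct_rules_veth() {
    inet="$1"; cn="$2"
    printf '%s\n' \
        "-A FORWARD -i $inet -o $cn -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A FORWARD -i $cn -o $inet -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A FORWARD -i $inet -o $cn -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT" \
        "-A FORWARD -i $inet -o $cn -j DROP" \
        "-A FORWARD -i $cn -j DROP"
}

# Complete *filter table block for one or more venet container IPs.
ct_ruleset_venet() {
    echo '*filter'
    for ip in "$@"; do
        ct_rules_venet "$ip"
    done
    echo 'COMMIT'
}

# Sanity check: number of generated rules naming the first container IP as
# source or destination. Each container should contribute exactly five.
ct_rule_count() {
    ct_ruleset_venet "$@" | grep -c -- "-[sd] $1 "
}

# Usage: sh ct-rules.sh 10.0.0.2 10.0.0.3 > /tmp/ct.rules
# Review the file, then load it with: iptables-restore -n /tmp/ct.rules
if [ "$#" -gt 0 ]; then
    ct_ruleset_venet "$@"
fi
```

Loading with iptables-restore -n (--noflush) appends the block without flushing the rules already in the filter table; without -n, the existing FORWARD chain would be replaced by this fragment alone. Because these rules only touch FORWARD, the hardware node's own INPUT and OUTPUT traffic is unaffected.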

