LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices


Reply
  Search this Thread
Old 01-08-2010, 12:31 AM   #1
sappi
LQ Newbie
 
Registered: Aug 2008
Posts: 10

Rep: Reputation: 0
Block all outgoing requests from IP. (iptables+OpenVZ)


So here we have.
OpenVZ server setup to run multiple vps. What i want to do is: block all outgoing connections and requests from inside of a vps?
How do i correctly do this with an ability to ssh to vps?

Beforehand thanks for any advice.
 
Old 01-10-2010, 01:49 PM   #2
Elemecca
Member
 
Registered: Nov 2008
Location: San Francisco, CA
Distribution: Gentoo, CentOS
Posts: 71

Rep: Reputation: 22
The basic idea is to allow packets belonging to established connections and those creating new inbound SSH connections and drop everything else.

The iptables rules to implement this depend on which container network interface (venet or veth) you're using. venet distinguishes containers by IP address whereas veth distinguishes by interface.

For venet:
Code:
# <ip> is container IP address

# Allow packets for established connections in both directions
-A INPUT -d <ip> -p TCP -m state --state ESTABLISHED -j ALLOW
-A INPUT -s <ip> -p TCP -m state --state ESTABLISHED -j ALLOW

# Allow new inbound SSH connections
-A INPUT -d <ip> -p TCP -m tcp -m state --dport 22 --state NEW -j ALLOW

# Drop all other packets in both directions
-A INPUT -d <ip> -j DROP
-A INPUT -s <ip> -j DROP
For veth:
Code:
# <in> is Internet interface
# <cn> is container interface

# Allow packets for established connections in both directions
-A INPUT -i <in> -o <cn> -p TCP -m state --state ESTABLISHED -j ALLOW
-A INPUT -i <cn> -o <in> -p TCP -m state --state ESTABLISHED -j ALLOW

# Allow new inbound SSH connections
-A INPUT -i <in> -o <cn> -p TCP -m tcp -m state --dport 22 --state NEW -j ALLOW

# Drop all other packets in both directions
-A INPUT -i <in> -o <cn> -j DROP
-A INPUT -i <cn> -j DROP
 
Old 01-10-2010, 03:30 PM   #3
sappi
LQ Newbie
 
Registered: Aug 2008
Posts: 10

Original Poster
Rep: Reputation: 0
We are using CentOS as a NH OS and it doesnt have ipt_allow.

If we use DROP instead : iptables -A FORWARD -s IP -j DROP ; it blocks all the connections to vps.
What would you suggest instead of ipt_allow?

Thanks.
 
Old 01-10-2010, 03:50 PM   #4
Elemecca
Member
 
Registered: Nov 2008
Location: San Francisco, CA
Distribution: Gentoo, CentOS
Posts: 71

Rep: Reputation: 22
I'm fairly certain that iptables doesn't support negated filters, so you cant say "DROP all except SSH". You have to say "ALLOW SSH; DROP".

AFAIK the ALLOW, DROP, and REJECT targets are builtins; it's not possible to make an iptables without them. Can you post the error message that tells you that ALLOW isn't available?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
IPTables: block all dns requests except to the server(s) I specify Kage_ Linux - Networking 4 08-25-2019 03:18 PM
iptables blocking outgoing DNS requests laurensb Linux - Security 1 10-29-2009 11:48 AM
Redirect outgoing http requests with IPtables highllamas Linux - Security 1 06-17-2009 09:07 AM
Iptables/Guarddog - how to block specific outgoing packets craftybytes Linux - Security 7 05-19-2006 01:26 AM
apache track incoming, outgoing requests real-time dtra Linux - Networking 1 07-18-2005 08:19 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 02:43 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration