Block all outgoing requests from IP. (iptables+OpenVZ)

sappi · 01-07-2010, 11:31 PM

So here we have.
OpenVZ server setup to run multiple vps. What i want to do is: block all outgoing connections and requests from inside of a vps?
How do i correctly do this with an ability to ssh to vps?

Beforehand thanks for any advice.

Elemecca · 01-10-2010, 12:49 PM

The basic idea is to allow packets belonging to established connections and those creating new inbound SSH connections and drop everything else.

The iptables rules to implement this depend on which container network interface (venet or veth) you're using. venet distinguishes containers by IP address whereas veth distinguishes by interface.

For venet:

Code:

# <ip> is container IP address

# Allow packets for established connections in both directions
-A INPUT -d <ip> -p TCP -m state --state ESTABLISHED -j ALLOW
-A INPUT -s <ip> -p TCP -m state --state ESTABLISHED -j ALLOW

# Allow new inbound SSH connections
-A INPUT -d <ip> -p TCP -m tcp -m state --dport 22 --state NEW -j ALLOW

# Drop all other packets in both directions
-A INPUT -d <ip> -j DROP
-A INPUT -s <ip> -j DROP

For veth:

Code:

# <in> is Internet interface
# <cn> is container interface

# Allow packets for established connections in both directions
-A INPUT -i <in> -o <cn> -p TCP -m state --state ESTABLISHED -j ALLOW
-A INPUT -i <cn> -o <in> -p TCP -m state --state ESTABLISHED -j ALLOW

# Allow new inbound SSH connections
-A INPUT -i <in> -o <cn> -p TCP -m tcp -m state --dport 22 --state NEW -j ALLOW

# Drop all other packets in both directions
-A INPUT -i <in> -o <cn> -j DROP
-A INPUT -i <cn> -j DROP

sappi · 01-10-2010, 02:30 PM

We are using CentOS as a NH OS and it doesnt have ipt_allow.

If we use DROP instead : iptables -A FORWARD -s IP -j DROP ; it blocks all the connections to vps.
What would you suggest instead of ipt_allow?

Thanks.

Elemecca · 01-10-2010, 02:50 PM

I'm fairly certain that iptables doesn't support negated filters, so you cant say "DROP all except SSH". You have to say "ALLOW SSH; DROP".

AFAIK the ALLOW, DROP, and REJECT targets are builtins; it's not possible to make an iptables without them. Can you post the error message that tells you that ALLOW isn't available?