[Lxc-users] lxc-stop make Kernel crashing
LACROIX Jean Marc
jeanmarc.lacroix at free.fr
Mon Oct 17 05:17:27 UTC 2011
> Date: Fri, 14 Oct 2011 17:35:02 +0200
> From: Admin<admin at libra-linux.com>
> Subject: [Lxc-users] lxc-stop make Kernel crashing
> To: lxc-users at lists.sourceforge.net
> Message-ID:<4E9856A6.70605 at libra-linux.com>
> Content-Type: text/plain; charset="iso-8859-1"
> Another question: has anybody implemented iptables inside containers and could
> give me advice on configuring the LOG chain or rsyslog inside a container to
> isolate iptables kernel log messages from the hypervisor?
>
Tony,
Please find one firewall example running in a container.
Step 0: all chains must be in DROP condition as a default case...
in my case, for the FORWARD chain...
/sbin/iptables \
--table filter \
--policy FORWARD DROP
Step 1: in the last table before, insert a rule in order to drop traffic
in the log, and never forget to limit the total number of packets (!)
/sbin/iptables \
--table filter \
--append FORWARD \
--match limit \
--limit 4/second \
--limit-burst 5 \
--jump LOG \
--log-prefix "gateway-3: DROP "
Step 2: in the last chain, insert a DROP condition
/sbin/iptables \
--table filter \
--append FORWARD \
--jump DROP
root at gateway-3:~# iptables --verbose --line-numbers --list FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target  prot opt in   out  source           destination
..............
13       0     0 ACCEPT  tcp  --  eth3 eth2 192.168.22.0/24  anywhere         tcp dpt:www
14       0     0 ACCEPT  tcp  --  eth2 eth3 anywhere         192.168.22.0/24  tcp spt:www
15    1779  364K LOG     all  --  any  any  anywhere         anywhere         limit: avg 4/sec burst 5 LOG level warning prefix `gateway-3: DROP '
16    1784  365K DROP    all  --  any  any  anywhere         anywhere
Regards
--
--------------------------------------
-- Jean-Marc LACROIX --
-- mailto : jeanmarc.lacroix at free.fr --
---------------------------------------
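As an added example (not part of Jean-Marc's post and not LXC project code), the following POSIX shell script builds the FORWARD chain the post describes end to end and shows how the log prefix is used to separate the container's dropped-packet lines from everything else. The prefix, the eth2/eth3 interfaces, the 192.168.22.0/24 network and the 4/second, burst 5 limit are taken from the listing above; the rsyslog file path, the `contains` / `& stop` filter form (rsyslog 7+ syntax; older releases wrote `& ~`) and the sample kernel log line are assumptions constructed for the example. One caveat worth keeping in mind: the LOG target writes to the kernel ring buffer, which is not per-container, so the rsyslog rule belongs on whichever system actually collects the kernel messages (usually the host), and the prefix is what lets those lines be told apart from the host's own firewall output.

```shell
#!/bin/sh
# Added example (not from the post): build the FORWARD chain as the post
# describes and split its log lines out by prefix. Prefix, interfaces,
# network and rate limit come from the listing above; file paths and the
# sample log line are constructed for this example.
LOG_PREFIX="gateway-3: DROP "

# Build the filter table's FORWARD chain: default policy DROP, the explicit
# ACCEPT rules, then a rate-limited LOG, then the final DROP.
# $1 is the iptables binary; pass "echo" to preview the rules without root.
setup_forward_chain() {
    ipt="${1:-/sbin/iptables}"
    "$ipt" --table filter --policy FORWARD DROP
    "$ipt" --table filter --flush FORWARD
    # rules 13 and 14 of the listing: web traffic from 192.168.22.0/24 and its replies
    "$ipt" --table filter --append FORWARD --in-interface eth3 --out-interface eth2 \
        --source 192.168.22.0/24 --protocol tcp --dport 80 --jump ACCEPT
    "$ipt" --table filter --append FORWARD --in-interface eth2 --out-interface eth3 \
        --destination 192.168.22.0/24 --protocol tcp --sport 80 --jump ACCEPT
    # rule 15: log what is about to be dropped; the limit match keeps a flood of
    # rejected packets from filling the kernel log (avg 4/s, burst 5)
    "$ipt" --table filter --append FORWARD --match limit --limit 4/second --limit-burst 5 \
        --jump LOG --log-prefix "$LOG_PREFIX" --log-level warning
    # rule 16: everything that reached this point is dropped
    "$ipt" --table filter --append FORWARD --jump DROP
}

# rsyslog snippet that writes lines carrying the prefix to their own file and
# stops further processing, so they do not land in the general kernel log.
# Place it on whichever system's rsyslog receives the kernel messages.
# (/var/log/firewall-drop.log is an assumed path.)
rsyslog_filter() {
cat <<EOF
:msg, contains, "$LOG_PREFIX" /var/log/firewall-drop.log
& stop
EOF
}

# Constructed sample of a kernel log line as rule 15 would produce it.
SAMPLE_LOG='Oct 14 17:35:02 gateway-3 kernel: [98765.432100] gateway-3: DROP IN=eth3 OUT=eth2 SRC=192.168.22.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0'

# Reduce one log line to "SRC -> DST PROTO/DPT"; lines without the prefix give no output.
summarize_drop() {
    printf '%s\n' "$1" | grep -F -- "$LOG_PREFIX" |
        sed -n 's/.*SRC=\([^ ]*\) DST=\([^ ]*\) .*PROTO=\([^ ]*\) .*DPT=\([^ ]*\).*/\1 -> \2 \3\/\4/p'
}

# Stand-alone run: preview the rules, print the filter, parse the sample line.
setup_forward_chain echo
rsyslog_filter
summarize_drop "$SAMPLE_LOG"
```

Run it as-is to preview the rule set (the `echo` argument prints each iptables invocation instead of applying it); to apply the rules on the gateway, call `setup_forward_chain` with no argument as root. The summarizer is the kind of one-liner that turns the prefixed kernel lines into a quick "who was dropped going where" view for the rsyslog output file.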