[pve-devel] RFC : iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Wed Jan 22 08:07:00 CET 2014


>>I am not sure if that model correctly handles traffic from one VM to another (traffic from VM1 to VM2)?
>>Because you would need to apply the out rules for VM1 and the in rules for VM2.
>>Does that work - if so how?

Well, it's like having 2 VMs behind 2 firewalls.

If the user of vm1 opens outgoing rules to vm2, but the user of vm2 doesn't allow inbound, it won't work (and that's good).

In my example (like OpenStack/Amazon EC2), the default outgoing rules are fully open.
So you only have to manage inbound rules for each VM.

Another way could be to allow outgoing traffic to the internal network by default and drop traffic to the internet (external network) by default.

----- Original message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday 22 January 2014 07:19:28
Subject: RE: [pve-devel] RFC : iptables implementation

> what do you think about it ? 
> 
> 
> 
> iptables -F 
> iptables -X 
> 
> iptables -N tap110i0-out 
> iptables -N tap110i0-in 
> #out
> iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in tap110i0 -j tap110i0-out
> #in
> iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out tap110i0 -j tap110i0-in

I am not sure if that model correctly handles traffic from one VM to another (traffic from VM1 to VM2)?
Because you would need to apply the out rules for VM1 and the in rules for VM2.
Does that work - if so how?
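As an added example that is not code from this thread, the per-tap layout from the quoted mail written out as an iptables-restore fragment for two VMs (tap110i0 from the mail plus a constructed tap120i0), following the policy in the reply: outgoing fully open, inbound limited to replies plus an explicit allow-list. It goes one step beyond the mail to cover the VM1 to VM2 case raised above: each per-VM chain RETURNs for allowed traffic instead of ACCEPTing, so FORWARD continues on to the other VM's chain, and a single trailing FORWARD rule accepts what both chains let through.

```shell
#!/bin/sh
# Added example: emit the per-tap chain layout as an iptables-restore fragment.
# Per-VM chains use RETURN for allowed traffic; an ACCEPT inside tapX-out would
# end FORWARD traversal before the peer VM's tapY-in chain is consulted.
# Tap names and ports are constructed values, not from the original mail.

emit() { printf '%s\n' "$*"; }

# vm_chains TAP "PORT PORT..."  -> rules for one VM interface
vm_chains() {
    tap=$1
    ports=$2
    emit ":${tap}-out - [0:0]"
    emit ":${tap}-in - [0:0]"
    # Frames entering the bridge from the tap take -out; frames leaving the
    # bridge toward the tap take -in. A bridged VM1 -> VM2 frame matches both.
    emit "-A FORWARD -m physdev --physdev-is-bridged --physdev-in ${tap} -j ${tap}-out"
    emit "-A FORWARD -m physdev --physdev-is-bridged --physdev-out ${tap} -j ${tap}-in"
    # outgoing: fully open, but RETURN so the peer VM's -in chain still runs
    emit "-A ${tap}-out -j RETURN"
    # inbound: replies to what the VM initiated, the allow-list, drop the rest
    emit "-A ${tap}-in -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    for p in $ports; do
        emit "-A ${tap}-in -p tcp --dport ${p} -m conntrack --ctstate NEW -j RETURN"
    done
    emit "-A ${tap}-in -j DROP"
}

# ruleset -> complete *filter fragment for two constructed VMs
ruleset() {
    emit '*filter'
    vm_chains tap110i0 "22 80"
    vm_chains tap120i0 "22"
    # Reached only when every per-VM chain on the path returned: accept.
    emit "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT"
    emit 'COMMIT'
}

# Dry run prints the fragment; to load it: ruleset | iptables-restore --noflush
ruleset
```

The bridge must have bridge-nf-call-iptables enabled for bridged frames to reach FORWARD at all.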


