Sharing hosts.deny
James Gray
james at gray.net.au
Mon Oct 25 11:51:37 UTC 2010
On 25/10/2010, at 10:28 PM, Tapas Mishra wrote:
> On Mon, Oct 25, 2010 at 4:42 PM, Ahmed Kamal <ahmed.kamal at canonical.com> wrote:
>> Don't know what the general consensus is, but I've almost never really
>> used hosts.deny in real production. iptables just does everything I
>> need. OP might want to consider this
>>
> Yes I do want to use IPTABLES but I noticed using IPTABLES to deny
> services on Virtual Machines which run on Vmware causes the VMs to
> disconnect from internet.Not sure what port Vmware needs to be open so
> that the VM (Virtual Machine) can be accessed from outside.
> I use IPTABLES on host and guest both.
OK - so there's a little gem :) DON'T try to filter services on a guest at the hypervisor layer! The hypervisor (VMware) couldn't care less about the traffic destined for a guest; its firewall is only concerned about traffic destined for the hypervisor. Filter the guests' traffic on the GUEST, and only the guest.
If you have a virtual switch you might want to do some fancy VLAN tagging voodoo to do pseudo-hypervisor filtering, but that's probably heading into the "why bother" end of the discussion. Just filter the traffic for the guest on the guest's firewall and all will be well with the world :)
Cheers,
James
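Added example, not part of James's reply or anything else posted in this thread: a minimal guest-side IPv4 filter for a VM, written in iptables-save format and loaded with iptables-restore so the whole ruleset is applied atomically rather than rule by rule. The ESTABLISHED,RELATED rule sits at the top on purpose: with an INPUT policy of DROP, forgetting it cuts off the replies to the guest's own outbound connections, which is the classic way a new ruleset makes a box look as if it has lost its network. The open ports (22 and 80), the management network 192.0.2.0/24 and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): guest-side filtering for a VM, done
# inside the guest. Ports, the management network and helper names are assumed.
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # assumed: where admin SSH comes from

# Emit the ruleset in iptables-save format so it can be loaded atomically.
guest_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to our own connections come first; without these a
# DROP policy silently breaks every outbound session (DNS, apt, the SSH
# session you are typing in).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP needed for path MTU discovery and basic diagnostics, ping rate-limited.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Services this guest actually offers (assumed: SSH from the management
# network only, HTTP from anywhere).
-A INPUT -p tcp --dport 22 -s ${MGMT_NET} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Log a sample of what is dropped, then fall through to the DROP policy.
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "guest-fw drop: "
COMMIT
EOF
}

# Parse the ruleset first (--test loads nothing), then apply it atomically.
# Run as root inside the guest, never on the hypervisor.
apply_guest_ruleset() {
    guest_ruleset | iptables-restore --test && guest_ruleset | iptables-restore
}

# Self-check helper: number of ACCEPT rules in the generated ruleset.
accept_rule_count() {
    guest_ruleset | grep -c -- '-j ACCEPT'
}

case "${1:-}" in
    apply) apply_guest_ruleset ;;   # sh guest-fw.sh apply
    *)     guest_ruleset ;;         # default: just print the ruleset for review
esac
```

Run it with no argument to review the generated rules, and with `apply` as root inside the guest to load them. Keep the console of the VM open the first time: if a rule is wrong, the iptables-restore load is all-or-nothing, but a ruleset that parses fine and still locks you out can only be undone from the console.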
More information about the ubuntu-server mailing list