Thank you for your time and answer, lee:

> Unplugging the network connection is the best way to achieve that.

How will the v-server get network then?

> > - but only affecting those in vserver.
> ?

Meaning that all packets come to and back from - only for/from the v-server. That the home machine will not be processing the packets.

> > *filter
> Which firewall script are you using? There are some, like shorewall ...

It is my hand-made script. Is it wrong?

> The related packages are probably dropped, as you have set. But
> without more detailed information, I can only guess.

Which detailed info should I provide? Sure, it is dropped. How can I make it work (forwarding) and close the INPUT/OUTPUT chains?

> It's probably because input and output are being accepted instead of
> dropped.

That's right, but my question was: why do I need to set ACCEPT for the INPUT/OUTPUT chains while all I want is FORWARD? Why does FORWARD seem not to function with dropped INPUT/OUTPUT?

> Don't you need to assign a network card --- or at least an IP address
> --- to each of the different OSs you're running on the same computer
> before you can apply firewall rules to them?

So I have: for the home OS I have IP x.x.0.2, while for the v-server x.x.1.1.

> If you want to keep network traffic from reaching the different OSs
> running on the same computer, then don't assign network cards/IPs to
> them.

I want those v-servers to have networking.

> If you want to set up a firewall from scratch, one way of doing it is
> to drop all network traffic and then to make rules which only allow
> traffic for those combinations of IPs, ports and protocols you want to
> allow traffic for.

Does my script do the very same thing?! For instance,

-A FORWARD -p tcp -m tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp -d 192.168.1.1 --dport 80 -j ACCEPT
-A POSTROUTING -o eth0 -j SNAT --to-source=192.168.0.2
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80

?

How can I do that not from scratch?!