OpenVZ - block IP from hostnode

[sparek]

Is it possible to block IPs from reaching any of the VEs inside an OpenVZ node?

We have CSF installed on the host node. Some of the VEs do not have CSF installed. We are wanting to block certain IPs from accessing those VEs. Blocking the IP on the hostnode doesn't seem to have any affect.

I suspect it's tied partly to the fact that:

Code: Select all

/sbin/iptables -A INPUT -i venet0 -j ACCEPT
/sbin/iptables -A OUTPUT -o venet0 -j ACCEPT
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0

in /etc/csf/csfpre.sh

Is there some way to do this?

[Mangelot]

We are wondering also if this is possible.
We have IP_DENY max limits in the VPS virtual containers, (IPSET doesn't work on OpenVZ)

The hostnode is able to use IPSET (which can take an huge amount of blocked ips)
So with the csf clustering we can build a huge blocklist on the hostnode and a small list on the VPS.

Code: Select all

/sbin/iptables -A INPUT -i venet0 -j ACCEPT
/sbin/iptables -A OUTPUT -o venet0 -j ACCEPT
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0

Will let everything through between Hostnode en VPS servers, so if I block an IP on the hostnode I can still visit the VPS. what we do not want.. any ideas?

[Mangelot]

I have just finished some scripts and they work awesome.. ;-)

Free memory increase for all vps servers, (csf/lfd disabled functions on vps)
Better network stability, 20% reduced datatraffic (drop pakket before reaching the vps servers)

Blocking container IP's and RBL lists right at the doorstep off your VPS servers
(The hostnode does the hardwork and can handle more ip's because off IPSET works on the hostnode.)

If you like it share it: ...

https://www.mangelot-hosting.nl/network ... z-hostnode

[Pietro Aretino]

I'm curious how you got ConfigServer Security & Firewall to work with your OpenVZ containers.....

We are wondering also if this is possible.
We have IP_DENY max limits in the VPS virtual containers, (IPSET doesn't work on OpenVZ)

The hostnode is able to use IPSET (which can take an huge amount of blocked ips)
So with the csf clustering we can build a huge blocklist on the hostnode and a small list on the VPS.

Code: Select all

/sbin/iptables -A INPUT -i venet0 -j ACCEPT
/sbin/iptables -A OUTPUT -o venet0 -j ACCEPT
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0

Will let everything through between Hostnode en VPS servers, so if I block an IP on the hostnode I can still visit the VPS. what we do not want.. any ideas?