OpenVZ - block IP from hostnode

Posted: 03 Feb 2016, 19:37
by sparek
Is it possible to block IPs from reaching any of the VEs inside an OpenVZ node?

We have CSF installed on the host node. Some of the VEs do not have CSF installed. We want to block certain IPs from accessing those VEs. Blocking the IP on the hostnode doesn't seem to have any effect.

I suspect it's tied partly to the fact that:

Code:

/sbin/iptables -A INPUT -i venet0 -j ACCEPT
/sbin/iptables -A OUTPUT -o venet0 -j ACCEPT
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0
in /etc/csf/csfpre.sh

Is there some way to do this?

Re: OpenVZ - block IP from hostnode

Posted: 28 Apr 2016, 11:01
by Mangelot
We are also wondering if this is possible.
We have hit the IP_DENY max limits in the VPS virtual containers (IPSET doesn't work on OpenVZ).

The hostnode is able to use IPSET (which can take a huge amount of blocked IPs).
So with the csf clustering we can build a huge blocklist on the hostnode and a small list on the VPS.

Code:

/sbin/iptables -A INPUT -i venet0 -j ACCEPT
/sbin/iptables -A OUTPUT -o venet0 -j ACCEPT
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0
will let everything through between the hostnode and the VPS servers, so if I block an IP on the hostnode it can still visit the VPS, which we do not want. Any ideas?
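The problem both posts describe is rule order: the csfpre.sh lines append (-A) unconditional ACCEPTs for venet0 to FORWARD, so a DENY added by csf on the host never sees forwarded container traffic. The following is an added example, not code from the thread or from CSF: it inserts (-I) ipset-backed DROP rules at position 1 of FORWARD so they are evaluated before those ACCEPTs. The set name ve_blocklist, the DRY_RUN switch and the idea of running it from /etc/csf/csfpost.sh (after csf has built its chains) are my assumptions.

```shell
#!/bin/sh
# Added example: host-node blocklist for OpenVZ containers (not from the thread).
# Assumptions: ipset is available on the hostnode (as the posts say), the set is
# called ve_blocklist, and this file is sourced from /etc/csf/csfpost.sh.
SET_NAME="${SET_NAME:-ve_blocklist}"
DRY_RUN="${DRY_RUN:-1}"   # 1: print the commands; 0: execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Create the set and put the DROP rules first in FORWARD. "-I FORWARD 1" places
# them above the "-A FORWARD ... venet0 -j ACCEPT" rules from csfpre.sh, so the
# block wins regardless of when csfpre.sh appended its rules.
# src match: packets from a blocked IP heading into a container (-o venet0).
# dst match: packets from a container towards a blocked IP (-i venet0).
setup_ve_blocklist() {
    run ipset create "$SET_NAME" hash:net -exist
    run iptables -I FORWARD 1 -o venet0 -m set --match-set "$SET_NAME" src -j DROP
    run iptables -I FORWARD 1 -i venet0 -m set --match-set "$SET_NAME" dst -j DROP
}

# Accept only a dotted-quad IPv4 address or CIDR; anything else is rejected so a
# malformed blocklist entry never reaches ipset.
valid_ipv4_net() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Add one address/network to the set; returns 1 on invalid input.
block_ip() {
    valid_ipv4_net "$1" || { echo "block_ip: invalid entry: $1" >&2; return 1; }
    run ipset add "$SET_NAME" "$1" -exist
}

# Remove it again, e.g. when the IP is unblocked on the hostnode.
unblock_ip() {
    valid_ipv4_net "$1" || return 1
    run ipset del "$SET_NAME" "$1" -exist
}
```

With DRY_RUN=1 (the default) the functions only print the iptables/ipset commands, so you can check the rule order with `iptables -L FORWARD -n --line-numbers` before setting DRY_RUN=0 on a real hostnode.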

Re: OpenVZ - block IP from hostnode

Posted: 02 May 2016, 16:17
by Mangelot
I have just finished some scripts and they work awesome.. ;-)

Free memory increase for all VPS servers (csf/lfd functions disabled on the VPS).
Better network stability, 20% reduced data traffic (packets are dropped before reaching the VPS servers).

Blocking container IPs and RBL lists right at the doorstep of your VPS servers
(the hostnode does the hard work and can handle more IPs because IPSET works on the hostnode).

If you like it share it: ... :)

https://www.mangelot-hosting.nl/network ... z-hostnode

Re: OpenVZ - block IP from hostnode

Posted: 02 Nov 2016, 21:07
by Pietro Aretino
I'm curious how you got ConfigServer Security & Firewall to work with your OpenVZ containers...

Mangelot wrote: We are also wondering if this is possible.
We have hit the IP_DENY max limits in the VPS virtual containers (IPSET doesn't work on OpenVZ).

The hostnode is able to use IPSET (which can take a huge amount of blocked IPs).
So with the csf clustering we can build a huge blocklist on the hostnode and a small list on the VPS.

Code:

/sbin/iptables -A INPUT -i venet0 -j ACCEPT
/sbin/iptables -A OUTPUT -o venet0 -j ACCEPT
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0
will let everything through between the hostnode and the VPS servers, so if I block an IP on the hostnode it can still visit the VPS, which we do not want. Any ideas?