寻觅生命中的那一片浅草......

每日存档 十一月 15th, 2010

让OpenVZ 更加好支持iptables

在硬件节点内修改iptables挂载模组

vim /etc/sysconfig/iptables-config

IPTABLES_MODULES=”ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp”

vim /etc/sysconfig/vz

IPTABLES=”ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp”

重新启动VZ服务

service vz restart

放行更加多的iptables 条目

# vzctl set $CTID –numiptent 400 –save

vzctl enter $CTID

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT -j ACCEPT -m state –state ESTABLISHED,RELATED
iptables -I FORWARD -j ACCEPT -m state –state ESTABLISHED,RELATED
iptables -I INPUT -j ACCEPT -i lo
iptables -I INPUT -p tcp –dport 25 -j ACCEPT
iptables -I INPUT -p tcp –dport 110 -j ACCEPT
iptables -I INPUT -p tcp –dport 995 -j ACCEPTiptables -I INPUT -p tcp –dport 80 -j ACCEPT
iptables -I INPUT -p tcp –dport 53 -j ACCRPTiptables -I INPUT -p udp –dport 53 -j ACCEPT
service iptables save
service iptables restart

转载自:
http://hi.baidu.com/enjoyunix/blog/item/09cc631bd1cec1dcac6e7573.html

2010年十一月
« 10月   12月 »
1234567
891011121314
15161718192021
22232425262728
2930