1309219865 Q * cehteh Ping timeout: 480 seconds
1309220318 J * cehteh ~ct@pipapo.org
1309220911 Q * ghislain Quit: Leaving.
1309224603 M * nicholi still getting familiar with linux networking, if you could bear with me... sort of a general networking question
1309224646 M * nicholi i am using dummy numdummies= module so each guest has its own dummy interface and assigning an external IP to each interface
1309224662 M * nicholi but i'm getting lost in how you forward all packets to/from the dummy interface to the actual public interface, if that is how you go about it...
1309225122 M * Bertl first, there is no need to have more than one dummy interface ... well, as a matter of fact there is not even a need for a single one
1309225174 M * Bertl and you definitely do not want to route/forward anything to the dummy device, because as the name suggests, it's a dummy, i.e. it will simply discard any packets sent to it
1309225187 M * Bertl (and of course, nothing will come out of a dummy device either)
1309225244 M * Bertl if you have several public IPs and want to use them for guests, the simplest way is to assign them to the actual interface (e.g. eth0, eth1)
1309225305 M * Bertl you can then decide if you want to use it directly for a guest (i.e. assign that IP to the guest) or indirectly by assigning private IPs to the guests and using S/DNAT to map incoming and outgoing traffic between private and public IPs
1309225416 M * nicholi hmm, the only reason i sort of thought of the multiple dummy thing was it would be easier to track network stats per guest that way... because each has its own interface
1309225419 M * nicholi i guess not thought ?
1309225422 M * nicholi *though
1309225452 M * Bertl well, what do the dummy interfaces account so far? :)
1309225471 M * nicholi well nothing right now :3
1309225532 M * Bertl if you want to do per guest accounting, just add a log/account entry to the appropriate iptables chain
1309225544 M * nicholi ok, that sounds reasonable
1309225547 M * Bertl (it's somewhere in the FAQ, IIRC)
1309225560 M * nicholi probably, i've been reading lots of iptables stuff
1309225664 M * nicholi one other question while i got ya here, in regards to disk limits... what's the reserved option all about? space reserved for root user??
1309225683 M * Bertl yep
1309225736 M * nicholi what exactly would be the purpose of that?
1309226175 M * Bertl the unix disk space concept reserves a certain percentage for the privileged (root) use
1309226176 M * nicholi i mean i thought that's what the user/group quota stuff was for... just not sure why it would be required to reserve space for guest root when using disk limits
1309226216 M * nicholi oh, just an age old tradition :)
1309226236 M * Bertl for example, if you have syslog running as root, and you want to make sure that the logs are written even if you run out of disk space (i.e. for normal users)
1309226268 M * nicholi righto, gotta have space for logs
1309226280 M * Bertl also note that you won't be able to use per guest user/group quotas on a shared disk space
1309226314 M * nicholi i'm not planning to use the quotas anyways, just plain dlimits
1309226343 M * nicholi so what accounts for the root reserved space? all files owned by root ?
1309226373 M * Bertl doesn't matter, the unix root reserve is just a percentage
1309226402 M * nicholi percentage of free space ?
1309226413 M * nicholi i mean how would i know if i've already gone over the reserved percentage
1309226419 M * Bertl i.e. if you are a 'normal' user, and the filesystem is over (100 - root reserve)%, the disk says 'full'
1309226442 M * Bertl and you won't be able to create new files, etc
1309226459 M * nicholi ahh ok
1309226462 M * Bertl for the privileged root user, it will not be full till the 100% are reached
1309229826 Q * hparker Quit: Quit
1309231060 Q * ccxCZ Read error: No route to host
1309231074 J * ccxCZ ~ccxCZ@193.209.forpsi.net
1309231536 M * Bertl off to bed now ... have a good one everyone!
1309231540 N * Bertl Bertl_zZ
1309234979 J * sannes ~ace@cm-84.209.81.224.getinternet.no
1309235638 Q * ccxCZ Read error: Connection reset by peer
1309235754 J * ccxCZ ~ccxCZ@193.209.forpsi.net
1309242941 J * petzsch ~markus@dslb-088-075-174-112.pools.arcor-ip.net
1309243191 J * thierryp ~thierry@82.226.190.44
1309243250 Q * thierryp Remote host closed the connection
1309243270 Q * derjohn_mob Ping timeout: 480 seconds
1309244529 J * ghislain ~AQUEOS@adsl2.aqueos.com
1309246203 J * derjohn_mob ~aj@213.238.45.2
1309247431 J * harobed ~harobed@pda57-1-82-231-115-1.fbx.proxad.net
1309250810 J * kir ~kir@swsoft-msk-nat.sw.ru
1309251028 P * kir
1309251817 J * BenG ~bengreen@cpc12-aztw24-2-0-cust146.aztw.cable.virginmedia.com
1309253475 J * thierryp ~thierry@zanzibar.inria.fr
1309255037 T * * http://linux-vserver.org/ |stable 2.2.0.7, exp 2.3.0.36.38, grsec 2.3.0.36.28|util-vserver-0.30.216-pre2914| He who asks a question is a fool for a minute; he who doesn't ask is a fool for a lifetime -- share the gained knowledge on the Wiki, and we forget about the minute.
1309255037 T * ChanServ -
1309255185 Q * puck Server closed connection
1309255188 J * puck ~puck@leibniz.catalyst.net.nz
1309255626 Q * Vudumen Server closed connection
1309255628 J * Vudumen ~vudumen@perverz.hu
1309256338 Q * tam Server closed connection
1309256349 J * tam ~tam@says.screwallofyoubitches.com
1309257234 Q * wibble Server closed connection
1309257236 J * wibble wibble@vortex.ukshells.co.uk
1309257417 Q * sung Server closed connection
1309257419 J * sung ~sung@doot.realfuckingnews.com
1309257470 J * hparker ~hparker@2001:470:1f0f:32c:beae:c5ff:fe01:b647
1309257570 Q * Radiance Server closed connection
1309257591 J * Radiance ~Radiance@193.16.154.187
1309258260 J * Piet_ ~Piet__@04ZAAADI5.tor-irc.dnsbl.oftc.net
1309258365 Q * Piet Remote host closed the connection
1309258385 N * Piet_ Piet
1309258554 Q * Wonka Server closed connection
1309258555 J * Wonka ~produzier@chaos.in-kiel.de
1309258650 Q * trippeh_ Server closed connection
1309258651 J * trippeh atomt@uff.ugh.no
1309258982 N * Bertl_zZ Bertl
1309258990 M * Bertl morning folks!
1309259952 J * ghislain1 ~AQUEOS@adsl2.aqueos.com
1309260252 Q * ghislain Ping timeout: 480 seconds
1309260570 Q * tokkee Server closed connection
1309260571 J * tokkee tokkee@osprey.tokkee.org
1309262149 Q * Piet Remote host closed the connection
1309262241 J * Piet ~Piet__@04ZAAADNP.tor-irc.dnsbl.oftc.net
1309262970 Q * sladen Server closed connection
1309262975 J * sladen ~paul@starsky.19inch.net
1309263018 Q * ard Server closed connection
1309263020 J * ard ~ard@gw-tweakb16.kwaak.net
1309264626 Q * LuckyLuk1 Server closed connection
1309264646 J * LuckyLuke ~luca@host65-83-static.228-95-b.business.telecomitalia.it
1309265298 Q * wurtel__ Server closed connection
1309265301 J * wurtel__ ~paul@gw-office.telegraaf.net
1309265484 Q * FloodServ resistance.oftc.net synthon.oftc.net
1309265666 T * ChanServ http://linux-vserver.org/ |stable 2.2.0.7, exp 2.3.0.36.38, grsec 2.3.0.36.28|util-vserver-0.30.216-pre2914| He who asks a question is a fool for a minute; he who doesn't ask is a fool for a lifetime -- share the gained knowledge on the Wiki, and we forget about the minute.
1309265666 J * FloodServ services@services.oftc.net
1309266264 N * quasisane_ quasisane
1309266362 Q * quasisane Quit: leaving
1309266379 J * quasisane ~sanep@c-76-24-80-97.hsd1.nh.comcast.net
1309266474 Q * arekm Server closed connection
1309266476 J * arekm ~arekm@ixion.pld-linux.org
1309271446 Q * BenG Quit: I Leave
1309271930 J * dowdle ~dowdle@scott.coe.montana.edu
1309276812 Q * harobed Quit: Ex-Chat
1309277060 Q * thierryp Remote host closed the connection
1309277771 J * bonbons ~bonbons@2001:960:7ab:0:246f:63cf:f3f9:e1da
1309278688 M * nicholi morn
1309279068 Q * petzsch Quit: Leaving.
1309279595 Q * derjohn_mob Ping timeout: 480 seconds
1309279748 J * petzsch ~markus@dslb-088-075-174-112.pools.arcor-ip.net
1309280140 J * nicola_pavlov ~IceChat77@mail2.tikalnetworks.com
1309280169 M * nicola_pavlov hello. How can i add iptables to guest machines?
1309280262 M * Mr_Smoke I don't think you can
1309280301 M * Mr_Smoke Last time I checked, doing that was only possible with NET_RAW, meaning any guest would potentially have total control over your network traffic/interface
1309280358 M * nicholi aye, what Mr_Smoke said
1309280365 M * nicholi all routing should be done on host if possible
1309280382 M * nicola_pavlov i want to block sip connections
1309280390 M * nicola_pavlov is there a way to do that?
1309280679 M * Mr_Smoke Do it on the host
1309280710 M * nicola_pavlov any hints how?
1309280727 M * Mr_Smoke iptables on the host
1309280790 M * nicola_pavlov i have iptables on the host
1309280805 M * nicola_pavlov can i specify rules and it will block them on the guests?
1309281090 M * Bertl networking happens on the host (by default)
1309281119 M * Bertl i.e. traffic is routed and filtered on the host via normal linux routing and iptables filtering
1309281153 M * Bertl the guest itself is limited to a certain IP subset, which is called IP isolation
1309281261 M * nicola_pavlov Bertl i have openvcp_in and openvcp_out rules
1309281272 M * nicola_pavlov i should drop connections on those chains
1309281274 M * nicola_pavlov right?
1309281304 M * nicholi weee
1309281307 A * nicholi fixed an upstart issue
1309281326 J * BenG ~bengreen@cpc12-aztw24-2-0-cust146.aztw.cable.virginmedia.com
1309281345 Q * BenG
1309281463 M * nicola_pavlov any example on the rules?
1309281468 M * nicola_pavlov like what i need to specify?
1309281483 M * nicola_pavlov destination = guest, source = host?
1309281702 M * Bertl what do you want to block?
1309281716 M * nicola_pavlov sip, 5060
1309281785 M * nicola_pavlov i am not familiar with iptables rules
1309281794 M * nicola_pavlov i appreciate any hint
1309281842 M * Bertl so you want to block any access to/from port 5060 to/from a specific guest, yes?
1309281847 M * nicholi if you just want to block the guest, probably iptables -A INPUT -p tcp --dport 5060 --dst guestip -j DROP
1309281871 M * Bertl something like that, for input, similar for output
1309281877 M * nicholi aye
1309281895 A * nicholi wonders if sip is tcp...
1309281898 M * jrayhawk or -j REJECT --reject-with icmp-admin-prohibited if you're feeling friendly
1309281912 M * nicholi :)
1309281925 M * jrayhawk grep 5060 /etc/services
1309282061 M * nicola_pavlov i got the idea
1309282070 M * nicola_pavlov thanks a lot guys
1309282077 M * nicola_pavlov i will try it
1309282335 M * nicola_pavlov nicholi: i am afraid it did not work :S
1309282343 M * nicola_pavlov i ran the command u suggested
1309282353 M * nicola_pavlov i still see hits on the guest
1309282386 M * jrayhawk You probably want to drop the -p tcp so you can catch both protocols.
1309282407 M * nicola_pavlov my bad
1309282411 M * nicola_pavlov 5060 is udp
1309282419 M * nicola_pavlov so i put udp and it worked
1309282579 M * Bertl excellent!
1309282621 J * Piet_ ~Piet__@04ZAAAD3S.tor-irc.dnsbl.oftc.net
1309283013 J * derjohn_mob ~aj@d170160.adsl.hansenet.de
1309283032 Q * Piet Ping timeout: 480 seconds
1309283170 Q * nicola_pavlov Quit: Make it idiot proof and someone will make a better idiot.
1309283555 J * jeroen_ ~jeroen@imap.powerinternet.eu
1309286269 Q * tokkee Read error: Connection reset by peer
1309289392 J * hijacker_ ~hijacker@87-126-142-51.btc-net.bg
1309289459 Q * hijacker_
1309291809 Q * sannes Remote host closed the connection
1309292475 Q * bonbons Quit: Leaving
1309293132 Q * vasko Ping timeout: 480 seconds
1309293768 Q * nicholi Ping timeout: 480 seconds
1309294354 Q * minecraftfan Remote host closed the connection
1309294386 J * minecraftfan ~minecraft@74.63.212.88
1309295528 J * nicholi ~nicholi@12.232.116.66
1309295811 Q * minecraftfan Remote host closed the connection
1309295862 J * minecraftfan ~minecraft@74.63.212.88
1309296012 N * Piet_ Piet
1309296636 Q * FireEgl Remote host closed the connection
1309297457 J * FireEgl FireEgl@2001:470:e056:1:94c5:1387:fd6d:6487
1309298081 Q * FireEgl Remote host closed the connection
1309298113 Q * petzsch Quit: Leaving.
1309298438 Q * Piet Remote host closed the connection
1309298485 J * Piet ~Piet__@1RDAAADNW.tor-irc.dnsbl.oftc.net
1309298769 J * FireEgl FireEgl@2001:470:e056:1:4554:cc32:446a:cf72
1309303626 N * ensc Guest223
1309303636 J * ensc ~irc-ensc@p5DF2F4EE.dip.t-dialin.net
1309304048 Q * Guest223 Ping timeout: 480 seconds