Date: Sun, 17 Jul 2011 20:02:15 -0700
> On 07/17/2011 01:13 AM, Todd And Margo Chester wrote:
>> On 07/16/2011 09:43 PM, Yasha Karant wrote:
>>> How do you create the internal eth0 that does not use physical
>>> hardware (assuming that eth 1 is physical)?
>>>
>>> From what you have supplied, my guess is to use the vboxnet virtual
>>> 802.3 adapter and MAC address created by VirtualBox, and then "clone"
>>> that into eth0.5 . I will try this approach on Monday.
>>>
>>> Yasha
>> Hi Yasha,
>>
>> eth0 and eth1 are physical (real) network adapters (I have two).
>> eth0.5 is the fake (vlan) one. I attach my VM to eth0.5 in
>> Virtual Box bridge mode. (Vbox can not tell my adapters apart.)
>>
>> Eventually, my plans are to drop Virtual Box for KVM.
>>
>> -T
>
On 07/17/2011 09:31 AM, Yasha Karant wrote:
> Hi Todd,
>
> That is the fundamental difference: I have one physical 802.3 NIC and
> evidently I cannot allow it to share a MAC address with a virtual NIC
> using the campus LAN (that is, two different NICs with the same MAC
> address) unless I go out of my way to be certain that the virtual NIC
> is fully hidden from the campus LAN (including ARP and any other
> routing).
In the VLAN's ifcfg, just leave off the mac address? Or make one up?
I use iptables to set up what goes where. I use the "Everything is illegal,
except those things I specifically tell iptables are legal" method. See
below.
>
> I am going to attempt to use the virtual NIC created by VirtualBox,
> vboxnet as the subject of further virtualization (e.g., vboxnet0.5) .
> I know from experience that the activation of vboxnet does not cause
> any issues with the LAN at my campus.
>
>
> Both VMWare and VirtualBox are professionally supported and maintained,
Uh oh. I have spent hours and hours trying to get support from Oracle
on Virtual Box. It does not exist and the word I finally got back was
"there will probably never be a pricing schedule". Be careful with
Virtual Box: it is still a bit of a toy.
-T
################ Now for the Firewall #################
#
# Assumed definitions (not shown in the original message): the iptables
# binary and the VLAN interface the VM is bridged to.
tbls=/sbin/iptables
VlanNic=eth0.5
#
# Flush out whatever rules are currently set:
#
$tbls -F INPUT
$tbls -F OUTPUT
$tbls -F FORWARD
# Flush the nat table and delete its user-defined chains
$tbls --table nat --flush
$tbls --table nat --delete-chain
# Create and flush chains for eth1 (-N fails harmlessly if the chain exists)
$tbls -N dsl-in
$tbls -N dsl-out
$tbls -N dsl-for
$tbls -F dsl-in
$tbls -F dsl-out
$tbls -F dsl-for
# Create and flush chains for eth0.5
$tbls -N Vlan-in
$tbls -N Vlan-out
$tbls -N Vlan-for
$tbls -F Vlan-in
$tbls -F Vlan-out
$tbls -F Vlan-for
# Start by setting all policies to deny all network access:
#
$tbls -P INPUT DROP
$tbls -P OUTPUT DROP
$tbls -P FORWARD DROP
# Hand eth1 traffic to the dsl chains, which end in DROP.
# Note: anything appended to these chains later with -A lands after the
# DROP and never matches; ACCEPT rules must be inserted with -I, or the
# DROP added last.
$tbls -A INPUT -i eth1 -j dsl-in
$tbls -A OUTPUT -o eth1 -j dsl-out
$tbls -A FORWARD -i eth1 -j dsl-for
$tbls -A dsl-in -j DROP
$tbls -A dsl-out -j DROP
$tbls -A dsl-for -j DROP
# Same for the VLAN interface
$tbls -A INPUT -i $VlanNic -j Vlan-in
$tbls -A OUTPUT -o $VlanNic -j Vlan-out
$tbls -A FORWARD -i $VlanNic -j Vlan-for
$tbls -A Vlan-in -j DROP
$tbls -A Vlan-out -j DROP
$tbls -A Vlan-for -j DROP
# Allow my local interface to work
$tbls -A INPUT -i lo -j ACCEPT
$tbls -A OUTPUT -o lo -j ACCEPT
$tbls -A FORWARD -i lo -j ACCEPT
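An added check, not part of Todd's message: a small Python audit over `iptables -S` output that confirms the three built-in policies are DROP and flags any rule appended after an unconditional DROP in a chain, which is the trap the per-interface chains above set for later `-A` accept rules. The dump it reads is constructed for the example, not captured from a host.

```python
# Audit an `iptables -S` style dump for the default-deny layout used above.

# Constructed sample in the format `iptables -S` prints (not from a real host).
# It deliberately has two problems: OUTPUT is not DROP, and dsl-in has a
# rule appended after its unconditional DROP.
SAMPLE_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N dsl-in
-N Vlan-in
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j dsl-in
-A INPUT -i eth0.5 -j Vlan-in
-A dsl-in -j DROP
-A dsl-in -p tcp --dport 22 -j ACCEPT
-A Vlan-in -p tcp --dport 22 -j ACCEPT
"""

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")
TERMINAL = {"DROP", "REJECT"}


def parse_dump(text):
    """Return ({chain: policy}, {chain: [rule tokens, ...]}) from `iptables -S` text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif tok[0] == "-N":
            chains.setdefault(tok[1], [])
        elif tok[0] == "-A":
            chains.setdefault(tok[1], []).append(tok[2:])
    return policies, chains


def audit(text):
    """List deviations from default-deny: non-DROP built-in policies, and rules
    placed after an unconditional DROP/REJECT in a chain (they can never match)."""
    policies, chains = parse_dump(text)
    findings = []
    for chain in BUILTIN:
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: policy is {policies.get(chain, 'unset')}, not DROP")
    for chain, rules in chains.items():
        terminal_at, target = None, None
        for idx, rule in enumerate(rules, 1):
            if terminal_at is not None:
                findings.append(f"{chain}: rule {idx} is unreachable "
                                f"(after unconditional {target} at rule {terminal_at})")
            elif len(rule) == 2 and rule[0] == "-j" and rule[1] in TERMINAL:
                terminal_at, target = idx, rule[1]  # bare "-j DROP": no match options
    return findings
```

On a live box, feed it `iptables -S` output (`audit(subprocess.check_output(["iptables", "-S"], text=True))`); an empty list means the layout matches.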