SCIENTIFIC-LINUX-USERS Archives

July 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Todd And Margo Chester <[log in to unmask]>
Reply To:
Todd And Margo Chester <[log in to unmask]>
Date:
Sun, 17 Jul 2011 20:02:15 -0700
> On 07/17/2011 01:13 AM, Todd And Margo Chester wrote:
>> On 07/16/2011 09:43 PM, Yasha Karant wrote:
>>> How do you create the internal eth0 that does not use physical
>>> hardware (assuming that eth1 is physical)?
>>>
>>> From what you have supplied, my guess is to use the vboxnet virtual
>>> 802.3 adapter and MAC address created by VirtualBox, and then "clone"
>>> that into eth0.5. I will try this approach on Monday.
>>>
>>> Yasha
>> Hi Yasha,
>>
>> eth0 and eth1 are physical (real) network adapters (I have two).
>> eth0.5 is the fake (VLAN) one. I attach my VM to eth0.5 in
>> VirtualBox bridge mode. (VBox cannot tell my adapters apart.)
>>
>> Eventually, my plans are to drop VirtualBox for KVM.
>>
>> -T
>
On 07/17/2011 09:31 AM, Yasha Karant wrote:
> Hi Todd,
>
> That is the fundamental difference:  I have one physical 802.3 NIC and 
> evidently I cannot allow it to share a MAC address with a virtual NIC 
> using the campus LAN (that is, two different NICs with the same MAC 
> address) unless I go out of my way to be certain that the virtual NIC 
> is fully hidden from the campus LAN (including ARP and any other 
> routing).

In the VLAN's ifcfg, just leave off the MAC address?  Or make one up?

I use iptables to set up what goes where.  I use the "Everything is illegal,
except those things I specifically tell iptables are legal" method.  See 
below.

>
> I am going to attempt to use the virtual NIC created by VirtualBox, 
> vboxnet as the subject of further virtualization (e.g., vboxnet0.5) . 
> I know from experience that the activation of vboxnet does not cause 
> any issues with the LAN at my campus.
>
>
> Both VMWare and VirtualBox are professionally supported and maintained,

Uh oh.  I have spent hours and hours trying to get support from Oracle
on VirtualBox.  It does not exist, and the word I finally got back was
"there will probably never be a pricing schedule".  Be careful with
VirtualBox: it is still a bit of a toy.

-T


################   Now for the Firewall   #################


# Assumed values (this is an excerpt of a longer script; both variables are
# set earlier in it): $tbls is the iptables binary, $VlanNic is the VLAN
# sub-interface the VM is bridged to.
tbls=/sbin/iptables
VlanNic=eth0.5

#
# Flush out whatever rules are currently set in the built-in filter chains:
#
$tbls -F INPUT
$tbls -F OUTPUT
$tbls -F FORWARD

# Flush the nat table and delete any user-defined chains left in it
$tbls --table nat --flush
$tbls --table nat --delete-chain


# Create and flush chains for eth1 (the DSL side).  On a re-run the -N calls
# complain that the chain already exists; the -F calls still empty it.
$tbls -N dsl-in
$tbls -N dsl-out
$tbls -N dsl-for

$tbls -F dsl-in
$tbls -F dsl-out
$tbls -F dsl-for


# Create and flush chains for eth0.5 (the VLAN the VM is bridged to)
$tbls -N Vlan-in
$tbls -N Vlan-out
$tbls -N Vlan-for

$tbls -F Vlan-in
$tbls -F Vlan-out
$tbls -F Vlan-for


# Start by setting all policies to deny all network access: anything that
# falls off the end of a built-in chain is dropped.
#
$tbls -P INPUT   DROP
$tbls -P OUTPUT  DROP
$tbls -P FORWARD DROP


# Divert everything arriving on, or leaving via, eth1 into the dsl chains ...
$tbls -A INPUT   -i eth1 -j dsl-in
$tbls -A OUTPUT  -o eth1 -j dsl-out
$tbls -A FORWARD -i eth1 -j dsl-for

# ... and close each of them with an unconditional DROP.  Anything that is to
# be allowed has to be inserted (-I) ahead of this rule; a rule appended (-A)
# later lands behind the DROP and never matches.
$tbls -A dsl-in   -j DROP
$tbls -A dsl-out  -j DROP
$tbls -A dsl-for  -j DROP

# Same layout for the VLAN interface
$tbls -A INPUT   -i $VlanNic -j Vlan-in
$tbls -A OUTPUT  -o $VlanNic -j Vlan-out
$tbls -A FORWARD -i $VlanNic -j Vlan-for

$tbls -A Vlan-in   -j DROP
$tbls -A Vlan-out  -j DROP
$tbls -A Vlan-for  -j DROP


# Allow my local interface to work
$tbls  -A INPUT   -i lo  -j ACCEPT
$tbls  -A OUTPUT  -o lo  -j ACCEPT
$tbls  -A FORWARD -i lo  -j ACCEPT
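The "everything is illegal except what I allow" layout above is easy to break without noticing: a permit rule appended after a chain's terminal DROP is never consulted, a built-in policy quietly reset to ACCEPT undoes the default deny, and an interface that is not diverted into its own chain falls straight through to the policy. The following is an added example (not part of this message or the poster's script) that audits an iptables-save dump for exactly those invariants. The dump is constructed to mirror the chains the script builds, with one deliberately misplaced rule; the interface names eth1 and eth0.5 are taken from the thread, everything else is assumed.

```python
"""Audit an iptables-save dump for the default-deny, per-interface layout.

Added example, not the poster's script: checks DROP policies, that each named
interface is diverted into a chain of its own, that every user chain ends in an
unconditional DROP, and that nothing has been appended behind that DROP.
"""
import re

# Constructed sample in iptables-save format (not captured from a real host).
# It mirrors the chains the script above builds, plus one deliberate defect:
# a port-22 ACCEPT appended after the terminal DROP of dsl-in.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:dsl-in - [0:0]
:dsl-out - [0:0]
:dsl-for - [0:0]
:Vlan-in - [0:0]
:Vlan-out - [0:0]
:Vlan-for - [0:0]
-A INPUT -i eth1 -j dsl-in
-A INPUT -i eth0.5 -j Vlan-in
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth1 -j dsl-for
-A FORWARD -i eth0.5 -j Vlan-for
-A FORWARD -i lo -j ACCEPT
-A OUTPUT -o eth1 -j dsl-out
-A OUTPUT -o eth0.5 -j Vlan-out
-A OUTPUT -o lo -j ACCEPT
-A dsl-in -m state --state ESTABLISHED,RELATED -j ACCEPT
-A dsl-in -j DROP
-A dsl-in -p tcp -m tcp --dport 22 -j ACCEPT
-A dsl-out -j DROP
-A dsl-for -j DROP
-A Vlan-in -j DROP
-A Vlan-out -j DROP
-A Vlan-for -j DROP
COMMIT
"""

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")


def parse_filter_table(dump):
    """Return (policies, chains) for the *filter table: built-in chain -> policy,
    and chain name -> list of rule strings (text after '-A <chain> '), in order."""
    policies, chains, in_filter = {}, {}, False
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("*"):                    # table header, e.g. "*filter"
            in_filter = line == "*filter"
        elif not in_filter or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line.startswith(":"):                  # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name] = []
            if policy != "-":                       # "-" marks a user-defined chain
                policies[name] = policy
        else:
            m = re.match(r"-A (\S+) (.*)", line)
            if m:
                chains.setdefault(m.group(1), []).append(m.group(2))
    return policies, chains


def option_value(rule, flag):
    """Value following a flag such as '-i', '-o' or '-j' in a rule, else None."""
    toks = rule.split()
    return toks[toks.index(flag) + 1] if flag in toks[:-1] else None


def unconditional_target(rule):
    """Jump target of a rule that has no match options at all, else None."""
    m = re.fullmatch(r"-j (\S+)", rule.strip())
    return m.group(1) if m else None


def audit(dump, interfaces):
    """Return a list of findings; an empty list means the layout is intact."""
    policies, chains = parse_filter_table(dump)
    findings = [f"{b} policy is {policies.get(b)}, not DROP"
                for b in BUILTIN if policies.get(b) != "DROP"]
    # Each interface must be diverted into a user chain of its own in all three built-ins.
    for iface in interfaces:
        for builtin, flag in (("INPUT", "-i"), ("OUTPUT", "-o"), ("FORWARD", "-i")):
            hooks = [r for r in chains.get(builtin, []) if option_value(r, flag) == iface]
            if not hooks:
                findings.append(f"{builtin}: no {flag} {iface} rule, traffic falls to the policy")
                continue
            target = option_value(hooks[0], "-j")
            if target in BUILTIN or target not in chains:
                findings.append(f"{builtin}: {iface} jumps to {target}, not a per-interface chain")
    # Every user chain must end in an unconditional DROP, with nothing behind it.
    for name, rules in chains.items():
        if name in BUILTIN:
            continue
        drop_at = next((i for i, r in enumerate(rules)
                        if unconditional_target(r) in ("DROP", "REJECT")), None)
        if drop_at is None:
            findings.append(f"chain {name} has no terminal DROP")
            continue
        for r in rules[drop_at + 1:]:
            findings.append(f"chain {name}: '{r}' is behind the terminal DROP and can never match")
    return findings
```

Run against the constructed dump with `audit(SAMPLE_DUMP, ["eth1", "eth0.5"])` it reports exactly one finding, the port-22 ACCEPT that sits behind the DROP in dsl-in; on a real host feed it the output of `iptables-save` instead. The remedy for that finding is to insert the permit ahead of the terminal rule (`iptables -I dsl-in 1 ...`) or to append it before the DROP is added, which is why the DROP should be the last thing the script writes into each chain.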
