On 4/27/2012 5:05 PM, Bob Hoffman wrote:
> dropping IPs by host machine, protecting the VMs.
> would something like this work?
>
> -A PREROUTING -s 66.77.65.128/26 -j DROP
>
> or would my server die upon testing it...lol
> _______________________________________________
>

okay, after about 400 attempts and some hour or so of reading, I find that
Red Hat auto-disables the ability to use the host iptables rules to protect
the virtual machines.

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

not sure which would be turned on, bottom two or just the middle

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

There is a lot of talk about making this change but no real talk of any
security or performance issue. I imagine with multiple bridges this could
be an issue, but my machine is just a host with one bridge going to all
the VMs... but is it safe to change this? It seems like until RHEL 6 it
was set on by default.

anyone got a clue on dangers or issues of this?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
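The procedure the thread is circling (turn the bridge-nf sysctl back on, then drop a source range with the host's iptables before it reaches the guests), as an added example that is not code from the original post. It assumes a CentOS/RHEL 6 style host with the bridge module loaded, an iptables build with the physdev match, and root for a real run; the script name bridge-nf-drop.sh and the DRY_RUN switch are my own conventions. With DRY_RUN=1 (the default) every privileged command is printed rather than executed, so the functions can be checked as an ordinary user. The sample sysctl output in the comments is constructed. Two points it encodes that the thread does not: only net.bridge.bridge-nf-call-iptables has to be 1 for IPv4 filtering (ip6tables and arptables are separate hooks), and the rule has to go in FORWARD rather than PREROUTING, because the filter table that iptables uses by default has no PREROUTING chain. It also adds the explicit ACCEPT that keeps the VMs online once their traffic starts hitting the stock FORWARD chain, which ends in REJECT on CentOS 6.

```shell
#!/bin/sh
# Added example for the thread above, not code from the original post.
# Goal: make the host's iptables see traffic bridged to the VMs and drop
# one source range before it reaches them. Assumptions: a CentOS/RHEL 6
# style host with the bridge module loaded, iptables with the physdev
# match, root for the real run. DRY_RUN=1 (default) prints each privileged
# command instead of running it.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject anything that is not a well-formed IPv4 CIDR before it reaches a
# rule; returns 0 for e.g. 66.77.65.128/26, 1 otherwise.
valid_cidr() {
    vc_cidr="$1"
    vc_ip="${vc_cidr%/*}"
    vc_prefix="${vc_cidr#*/}"
    [ "$vc_ip" != "$vc_cidr" ] || return 1                 # no /prefix at all
    case "$vc_prefix" in ''|*[!0-9]*) return 1 ;; esac     # prefix not numeric
    [ "$vc_prefix" -le 32 ] || return 1
    vc_ifs="$IFS"; IFS=.
    set -- $vc_ip                                          # split on dots
    IFS="$vc_ifs"
    [ "$#" -eq 4 ] || return 1
    for vc_oct in "$@"; do
        case "$vc_oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "$vc_oct" -le 255 ] || return 1
    done
    return 0
}

# Only bridge-nf-call-iptables has to be 1 for IPv4 filtering of bridged
# frames; ip6tables is the separate IPv6 hook (add it here if the guests
# get IPv6) and arptables only matters for ARP filtering.
NEEDED_SYSCTLS="net.bridge.bridge-nf-call-iptables"

# Read "key = value" lines (the format `sysctl -a` prints) on stdin and
# print each needed key that is not already 1. Constructed input such as
#   net.bridge.bridge-nf-call-iptables = 0
# yields that key; an input with "= 1" yields nothing.
bridge_nf_todo() {
    bt_cfg="$(cat)"
    for bt_key in $NEEDED_SYSCTLS; do
        if printf '%s\n' "$bt_cfg" | grep -q "^$bt_key *= *1\$"; then
            continue
        fi
        printf '%s\n' "$bt_key"
    done
}

# Flip the missing sysctls. The keys only exist once the bridge module is
# loaded, so run this after the bridge is up; a line in /etc/sysctl.conf
# is typically applied before that at boot, so re-apply it (sysctl -p or
# this function) once the bridge exists.
enable_bridge_nf() {
    [ -d /proc/sys/net/bridge ] || { echo "bridge module not loaded" >&2; return 1; }
    for eb_key in $(sysctl -a 2>/dev/null | bridge_nf_todo); do
        run sysctl -w "$eb_key=1"
    done
}

# FORWARD, not PREROUTING: bridged frames do pass PREROUTING, but only the
# raw, mangle and nat tables have that chain; the filter table iptables
# uses by default has INPUT/FORWARD/OUTPUT, so "iptables -A PREROUTING ..."
# is rejected. --physdev-is-bridged limits the match to bridged traffic so
# the host's own routed traffic is unaffected.
drop_rules() {
    dr_cidr="$1"
    valid_cidr "$dr_cidr" || { echo "bad CIDR: $dr_cidr" >&2; return 1; }
    run iptables -I FORWARD 1 -m physdev --physdev-is-bridged -s "$dr_cidr" -j DROP
    # The stock CentOS 6 FORWARD chain ends in REJECT. Once bridged frames
    # enter it, every VM loses connectivity unless the rest of their
    # traffic is explicitly accepted right after the DROP.
    run iptables -I FORWARD 2 -m physdev --physdev-is-bridged -j ACCEPT
}

main() {
    enable_bridge_nf
    drop_rules "$1"
    run iptables -L FORWARD -n -v --line-numbers     # verify via hit counters
}

# Stand-alone use (as root): DRY_RUN=0 sh bridge-nf-drop.sh 66.77.65.128/26
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it first with the default DRY_RUN=1 to see the exact sysctl and iptables commands it would issue, then with DRY_RUN=0 as root. Watch the counters on the two physdev rules: the DROP line should climb only for the blocked range, the ACCEPT line for everything else the guests send or receive.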