[Debian] VE network isolation

spameden spameden at gmail.com
Mon Aug 19 16:04:42 EDT 2013


Hi, list.

I'm sorry for copying 2 lists, but I really want to know what I'm doing
wrong.

I'm using Debian 6 Squeeze and OpenVZ CentOS kernel (converted from rpm to
deb).

I'm using veth as well as venet devices for networking.

To isolate multiple containers from each other I'm using vzbrXXX devices on
Debian like this:

auto vzbr203
iface vzbr203 inet static
        address 192.168.203.1
        netmask 255.255.255.0
        broadcast 192.168.203.255
        bridge_ports none
        bridge_fd 0
        bridge_maxwait 0

auto vzbr202
iface vzbr202 inet static
        address 192.168.202.1
        netmask 255.255.255.0
        broadcast 192.168.202.255
        bridge_ports none
        bridge_fd 0
        bridge_maxwait 0

The problem I'm facing is that in a VE (for example, with CTID 202) I can ping
or query 192.168.203.1, which is on the HN of course, but I thought it
shouldn't be reachable.

Here is the route table and ifconfig output on CTID 202:

# ip r
default dev lo  scope link
# ifconfig -a
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5045068 (4.8 MiB)  TX bytes:5045068 (4.8 MiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          BROADCAST POINTOPOINT NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


So I guess it's going through the lo device? Why, and how can I block this?

Many thanks.
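
Added example, not part of the original post and not OpenVZ's own tooling: a Linux host delivers a packet addressed to any of its own addresses locally whichever interface it arrives on, so separate bridges alone do not hide 192.168.203.1 from a container attached to vzbr202. The sketch below parses the vzbr stanzas shown above and prints host-side iptables rules that drop cross-bridge traffic. It assumes the container's traffic reaches the HN over its own bridge; the function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the two bridge stanzas from the post, trimmed to the
# fields the parser needs.
INTERFACES='auto vzbr203
iface vzbr203 inet static
        address 192.168.203.1
        netmask 255.255.255.0
        bridge_ports none

auto vzbr202
iface vzbr202 inet static
        address 192.168.202.1
        netmask 255.255.255.0
        bridge_ports none
'

# list_bridges: print "<bridge> <host-address>" for every static vzbr* stanza.
list_bridges() {
    printf '%s\n' "$1" | awk '
        $1 == "iface" { br = ($2 ~ /^vzbr[0-9]+$/ && $4 == "static") ? $2 : "" }
        $1 == "address" && br != "" { print br, $2; br = "" }'
}

# isolation_rules: for every ordered pair of distinct bridges (src, dst) emit
#   INPUT   - drop traffic arriving on src that targets dst's HN address
#   FORWARD - drop traffic the HN would route from src to dst
# Rules are printed, not applied, so they can be reviewed first.
isolation_rules() {
    pairs=$(list_bridges "$1")
    printf '%s\n' "$pairs" | while read -r src src_addr; do
        printf '%s\n' "$pairs" | while read -r dst dst_addr; do
            if [ "$src" = "$dst" ]; then
                continue
            fi
            echo "iptables -A INPUT -i $src -d $dst_addr -j DROP"
            echo "iptables -A FORWARD -i $src -o $dst -j DROP"
        done
    done
}

isolation_rules "$INTERFACES"
```

The INPUT rules cover the case described in the post (a container on one bridge reaching the HN's address on another); the FORWARD rules cover container-to-container traffic routed through the HN.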