[Debian] VE network isolation
spameden
spameden at gmail.com
Mon Aug 19 16:04:42 EDT 2013
Hi, list.
I'm sorry for copying 2 lists, but I really want to know what I'm doing
wrong.
I'm using Debian 6 Squeeze and OpenVZ CentOS kernel (converted from rpm to
deb).
I'm using veth as well as venet devices for networking.
To isolate multiple containers from each other I'm using vzbrXXX devices on
debian like this:
auto vzbr203
iface vzbr203 inet static
    address 192.168.203.1
    netmask 255.255.255.0
    broadcast 192.168.203.255
    bridge_ports none
    bridge_fd 0
    bridge_maxwait 0

auto vzbr202
iface vzbr202 inet static
    address 192.168.202.1
    netmask 255.255.255.0
    broadcast 192.168.202.255
    bridge_ports none
    bridge_fd 0
    bridge_maxwait 0
The problem I'm facing is that in a VE (for example with CTID 202) I can ping or
query 192.168.203.1, which is on the HN of course, but I thought it shouldn't be
reachable.
Here is route table and ifconfig on CTID 202:
# ip r
default dev lo scope link
# ifconfig -a
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5045068 (4.8 MiB) TX bytes:5045068 (4.8 MiB)
venet0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
BROADCAST POINTOPOINT NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
So I guess it's going through lo device? Why and how can I block this?
Many thanks.
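An added example (not part of the original post or of OpenVZ) that parses the vzbrXXX stanzas above and derives one host-side filter rule per bridge: since the bridge address lives on the HN itself, a container packet for it is delivered locally, so the assumed fix is an INPUT rule on the HN that drops traffic to each bridge address unless it comes from that bridge's own subnet. The interfaces text is the post's two stanzas, trimmed; the rule syntax is standard iptables and the expectation that container traffic traverses the HN's INPUT chain is an assumption.

```python
import ipaddress

# Constructed sample: the post's two bridge stanzas as they would sit in
# /etc/network/interfaces on the hardware node (bridge_fd/maxwait omitted).
INTERFACES = """\
auto vzbr203
iface vzbr203 inet static
    address 192.168.203.1
    netmask 255.255.255.0
    bridge_ports none
auto vzbr202
iface vzbr202 inet static
    address 192.168.202.1
    netmask 255.255.255.0
    bridge_ports none
"""

def parse_bridges(text):
    """Map each vzbr* 'iface ... inet static' stanza to (address, subnet)."""
    stanzas, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "iface" and len(parts) >= 4:
            current = parts[1] if parts[1].startswith("vzbr") else None
            if current:
                stanzas[current] = {}
        elif current and parts[0] in ("address", "netmask"):
            stanzas[current][parts[0]] = parts[1]
    result = {}
    for name, kv in stanzas.items():
        iface = ipaddress.ip_interface(f"{kv['address']}/{kv['netmask']}")
        result[name] = (str(iface.ip), str(iface.network))
    return result

def isolation_rules(bridges):
    """One INPUT rule per bridge: drop packets for the bridge address that do not
    originate in that bridge's subnet (assumed host-side mitigation)."""
    return [f"iptables -A INPUT -d {addr} ! -s {net} -j DROP"
            for _, (addr, net) in sorted(bridges.items())]

def blocked(bridges, src, dst):
    """Simulate the rules: True if a packet src -> dst would be dropped on the HN."""
    for addr, net in bridges.values():
        if dst == addr and ipaddress.ip_address(src) not in ipaddress.ip_network(net):
            return True
    return False

if __name__ == "__main__":
    b = parse_bridges(INTERFACES)
    print("\n".join(isolation_rules(b)))
    print(blocked(b, "192.168.202.10", "192.168.203.1"))  # cross-bridge: True
```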