[Debian] VE network isolation

spameden spameden at gmail.com
Mon Aug 19 16:53:23 EDT 2013


Yes, I have forwarding turned on.

# sysctl -a 2>/dev/null|grep ip_forward
net.ipv4.ip_forward = 1

Surely, I can try to ban this via iptables, but it's so much hassle to ban
each time.

I thought it should "work out of the box"...

Anyways, thanks for your point, I will try to post this on forums.




2013/8/20 Ola Lundqvist <opal at debian.org>

> Hi
>
> This kind of question belongs more on the openvz forum
> http://forum.openvz.org/.
>
> Please ask there.
>
> However I think it is not forwarded through "lo", instead I guess you
> have IP forwarding turned on in the kernel and as the kernel gets aware
> of those datagrams it will forward them to the correct place. To prevent
> that I guess you have to add some firewalling rules (see iptables).
>
> But again, this belongs better on the forum, and I may be totally wrong.
>
> Cheers,
>
> // Ola
>
> On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:
> >    Hi, list.
> >    I'm sorry for copying 2 lists, but I really want to know what I'm
> >    doing wrong.
> >    I'm using Debian 6 Squeeze and OpenVZ CentOS kernel (converted from
> >    rpm to deb).
> >    I'm using veth as well as venet devices for networking.
> >    To isolate multiple containers from each other I'm using vzbrXXX
> >    devices on debian like this:
> >    auto vzbr203
> >    iface vzbr203 inet static
> >            address 192.168.203.1
> >            netmask       255.255.255.0
> >            broadcast       192.168.203.255
> >            bridge_ports none
> >            bridge_fd 0
> >            bridge_maxwait 0
> >    auto vzbr202
> >    iface vzbr202 inet static
> >            address 192.168.202.1
> >            netmask       255.255.255.0
> >            broadcast       192.168.202.255
> >            bridge_ports none
> >            bridge_fd 0
> >            bridge_maxwait 0
> >    The problem I'm facing is that in VE (for example with CTID 202) I can
> >    ping or query 192.168.203.1 which is on HN of course, but I thought it
> >    shouldn't be reachable.
> >    Here is route table and ifconfig on CTID 202:
> >    # ip r
> >    default dev lo  scope link
> >    # ifconfig -a
> >    lo        Link encap:Local Loopback
> >              inet addr:127.0.0.1  Mask:255.0.0.0
> >              inet6 addr: ::1/128 Scope:Host
> >              UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >              RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
> >              TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
> >              collisions:0 txqueuelen:0
> >              RX bytes:5045068 (4.8 MiB)  TX bytes:5045068 (4.8 MiB)
> >    venet0    Link encap:UNSPEC  HWaddr
> >    00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> >              BROADCAST POINTOPOINT NOARP  MTU:1500  Metric:1
> >              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >              collisions:0 txqueuelen:0
> >              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >    So I guess it's going through lo device? Why and how can I block this?
> >    Many thanks.
>
> > _______________________________________________
> > Debian mailing list
> > Debian at openvz.org
> > https://lists.openvz.org/mailman/listinfo/debian
>
>
> --
>  --------------------- Ola Lundqvist ---------------------------
> /  opal at debian.org                     Annebergsslingan 37      \
> |  ola at inguza.com                      654 65 KARLSTAD          |
> |  http://inguza.com/                  +46 (0)70-332 1551       |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
>  ---------------------------------------------------------------
>
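As an added example (not part of either message in this thread), the following script turns Ola's hint about "firewalling rules" into a concrete rule set for the two bridges quoted above. Two things about the Linux packet path matter here: with `ip_forward = 1` the host node routes between the container subnets, so subnet-to-subnet traffic is decided in the `FORWARD` chain; but 192.168.203.1 is one of the host node's own addresses, so a container's packets to it never reach `FORWARD` at all and have to be dropped in `INPUT`. The bridge names, HN addresses and subnets are the ones from the quoted interfaces file; that container traffic reaches the host via `venet0` is taken from the quoted `ifconfig` output. The script only prints the rules unless it is run as root with the argument `apply`, so the result can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread: generate iptables rules that stop the
# per-container subnets from reaching each other (FORWARD) or the host node's
# address on the other bridge (INPUT). Values are taken from the quoted
# /etc/network/interfaces; add one line per further vzbrNNN bridge.
set -eu

# "<bridge> <HN address on that bridge> <container subnet>", one per line
SUBNETS='vzbr202 192.168.202.1 192.168.202.0/24
vzbr203 192.168.203.1 192.168.203.0/24'

# Print the rules isolating one subnet ($1 bridge, $2 HN address, $3 subnet)
# from every other entry in SUBNETS.
rules_for_subnet() {
    src_br=$1 src_net=$3
    printf '%s\n' "$SUBNETS" | while read -r br hn net; do
        [ "$br" = "$src_br" ] && continue
        # Routed container-to-container traffic between the two subnets.
        echo "iptables -A FORWARD -s $src_net -d $net -j DROP"
        # Traffic aimed at the HN's own address on the other bridge is
        # locally delivered, so it is only seen by INPUT, never FORWARD.
        echo "iptables -A INPUT -s $src_net -d $hn -j DROP"
    done
}

# Emit the complete rule set for all subnets (dry run: prints only).
isolation_rules() {
    printf '%s\n' "$SUBNETS" | while read -r br hn net; do
        rules_for_subnet "$br" "$hn" "$net"
    done
}

# Number of rules that would be installed; handy as a sanity check.
rule_count() {
    isolation_rules | grep -c '^iptables'
}

# "apply" executes the rules (needs root); anything else just prints them.
if [ "${1:-}" = apply ]; then
    isolation_rules | sh -e
else
    isolation_rules
fi
```

Rules are appended, so they only take effect if no earlier ACCEPT rule in `FORWARD` or `INPUT` matches first; on a host with an existing rule set, check `iptables -L INPUT -n --line-numbers` and `iptables -L FORWARD -n --line-numbers` and insert with `-I` at the right position instead of `-A`. Established connections from the HN into a container are unaffected because the rules only match packets sourced from the container subnets.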