[Debian] VE network isolation
spameden
spameden at gmail.com
Mon Aug 19 16:53:23 EDT 2013
Yes, I have forwarding turned on.
# sysctl -a 2>/dev/null|grep ip_forward
net.ipv4.ip_forward = 1
Surely, I can try to ban this via iptables, but it's so much hassle to ban
each time.
I thought it should "work out out of the box"..
Anyways, thanks for your point, I will try to post this on forums.
2013/8/20 Ola Lundqvist <opal at debian.org>
> Hi
>
> This kind of question belong more on the openvz forum
> http://forum.openvz.org/.
>
> Please ask there.
>
> However I think it is not worwarded through "lo", instead I guess you
> have IP forwarding turned on in the kernel and as the kernel gets aware
> of those datagrams it will forward it to the correct place. To prevent
> that I guess you have to add some firewalling rules (see iptables).
>
> But again, this better belong on the forum, and I may be totally wrong.
>
> Cheers,
>
> // Ola
>
> On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:
> > Hi, list.
> > I'm sorry for copying 2 lists, but I really want to know what I'm
> doing
> > wrong.
> > I'm using Debian 6 Squeeze and OpenVZ CentOS kernel (converted from
> rpm
> > to deb).
> > I'm using veth as well as venet devices for networking.
> > To isolate multiple containers from each other I'm using vzbrXXX
> > devices on debian like this:
> > auto vzbr203
> > iface vzbr203 inet static
> > address 192.168.203.1
> > netmask 255.255.255.0
> > broadcast 192.168.203.255
> > bridge_ports none
> > bridge_fd 0
> > bridge_maxwait 0
> > auto vzbr202
> > iface vzbr202 inet static
> > address 192.168.202.1
> > netmask 255.255.255.0
> > broadcast 192.168.202.255
> > bridge_ports none
> > bridge_fd 0
> > bridge_maxwait 0
> > The problem I'm facing that in VE (for example with CTID 202) I can
> > ping or query 192.168.203.1 which is on HN of course, but I thought it
> > shouldn't be reachable.
> > Here is route table and ifconfig on CTID 202:
> > # ip r
> > default dev lo scope link
> > # ifconfig -a
> > lo Link encap:Local Loopback
> > inet addr:127.0.0.1 Mask:255.0.0.0
> > inet6 addr: ::1/128 Scope:Host
> > UP LOOPBACK RUNNING MTU:16436 Metric:1
> > RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:0
> > RX bytes:5045068 (4.8 MiB) TX bytes:5045068 (4.8 MiB)
> > venet0 Link encap:UNSPEC HWaddr
> > 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> > BROADCAST POINTOPOINT NOARP MTU:1500 Metric:1
> > RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:0
> > RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> > So I guess it's going through lo device? Why and how can I block this?
> > Many thanks.
>
> > _______________________________________________
> > Debian mailing list
> > Debian at openvz.org
> > https://lists.openvz.org/mailman/listinfo/debian
>
>
> --
> --------------------- Ola Lundqvist ---------------------------
> / opal at debian.org Annebergsslingan 37 \
> | ola at inguza.com 654 65 KARLSTAD |
> | http://inguza.com/ +46 (0)70-332 1551 |
> \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
> ---------------------------------------------------------------
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openvz.org/pipermail/debian/attachments/20130820/3e0660b4/attachment.html>
More information about the Debian
mailing list