[Debian] VE network isolation

Ola Lundqvist ola at inguza.com
Mon Aug 19 17:07:15 EDT 2013


Hi

It all depends on how you have done things. There are a few things
that are not fully clear that you should probably add in a forum
question.

You mention that you use both venet and veth devices. It
is not clear what you use in this situation.
(To my knowledge only veth makes sense to use with vzbr).

It is also not clear how you add veth to the bridge.

I guess you have read this article:
http://openvz.org/Virtual_Ethernet_device

Also it may be that, even though you have added them to
different bridges, the bridges are connected to something
common. It is not clear from the text below.

Hope this helps for your forum question.

Cheers,

// Ola


On Tue, Aug 20, 2013 at 12:53:23AM +0400, spameden wrote:
>    Yes, I have forwarding turned on.
>    # sysctl -a 2>/dev/null|grep ip_forward
>    net.ipv4.ip_forward = 1
>    Surely, I can try to ban this via iptables, but it's so much hassle to
>    ban each time.
>    I thought it should "work out of the box"..
>    Anyways, thanks for your point, I will try to post this on forums.
> 
>    2013/8/20 Ola Lundqvist <[1]opal at debian.org>
> 
>      Hi
>      This kind of question belongs more on the openvz forum
>      [2]http://forum.openvz.org/.
>      Please ask there.
>      However I think it is not forwarded through "lo", instead I guess you
>      have IP forwarding turned on in the kernel and as the kernel gets aware
>      of those datagrams it will forward it to the correct place. To prevent
>      that I guess you have to add some firewalling rules (see iptables).
>      But again, this better belongs on the forum, and I may be totally wrong.
>      Cheers,
>      // Ola
> 
>    On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:
>    >    Hi, list.
>    >    I'm sorry for copying 2 lists, but I really want to know what I'm doing
>    >    wrong.
>    >    I'm using Debian 6 Squeeze and OpenVZ CentOS kernel (converted from rpm
>    >    to deb).
>    >    I'm using veth as well as venet devices for networking.
>    >    To isolate multiple containers from each other I'm using vzbrXXX
>    >    devices on debian like this:
>    >    auto vzbr203
>    >    iface vzbr203 inet static
>    >            address 192.168.203.1
>    >            netmask       255.255.255.0
>    >            broadcast       192.168.203.255
>    >            bridge_ports none
>    >            bridge_fd 0
>    >            bridge_maxwait 0
>    >    auto vzbr202
>    >    iface vzbr202 inet static
>    >            address 192.168.202.1
>    >            netmask       255.255.255.0
>    >            broadcast       192.168.202.255
>    >            bridge_ports none
>    >            bridge_fd 0
>    >            bridge_maxwait 0
>    >    The problem I'm facing is that in VE (for example with CTID 202) I can
>    >    ping or query 192.168.203.1 which is on HN of course, but I thought it
>    >    shouldn't be reachable.
>    >    Here is route table and ifconfig on CTID 202:
>    >    # ip r
>    >    default dev lo  scope link
>    >    # ifconfig -a
>    >    lo        Link encap:Local Loopback
>    >              inet addr:127.0.0.1  Mask:255.0.0.0
>    >              inet6 addr: ::1/128 Scope:Host
>    >              UP LOOPBACK RUNNING  MTU:16436  Metric:1
>    >              RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
>    >              TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
>    >              collisions:0 txqueuelen:0
>    >              RX bytes:5045068 (4.8 MiB)  TX bytes:5045068 (4.8 MiB)
>    >    venet0    Link encap:UNSPEC  HWaddr
>    >    00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>    >              BROADCAST POINTOPOINT NOARP  MTU:1500  Metric:1
>    >              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>    >              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>    >              collisions:0 txqueuelen:0
>    >              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>    >    So I guess it's going through lo device? Why and how can I block this?
>    >    Many thanks.
> 
>      > _______________________________________________
>      > Debian mailing list
>      > [3]Debian at openvz.org
>      > [4]https://lists.openvz.org/mailman/listinfo/debian
>      --
>       --------------------- Ola Lundqvist ---------------------------
>      /  [5]opal at debian.org                     Annebergsslingan 37      \
>      |  [6]ola at inguza.com                      654 65 KARLSTAD          |
>      |  [7]http://inguza.com/                  +46 (0)70-332 1551       |
>      \  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
>       ---------------------------------------------------------------
> 
> References
> 
>    1. mailto:opal at debian.org
>    2. http://forum.openvz.org/
>    3. mailto:Debian at openvz.org
>    4. https://lists.openvz.org/mailman/listinfo/debian
>    5. mailto:opal at debian.org
>    6. mailto:ola at inguza.com
>    7. http://inguza.com/

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola at inguza.com                    Annebergsslingan 37        \
|  opal at debian.org                   654 65 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
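Ola's pointer to firewalling rules on the HN, worked through as an added example that is not from anyone in the thread: a POSIX sh script that prints iptables rules keeping each per-container bridge subnet from reaching the HN addresses and subnets of the other bridges. The bridge names, subnets and gateway addresses are taken from the quoted configuration; the VZ_BRIDGES table and the rule set itself are this example's assumptions. Matching on the source subnet rather than the ingress interface means the rules apply whether a container's packets arrive via a veth port on the bridge or via venet0.

```shell
#!/bin/sh
# Added example: print iptables rules isolating per-container bridges on an
# OpenVZ hardware node. Not from the thread; the table below is constructed
# from the quoted /etc/network/interfaces stanzas ("name subnet gateway").
VZ_BRIDGES="vzbr202 192.168.202.0/24 192.168.202.1
vzbr203 192.168.203.0/24 192.168.203.1"

# isolation_rules BRIDGE SUBNET GATEWAY
# Rules for one bridge: its subnet may still reach its own gateway, but
# packets addressed to the HN on another bridge's address (INPUT chain) or
# routed into another bridge's subnet (FORWARD chain) are dropped.
isolation_rules() {
    br=$1
    subnet=$2
    printf '%s\n' "$VZ_BRIDGES" | while read -r obr osubnet ogw; do
        [ "$obr" = "$br" ] && continue
        # The HN owns every bridge gateway address, so without this a
        # container on vzbr202 can reach 192.168.203.1 as a local address.
        echo "iptables -A INPUT -s $subnet -d $ogw -j DROP"
        # With net.ipv4.ip_forward=1 the HN would otherwise route between
        # the two bridge subnets.
        echo "iptables -A FORWARD -s $subnet -d $osubnet -j DROP"
    done
}

# all_rules: rules for every bridge in the table. Output is printed rather
# than applied so it can be reviewed, then piped to sh as root on the HN.
all_rules() {
    printf '%s\n' "$VZ_BRIDGES" | while read -r br subnet gw; do
        isolation_rules "$br" "$subnet" "$gw"
    done
}

all_rules
```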

