[Debian] VE network isolation
spameden
spameden at gmail.com
Mon Aug 19 17:09:58 EDT 2013
2013/8/20 Ola Lundqvist <ola at inguza.com>
> Hi
>
> It all depends on how you have done things. There are a few things
> that are not fully clear that you should probably add in a forum
> question.
>
> You mention that you use both venet and veth devices. It
> is not clear what you use in this situation.
> (To my knowledge only veth makes sense to use with vzbr).
>
Yes, I'm using both devices.
I've added veth device to the vzbr201 device with private IP address, e.g.
192.168.201.2.
venet0 is used for public internet address, e.g. 1.2.3.4
>
> It is also not clear how you add veth to the bridge.
>
I'm adding it via /etc/vz/vznet.conf:
#!/bin/bash
EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"
>
> I guess you have read this article:
> http://openvz.org/Virtual_Ethernet_device
>
Did already.
>
> Also it may be so that even though you have added them to
> different bridges, then the bridges may be connected to something
> common. It is not clear from the text below.
>
How can bridges be connected to the same thing if they are different?
>
> Hope this helps for your forum question.
>
> Cheers,
>
> // Ola
>
>
> On Tue, Aug 20, 2013 at 12:53:23AM +0400, spameden wrote:
> > Yes, I have forwarding turned on.
> > # sysctl -a 2>/dev/null|grep ip_forward
> > net.ipv4.ip_forward = 1
> > Surely, I can try to ban this via iptables, but it's so much hassle to
> > ban each time.
> > I thought it should "work out of the box".
> > Anyways, thanks for your point, I will try to post this on forums.
> >
> > 2013/8/20 Ola Lundqvist <[1]opal at debian.org>
> >
> > Hi
> > This kind of question belongs more on the openvz forum
> > [2]http://forum.openvz.org/.
> > Please ask there.
> > However I think it is not forwarded through "lo", instead I guess you
> > have IP forwarding turned on in the kernel and as the kernel gets aware
> > of those datagrams it will forward it to the correct place. To prevent
> > that I guess you have to add some firewalling rules (see iptables).
> > But again, this better belongs on the forum, and I may be totally wrong.
> > Cheers,
> > // Ola
> >
> > On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:
> > > Hi, list.
> > > I'm sorry for copying 2 lists, but I really want to know what I'm doing
> > > wrong.
> > > I'm using Debian 6 Squeeze and OpenVZ CentOS kernel (converted from rpm
> > > to deb).
> > > I'm using veth as well as venet devices for networking.
> > > To isolate multiple containers from each other I'm using vzbrXXX
> > > devices on debian like this:
> > > auto vzbr203
> > > iface vzbr203 inet static
> > > address 192.168.203.1
> > > netmask 255.255.255.0
> > > broadcast 192.168.203.255
> > > bridge_ports none
> > > bridge_fd 0
> > > bridge_maxwait 0
> > > auto vzbr202
> > > iface vzbr202 inet static
> > > address 192.168.202.1
> > > netmask 255.255.255.0
> > > broadcast 192.168.202.255
> > > bridge_ports none
> > > bridge_fd 0
> > > bridge_maxwait 0
> > > The problem I'm facing is that in a VE (for example with CTID 202) I can
> > > ping or query 192.168.203.1, which is on the HN of course, but I thought
> > > it shouldn't be reachable.
> > > Here is route table and ifconfig on CTID 202:
> > > # ip r
> > > default dev lo scope link
> > > # ifconfig -a
> > > lo Link encap:Local Loopback
> > > inet addr:127.0.0.1 Mask:255.0.0.0
> > > inet6 addr: ::1/128 Scope:Host
> > > UP LOOPBACK RUNNING MTU:16436 Metric:1
> > > RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
> > > TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
> > > collisions:0 txqueuelen:0
> > > RX bytes:5045068 (4.8 MiB) TX bytes:5045068 (4.8 MiB)
> > > venet0 Link encap:UNSPEC HWaddr
> > > 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> > > BROADCAST POINTOPOINT NOARP MTU:1500 Metric:1
> > > RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > > collisions:0 txqueuelen:0
> > > RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> > > So I guess it's going through lo device? Why and how can I block this?
> > > Many thanks.
> >
> > > _______________________________________________
> > > Debian mailing list
> > > [3]Debian at openvz.org
> > > [4]https://lists.openvz.org/mailman/listinfo/debian
> > --
> > --------------------- Ola Lundqvist ---------------------------
> > / [5]opal at debian.org Annebergsslingan 37 \
> > | [6]ola at inguza.com 654 65 KARLSTAD |
> > | [7]http://inguza.com/ +46 (0)70-332 1551 |
> > \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
> > ---------------------------------------------------------------
> >
> > References
> >
> > 1. mailto:opal at debian.org
> > 2. http://forum.openvz.org/
> > 3. mailto:Debian at openvz.org
> > 4. https://lists.openvz.org/mailman/listinfo/debian
> > 5. mailto:opal at debian.org
> > 6. mailto:ola at inguza.com
> > 7. http://inguza.com/
>
> --
> --- Inguza Technology AB --- MSc in Information Technology ----
> / ola at inguza.com Annebergsslingan 37 \
> | opal at debian.org 654 65 KARLSTAD |
> | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
> \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
> ---------------------------------------------------------------
>
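The firewalling Ola suggests, as an added example that is not part of the thread: a POSIX shell script that reads bridge stanzas in the /etc/network/interfaces form posted above and prints iptables rules so that each bridge's HN address is reachable only from that bridge (which also covers the venet0 path CT 202 used) and nothing is forwarded between vzbr bridges. The sample stanzas are constructed from the thread's vzbr202/vzbr203 definitions, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not from the thread.  Derives host firewall rules that keep
# each vzbrXXX bridge private: the HN address on a bridge may only be
# reached from that bridge, and packets are not forwarded between bridges.
# Input is the /etc/network/interfaces stanza shape posted in the thread;
# the rules are printed for review, not applied.

# Constructed sample: the two bridge stanzas from the thread, abbreviated.
SAMPLE_INTERFACES='auto vzbr203
iface vzbr203 inet static
    address 192.168.203.1
    netmask 255.255.255.0
    bridge_ports none
auto vzbr202
iface vzbr202 inet static
    address 192.168.202.1
    netmask 255.255.255.0
    bridge_ports none'

# Read stanzas on stdin, print "<bridge> <hn-address>" for each vzbr* bridge.
bridge_addrs() {
    awk '$1 == "iface" && $2 ~ /^vzbr/ { br = $2; next }
         $1 == "address" && br != "" { print br, $2; br = "" }'
}

# Read "<bridge> <hn-address>" lines on stdin and print iptables commands:
#   INPUT:   accept lo; drop packets to a bridge's HN address unless they
#            arrived on that bridge (this catches other bridges and venet0,
#            the path CT 202 used to reach 192.168.203.1 in the thread)
#   FORWARD: drop anything routed from one vzbr bridge out through another
isolation_rules() {
    pairs=$(cat)
    echo "iptables -A INPUT -i lo -j ACCEPT"
    printf '%s\n' "$pairs" | while read -r br addr; do
        echo "iptables -A INPUT -d $addr ! -i $br -j DROP"
        printf '%s\n' "$pairs" | while read -r other _; do
            if [ "$other" != "$br" ]; then
                echo "iptables -A FORWARD -i $br -o $other -j DROP"
            fi
        done
    done
}

# Wrapper over the constructed sample; returns the full rule list on stdout.
gen_isolation_rules() {
    printf '%s\n' "$SAMPLE_INTERFACES" | bridge_addrs | isolation_rules
}

gen_isolation_rules
```

Feed the real /etc/network/interfaces through bridge_addrs | isolation_rules to generate rules for the host's own bridges, and add the rules to the top of the chains (or ahead of any broad ACCEPT) for them to take effect.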