<div dir="ltr"><div><div><div>Yes, I have forwarding turned on.<br><br># sysctl -a 2>/dev/null|grep ip_forward<br>net.ipv4.ip_forward = 1<br><br></div>Surely, I can try to ban this via iptables, but it's so much hassle to ban each time.<br>
<br></div>I thought it should "work out out of the box"..<br><br></div>Anyways, thanks for your point, I will try to post this on forums.<br><div><div><div><br><br></div></div></div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">2013/8/20 Ola Lundqvist <span dir="ltr"><<a href="mailto:opal@debian.org" target="_blank">opal@debian.org</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi<br>
<br>
This kind of question belong more on the openvz forum<br>
<a href="http://forum.openvz.org/" target="_blank">http://forum.openvz.org/</a>.<br>
<br>
Please ask there.<br>
<br>
However I think it is not worwarded through "lo", instead I guess you<br>
have IP forwarding turned on in the kernel and as the kernel gets aware<br>
of those datagrams it will forward it to the correct place. To prevent<br>
that I guess you have to add some firewalling rules (see iptables).<br>
<br>
But again, this better belong on the forum, and I may be totally wrong.<br>
<br>
Cheers,<br>
<br>
// Ola<br>
<div><div class="h5"><br>
On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:<br>
> Hi, list.<br>
> I'm sorry for copying 2 lists, but I really want to know what I'm doing<br>
> wrong.<br>
> I'm using Debian 6 Squeeze and OpenVZ CentOS kernel (converted from rpm<br>
> to deb).<br>
> I'm using veth as well as venet devices for networking.<br>
> To isolate multiple containers from each other I'm using vzbrXXX<br>
> devices on debian like this:<br>
> auto vzbr203<br>
> iface vzbr203 inet static<br>
> address 192.168.203.1<br>
> netmask 255.255.255.0<br>
> broadcast 192.168.203.255<br>
> bridge_ports none<br>
> bridge_fd 0<br>
> bridge_maxwait 0<br>
> auto vzbr202<br>
> iface vzbr202 inet static<br>
> address 192.168.202.1<br>
> netmask 255.255.255.0<br>
> broadcast 192.168.202.255<br>
> bridge_ports none<br>
> bridge_fd 0<br>
> bridge_maxwait 0<br>
> The problem I'm facing that in VE (for example with CTID 202) I can<br>
> ping or query 192.168.203.1 which is on HN of course, but I thought it<br>
> shouldn't be reachable.<br>
> Here is route table and ifconfig on CTID 202:<br>
> # ip r<br>
> default dev lo scope link<br>
> # ifconfig -a<br>
> lo Link encap:Local Loopback<br>
> inet addr:127.0.0.1 Mask:255.0.0.0<br>
> inet6 addr: ::1/128 Scope:Host<br>
> UP LOOPBACK RUNNING MTU:16436 Metric:1<br>
> RX packets:84021 errors:0 dropped:0 overruns:0 frame:0<br>
> TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:0<br>
> RX bytes:5045068 (4.8 MiB) TX bytes:5045068 (4.8 MiB)<br>
> venet0 Link encap:UNSPEC HWaddr<br>
> 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00<br>
> BROADCAST POINTOPOINT NOARP MTU:1500 Metric:1<br>
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0<br>
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:0<br>
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)<br>
> So I guess it's going through lo device? Why and how can I block this?<br>
> Many thanks.<br>
<br>
</div></div>> _______________________________________________<br>
> Debian mailing list<br>
> <a href="mailto:Debian@openvz.org">Debian@openvz.org</a><br>
> <a href="https://lists.openvz.org/mailman/listinfo/debian" target="_blank">https://lists.openvz.org/mailman/listinfo/debian</a><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
--------------------- Ola Lundqvist ---------------------------<br>
/ <a href="mailto:opal@debian.org">opal@debian.org</a> Annebergsslingan 37 \<br>
| <a href="mailto:ola@inguza.com">ola@inguza.com</a> 654 65 KARLSTAD |<br>
| <a href="http://inguza.com/" target="_blank">http://inguza.com/</a> +46 (0)70-332 1551 |<br>
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /<br>
---------------------------------------------------------------<br>
</font></span></blockquote></div><br></div>