[Users] [Debian] VE network isolation
Ola Lundqvist
opal at debian.org
Mon Aug 19 16:40:08 EDT 2013
Hi
This kind of question belongs more on the openvz forum
http://forum.openvz.org/.
Please ask there.
However I think it is not forwarded through "lo"; instead I guess you
have IP forwarding turned on in the kernel and as the kernel gets aware
of those datagrams it will forward them to the correct place. To prevent
that I guess you have to add some firewalling rules (see iptables).
But again, this better belongs on the forum, and I may be totally wrong.
Cheers,
// Ola
On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:
> Hi, list.
> I'm sorry for copying 2 lists, but I really want to know what I'm doing
> wrong.
> I'm using Debian 6 Squeeze and OpenVZ CentOS kernel (converted from rpm
> to deb).
> I'm using veth as well as venet devices for networking.
> To isolate multiple containers from each other I'm using vzbrXXX
> devices on debian like this:
> auto vzbr203
> iface vzbr203 inet static
> address 192.168.203.1
> netmask 255.255.255.0
> broadcast 192.168.203.255
> bridge_ports none
> bridge_fd 0
> bridge_maxwait 0
> auto vzbr202
> iface vzbr202 inet static
> address 192.168.202.1
> netmask 255.255.255.0
> broadcast 192.168.202.255
> bridge_ports none
> bridge_fd 0
> bridge_maxwait 0
> The problem I'm facing is that in a VE (for example with CTID 202) I can
> ping or query 192.168.203.1, which is on the HN of course, but I thought it
> shouldn't be reachable.
> Here is route table and ifconfig on CTID 202:
> # ip r
> default dev lo scope link
> # ifconfig -a
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
> TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:5045068 (4.8 MiB) TX bytes:5045068 (4.8 MiB)
> venet0 Link encap:UNSPEC HWaddr
> 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> BROADCAST POINTOPOINT NOARP MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> So I guess it's going through lo device? Why and how can I block this?
> Many thanks.
--
--------------------- Ola Lundqvist ---------------------------
/ opal at debian.org Annebergsslingan 37 \
| ola at inguza.com 654 65 KARLSTAD |
| http://inguza.com/ +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
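The reply points at iptables as the way to stop a container from reaching the host address of another container's bridge. The following script is an added example written for this thread, not something either poster provided. It assumes the two bridges quoted above (vzbr202 with 192.168.202.1/24, vzbr203 with 192.168.203.1/24) and keys the rules on source and destination addresses rather than on ingress interface, because with venet the packets arrive on the host's venet0, not on the bridge. Note that 192.168.203.1 is an address the host itself owns, so traffic to it is delivered locally and passes the INPUT chain; the FORWARD chain only sees traffic routed between the two subnets, so both chains need a rule. The script is a dry run (it only prints the commands) unless RUN=sh is set, in which case it executes them and must be run as root.

```shell
#!/bin/sh
# Added example for the vzbr isolation question; not from the original posts.
# Emits iptables rules so each container subnet can reach its own bridge
# address on the host but not the host addresses (or subnets) of other bridges.

# Constructed spec, one "bridge gateway subnet" triple per line, taken from the
# interfaces stanzas quoted in the thread.
SAMPLE_SPEC='vzbr202 192.168.202.1 192.168.202.0/24
vzbr203 192.168.203.1 192.168.203.0/24'

# ct_isolation_rules: reads the spec on stdin, prints one iptables command per line.
# For every pair of distinct bridges A,B it emits:
#   INPUT   -s A.subnet -d A.gw      ACCEPT   (container may talk to its own gateway)
#   INPUT   -s A.subnet -d B.gw      DROP     (but not to the host address of another bridge)
#   FORWARD -s A.subnet -d B.subnet  DROP     (and the host must not route between them)
# Rules are appended with -A, so an earlier blanket ACCEPT would shadow them.
ct_isolation_rules() {
    spec="$(cat)"
    printf '%s\n' "$spec" | while read -r br gw net; do
        [ -n "$br" ] || continue
        echo "iptables -A INPUT -s $net -d $gw -j ACCEPT"
        printf '%s\n' "$spec" | while read -r obr ogw onet; do
            [ -n "$obr" ] || continue
            [ "$obr" = "$br" ] && continue
            echo "iptables -A INPUT -s $net -d $ogw -j DROP"
            echo "iptables -A FORWARD -s $net -d $onet -j DROP"
        done
    done
}

# forwarding_state: prints the kernel's IPv4 forwarding flag, or "unknown" when
# /proc is not readable (e.g. when run outside the host namespace).
forwarding_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}

# apply_rules: feeds each generated command to $RUN. RUN defaults to echo, so
# the default is a dry run; RUN=sh executes them (root required).
apply_rules() {
    RUN="${RUN:-echo}"
    while read -r cmd; do
        [ -n "$cmd" ] || continue
        if [ "$RUN" = sh ]; then sh -c "$cmd"; else $RUN "$cmd"; fi
    done
}

# Demonstration on the constructed spec.
echo "# net.ipv4.ip_forward = $(forwarding_state)"
printf '%s\n' "$SAMPLE_SPEC" | ct_isolation_rules | apply_rules
```

Running it without RUN set lists the six rules for the two bridges; `RUN=sh sh isolate.sh` as root appends them. If the host also needs the containers to reach services on it other than their own gateway address, those exceptions belong before the DROP rules.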