[Users] [Debian] VE network isolation

Ola Lundqvist opal at debian.org
Mon Aug 19 16:40:08 EDT 2013


Hi

This kind of question belongs more on the openvz forum
http://forum.openvz.org/.

Please ask there.

However I think it is not forwarded through "lo"; instead I guess you
have IP forwarding turned on in the kernel, and as the kernel becomes aware
of those datagrams it will forward them to the correct place. To prevent
that I guess you have to add some firewalling rules (see iptables).

But again, this belongs better on the forum, and I may be totally wrong.

Cheers,

// Ola

On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:
>    Hi, list.
>    I'm sorry for copying 2 lists, but I really want to know what I'm doing
>    wrong.
>    I'm using Debian 6 Squeeze and OpenVZ CentOS kernel (converted from rpm
>    to deb).
>    I'm using veth as well as venet devices for networking.
>    To isolate multiple containers from each other I'm using vzbrXXX
>    devices on debian like this:
>    auto vzbr203
>    iface vzbr203 inet static
>            address 192.168.203.1
>            netmask       255.255.255.0
>            broadcast       192.168.203.255
>            bridge_ports none
>            bridge_fd 0
>            bridge_maxwait 0
>    auto vzbr202
>    iface vzbr202 inet static
>            address 192.168.202.1
>            netmask       255.255.255.0
>            broadcast       192.168.202.255
>            bridge_ports none
>            bridge_fd 0
>            bridge_maxwait 0
>    The problem I'm facing is that in a VE (for example with CTID 202) I can
>    ping or query 192.168.203.1, which is on the HN of course, but I thought it
>    shouldn't be reachable.
>    Here is route table and ifconfig on CTID 202:
>    # ip r
>    default dev lo  scope link
>    # ifconfig -a
>    lo        Link encap:Local Loopback
>              inet addr:127.0.0.1  Mask:255.0.0.0
>              inet6 addr: ::1/128 Scope:Host
>              UP LOOPBACK RUNNING  MTU:16436  Metric:1
>              RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
>              TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
>              collisions:0 txqueuelen:0
>              RX bytes:5045068 (4.8 MiB)  TX bytes:5045068 (4.8 MiB)
>    venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>              BROADCAST POINTOPOINT NOARP  MTU:1500  Metric:1
>              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>              collisions:0 txqueuelen:0
>              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>    So I guess it's going through lo device? Why and how can I block this?
>    Many thanks.



-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal at debian.org                     Annebergsslingan 37      \
|  ola at inguza.com                      654 65 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
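The firewalling Ola points at, as an added example that is not part of the thread: a small POSIX sh function that emits iptables rules keeping each vzbrXXX bridge on the hardware node to itself. It takes any number of bridge/address pairs (generalising the two bridges in the question) and only prints the rules; applying them is left to the reader. The interface names and addresses are the ones from the original post; the `! -d` INPUT match and the pairwise FORWARD drops are this example's own choice.

```shell
#!/bin/sh
# Added example (not from the thread). Print iptables rules so that a
# container behind one vzbrXXX bridge on the OpenVZ HN can reach neither
# the HN address of another bridge (the symptom in the question: CT 202
# answering from 192.168.203.1) nor containers behind another bridge.
#
# gen_isolation_rules IFACE ADDR [IFACE ADDR ...]
gen_isolation_rules() {
    ifaces=""
    # INPUT: traffic entering a bridge may only target that bridge's own
    # HN address; anything else aimed at the HN from that bridge is dropped.
    while [ $# -ge 2 ]; do
        iface=$1; addr=$2; shift 2
        ifaces="$ifaces $iface"
        echo "iptables -A INPUT -i $iface ! -d $addr -j DROP"
    done
    # FORWARD: with ip_forward=1 the kernel would happily route between
    # bridges, so drop every pair that enters one bridge and leaves another.
    for in_if in $ifaces; do
        for out_if in $ifaces; do
            [ "$in_if" = "$out_if" ] && continue
            echo "iptables -A FORWARD -i $in_if -o $out_if -j DROP"
        done
    done
}

# Bridges from the question; add more pairs as further vzbrXXX bridges appear.
gen_isolation_rules vzbr202 192.168.202.1 vzbr203 192.168.203.1
```

The output can be reviewed and then piped to `sh` as root; venet0 traffic enters the HN on venet0 rather than on a bridge, so it needs its own rules if venet containers are in scope.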

