[Users] [Debian] VE network isolation

spameden spameden at gmail.com
Mon Aug 19 17:23:29 EDT 2013


The problem here is actually much wider.

I can access any of the venet0-assigned IP addresses from the container via
the lo interface.

E.g., if I have another container with the IP address 1.2.3.4, I can access
it through the lo interface from this container.


2013/8/20 spameden <spameden at gmail.com>

>
>
>
> 2013/8/20 Ola Lundqvist <ola at inguza.com>
>
>> Hi
>>
>> It all depends on how you have done things. There are a few things
>> that are not fully clear that you should probably add in a forum
>> question.
>>
>> You mention that you use both venet and veth devices. It
>> is not clear what you use in this situation.
>> (To my knowledge only veth makes sense to use with vzbr).
>>
>
> Yes, I'm using both devices.
>
> I've added veth device to the vzbr201 device with private IP address, e.g.
> 192.168.201.2.
>
> venet0 is used for public internet address, e.g. 1.2.3.4
>
>>
>> It is also not clear how you add veth to the bridge.
>>
>
> I'm adding it via /etc/vz/vznet.conf:
>
> #!/bin/bash
> EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"
>
>
>>
>> I guess you have read this article:
>> http://openvz.org/Virtual_Ethernet_device
>>
>
> Did already.
>
>
>>
>> Also it may be so that even though you have added them to
>> different bridges, then the bridges may be connected to something
>> common. It is not clear from the text below.
>>
>
> How can bridges be connected to the same thing if they are different?
>
>>
>> Hope this helps for your forum question.
>>
>> Cheers,
>>
>> // Ola
>>
>>
>> On Tue, Aug 20, 2013 at 12:53:23AM +0400, spameden wrote:
>> >    Yes, I have forwarding turned on.
>> >    # sysctl -a 2>/dev/null|grep ip_forward
>> >    net.ipv4.ip_forward = 1
>> >    Surely, I can try to ban this via iptables, but it's so much hassle
>> >    to ban each time.
>> >    I thought it should "work out of the box"..
>> >    Anyways, thanks for your point, I will try to post this on forums.
>> >
>> >    2013/8/20 Ola Lundqvist <[1]opal at debian.org>
>> >
>> >      Hi
>> >      This kind of question belongs more on the openvz forum
>> >      [2]http://forum.openvz.org/.
>> >      Please ask there.
>> >      However I think it is not forwarded through "lo", instead I guess
>> >      you have IP forwarding turned on in the kernel and as the kernel
>> >      gets aware of those datagrams it will forward it to the correct
>> >      place. To prevent that I guess you have to add some firewalling
>> >      rules (see iptables).
>> >      But again, this better belongs on the forum, and I may be totally
>> >      wrong.
>> >      Cheers,
>> >      // Ola
>> >
>> >    On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:
>> >    >    Hi, list.
>> >    >    I'm sorry for copying 2 lists, but I really want to know what
>> >    >    I'm doing wrong.
>> >    >    I'm using Debian 6 Squeeze and OpenVZ CentOS kernel (converted
>> >    >    from rpm to deb).
>> >    >    I'm using veth as well as venet devices for networking.
>> >    >    To isolate multiple containers from each other I'm using vzbrXXX
>> >    >    devices on debian like this:
>> >    >    auto vzbr203
>> >    >    iface vzbr203 inet static
>> >    >            address 192.168.203.1
>> >    >            netmask       255.255.255.0
>> >    >            broadcast       192.168.203.255
>> >    >            bridge_ports none
>> >    >            bridge_fd 0
>> >    >            bridge_maxwait 0
>> >    >    auto vzbr202
>> >    >    iface vzbr202 inet static
>> >    >            address 192.168.202.1
>> >    >            netmask       255.255.255.0
>> >    >            broadcast       192.168.202.255
>> >    >            bridge_ports none
>> >    >            bridge_fd 0
>> >    >            bridge_maxwait 0
>> >    >    The problem I'm facing is that in VE (for example with CTID 202)
>> >    >    I can ping or query 192.168.203.1 which is on HN of course, but
>> >    >    I thought it shouldn't be reachable.
>> >    >    Here is route table and ifconfig on CTID 202:
>> >    >    # ip r
>> >    >    default dev lo  scope link
>> >    >    # ifconfig -a
>> >    >    lo        Link encap:Local Loopback
>> >    >              inet addr:127.0.0.1  Mask:255.0.0.0
>> >    >              inet6 addr: ::1/128 Scope:Host
>> >    >              UP LOOPBACK RUNNING  MTU:16436  Metric:1
>> >    >              RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
>> >    >              TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
>> >    >              collisions:0 txqueuelen:0
>> >    >              RX bytes:5045068 (4.8 MiB)  TX bytes:5045068 (4.8 MiB)
>> >    >    venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>> >    >              BROADCAST POINTOPOINT NOARP  MTU:1500  Metric:1
>> >    >              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>> >    >              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>> >    >              collisions:0 txqueuelen:0
>> >    >              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>> >    >    So I guess it's going through lo device? Why and how can I block
>> >    >    this?
>> >    >    Many thanks.
>> >
>> >      > _______________________________________________
>> >      > Debian mailing list
>> >      > [3]Debian at openvz.org
>> >      > [4]https://lists.openvz.org/mailman/listinfo/debian
>> >      --
>> >       --------------------- Ola Lundqvist ---------------------------
>> >      /  [5]opal at debian.org                     Annebergsslingan 37  \
>> >      |  [6]ola at inguza.com                      654 65 KARLSTAD      |
>> >      |  [7]http://inguza.com/                  +46 (0)70-332 1551    |
>> >      \  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
>> >       ---------------------------------------------------------------
>> >
>> > References
>> >
>> >    1. mailto:opal at debian.org
>> >    2. http://forum.openvz.org/
>> >    3. mailto:Debian at openvz.org
>> >    4. https://lists.openvz.org/mailman/listinfo/debian
>> >    5. mailto:opal at debian.org
>> >    6. mailto:ola at inguza.com
>> >    7. http://inguza.com/
>>
>> --
>>  --- Inguza Technology AB --- MSc in Information Technology ----
>> /  ola at inguza.com                    Annebergsslingan 37        \
>> |  opal at debian.org                   654 65 KARLSTAD            |
>> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>>  ---------------------------------------------------------------
>>
>
>
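As an added example (not code from this thread or from OpenVZ), the script below parses the vzbr stanzas quoted above and generates the host-side iptables rules Ola hints at: each bridge gateway answers only on its own bridge, no new connection is forwarded into a bridge subnet from another bridge or from venet0, and venet0-to-venet0 forwarding is dropped so venet containers cannot reach each other through the host. The policy and the `venet0` device name are assumptions; the script only builds the rule strings and applies nothing.

```python
import ipaddress
import re

# Constructed sample: the two vzbr stanzas quoted in the thread, as /etc/network/interfaces text.
INTERFACES_SAMPLE = """\
iface vzbr203 inet static
        address 192.168.203.1
        netmask       255.255.255.0
        bridge_ports none
iface vzbr202 inet static
        address 192.168.202.1
        netmask       255.255.255.0
        bridge_ports none
"""

def parse_bridges(text):
    """Map each 'iface vzbrNNN inet static' stanza to its gateway address and netmask."""
    bridges, name, fields = {}, None, {}
    def flush():
        if name and "address" in fields and "netmask" in fields:
            bridges[name] = ipaddress.IPv4Interface(f"{fields['address']}/{fields['netmask']}")
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "iface":
            flush()
            name = parts[1] if re.fullmatch(r"vzbr\d+", parts[1]) else None
            fields = {}
        elif len(parts) > 1:
            fields[parts[0]] = parts[1]
    flush()
    return bridges

def isolation_rules(bridges, ct_dev="venet0"):
    """Host-side iptables rules (generated, not applied; assumed policy, not from the thread).
    Replies are allowed by conntrack state; everything else is matched by address, not only
    by interface, because in the thread the traffic shows up via venet0/lo, not the bridge."""
    rules = [
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {ct_dev} -o {ct_dev} -j DROP",  # CT-to-CT over venet
    ]
    for br, gw in sorted(bridges.items()):
        # By default the host answers for 192.168.20x.1 on any interface; restrict it to its bridge.
        rules.append(f"iptables -A INPUT -d {gw.ip} ! -i {br} -j DROP")
        for src in [o for o in sorted(bridges) if o != br] + [ct_dev]:
            rules.append(f"iptables -A FORWARD -i {src} -d {gw.network} -j DROP")
    return rules
```

Run `for r in isolation_rules(parse_bridges(INTERFACES_SAMPLE)): print(r)` against the real /etc/network/interfaces to review the rules before loading them.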