[Users] [Debian] VE network isolation

Ola Lundqvist ola at inguza.com
Mon Aug 19 23:10:48 EDT 2013


Could be so. I do not know the answer. users at openvz.org
or the forum may know.

However if you have two interfaces I actually think your
messages go through the venet interface. I may be wrong
however.

I mean to 202 192.168.203.* is in another network and
would be routed to the venet if. And the other way around.
As you have ip_forwarding enabled it would then route it
to the other network.

Network isolation on the same machine can be tricky.

In any case, you may find better answers on the forum.

Also you probably need to use wireshark or tcpdump to
find out what actually happens. :-)

// Ola

On Tue, Aug 20, 2013 at 01:23:29AM +0400, spameden wrote:
>    The problem here is actually much wider..
>    I can access any of the venet0 assigned IP address from the container
>    via lo interface.
>    E.g. if I have another container with an IP address of 1.2.3.4 I can
>    access it through lo interface from this container.
> 
>    2013/8/20 spameden <spameden at gmail.com>
> 
>    2013/8/20 Ola Lundqvist <ola at inguza.com>
> 
>      Hi
>      It all depends on how you have done things. There are a few things
>      that are not fully clear that you should probably add in a forum
>      question.
>      You mention that you use both venet and veth devices. It
>      is not clear what you use in this situation.
>      (To my knowledge only veth makes sense to use with vzbr).
> 
>    Yes, I'm using both devices.
>    I've added veth device to the vzbr201 device with private IP address,
>    e.g. 192.168.201.2.
>    venet0 is used for public internet address, e.g. 1.2.3.4
> 
>      It is also not clear how you add veth to the bridge.
> 
>    I'm adding it via /etc/vz/vznet.conf:
>    #!/bin/bash
>    EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"
> 
>      I guess you have read this article:
>      http://openvz.org/Virtual_Ethernet_device
> 
>    Did already.
> 
>      Also it may be so that even though you have added them to
>      different bridges, then the bridges may be connected to something
>      common. It is not clear from the text below.
> 
>    How can bridges be connected to the same thing if they are different?
> 
>      Hope this helps for your forum question.
>      Cheers,
>      // Ola
> 
>    On Tue, Aug 20, 2013 at 12:53:23AM +0400, spameden wrote:
>    >    Yes, I have forwarding turned on.
>    >    # sysctl -a 2>/dev/null|grep ip_forward
>    >    net.ipv4.ip_forward = 1
>    >    Surely, I can try to ban this via iptables, but it's so much
>    >    hassle to ban each time.
>    >    I thought it should "work out of the box"..
>    >    Anyways, thanks for your point, I will try to post this on forums.
>    >
>    >    2013/8/20 Ola Lundqvist <opal at debian.org>
>    >
>    >      Hi
>    >      This kind of question belongs more on the openvz forum
>    >      http://forum.openvz.org/.
>    >      Please ask there.
>    >      However I think it is not forwarded through "lo", instead I guess
>    >      you have IP forwarding turned on in the kernel and as the kernel
>    >      gets aware of those datagrams it will forward it to the correct
>    >      place. To prevent that I guess you have to add some firewalling
>    >      rules (see iptables).
>    >      But again, this better belongs on the forum, and I may be totally
>    >      wrong.
>    >      Cheers,
>    >      // Ola
>    >
>    >    On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:
>    >    >    Hi, list.
>    >    >    I'm sorry for copying 2 lists, but I really want to know what
>    >    >    I'm doing wrong.
>    >    >    I'm using Debian 6 Squeeze and OpenVZ CentOS kernel (converted
>    >    >    from rpm to deb).
>    >    >    I'm using veth as well as venet devices for networking.
>    >    >    To isolate multiple containers from each other I'm using
>    >    >    vzbrXXX devices on debian like this:
>    >    >    auto vzbr203
>    >    >    iface vzbr203 inet static
>    >    >            address 192.168.203.1
>    >    >            netmask       255.255.255.0
>    >    >            broadcast       192.168.203.255
>    >    >            bridge_ports none
>    >    >            bridge_fd 0
>    >    >            bridge_maxwait 0
>    >    >    auto vzbr202
>    >    >    iface vzbr202 inet static
>    >    >            address 192.168.202.1
>    >    >            netmask       255.255.255.0
>    >    >            broadcast       192.168.202.255
>    >    >            bridge_ports none
>    >    >            bridge_fd 0
>    >    >            bridge_maxwait 0
>    >    >    The problem I'm facing is that in VE (for example with CTID 202)
>    >    >    I can ping or query 192.168.203.1 which is on HN of course, but
>    >    >    I thought it shouldn't be reachable.
>    >    >    Here is route table and ifconfig on CTID 202:
>    >    >    # ip r
>    >    >    default dev lo  scope link
>    >    >    # ifconfig -a
>    >    >    lo        Link encap:Local Loopback
>    >    >              inet addr:127.0.0.1  Mask:255.0.0.0
>    >    >              inet6 addr: ::1/128 Scope:Host
>    >    >              UP LOOPBACK RUNNING  MTU:16436  Metric:1
>    >    >              RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
>    >    >              TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
>    >    >              collisions:0 txqueuelen:0
>    >    >              RX bytes:5045068 (4.8 MiB)  TX bytes:5045068 (4.8 MiB)
>    >    >    venet0    Link encap:UNSPEC  HWaddr
>    >    >    00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>    >    >              BROADCAST POINTOPOINT NOARP  MTU:1500  Metric:1
>    >    >              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>    >    >              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>    >    >              collisions:0 txqueuelen:0
>    >    >              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>    >    >    So I guess it's going through lo device? Why and how can I
>    >    >    block this?
>    >    >    Many thanks.
>    >
>    >      > _______________________________________________
>    >      > Debian mailing list
>    >      > Debian at openvz.org
>    >      > https://lists.openvz.org/mailman/listinfo/debian
>    >
> 

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola at inguza.com                    Annebergsslingan 37        \
|  opal at debian.org                   654 65 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
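Ola's advice in the thread is to block the cross-bridge paths with firewall rules on the hardware node. The following is an added example, not from this thread or from OpenVZ: a dry-run generator for iptables rules built around the thread's vzbr202/vzbr203 subnets and venet0; the exact rule layout and the APPLY switch are assumptions, and a container that legitimately reaches its own gateway via venet0 would need an exemption.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules on the OpenVZ
# hardware node so that traffic arriving over venet0 cannot reach the private
# vzbr20x bridge addresses and containers cannot cross between the per-bridge
# subnets. Subnets are taken from the quoted interfaces config; the generator
# only prints the rules (dry run) unless APPLY=1 is set in the environment.

# Bridges on the HN and their /24 subnets (constructed from the thread).
BRIDGES="vzbr202:192.168.202.0/24 vzbr203:192.168.203.0/24"

# Emit one iptables command; in dry-run mode print it instead of executing.
emit() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Build the isolation rules. Packets that enter the HN via venet0 must not be
# accepted for the HN's own bridge addresses (192.168.20x.1) nor forwarded
# onto any bridge, and each bridge may not reach the other private subnets.
isolation_rules() {
    for entry in $BRIDGES; do
        br=${entry%%:*}
        net=${entry#*:}
        # Host-side bridge IP is unreachable from the venet0 path.
        emit -A INPUT -i venet0 -d "$net" -j DROP
        # Nothing routed in from venet0 may be forwarded onto this bridge.
        emit -A FORWARD -i venet0 -o "$br" -j DROP
        # Containers on this bridge may not reach any other private subnet.
        for other in $BRIDGES; do
            onet=${other#*:}
            [ "$onet" = "$net" ] && continue
            emit -A FORWARD -i "$br" -d "$onet" -j DROP
        done
    done
}

# Number of DROP rules produced (two bridges yield 3 rules each).
rule_count() {
    isolation_rules | grep -c -- '-j DROP'
}
```

Run it without APPLY to review the generated rules, then with `APPLY=1` as root to install them; confirm the effect afterwards with tcpdump on venet0 and the bridges, as the thread suggests.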

