[Users] [Debian] VE network isolation

spameden spameden at gmail.com
Tue Aug 20 16:42:25 EDT 2013


2013/8/20 Ola Lundqvist <ola at inguza.com>

> Could be so. I do not know the answer. users at openvz.org
> or the forum may know.
>

users at openvz.org is already copied here.


>
> However if you have two interfaces I actually think your
> messages go through the venet interface. I may be wrong
> however.
>

I've tested through lo device in VE without any additional veth devices or
venet IP addresses.

But I guess lo is going through venet0 as well in VE?


>
> I mean to 202 192.168.203.* is in another network and
> would be routed to the venet if. And the other way around.
> As you have ip_forwarding enabled it would then route it
> to the other network.
>
> Network isolation on the same machine can be tricky.
>
> In any case, you may find better answers on the forum.
>
> Also you probably need to use wireshark or tcpdump to
> find out what actually happens. :-)
>

Thanks for the tip.

Actually it's a bit weird what I'm getting through the lo device:

# ip r
default dev lo  scope link

# ping 1.2.3.4
PING 1.2.3.4 (1.2.3.4) 56(84) bytes of data.
64 bytes from 1.2.3.4: icmp_req=1 ttl=64 time=0.036 ms
64 bytes from 1.2.3.4: icmp_req=2 ttl=64 time=0.027 ms
^C
--- 1.2.3.4 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.027/0.031/0.036/0.007 ms

# ping 3.3.3.3
PING 3.3.3.3 (3.3.3.3) 56(84) bytes of data.
64 bytes from 3.3.3.3: icmp_req=1 ttl=64 time=0.037 ms
^C
--- 3.3.3.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.037/0.037/0.037/0.000 ms

It means if I ping _ANY_ IP through the lo device it gives me an answer back? Why?


>
> // Ola
>
> On Tue, Aug 20, 2013 at 01:23:29AM +0400, spameden wrote:
> >    The problem here is actually much wider..
> >    I can access any of the venet0-assigned IP addresses from the container
> >    via the lo interface.
> >    E.g. if I have another container with an IP address of 1.2.3.4 I can
> >    access it through the lo interface from this container.
> >
> >    2013/8/20 spameden <spameden at gmail.com>
> >
> >    2013/8/20 Ola Lundqvist <ola at inguza.com>
> >
> >      Hi
> >      It all depends on how you have done things. There are a few things
> >      that are not fully clear that you should probably add in a forum
> >      question.
> >      You mention that you use both venet and veth devices. It
> >      is not clear what you use in this situation.
> >      (To my knowledge only veth makes sense to use with vzbr).
> >
> >    Yes, I'm using both devices.
> >    I've added veth device to the vzbr201 device with private IP address,
> >    e.g. 192.168.201.2.
> >    venet0 is used for public internet address, e.g. 1.2.3.4
> >
> >      It is also not clear how you add veth to the bridge.
> >
> >    I'm adding it via /etc/vz/vznet.conf:
> >    #!/bin/bash
> >    EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"
> >
> >      I guess you have read this article:
> >      http://openvz.org/Virtual_Ethernet_device
> >
> >    Did already.
> >
> >      Also it may be so that even though you have added them to
> >      different bridges, then the bridges may be connected to something
> >      common. It is not clear from the text below.
> >
> >    How can bridges be connected to the same thing if they are different?
> >
> >      Hope this helps for your forum question.
> >      Cheers,
> >      // Ola
> >
> >    On Tue, Aug 20, 2013 at 12:53:23AM +0400, spameden wrote:
> >    >    Yes, I have forwarding turned on.
> >    >    # sysctl -a 2>/dev/null|grep ip_forward
> >    >    net.ipv4.ip_forward = 1
> >    >    Surely, I can try to ban this via iptables, but it's so much
> >    >    hassle to ban each time.
> >    >    I thought it should "work out of the box"..
> >    >    Anyways, thanks for your point, I will try to post this on
> >    >    forums.
> >    >
> >
> >    >    2013/8/20 Ola Lundqvist <opal at debian.org>
> >    >
> >    >      Hi
> >    >      This kind of question belongs more on the openvz forum
> >    >      http://forum.openvz.org/.
> >    >      Please ask there.
> >    >      However I think it is not forwarded through "lo", instead I
> >    >      guess you have IP forwarding turned on in the kernel and as
> >    >      the kernel gets aware of those datagrams it will forward it
> >    >      to the correct place. To prevent that I guess you have to add
> >    >      some firewalling rules (see iptables).
> >    >      But again, this better belongs on the forum, and I may be
> >    >      totally wrong.
> >    >      Cheers,
> >    >      // Ola
> >    >
> >    >    On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:
> >    >    >    Hi, list.
> >    >    >    I'm sorry for copying 2 lists, but I really want to know
> >    >    >    what I'm doing wrong.
> >    >    >    I'm using Debian 6 Squeeze and OpenVZ CentOS kernel
> >    >    >    (converted from rpm to deb).
> >    >    >    I'm using veth as well as venet devices for networking.
> >    >    >    To isolate multiple containers from each other I'm using
> >    >    >    vzbrXXX devices on debian like this:
> >    >    >    auto vzbr203
> >    >    >    iface vzbr203 inet static
> >    >    >            address 192.168.203.1
> >    >    >            netmask       255.255.255.0
> >    >    >            broadcast       192.168.203.255
> >    >    >            bridge_ports none
> >    >    >            bridge_fd 0
> >    >    >            bridge_maxwait 0
> >    >    >    auto vzbr202
> >    >    >    iface vzbr202 inet static
> >    >    >            address 192.168.202.1
> >    >    >            netmask       255.255.255.0
> >    >    >            broadcast       192.168.202.255
> >    >    >            bridge_ports none
> >    >    >            bridge_fd 0
> >    >    >            bridge_maxwait 0
> >    >    >    The problem I'm facing is that in VE (for example with CTID
> >    >    >    202) I can ping or query 192.168.203.1 which is on HN of
> >    >    >    course, but I thought it shouldn't be reachable.
> >    >    >    Here is the route table and ifconfig on CTID 202:
> >    >    >    # ip r
> >    >    >    default dev lo  scope link
> >    >    >    # ifconfig -a
> >    >    >    lo        Link encap:Local Loopback
> >    >    >              inet addr:127.0.0.1  Mask:255.0.0.0
> >    >    >              inet6 addr: ::1/128 Scope:Host
> >    >    >              UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >    >    >              RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
> >    >    >              TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
> >    >    >              collisions:0 txqueuelen:0
> >    >    >              RX bytes:5045068 (4.8 MiB)  TX bytes:5045068 (4.8 MiB)
> >    >    >    venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> >    >    >              BROADCAST POINTOPOINT NOARP  MTU:1500  Metric:1
> >    >    >              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >    >    >              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >    >    >              collisions:0 txqueuelen:0
> >    >    >              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >    >    >    So I guess it's going through lo device? Why and how can I
> >    >    >    block this?
> >    >    >    Many thanks.
> >    >
> >    >      > _______________________________________________
> >    >      > Debian mailing list
> >    >      > Debian at openvz.org
> >    >      > https://lists.openvz.org/mailman/listinfo/debian
> >    >
> >    >      --
> >    >       --------------------- Ola Lundqvist ---------------------------
> >    >      /  opal at debian.org                   Annebergsslingan 37        \
> >    >      |  ola at inguza.com                    654 65 KARLSTAD            |
> >    >      |  http://inguza.com/                +46 (0)70-332 1551         |
> >    >      \  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9  /
> >    >       ---------------------------------------------------------------
> >    >
> >
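The thread mixes two different host-side paths, and an added example makes the distinction concrete. Traffic from a container behind vzbr202 to an address in 192.168.203.0/24 that is not the host's own crosses to vzbr203 only because net.ipv4.ip_forward = 1 and the FORWARD chain lets it through, which is where the firewalling rules Ola suggests apply. Traffic to 192.168.203.1 itself, the address the original post pinged, is one of the hardware node's own addresses: it is delivered locally through INPUT and is unaffected by ip_forward or by FORWARD rules. The Python model below is written for this thread and is not code from the thread, from Debian or from OpenVZ; the bridge names, subnets and host addresses come from the /etc/network/interfaces snippet quoted above, while the uplink interface name "eth0" is an assumption. It classifies a packet by chain, evaluates a DROP-policy FORWARD chain that only allows each bridge to talk to the uplink, and renders the equivalent iptables commands.

```python
"""Model of the host-side decision for traffic arriving from per-container bridges.

Added example for the thread; not the thread's own commands and not OpenVZ code.
Bridge names, subnets and host addresses are taken from the interfaces snippet
quoted in the thread; the uplink name "eth0" is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# From the thread's interfaces snippet: bridge -> (host's own address, subnet).
BRIDGES = {
    "vzbr202": (ip_address("192.168.202.1"), ip_network("192.168.202.0/24")),
    "vzbr203": (ip_address("192.168.203.1"), ip_network("192.168.203.0/24")),
}
UPLINK = "eth0"  # assumed name of the host's external interface


@dataclass(frozen=True)
class Rule:
    in_if: Optional[str]   # None matches any interface
    out_if: Optional[str]
    target: str            # "ACCEPT" or "DROP"


def build_rules(bridges=BRIDGES, uplink=UPLINK) -> List[Rule]:
    """FORWARD rules for a DROP policy: every bridge may exchange traffic with
    the uplink; nothing is forwarded from one bridge to another."""
    rules = []
    for br in bridges:
        rules.append(Rule(br, uplink, "ACCEPT"))
        rules.append(Rule(uplink, br, "ACCEPT"))
    return rules


def egress_interface(dst: str, bridges=BRIDGES, uplink=UPLINK) -> str:
    """Route lookup on the host: a destination inside a bridge subnet leaves
    via that bridge, anything else via the uplink."""
    addr = ip_address(dst)
    for name, (_, net) in bridges.items():
        if addr in net:
            return name
    return uplink


def chain_for(dst: str, bridges=BRIDGES) -> str:
    """Packets addressed to one of the host's own addresses go to INPUT; all
    others are FORWARD candidates and only cross the host if ip_forward=1."""
    addr = ip_address(dst)
    if any(addr == host for host, _ in bridges.values()):
        return "INPUT"
    return "FORWARD"


def forward_allowed(in_if: str, out_if: str, rules: Optional[List[Rule]] = None,
                    policy: str = "DROP") -> bool:
    """First-match evaluation of the FORWARD chain, the way netfilter does it."""
    for r in build_rules() if rules is None else rules:
        if r.in_if in (None, in_if) and r.out_if in (None, out_if):
            return r.target == "ACCEPT"
    return policy == "ACCEPT"


def host_decision(in_if: str, dst: str, ip_forward: int = 1,
                  rules: Optional[List[Rule]] = None, policy: str = "DROP") -> str:
    """Outcome for a packet that arrived on in_if for dst: 'local' (the host
    itself answers), 'forward:<iface>' or 'drop'."""
    if chain_for(dst) == "INPUT":
        return "local"
    if not ip_forward:
        return "drop"
    out_if = egress_interface(dst)
    if forward_allowed(in_if, out_if, rules, policy):
        return f"forward:{out_if}"
    return "drop"


def iptables_commands(rules: Optional[List[Rule]] = None) -> List[str]:
    """Render the model as the iptables invocations it corresponds to."""
    cmds = ["iptables -P FORWARD DROP"]
    for r in build_rules() if rules is None else rules:
        cmds.append(f"iptables -A FORWARD -i {r.in_if} -o {r.out_if} -j {r.target}")
    return cmds


if __name__ == "__main__":
    # The host's state as described in the thread: ip_forward=1, no FORWARD rules.
    print(host_decision("vzbr202", "192.168.203.5", rules=[], policy="ACCEPT"))
    # Same packet once the DROP policy and per-bridge uplink rules are in place.
    print(host_decision("vzbr202", "192.168.203.5"))
    # The address from the original post: answered locally whatever FORWARD says.
    print(host_decision("vzbr202", "192.168.203.1"))
    print("\n".join(iptables_commands()))
```

The model deliberately leaves out connection tracking; a real rule set would pair the uplink rules with `-m conntrack --ctstate ESTABLISHED,RELATED` so that only one direction may open connections. Its main lesson for the thread is the third case: FORWARD rules, however strict, never stop a container from reaching the host's own 192.168.203.1, because that packet is local delivery, so the host either needs INPUT rules keyed on the arriving bridge or must not carry an address on the bridge at all.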