Re: [Vserver] Multiple NICs, Multiple Networks; Revisited 2
On Sat, Aug 12, 2006 at 12:14:54AM -0700, Bob Predaina wrote:
> I'm having a problem with a fresh Gentoo vServer
> installation, related to network separation. I've
> built my vServer with 3 NICs, each of which will be
> attached to a different network. For example, here's
> what I'm trying to do:
>
> eth0 -- only available to the vServer host, used
> exclusively for administrative access to the server
> from a local PC via SSH.
>
> eth1 -- only available to a VPS guest running Samba,
> to provide Samba services on an isolated private LAN
>
> eth2 -- only available to two VPS guests, one running
> VSFTPD and one running Apache. This interface will be
> placed in a DMZ by an external firewall.
>
> eth0, eth1, eth2 and lo are all up and running on the
> host. The host is using eth0. As a test setup I have
> installed two guest servers that will be using eth1.
> Both were created using the --interface
> eth1:192.168.18.252/24 parameter. The guests correctly
> report that they are using eth1 at 192.168.18.252.
>
> Even though the guest server's ifconfig information
> shows binding to the correct ethernet adapter and IP
> address (eth1:192.168.18.252), it appears that they
> are responding to incoming traffic on
> eth1:192.168.18.252, but their outgoing traffic is
> actually going out through eth0:192.168.18.251. There
> is no isolation of the network interfaces.
>
> Can anyone explain this, or how to fix the problem so
> that the processes are bound to the correct NIC
> interface and don't use an unauthorized NIC interface?

With proper settings (not Linux-VServer related) you can configure a Linux
machine to use more than one gateway and, more importantly, to send through
the proper interfaces with the assigned (primary) IPs without producing
crosstalk. The important hints here are 'multiple routing tables' and
'reverse path filter'.

> My ultimate goal is to bind the guest servers to the
> NIC that exists in the appropriate firewall zone.
>
> FYI, here is a thread that summarized the problem in
> more detail:
>
> http://forums.gentoo.org/viewtopic-p-3495451.html#3495451
>
> I've searched this list's archives regarding this
> problem, and I found two relevant threads. The first
> one mentioned having found a solution that was going
> to be posted to the "recipies" page, but the recipies
> page shown in the hyperlink is blank. The second
> thread contained a discussion about this improper
> behavior and whether this default behavior should be
> changed, but there was no follow-up. It's not clear to
> me if this is an error or if this is how things are
> supposed to work.
>
> Any insights would be appreciated! Thanks!

Check out these:

http://archives.linux-vserver.org/200311/0470.html
http://list.linux-vserver.org/archive/vserver/msg06615.html
http://list.linux-vserver.org/archive/vserver/msg06631.html
http://list.linux-vserver.org/archive/vserver/msg06667.html

all linked from:

http://linux-vserver.org/Documentation

HTH,
Herbert

PS: If you still can't make it work (after giving it a hard try), contact me
on the IRC channel.

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
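The two hints in Herbert's reply (one routing table per interface, reverse path filtering), together with the source-pinned netcat check Bruno describes further down the thread, as an added example that is not part of the original thread and is not Linux-VServer code: a POSIX shell helper that prints (or, with DRY_RUN=0 as root, runs) the iproute2 and sysctl commands that make a packet sourced from a guest's address leave through the NIC that owns that address, whatever the host's main-table default route says. Only eth1 with 192.168.18.252 and the netcat target 192.168.18.123 come from the thread; the gateways 192.168.18.1 and 192.168.19.1, the 192.168.19.0/24 subnet and guest address 192.168.19.10 on eth2, the table numbers 101/102 and the off-subnet probe address 198.51.100.7 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: one routing table per NIC so that a
# packet whose source address belongs to eth1 leaves via eth1, regardless
# of which interface carries the host's default route in the main table.
# Gateways, table numbers, the eth2 subnet and the probe address below
# are assumptions. DRY_RUN=1 (default) only prints the commands;
# DRY_RUN=0 executes them, which needs root.

: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# policy_route IFACE ADDR NET/PREFIX GATEWAY TABLE
#  1. connected route and default route for this NIC in its own table,
#     with ADDR as the preferred source address,
#  2. an ip rule so that packets *sourced* from ADDR consult that table,
#  3. strict reverse-path filtering on the NIC, so a packet that arrives
#     on a NIC whose table would not route the reply back the same way
#     is dropped instead of leaking across the zones.
policy_route() {
    iface=$1 addr=$2 net=$3 gw=$4 table=$5
    run ip route add "$net" dev "$iface" src "$addr" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$addr" table "$table"
    # the effective rp_filter is max(net.ipv4.conf.all, per-interface),
    # so setting the per-interface key to 1 is enough to make it strict here
    run sysctl -w "net.ipv4.conf.$iface.rp_filter=1"
}

# verify_egress SRC DST: ask the kernel which device a packet from SRC to
# DST would leave through. Use an off-subnet DST: an on-link destination
# would pick the right NIC from the main table anyway and prove nothing.
verify_egress() {
    run ip route get "$2" from "$1"
}

# source_pinned_test SRC DST PORT: Bruno's check, a netcat connection with
# an explicit source address. Watch the other NICs with tcpdump while it
# runs (e.g. tcpdump -ni eth0 host SRC); nothing should show up there.
source_pinned_test() {
    run nc -s "$1" "$2" "$3"
}

# eth1: the Samba guest, address from the thread; gateway and table assumed
policy_route eth1 192.168.18.252 192.168.18.0/24 192.168.18.1 101
# eth2: the DMZ guests; subnet, address, gateway and table are all assumed
policy_route eth2 192.168.19.10 192.168.19.0/24 192.168.19.1 102

verify_egress 192.168.18.252 198.51.100.7
source_pinned_test 192.168.18.252 192.168.18.123 80
```

The rule only helps once the source address is already the guest's own: policy routing picks the interface for a given source, it does not pick the source. If the kernel chooses the host's eth0 address for an unbound connection (the case Bruno describes when the netcat test passes with -s and fails without it), the routing table will faithfully send it out eth0, so the guests still need addresses the host does not also use, as John points out, and the /32 netmask Mike suggests removes the overlapping-subnet ambiguity. The main table keeps its connected routes, so host traffic on eth0 and on-link traffic are unaffected by the added rules.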
Re: [Vserver] Multiple NICs, Multiple Networks; Revisited 2
On Sunday 13 August 2006 16:52, John Alberts wrote:
> This leads to the third problem. Every guest OS must have a unique IP
> address. In reading your posts, it sounds like you are trying to use
> the same IP for multiple guests. You can't do that. :)

You CAN share IP addresses between multiple guests, but unless you have a
good reason to do so you shouldn't. The reason why it is discouraged is that
each guest can disturb the other one by taking over ports. E.g. in the first
guest you start sshd; in the second guest you can't do so anymore unless you
run sshd on different ports for both guests.

Regards,
Bruno
Re: [Vserver] Multiple NICs, Multiple Networks; Revisited 2
Hi Bob.

After reading both this thread and the one on the Gentoo forums that you
posted, I see several problems.

First, I would use separate subnets for each of your eth0, eth1, and eth2
interfaces, and of course, separate hubs/switches. I tried for a week to get
2 NICs working on the same subnet and never got past the routing problems.
For isolation reasons, I wouldn't expect that you would even really want them
on the same subnet anyway.

Second, it sounds like you are trying to use the same IP for your guest as
the IP that you have set for your real interface. The guest OS should have a
unique address on the same subnet that the real interface is on. For
instance, if eth1 has an IP of 192.168.18.252, then your guest OS can have an
IP of 192.168.18.100, assuming that 192.168.18.100 is not already in use
elsewhere.

This leads to the third problem. Every guest OS must have a unique IP
address. In reading your posts, it sounds like you are trying to use the same
IP for multiple guests. You can't do that. :)

John

On 8/13/06, Michael S. Zick <[EMAIL PROTECTED]> wrote:
> On Sat August 12 2006 02:14, Bob Predaina wrote:
> >
> > eth0, eth1, eth2 and lo are all up and running on the
> > host. The host is using eth0. As a test setup I have
> > installed two guest servers that will be using eth1.
> > Both were created using the --interface
> > eth1:192.168.18.252/24 parameter.
> >
> Have you tried specifying a single address?
>
> --interface eth1:192.168.18.252/32
>
> > The guests correctly
> > report that they are using eth1 at 192.168.18.252.
> >
> > Even though the guest server's ifconfig information
> > shows binding to the correct ethernet adapter and IP
> > address (eth1:192.168.18.252), it appears that they
> > are responding to incoming traffic on
> > eth1:192.168.18.252, but their outgoing traffic is
> > actually going out through eth0:192.168.18.251. There
> > is no isolation of the network interfaces.
> >
> Both of those addresses are within the eth1:192.168.18.252/24
> specification.
>
> Mike
Re: [Vserver] Multiple NICs, Multiple Networks; Revisited 2
On Sat August 12 2006 02:14, Bob Predaina wrote:
>
> eth0, eth1, eth2 and lo are all up and running on the
> host. The host is using eth0. As a test setup I have
> installed two guest servers that will be using eth1.
> Both were created using the --interface
> eth1:192.168.18.252/24 parameter.
>

Have you tried specifying a single address?

--interface eth1:192.168.18.252/32

> The guests correctly
> report that they are using eth1 at 192.168.18.252.
>
> Even though the guest server's ifconfig information
> shows binding to the correct ethernet adapter and IP
> address (eth1:192.168.18.252), it appears that they
> are responding to incoming traffic on
> eth1:192.168.18.252, but their outgoing traffic is
> actually going out through eth0:192.168.18.251. There
> is no isolation of the network interfaces.
>

Both of those addresses are within the eth1:192.168.18.252/24 specification.

Mike
Re: [Vserver] Multiple NICs, Multiple Networks; Revisited 2
On Saturday 12 August 2006 09:14, Bob Predaina wrote:
> Even though the guest server's ifconfig information
> shows binding to the correct ethernet adapter and IP
> address (eth1:192.168.18.252), it appears that they
> are responding to incoming traffic on
> eth1:192.168.18.252, but their outgoing traffic is
> actually going out through eth0:192.168.18.251. There
> is no isolation of the network interfaces.
>
> Can anyone explain this, or how to fix the problem so
> that the processes are bound to the correct NIC
> interface and don't use an unauthorized NIC interface?
> My ultimate goal is to bind the guest servers to the
> NIC that exists in the appropriate firewall zone.
>

When using the IP addresses of your interfaces on the host, does the traffic
always get output through the correct interface?

A few notes on how vserver networking works:

- isolation is done at IP level; routing is always done by the kernel/host.
- when a guest issues a connection without specifying a source address, the
  kernel tries to find the best match, but there are some cases when it
  selects an IP address not assigned to the guest.
- linux-vserver does not care about interfaces except when listing them
  (ifconfig, ip link list, /proc/...), where those having no address visible
  to the guest are hidden.

A good way to check if your traffic gets routed through the correct interface
in the best case is: inside the guest, issue a test connection (e.g. with
netcat) specifying source and target address

    nc -s 192.168.18.252 192.168.18.123 80

and check that the given connection goes out on the right interface.

If the check above is successful, then try again without the -s option to
netcat and you will possibly have the traffic leaving with the wrong src
address/interface.

Setting up the interfaces in a different order can alter the routing
selection (and by that the interface used).

Your issue should possibly go away if you set non-overlapping subnets on the
3 interfaces or set the IP addresses with a 255.255.255.255 netmask.

I'm not sure I understand the kernel's workflow for source address selection
yet... Maybe Herbert can tell you more on this.

If the source address is correct you can just blame the Linux kernel and try
to prevent the packets from getting out through the wrong interface by using
IPTables...

Having context-tag matching support in IPTables would be nice, but that's
only future dreams as far as I know.

Regards,
Bruno
[Vserver] Multiple NICs, Multiple Networks; Revisited 2
I'm having a problem with a fresh Gentoo vServer installation, related to
network separation. I've built my vServer with 3 NICs, each of which will be
attached to a different network. For example, here's what I'm trying to do:

eth0 -- only available to the vServer host, used exclusively for
administrative access to the server from a local PC via SSH.

eth1 -- only available to a VPS guest running Samba, to provide Samba
services on an isolated private LAN

eth2 -- only available to two VPS guests, one running VSFTPD and one running
Apache. This interface will be placed in a DMZ by an external firewall.

eth0, eth1, eth2 and lo are all up and running on the host. The host is
using eth0. As a test setup I have installed two guest servers that will be
using eth1. Both were created using the --interface eth1:192.168.18.252/24
parameter. The guests correctly report that they are using eth1 at
192.168.18.252.

Even though the guest server's ifconfig information shows binding to the
correct ethernet adapter and IP address (eth1:192.168.18.252), it appears
that they are responding to incoming traffic on eth1:192.168.18.252, but
their outgoing traffic is actually going out through eth0:192.168.18.251.
There is no isolation of the network interfaces.

Can anyone explain this, or how to fix the problem so that the processes are
bound to the correct NIC interface and don't use an unauthorized NIC
interface? My ultimate goal is to bind the guest servers to the NIC that
exists in the appropriate firewall zone.

FYI, here is a thread that summarized the problem in more detail:

http://forums.gentoo.org/viewtopic-p-3495451.html#3495451

I've searched this list's archives regarding this problem, and I found two
relevant threads. The first one mentioned having found a solution that was
going to be posted to the "recipies" page, but the recipies page shown in the
hyperlink is blank. The second thread contained a discussion about this
improper behavior and whether this default behavior should be changed, but
there was no follow-up. It's not clear to me if this is an error or if this
is how things are supposed to work.

Any insights would be appreciated! Thanks!