Re: [Vserver] Multiple NICs, Multiple Networks; Revisited 2
On Sat, Aug 12, 2006 at 12:14:54AM -0700, Bob Predaina wrote:
> I'm having a problem with a fresh Gentoo vServer installation, related to network separation. I've built my vServer with 3 NICs, each of which will be attached to a different network. For example, here's what I'm trying to do:
>
> eth0 -- only available to the vServer host, used exclusively for administrative access to the server from a local PC via SSH.
> eth1 -- only available to a VPS guest running Samba, to provide Samba services on an isolated private LAN.
> eth2 -- only available to two VPS guests, one running VSFTPD and one running Apache. This interface will be placed in a DMZ by an external firewall.
>
> eth0, eth1, eth2 and lo are all up and running on the host. The host is using eth0. As a test setup I have installed two guest servers that will be using eth1. Both were created using the --interface eth1:192.168.18.252/24 parameter. The guests correctly report that they are using eth1 at 192.168.18.252.
>
> Even though the guest server's ifconfig information shows binding to the correct ethernet adapter and IP address (eth1:192.168.18.252), it appears that they are responding to incoming traffic on eth1:192.168.18.252, but their outgoing traffic is actually going out through eth0:192.168.18.251. There is no isolation of the network interfaces.
>
> Can anyone explain this, or how to fix the problem so that the processes are bound to the correct NIC interface and don't use an unauthorized NIC interface?

With proper settings (not Linux-VServer related) you can configure a Linux machine to use more than one gateway and, more importantly, to send through the proper interfaces with the assigned (primary) IPs without producing crosstalk. The important hints here are 'multiple routing tables' and 'reverse path filter'.

> My ultimate goal is to bind the guest servers to the NIC that exists in the appropriate firewall zone.
>
> FYI, here is a thread that summarized the problem in more detail:
> http://forums.gentoo.org/viewtopic-p-3495451.html#3495451
>
> I've searched this list's archives regarding this problem, and I found two relevant threads. The first one mentioned having found a solution that was going to be posted to the recipes page, but the recipes page shown in the hyperlink is blank. The second thread contained a discussion about this improper behavior and whether this default behavior should be changed, but there was no follow-up. It's not clear to me if this is an error or if this is how things are supposed to work.
>
> Any insights would be appreciated! Thanks!

Check out this:

http://archives.linux-vserver.org/200311/0470.html
http://list.linux-vserver.org/archive/vserver/msg06615.html
http://list.linux-vserver.org/archive/vserver/msg06631.html
http://list.linux-vserver.org/archive/vserver/msg06667.html

all linked from: http://linux-vserver.org/Documentation

HTH,
Herbert

PS: if you still can't make it work (after giving it a hard try) contact me on the IRC channel.

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Multiple NICs, Multiple Networks; Revisited 2
On Sat August 12 2006 02:14, Bob Predaina wrote:
> eth0, eth1, eth2 and lo are all up and running on the host. The host is using eth0. As a test setup I have installed two guest servers that will be using eth1. Both were created using the --interface eth1:192.168.18.252/24 parameter.

Have you tried specifying a single address?

--interface eth1:192.168.18.252/32

> The guests correctly report that they are using eth1 at 192.168.18.252. Even though the guest server's ifconfig information shows binding to the correct ethernet adapter and IP address (eth1:192.168.18.252), it appears that they are responding to incoming traffic on eth1:192.168.18.252, but their outgoing traffic is actually going out through eth0:192.168.18.251. There is no isolation of the network interfaces.

Both of those addresses are within the eth1:192.168.18.252/24 specification.

Mike
Re: [Vserver] Multiple NICs, Multiple Networks; Revisited 2
Hi Bob.

After reading both this thread and the one on the Gentoo forums that you posted, I see several problems.

First, I would use separate subnets for each of your eth0, eth1, and eth2 interfaces, and of course, separate hubs/switches. I tried for a week to get 2 NICs working on the same subnet and never got past the routing problems. For isolation reasons, I wouldn't expect that you would even really want them on the same subnet anyway.

Second, it sounds like you are trying to use the same IP for your guest as the IP that you have set for your real interface. The guest OS should have a unique address on the same subnet that the real interface is on. For instance, if eth1 has an IP of 192.168.18.252, then your guest OS can have an IP of 192.168.18.100, assuming that 192.168.18.100 is not already in use elsewhere.

This leads to the third problem. Every guest OS must have a unique IP address. In reading your posts, it sounds like you are trying to use the same IP for multiple guests. You can't do that. :)

John

On 8/13/06, Michael S. Zick [EMAIL PROTECTED] wrote:
> On Sat August 12 2006 02:14, Bob Predaina wrote:
> > eth0, eth1, eth2 and lo are all up and running on the host. The host is using eth0. As a test setup I have installed two guest servers that will be using eth1. Both were created using the --interface eth1:192.168.18.252/24 parameter.
>
> Have you tried specifying a single address?
>
> --interface eth1:192.168.18.252/32
>
> > The guests correctly report that they are using eth1 at 192.168.18.252. Even though the guest server's ifconfig information shows binding to the correct ethernet adapter and IP address (eth1:192.168.18.252), it appears that they are responding to incoming traffic on eth1:192.168.18.252, but their outgoing traffic is actually going out through eth0:192.168.18.251. There is no isolation of the network interfaces.
>
> Both of those addresses are within the eth1:192.168.18.252/24 specification.
>
> Mike
Re: [Vserver] Multiple NICs, Multiple Networks; Revisited 2
On Sunday 13 August 2006 16:52, John Alberts wrote:
> This leads to the third problem. Every guest OS must have a unique IP address. In reading your posts, it sounds like you are trying to use the same IP for multiple guests. You can't do that. :)

You CAN share IP addresses between multiple guests, but unless you have a good reason to do so you shouldn't. The reason why it is discouraged is because each guest can disturb the other one by taking over ports. E.g. in the first guest you start sshd; in the second guest you can't do so anymore unless you run sshd on different ports for both guests.

Regards,
Bruno
[Vserver] Multiple NICs, Multiple Networks; Revisited 2
I'm having a problem with a fresh Gentoo vServer installation, related to network separation. I've built my vServer with 3 NICs, each of which will be attached to a different network. For example, here's what I'm trying to do:

eth0 -- only available to the vServer host, used exclusively for administrative access to the server from a local PC via SSH.
eth1 -- only available to a VPS guest running Samba, to provide Samba services on an isolated private LAN.
eth2 -- only available to two VPS guests, one running VSFTPD and one running Apache. This interface will be placed in a DMZ by an external firewall.

eth0, eth1, eth2 and lo are all up and running on the host. The host is using eth0. As a test setup I have installed two guest servers that will be using eth1. Both were created using the --interface eth1:192.168.18.252/24 parameter. The guests correctly report that they are using eth1 at 192.168.18.252.

Even though the guest server's ifconfig information shows binding to the correct ethernet adapter and IP address (eth1:192.168.18.252), it appears that they are responding to incoming traffic on eth1:192.168.18.252, but their outgoing traffic is actually going out through eth0:192.168.18.251. There is no isolation of the network interfaces.

Can anyone explain this, or how to fix the problem so that the processes are bound to the correct NIC interface and don't use an unauthorized NIC interface? My ultimate goal is to bind the guest servers to the NIC that exists in the appropriate firewall zone.

FYI, here is a thread that summarized the problem in more detail:
http://forums.gentoo.org/viewtopic-p-3495451.html#3495451

I've searched this list's archives regarding this problem, and I found two relevant threads. The first one mentioned having found a solution that was going to be posted to the recipes page, but the recipes page shown in the hyperlink is blank. The second thread contained a discussion about this improper behavior and whether this default behavior should be changed, but there was no follow-up. It's not clear to me if this is an error or if this is how things are supposed to work.

Any insights would be appreciated! Thanks!
Re: [Vserver] Multiple NICs, Multiple Networks; Revisited 2
On Saturday 12 August 2006 09:14, Bob Predaina wrote:
> Even though the guest server's ifconfig information shows binding to the correct ethernet adapter and IP address (eth1:192.168.18.252), it appears that they are responding to incoming traffic on eth1:192.168.18.252, but their outgoing traffic is actually going out through eth0:192.168.18.251. There is no isolation of the network interfaces.
>
> Can anyone explain this, or how to fix the problem so that the processes are bound to the correct NIC interface and don't use an unauthorized NIC interface? My ultimate goal is to bind the guest servers to the NIC that exists in the appropriate firewall zone.

When using the IP addresses of your interfaces on the host, does the traffic always get output through the correct interface?

A few notes on how vserver networking works:

- isolation is done at IP level; routing is always done by the kernel/host.
- when a guest issues a connection without specifying a source address, the kernel tries to find the best match, but there are some cases when it selects an IP address not assigned to the guest.
- linux-vserver does not care about interfaces except when listing them (ifconfig, ip link list, /proc/...), where those having no address visible to the guest are hidden.

A good way to check if your traffic gets routed through the correct interface in the best case is:

Inside the guest, issue a test connection (e.g. with netcat) specifying source and target address:

  nc -s 192.168.18.252 192.168.18.123 80

and check that the given connection goes out on the right interface.

If the check above is successful, then try again without the -s src addr option to netcat and you will possibly have the traffic leaving with the wrong src address/interface.

Setting up the interfaces in a different order can alter the routing selection (and by that the interface used).

Your issue should possibly go away if you set non-overlapping subnets on the 3 interfaces or set the IP addresses with 255.255.255.255 netmask.

I'm not sure I understand the kernel's workflow for source address selection yet... Maybe Herbert can tell you more on this.

If the source address is correct you can just blame the Linux kernel and try to prevent the packets from getting out through the wrong interface by using IPTables... Having context-tag matching support in IPTables would be nice, but that's only future dreams as far as I know.

Regards,
Bruno
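As an added example (not from the thread or the Linux-VServer project), a simplified Python model of the route selection Herbert and Bruno describe: with eth0 and eth1 both inside 192.168.18.0/24, an unbound guest socket leaves via eth0 with the host's 192.168.18.251; binding the source with nc -s fixes only the address; a source-keyed routing table (Herbert's 'multiple routing tables') or non-overlapping subnets (Bruno's suggestion) fixes the interface. The first-installed-route tie-break and the 192.168.17.0/24 subnet for eth0 are assumptions of the model.

```python
import ipaddress

# Constructed model of the host in the thread: eth0 and eth1 both carry an
# address inside 192.168.18.0/24, so the main table holds two equally
# specific connected routes. eth0 was configured first.
ROUTES_MAIN = [  # (prefix, out_dev, preferred_src)
    ("192.168.18.0/24", "eth0", "192.168.18.251"),
    ("192.168.18.0/24", "eth1", "192.168.18.252"),
]

# Herbert's hint: one routing table per interface, chosen by a rule on the
# source address ("ip rule add from <guest ip> lookup <table>" style).
TABLES_POLICY = {
    "main": ROUTES_MAIN,
    "t_eth1": [("192.168.18.0/24", "eth1", "192.168.18.252")],
}
RULES_POLICY = [("192.168.18.252", "t_eth1")]  # (from_src, table)

# Bruno's alternative: non-overlapping subnets. 192.168.17.0/24 for eth0 is
# a constructed value, not an address from the thread.
ROUTES_SEPARATE = [
    ("192.168.17.0/24", "eth0", "192.168.17.251"),
    ("192.168.18.0/24", "eth1", "192.168.18.252"),
]


def lookup(table, dst):
    """Longest-prefix match. Among equal-length prefixes the first-installed
    route wins (assumed tie-break); that is what reproduces the symptom."""
    best = None
    for prefix, dev, src in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev, src)
    return None if best is None else (best[1], best[2])


def route(dst, src=None, rules=(), tables=None):
    """Return (out_dev, src_addr) or None. A rule matching the bound source
    selects its table; otherwise the main table is used and an unbound
    socket inherits the chosen route's preferred source address."""
    tables = tables if tables is not None else {"main": ROUTES_MAIN}
    table = "main"
    for rule_src, rule_table in rules:
        if src == rule_src:
            table = rule_table
            break
    hit = lookup(tables[table], dst)
    return None if hit is None else (hit[0], src or hit[1])
```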
Re: [Vserver] Multiple NICs, multiple networks: Revisited
Roderick A. Anderson wrote:
> I have looked at http://linux-vserver.org/Recipes -- configuring routing for a server with two network interfaces -- and it makes sense, but since I use sysv (Redhat/Fedora/CentOS) systems I'm not sure how to accomplish the same thing. That is, at boot or network restart time without user intervention.
>
> Any R/F/C users that are doing multiple networks and routing on the list that can share their knowledge?

I have found the answer but still have to test it. Once I do I'll add to the Recipes page.

Rod
[Vserver] Multiple NICs, multiple networks: Revisited
I have looked at http://linux-vserver.org/Recipes -- configuring routing for a server with two network interfaces -- and it makes sense, but since I use sysv (Redhat/Fedora/CentOS) systems I'm not sure how to accomplish the same thing. That is, at boot or network restart time without user intervention.

Any R/F/C users that are doing multiple networks and routing on the list that can share their knowledge?

TIA,
Rod