mess-mate wrote:
> So I'd routed the dynamic ip to the vserver-host in the dmz zone as this:
>
> DNAT $FW dmz:192.168.20.1 tcp 80 - $ETH0_IP
>
> and it works perfectly but I want to get my webpage in the vserver-guest now,
>
> 192.168.30.1 = the guest and 192.168.20.1 = the host of the vserver.
>
>
> shorewall is the firewall in the vserver-host (192.168.20.1).
>
>
> How can I dnat or forward or whatsoever all what's coming from $ETH_IP
> to the vserver-guest ?
>
>
> Changing dmz:192.168.20.1 to dmz:192.168.30.1 does not work and strange
> enough the vserver continues receiving the requests in this case .
>
>
> I know Martin said considering the vserver-host as the external ip to
> do it, but can't know how to do it.

Hi!

I am by NO means an expert on vserver (since I haven't even used it), but if I understand your setup from a networking perspective it looks _something_ like this now:

(Ascii is best read using constant width font.)

             |
    +-----------------+
    |  86.192.36.220  |
    |    firewall     |
    |192.168.20.254/24|
    +-----------------+
             |
    +-----------------+
    | 192.168.20.1/24 |
    |  vserver-host   |
    +-----------------+
             |
    +-----------------+
    | 192.168.30.1/24 |
    |  vserver-guest  |
    +-----------------+

... which means that you have to use DNAT in both the "firewall" machine as well as in the "vserver-host" machine. That is unnecessary, brings more work and .... it is just bad.

I suggest you give the "vserver-guest" machine the ip "192.168.20.2/24" instead by doing this:

    cd /etc/vservers/$VSERVER/interfaces/0
    echo eth0 > dev
    echo 192.168.20.2 > ip
    echo 2 > name
    echo 24 > prefix

... as per <http://linux-vserver.org/Networking_vserver_guests>. Please observe that almost all of the rest of that article should be ignored though, if I am not mistaken, since it talks about DNAT:ting.

If you have more questions about vserver networking, I am sure that you would get better help on a mailing list or forum about vserver where the vserver experts hang out, than you get on this list. Remember, this is a list about the Shoreline Firewall (a.k.a. shorewall), not about general Linux or vserver networking issues.

(And I would like to repeat that I haven't used vserver myself. The above information was gathered by some googling and browsing the vserver website <http://linux-vserver.org/>.)

Good luck!

/Martin

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users