Martin Leben wrote:
> mess-mate wrote:
>
>> So I'd routed the dynamic ip to the vserver-host in the dmz zone as this:
>>
>> DNAT $FW dmz:192.168.20.1 tcp 80 - $ETH0_IP
>>
>> and it works perfectly but I want to get my webpage in the vserver-guest now,
>>
>> 192.168.30.1 = the guest and 192.168.20.1 = the host of the vserver.
>>
>> shorewall is the firewall in the vserver-host (192.168.20.1).
>>
>> How can I dnat or forward or whatsoever all what's coming from $ETH_IP
>> to the vserver-guest ?
>>
>> Changing dmz:192.168.20.1 to dmz:192.168.30.1 does not work and strangely
>> enough the vserver continues receiving the requests in this case.
>>
>> I know Martin said considering the vserver-host as the external ip to
>> do it, but can't know how to do it.
>
> Hi!
>
> I am by NO means an expert on vserver (since I haven't even used it), but if I
> understand your setup from a networking perspective it looks _something_ like
> this now:
>
> (Ascii is best read using constant width font.)
>
>          |
> +-----------------+
> |  86.192.36.220  |
> |    firewall     |
> |192.168.20.254/24|
> +-----------------+
>          |
> +-----------------+
> | 192.168.20.1/24 |
> |  vserver-host   |
> +-----------------+
>          |
> +-----------------+
> | 192.168.30.1/24 |
> |  vserver-guest  |
> +-----------------+
>
> ... which means that you have to use DNAT in both the "firewall" machine as well
> as in the "vserver-host" machine. That is unnecessary, brings more work and ....
> it is just bad.
>
> I suggest you give the "vserver-guest" machine the ip "192.168.20.2/24" instead
> by doing this:
>
> # cd /etc/vservers/$VSERVER/interfaces/0
> echo eth0 > dev
> echo 192.168.20.2 > ip
> echo 2 > name
> echo 24 > prefix
>
> ... as per <http://linux-vserver.org/Networking_vserver_guests>. Please observe
> that almost all of the rest of that article should be ignored though, if I am
> not mistaken, since it talks about DNAT:ting.

In addition to my previous post: the vserver people said _'there is no DNAT:thing'_.
So the only thing I can think is that the vserver-host has to dnat, does it?
That's twice, once from the router/firewall and now again. And this with an $ETH0_IP!

mess-mate

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users