Martin Leben wrote:
> mess-mate wrote:
>> In addition to my previous post;
>> the vserver people said _'there is no DNAT:thing '_
>> So the only thing I can think is that the vserver-host has to dnat, does it?
>> That's twice, once from the router/firewall and now again. And this
>> with an $ETH0_IP !
>
> Hi,
>
> Please re-read what I have written in earlier mails. If I understand vserver
> networking correctly (by just googling for fifteen minutes), you have three
> choices:
> 1) Use DNAT on the vserver host.
> 2) Use routing on the vserver host.
> 3) Don't do anything on the vserver host.
>
> ... and I have been trying to say that you shouldn't do anything at all on
> the vserver host. Definitely not DNAT, because you have already DNAT:ted on
> the firewall host.
>
> If I were you I'd want to use IP addresses in the same subnet as the vserver
> host. If the vserver people can't help you achieve that, then I just have to
> wish you good luck. So far nobody on this list has stepped forward and
> claimed to be a vserver expert.
>
> So, please go back to the vserver forum and try to communicate your situation.
> Something like this:
>
>     I have an internet-connected host that is using NAT. In the
>     DMZ I have a vserver host which has a guest. Is it possible
>     to configure the vserver host and client in a way that the
>     following three network interfaces have IP addresses in the
>     same subnet:
>     1) firewall DMZ interface
>     2) vserver host
>     3) vserver guest
>     I don't want to DNAT again, because the firewall host
>     already does that. And I don't want to use routing, because
>     that also complicates things.
>
> Best regards,
> /Martin

Hi again,

In order to avoid being perceived as "just a big talker", I have now installed a
new Debian Lenny machine named "vserver" on a fresh computer, mostly following
the guide on <http://linux-vserver.org/Installation_on_Debian>. I gave it the IP
address "10.0.0.99/24".

On "vserver" I installed the following packages:

    vserver:~# aptitude install linux-image-2.6.22-3-vserver-686 util-vserver

Then I created a vserver guest named "vguest":

    vserver:~# vserver vguest build -m debootstrap \
        --hostname vguest.example.org \
        --interface eth0:10.0.0.90/24 -- \
        -d lenny \
        -m http://ftp.sunet.se/pub/Linux/distributions/debian/

The guest network config looks like this:

    vserver:~# cat /etc/vservers/vguest/interfaces/0/dev
    eth0
    vserver:~# cat /etc/vservers/vguest/interfaces/0/ip
    10.0.0.90
    vserver:~# cat /etc/vservers/vguest/interfaces/0/prefix
    24

And then I started the guest machine "vguest", connected to the console, set
the root password, and installed and configured locales, openssh-server and a
webserver:

    vserver:~# vserver vguest start
    ...
    vguest:~# passwd
    ...
    vguest:~# aptitude install locales
    ...
    vguest:~# aptitude install openssh-server apache2
    ...

Everything worked like a charm. No NAT, no routing. Very simple.

Best regards,
/Martin

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
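
An added example, not part of the original mail: a check that every address in a guest's interfaces/N/{dev,ip,prefix} files (the layout shown in the message above) sits in the vserver host's own subnet, which is the condition for needing no second DNAT and no routing on the host. The function names are hypothetical, the sample directory is constructed, and treating a missing prefix file as /32 is an assumption of this sketch.

```python
import ipaddress
import tempfile
from pathlib import Path


def read_guest_interfaces(guest_dir):
    """Return [(dev, IPv4Interface)] read from <guest_dir>/interfaces/<n>/."""
    result = []
    for entry in sorted(Path(guest_dir, "interfaces").iterdir()):
        ip_file, prefix_file, dev_file = entry / "ip", entry / "prefix", entry / "dev"
        if not ip_file.is_file():
            continue
        # Assumption: a missing prefix file counts as /32, so it gets flagged below.
        prefix = prefix_file.read_text().strip() if prefix_file.is_file() else "32"
        dev = dev_file.read_text().strip() if dev_file.is_file() else "?"
        result.append((dev, ipaddress.ip_interface(f"{ip_file.read_text().strip()}/{prefix}")))
    return result


def check_same_subnet(host_cidr, guest_dir):
    """List the problems that would force NAT or routing on the vserver host."""
    host = ipaddress.ip_interface(host_cidr)
    problems = []
    for dev, iface in read_guest_interfaces(guest_dir):
        if iface.network != host.network:
            problems.append(f"{dev}: {iface} is not in host subnet {host.network}")
        elif iface.ip == host.ip:
            problems.append(f"{dev}: {iface.ip} duplicates the host address")
    return problems


def make_sample_guest(root, ip, prefix, dev="eth0"):
    """Build a constructed copy of the vguest/interfaces/0 layout for offline runs."""
    d = Path(root, "vguest", "interfaces", "0")
    d.mkdir(parents=True)
    (d / "dev").write_text(dev + "\n")
    (d / "ip").write_text(ip + "\n")
    (d / "prefix").write_text(prefix + "\n")
    return d.parents[1]  # the .../vguest directory


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        guest = make_sample_guest(tmp, "10.0.0.90", "24")
        # On a real host, guest would be Path("/etc/vservers/vguest").
        print(check_same_subnet("10.0.0.99/24", guest) or "OK: same subnet as host")
```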