Hello Community!

as promised, here is the second part, with some concepts about
routing (I'll save the netfilter stuff for the next part)

I did some examples last time with QEMU and I will use it
again to illustrate the internals (you can use UML or VMware
or a real network to do this).

------------

most people know 'ifconfig' and 'route', not only because 
they are very old, but also because they are available on
many different unix systems. linux also supports them, but 
there are other, more kernel tailored tools, and I'm going 
to show 'ip' (from iproute2), and compare it to the 'old' 
tools, wherever possible ...

[+] will mark the 'old' version and [#] the 'ip'-tool one


first, a routing scenario:

    +----------+                        +-------------+
    |  Host A  |  10.0.0.0/24           |   Host B    |
    | 10.0.0.1 +------------------------+  10.0.0.2   |
    |          |                        |-------------|
    +----------+                        | 192.168.0.1 |
                                        +-------------+

I'll simulate this with the following setup:

  on the host:
  [+]   ifconfig tun0 10.0.0.1/24           
        route -n

      Kernel IP routing table
      Destination   Gateway  Genmask        F M R Use Iface
      10.0.0.0      0.0.0.0  255.255.255.0  U 0 0   0 tun0

  [#]   ip addr add 10.0.0.1/24 dev tun0
        ip link set tun0 up
        ip route show
  
      10.0.0.0/24 dev tun0  proto kernel  scope link  src 10.0.0.1 


  and on the (QEMU) client:
  
  [+]   ifconfig eth0 10.0.0.2/24
        ifconfig dummy0 192.168.0.1/24  
        route -n

      Kernel IP routing table
      Destination   Gateway  Genmask        F M R Use Iface
      10.0.0.0      0.0.0.0  255.255.255.0  U 0 0   0 eth0
      192.168.0.0   0.0.0.0  255.255.255.0  U 0 0   0 dummy0

  [#]   ip addr add 10.0.0.2/24 dev eth0
        ip link set eth0 up
        ip addr add 192.168.0.1/24 dev dummy0
        ip link set dummy0 up
        ip route show

      10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.2 
      192.168.0.0/24 dev dummy0  proto kernel  scope link  src 192.168.0.1 

now we try to ping both IPs on the client, 10.0.0.2 and
192.168.0.1 from the host, and we see that while the
former can be reached without any issues, the latter
gives 'Network is unreachable' or a timeout if you have
a default gateway set on the host ...

what we need is to add a specific route to reach the 
second ip address (192.168.0.1) on the host, so we do:

  [+]   route add -net 192.168.0.0/24 gw 10.0.0.2

  [#]   ip route add 192.168.0.0/24 via 10.0.0.2

and from now on, the ping to 192.168.0.1 will succeed on
the host as the one to 10.0.0.2 did before ... now let us
take a look at the packet statistics:

    H# ping -c 10 10.0.0.2

   --- 10.0.0.2 ping statistics ---
   10 packets transmitted, 10 packets received, 0% packet loss
   round-trip min/avg/max/mdev = 0.134/1.132/8.557/2.480 ms

   tun0   Link encap:Ethernet  HWaddr ...
          inet addr:10.0.0.1  Bcast: ...  Mask:255.255.255.0
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          RX bytes:1100 (1.0 Kb)  TX bytes:1064 (1.0 Kb)

   eth0   Link encap:Ethernet  HWaddr ...  
          inet addr:10.0.0.2  Bcast: ...  Mask:255.255.255.0
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          RX bytes:1100 (1.0 KiB)  TX bytes:1100 (1.0 KiB)

    H# ping -c 10 192.168.0.1
 
   --- 192.168.0.1 ping statistics ---
   10 packets transmitted, 10 packets received, 0% packet loss
   round-trip min/avg/max/mdev = 0.199/1.083/8.424/2.449 ms

   eth0   Link encap:Ethernet  HWaddr ...
          inet addr:10.0.0.2  Bcast: ...  Mask:255.255.255.0
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          RX bytes:1100 (1.0 KiB)  TX bytes:1100 (1.0 KiB)

   dummy0 Link encap:Ethernet  HWaddr ...
          inet addr:192.168.0.1  Bcast: ...  Mask:255.255.255.0
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

interesting things to spend a second thought on:

  - why does the second ping require an additional route?
  - is there a difference in how the packets travel?   
  - should dummy0 receive or send any packets?
  - what would be required to reach the client from
    any other box in a local lan of the host? 


next part:  netfilter

best,
Herbert


PS: let me know if the level is too low/high and if you are
    interested in this stuff ... because if not, I skip to
    the questions without any further explanations ...
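
The host-side route lookup described in the post, modelled as a longest-prefix match (an added example, not part of the original message and not kernel code). The tables mirror the `ip route show` output above; the 172.16.0.0/24 network, its gateway and `eth1` are hypothetical, added only to show the default-gateway case.

```python
import ipaddress

# Constructed tables for the host (Host A): (prefix, gateway or None, device).
# gateway None means the destination is on-link (directly connected).
HOST_BEFORE = [("10.0.0.0/24", None, "tun0")]
# After 'ip route add 192.168.0.0/24 via 10.0.0.2'; the kernel derives the
# device from the route to the gateway, here written out as tun0.
HOST_AFTER = HOST_BEFORE + [("192.168.0.0/24", "10.0.0.2", "tun0")]
# Hypothetical LAN and default gateway (not in the post's tables).
HOST_WITH_DEFAULT = HOST_BEFORE + [
    ("172.16.0.0/24", None, "eth1"),
    ("0.0.0.0/0", "172.16.0.254", "eth1"),
]


def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, dev) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return None  # no matching route: 'Network is unreachable'
    _, gw, dev = best
    # On-link: the frame is addressed to the destination itself.
    # Via gateway: the frame goes to the gateway, the IP destination is unchanged.
    return (gw or dst, dev)


def describe(table, dst):
    """Human-readable result of the lookup for one destination."""
    hop = lookup(table, dst)
    if hop is None:
        return f"{dst}: Network is unreachable"
    return f"{dst}: next hop {hop[0]} dev {hop[1]}"


if __name__ == "__main__":
    tables = [("before", HOST_BEFORE), ("after", HOST_AFTER),
              ("default gw only", HOST_WITH_DEFAULT)]
    for name, table in tables:
        for dst in ("10.0.0.2", "192.168.0.1"):
            print(f"[{name}] {describe(table, dst)}")
```

With only a default gateway the lookup succeeds but hands the packet to a box that knows nothing about 192.168.0.0/24, which is the timeout case mentioned above rather than 'Network is unreachable'.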
