Hello Community! As promised, here is the second part, with some concepts about routing (I'll save the netfilter stuff for the next part).
I did some examples last time with QEMU, and I will use it again to illustrate the internals (you can use UML or VMware or a real network to do this).

------------

Most people know 'ifconfig' and 'route', not only because they are very old, but also because they are available on many different unix systems. Linux also supports them, but there are other, more kernel-tailored tools, and I'm going to show 'ip' (from iproute2) and compare it to the 'old' tools wherever possible ...

[+] will mark the 'old' version and [#] the 'ip'-tool one.

First, a routing scenario:

  +----------+              +-------------+
  | Host A   |  10.0.0.0/24 | Host B      |
  | 10.0.0.1 +--------------+ 10.0.0.2    |
  |          |              |-------------|
  +----------+              | 192.168.0.1 |
                            +-------------+

I'll simulate this with the following setup:

on the host:

  [+] ifconfig tun0 10.0.0.1/24
      route -n

      Kernel IP routing table
      Destination     Gateway         Genmask         F M R Use Iface
      10.0.0.0        0.0.0.0         255.255.255.0   U 0 0   0 tun0

  [#] ip addr add 10.0.0.1/24 dev tun0
      ip link set tun0 up
      ip route show

      10.0.0.0/24 dev tun0  proto kernel  scope link  src 10.0.0.1

and on the (QEMU) client:

  [+] ifconfig eth0 10.0.0.2/24
      ifconfig dummy0 192.168.0.1/24
      route -n

      Kernel IP routing table
      Destination     Gateway         Genmask         F M R Use Iface
      10.0.0.0        0.0.0.0         255.255.255.0   U 0 0   0 eth0
      192.168.0.0     0.0.0.0         255.255.255.0   U 0 0   0 dummy0

  [#] ip addr add 10.0.0.2/24 dev eth0
      ip link set eth0 up
      ip addr add 192.168.0.1/24 dev dummy0
      ip link set dummy0 up
      ip route show

      10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.2
      192.168.0.0/24 dev dummy0  proto kernel  scope link  src 192.168.0.1

Now we try to ping both IPs on the client, 10.0.0.2 and 192.168.0.1, from the host, and we see that while the former can be reached without any issues, the latter gives 'Network is unreachable' (or a timeout, if you have a default gateway set on the host) ...
What we need is to add a specific route on the host to reach the second IP address (192.168.0.1), so we do:

  [+] route add -net 192.168.0.0/24 gw 10.0.0.2

  [#] ip route add 192.168.0.0/24 via 10.0.0.2

and from now on the ping to 192.168.0.1 will succeed on the host, as the one to 10.0.0.2 did before ...

Now let us take a look at the packet statistics:

  H# ping -c 10 10.0.0.2

  --- 10.0.0.2 ping statistics ---
  10 packets transmitted, 10 packets received, 0% packet loss
  round-trip min/avg/max/mdev = 0.134/1.132/8.557/2.480 ms

  tun0      Link encap:Ethernet  HWaddr ...
            inet addr:10.0.0.1  Bcast: ...  Mask:255.255.255.0
            RX packets:12 errors:0 dropped:0 overruns:0 frame:0
            TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
            RX bytes:1100 (1.0 Kb)  TX bytes:1064 (1.0 Kb)

  eth0      Link encap:Ethernet  HWaddr ...
            inet addr:10.0.0.2  Bcast: ...  Mask:255.255.255.0
            RX packets:12 errors:0 dropped:0 overruns:0 frame:0
            TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
            RX bytes:1100 (1.0 KiB)  TX bytes:1100 (1.0 KiB)

  H# ping -c 10 192.168.0.1

  --- 192.168.0.1 ping statistics ---
  10 packets transmitted, 10 packets received, 0% packet loss
  round-trip min/avg/max/mdev = 0.199/1.083/8.424/2.449 ms

  eth0      Link encap:Ethernet  HWaddr ...
            inet addr:10.0.0.2  Bcast: ...  Mask:255.255.255.0
            RX packets:12 errors:0 dropped:0 overruns:0 frame:0
            TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
            RX bytes:1100 (1.0 KiB)  TX bytes:1100 (1.0 KiB)

  dummy0    Link encap:Ethernet  HWaddr ...
            inet addr:192.168.0.1  Bcast: ...  Mask:255.255.255.0
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Interesting things to spend a second thought on:

  - why does the second ping require an additional route?
  - is there a difference in how the packets travel?
  - should dummy0 receive or send any packets?
  - what would be required to reach the client from any other box in a local LAN of the host?
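To see the routing decision behind those two pings without a VM, here is a small added example (mine, not part of the original mail or of iproute2) in Python. It models a kernel routing table with longest-prefix match: the host table from above, the lookup for 192.168.0.1 that fails with 'Network is unreachable', the same lookup after the equivalent of 'ip route add 192.168.0.0/24 via 10.0.0.2' (note that the output device is derived from the gateway, just as when no 'dev' is given), and, as a constructed variant not in the mail, what a default gateway on an assumed second host interface eth1 (172.16.0.0/24) does to the result. Every interface name and address other than the ones in the mail is an assumption.

```python
"""Longest-prefix-match route lookup, modelled on the two tables in the post.

Added example, not from the original mail: a small software model of the
kernel's routing decision (one table, longest prefix wins, no metrics).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix, e.g. 192.168.0.0/24
    dev: str                        # output interface
    via: Optional[str] = None       # gateway; None = directly connected (scope link)


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, dev: Optional[str] = None, via: Optional[str] = None) -> Route:
        """Mirror 'ip route add PREFIX [via GW] [dev DEV]'.

        With only a gateway given, the output device is taken from the directly
        connected route covering the gateway, as the kernel does; a gateway that
        is not on a connected network is rejected.
        """
        net = ipaddress.ip_network(prefix, strict=False)
        if dev is None:
            if via is None:
                raise ValueError("need at least one of 'dev' or 'via'")
            gw_dev, gw_next_hop = self.lookup(via)   # OSError if nothing covers the gateway
            if gw_next_hop != via:                    # covered only through another gateway
                raise ValueError(f"gateway {via} is not directly reachable")
            dev = gw_dev
        route = Route(net, dev, via)
        self.routes.append(route)
        return route

    def lookup(self, dst: str) -> Tuple[str, str]:
        """Return (output device, next-hop address) for dst.

        Raises OSError('Network is unreachable') when no prefix covers dst,
        which is the error ping reports before the extra route is added.
        """
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        if best is None:
            raise OSError("Network is unreachable")
        # Directly connected: the next hop is the destination itself (ARP for it).
        # Gateway route: the frame is addressed to the gateway, the IP header still says dst.
        return best.dev, (best.via if best.via else str(addr))

    def show(self) -> List[str]:
        """Render the table roughly the way 'ip route show' does."""
        return [f"{r.prefix} via {r.via} dev {r.dev}" if r.via
                else f"{r.prefix} dev {r.dev}  proto kernel  scope link"
                for r in self.routes]


def host_table(default_gw: Optional[str] = None) -> RoutingTable:
    """Host A's table from the post: 10.0.0.0/24 on tun0.

    default_gw is a constructed option (not in the post): a default route
    through an assumed second interface eth1 on 172.16.0.0/24.
    """
    t = RoutingTable()
    t.add("10.0.0.0/24", dev="tun0")
    if default_gw:
        t.add("172.16.0.0/24", dev="eth1")   # assumed, so the gateway is directly reachable
        t.add("0.0.0.0/0", via=default_gw)
    return t


def client_table() -> RoutingTable:
    """Host B's (QEMU client) table from the post: eth0 and dummy0."""
    t = RoutingTable()
    t.add("10.0.0.0/24", dev="eth0")
    t.add("192.168.0.0/24", dev="dummy0")
    return t


def describe(table: RoutingTable, dst: str) -> str:
    """One line per destination: where the packet would go, or the error."""
    try:
        dev, next_hop = table.lookup(dst)
        return f"{dst}: dev {dev}, next hop {next_hop}"
    except OSError as err:
        return f"{dst}: {err}"


def demo() -> List[str]:
    """Replay the host side of the post: both pings before and after the extra route."""
    host = host_table()
    out = [describe(host, "10.0.0.2"), describe(host, "192.168.0.1")]
    host.add("192.168.0.0/24", via="10.0.0.2")   # [#] ip route add 192.168.0.0/24 via 10.0.0.2
    out.append(describe(host, "192.168.0.1"))
    return out + host.show()


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running it prints the two lookups, the second one failing with 'Network is unreachable', then the successful lookup (dev tun0, next hop 10.0.0.2) and the resulting table. With the constructed default gateway, the lookup for 192.168.0.1 does not fail but picks the /0 route towards eth1, which is the timeout case from above; once the /24 is added it wins over the /0 because it is the longer prefix.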
Next part: netfilter

best,
Herbert

PS: let me know if the level is too low/high and if you are interested in this stuff ... because if not, I skip to the questions without any further explanations ...

_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver