Chuck wrote:
On Friday 29 September 2006 11:53, Chuck wrote:
[snip]

Lastly, iptables is pretty open.

The problem is that though I can ping from a different network to both of the host's two IPs, and I can ping out from the three guests that use eth0, and I can ping the eth1 guest from an eth0 guest, I can't ping from the eth1 guest to the outside world. The cursor just sits there blinking at me. #$%^&* computers. :-)



I had exactly the same symptoms when I first started this.. it only worked after switching to iproute2 and setting up tables and rules.. suddenly everything started working, with the exception of my current problem of a /23 network not talking to a specific /24 network off the host... it is working now, although I consider it a band-aid until I am assured this is how it is supposed to work internally.

For redhat-style systems I do not know if the iproute2 package replaces the init scripts and how the syntax works for setting routes and rules... it may have to be a separate script created with the proper ip route or ip rule commands..

Yes, recent Redhat-ian systems use iproute2 and the sysv script (ifup-route) _seems_ to beat the route-eth? files into submission.

I'm beginning to think I've done something odd to this guest or am completely confused as to the values I'm using.

I'm going to try another later today or this evening.


Thanks Chuck.
Rod
--



All the guests were created using the same set of commands with only the contexts, IPs, interface etc. different.

So I'm hoping it is just something really stupid or overlooked on my part.

Hope this isn't hijacking the thread too much.


Rod
--

Herbert Poetzl wrote:

On Thu, Sep 28, 2006 at 07:35:09PM -0400, Chuck wrote:


My 32 net guests cannot contact outside 39 net machines on our same
network. They can contact other 39 net guests on the same host.
Conversely, the external 39 net machine cannot contact any 32 net IP
on the vserver host or any guest..


I assume you mean something like 10.32.0.x/24 and 10.39.0.y/24
here (well, at least it sounds like that is what you mean)



The problem I had was, when within a 32 net guest I ping a 39 net
external host, it goes out our 39 net card to the external host, gets
answered and routed back into our host on 32 net since the source IP
header in the packet is 32 net, and the system ignores it.


yes, by default, the host is allowed to choose any network
address which is assigned to an interface, the reverse path
filter basically blocks packets which could not have originated
from that interface, because it does not hold that ip



Setting the value below to 0 cures that.


so, what you basically did, is to allow the packets to leave
the interfaces with an ip from a different interface/routing
too (which is harmless, but probably not what you actually
wanted)



Am I doing something extremely stupid by disabling this, or is it
secure enough not to worry?

We are protected by tons of ACLs in various routers plus a very
strict iptables on the host.


the better approach would be to set up two routing tables,
(given that there are two nics/routes on the host), and
use source based routing to figure the proper interface

but if that 'works for you' then it is no big deal, as I
said, it's usually off by default ...

HTH,
Herbert



I found the setting below in sysctl.conf was set to 1. If I set it to 0 as shown, everything works properly..

# Enables source route verification. 0 disables
net.ipv4.conf.default.rp_filter = 0

--

Chuck

"...and the hordes of M$*ft users descended upon me in their anger,
and asked 'Why do you not get the viruses or the BlueScreensOfDeath
or insecure system troubles and slowness or pay through the nose for an OS as *we* do?!!', and I answered...'I use Linux'. "
The Book of John, chapter 1, page 1, and end of book


_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
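The two-routing-table, source-based routing approach Herbert recommends instead of switching rp_filter off, written out as an added example (this is not a script from the thread or from Linux-VServer). The interface names, the 10.32.0.0/24 and 10.39.0.0/24 networks, the gateways and the table numbers are assumed placeholders following Herbert's guess at the addressing; it prints the ip(8) commands by default and only applies them with --apply.

```shell
#!/bin/sh
# Added example, not from the thread: keep reverse-path filtering on and
# instead give each NIC its own routing table, selected by *source* address,
# so a reply sourced from a 39 net guest IP leaves via the 39 net card.
# Assumed (constructed) layout: eth0 carries 10.32.0.0/24, eth1 carries
# 10.39.0.0/24; guest IPs are secondary addresses on those host interfaces.
set -eu

# Commands for one NIC: a dedicated table with the link route and a default
# route via that net's gateway, plus a rule steering traffic sourced from
# that net into the table.   $1 iface  $2 network/prefix  $3 gateway  $4 table
policy_route_cmds() {
    iface=$1; net=$2; gw=$3; tbl=$4
    printf 'ip route add %s dev %s table %s\n' "$net" "$iface" "$tbl"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$tbl"
    printf 'ip rule add from %s lookup %s\n' "$net" "$tbl"
    # conf.default.rp_filter only governs interfaces created later; set the
    # per-interface knob explicitly so the filter really stays active here.
    printf 'sysctl -w net.ipv4.conf.%s.rp_filter=1\n' "$iface"
}

# Whole-host command list (assumed addressing, see above).
host_policy_cmds() {
    policy_route_cmds eth0 10.32.0.0/24 10.32.0.1 32
    policy_route_cmds eth1 10.39.0.0/24 10.39.0.1 39
    printf 'sysctl -w net.ipv4.conf.all.rp_filter=1\n'
}

# Dry run unless --apply is given, so the plan can be reviewed without root.
if [ "${1:-}" = "--apply" ]; then
    host_policy_cmds | while read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
else
    host_policy_cmds
fi
```

After applying, `ip rule show` and `ip route show table 39` should list the new rule and table; the rules are not persistent, so on a Red Hat style host they belong in a script run from the network init.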








