
From: Liam Helmer (linuxlists_at_thevenue.org)
Date: Wed 28 Apr 2004 - 18:35:07 BST


On Wed, 2004-04-28 at 16:55, Alex Lyashkov wrote:
> On Wed, 28.04.2004, at 19:45, Liam Helmer wrote:
> > This question came up on the list a week or two ago, and the answer was
> > that IPtables rules were changing the source address of outgoing
> > connections. Did you check those to make sure that packets coming from
> > your vserver addresses aren't being SNAT-ed to something?
> Using ip routing rules does not fix all issues.
> If I have a packet exchange with some address from the host and try to send a
> packet from a vps, the kernel selects the source address from the routing cache and
> does not use routing tables/rules.
> If you use SNAT to change the address you must add NAT local connections,
> but it is not a light process for the kernel, and I am not sure it helps.

I wasn't saying he should put any in: I was saying that his problem
might be that there's a rule there that's changing the address. Also,
I'm talking about iptables (i.e. netfilter), not ip routing tables.

Actually, you could fix a lot of it with ip routing tables, if you use
policy routing (from x to y route to z with source a). I was considering
playing around with this, but it's more complex. This is yet another
place where having a netfilter_ctx patch would be helpful: for marking
packets so they correspond to ip routing rules (from context q route to
z with source a).

What I'm currently doing is doing SNAT on all vserver packets: that
gives the most flexibility, with the vservers residing on a private
internal ip. It also lets me share IPs better for vservers: I can have
one vserver doing port 80, and one doing port 25 on the same ip, but I
don't have to worry about one of them accidentally turning on a service
and interfering with another one, 'cause they have different private
IPs. It's not ideal for all setups, but then I'm not doing virtual
hosting really, so I have different needs.

Cheers,
Liam

>
>
> > Cheers,
> > Liam
> >
> > On Wed, 2004-04-28 at 16:12, Alex Lyashkov wrote:
> > > On Wed, 28.04.2004, at 18:46, ryanmh_at_comcast.net wrote:
> > > > Howdy all:
> > > >
> > > > Incoming connections from a virtual server I'm running are appearing as if they are coming from the host. For example, on a third server (completely separate from the host/vserver), the httpd access_log shows entries from the host IP, and not the vserver IP, when accesses are coming from an app running in the vserver context.
> > > >
> > > > Is this expected behavior? Is there a way I can make vserver connections appear as if they are from the vserver? I saw a similar question in the IRC logs, but the answer appeared to be truncated.
> > > >
> > > > Thanks,
> > > > Ryan
> > > >
> > > > p.s. Running vs1.3.8 and alpha util-vserver. The host and the vserver have been assigned different IP addresses on the same subnet.
> > > >
> > > >
> > > > _______________________________________________
> > > See the archive of this list.
> > > Correctly selecting the source address without completely separate routing caches
> > > and routing tables is not possible, and Vserver does not have them.
> > > I reported this bug to the list, because freevps had the same problem in
> > > one of its old snapshots.
> >
> > _______________________________________________
> > Vserver mailing list
> > Vserver_at_list.linux-vserver.org
> > http://list.linux-vserver.org/mailman/listinfo/vserver
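
The check suggested in this thread (whether a netfilter rule is rewriting the source address of packets sent from a vserver's IP), as an added example that is not part of the original messages: it scans `iptables-save` output for nat POSTROUTING rules with an SNAT or MASQUERADE target whose `-s` match covers a given address. The rule dump, interface names and addresses are constructed, and the `! -s` negation form of current iptables-save output is assumed.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save` output (documentation address ranges).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.0.2.0/24 -o eth0 -j SNAT --to-source 192.0.2.1
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING ! -s 192.0.2.20/32 -o eth1 -j SNAT --to-source 198.51.100.7
-A PREROUTING -d 192.0.2.1/32 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.5
COMMIT
*filter
-A INPUT -s 192.0.2.20/32 -j ACCEPT
COMMIT
"""

def source_rewrites(dump, addr):
    """Return (rule, new_source) for nat POSTROUTING rules that rewrite addr."""
    ip = ipaddress.ip_address(addr)
    table, hits = None, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*nat", "*filter": start of a table
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A POSTROUTING"):
            continue
        tok = shlex.split(line)
        target = tok[tok.index("-j") + 1] if "-j" in tok else None
        if target not in ("SNAT", "MASQUERADE"):
            continue
        covered = True                    # no -s match: rule applies to every source
        if "-s" in tok:
            i = tok.index("-s")
            net = ipaddress.ip_network(tok[i + 1], strict=False)
            covered = (ip in net) != (tok[i - 1] == "!")   # honour "! -s" negation
        if covered:
            has_to = "--to-source" in tok
            # MASQUERADE has no --to-source: it uses the outgoing interface's address.
            new = tok[tok.index("--to-source") + 1] if has_to else "outgoing interface address"
            hits.append((line, new))
    return hits

if __name__ == "__main__":
    for rule, new in source_rewrites(SAMPLE, "192.0.2.20"):   # constructed vserver IP
        print(f"source rewritten to {new}: {rule}")
```

On a live host the dump would come from `iptables-save` run as root; other match options on a reported rule (`-o`, `-d`, `-p`) still decide whether it fires for a particular connection.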

Generated on Wed 28 Apr 2004 - 18:35:36 BST by hypermail 2.1.3