On Saturday 12 August 2006 09:14, Bob Predaina wrote:
> Even though the guest server's ifconfig information
> shows binding to the correct ethernet adapter and IP
> address (eth1:192.168.18.252), it appears that they
> are responding to incoming traffic on
> eth1:192.168.18.252, but their outgoing traffic is
> actually going out through eth0:192.168.18.251. There
> is no isolation of the network interfaces.
>
> Can anyone explain this, or how to fix the problem so
> that the processes are bound to the correct NIC
> interface and don't use an unauthorized NIC interface?
> My ultimate goal is to bind the guest servers to the
> NIC that exists in the appropriate firewall zone.
>
When using the IP addresses of your interfaces on the host,
does the traffic always get output through the correct
interface?
A few notes on how vserver networking works:
- Isolation is done at the IP level; routing is always done by
the kernel/host.
- When a guest issues a connection without specifying a source
address, the kernel tries to find the best match, but there are
some cases when it selects an IP address not assigned to
the guest.
- linux-vserver does not care about interfaces except when
listing them (ifconfig, ip link list, /proc/...), where
those having no address visible to the guest are hidden.
A good way to check whether your traffic gets routed through the
correct interface in the best case is:
Inside the guest, issue a test connection (e.g. with netcat)
specifying the source and target address
nc -s 192.168.18.252 192.168.18.123 80
and check that the given connection goes out on the right
interface.
If the check above is successful, then try again without
the -s <src addr> option to netcat, and you will possibly
have the traffic leaving with the wrong source address/interface.
Setting up the interfaces in a different order can alter the
routing selection (and thereby the interface used).
Your issue may possibly go away if you set non-overlapping
subnets on the 3 interfaces or set the IP addresses with a
255.255.255.255 netmask. I'm not sure I understand the kernel's
workflow for source address selection yet...
Maybe Herbert can tell you more on this.
If the source address is correct, you can just blame the Linux
kernel and try to prevent the packets from getting out through
the wrong interface by using IPTables...
Having context-tag matching support in IPTables would be nice,
but that's only future dreams as far as I know.
Regards,
Bruno
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Sat Aug 12 22:43:28 2006
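The check Bruno describes (does a connection from the guest's address leave on the expected interface?) and the remark about overlapping subnets can be scripted on the host. The following shell script is an added example written for this page; it is not code from the thread or from the linux-vserver project. It parses the first line of `ip route get` output (the real iproute2 format, e.g. `192.168.18.123 dev eth1 src 192.168.18.252 uid 0`) to find the interface and source address the kernel chose, and it tests whether two CIDR prefixes overlap. The function names, the `GOOD_LINE`/`BAD_LINE` sample lines and the addresses reused from the thread are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): check which interface and source
# address the kernel picks, and whether two interface prefixes overlap.

# Print the interface named after "dev" in one line of `ip route get` output.
route_dev() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Print the source address: "src" when the kernel chose it, or "from" when
# the caller pinned it (ip route get DST from SRC).
route_src() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src" || $i == "from") { print $(i+1); exit } }'
}

# check_route ROUTE_LINE WANT_DEV WANT_SRC
# Returns 0 when the route line uses the wanted interface and source
# address; otherwise prints the mismatch on stderr and returns 1.
check_route() {
  line=$1; want_dev=$2; want_src=$3
  dev=$(route_dev "$line"); src=$(route_src "$line")
  if [ "$dev" = "$want_dev" ] && [ "$src" = "$want_src" ]; then
    return 0
  fi
  echo "MISMATCH: dev=$dev (want $want_dev) src=$src (want $want_src)" >&2
  return 1
}

# cidr_overlap A/LEN B/LEN
# Returns 0 when the two prefixes share at least one address, 1 otherwise.
# Two prefixes overlap exactly when they agree on the shorter prefix length.
# Arithmetic is done with division because POSIX awk has no bit operators.
cidr_overlap() {
  awk -v a="$1" -v b="$2" '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function netof(ip, len,  blk) { blk = 2^(32 - len); return int(ip / blk) * blk }
    BEGIN {
      split(a, pa, "/"); split(b, pb, "/")
      len = (pa[2] + 0 < pb[2] + 0) ? pa[2] + 0 : pb[2] + 0
      exit (netof(ip2int(pa[1]), len) == netof(ip2int(pb[1]), len)) ? 0 : 1
    }'
}

# Constructed sample lines standing in for `ip route get` output on the host.
# GOOD_LINE: traffic to .123 leaves eth1 with the guest's own address.
# BAD_LINE:  the kernel picked eth0 and the host's other address instead.
GOOD_LINE='192.168.18.123 dev eth1 src 192.168.18.252 uid 0'
BAD_LINE='192.168.18.123 dev eth0 src 192.168.18.251 uid 0'

# Live usage on a host (needs a routing table; the first line is the route):
#   check_route "$(ip route get 192.168.18.123 from 192.168.18.252 | head -n1)" eth1 192.168.18.252
#   cidr_overlap 192.168.18.251/24 192.168.18.252/24 && echo "eth0 and eth1 prefixes overlap"
```

The two calls in the usage comment mirror Bruno's two suggestions: the first asks the kernel which interface it would use for the pinned source address (the scripted form of the `nc -s` test), and the second reports that two /24 aliases on the same subnet overlap, which is the condition under which source address selection can wander to the other interface; with /32 addresses the same call reports no overlap.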