Re: [Vserver] Multiple NICs, Multiple Networks; Revisited 2

From: Bruno <bonbons67_at_internet.lu>
Date: Sat 12 Aug 2006 - 22:43:02 BST
Message-Id: <200608122343.03703.bonbons67@internet.lu>

On Saturday 12 August 2006 09:14, Bob Predaina wrote:
> Even though the guest server's ifconfig information
> shows binding to the correct ethernet adapter and IP
> address (eth1:192.168.18.252), it appears that they
> are responding to incoming traffic on
> eth1:192.168.18.252, but their outgoing traffic is
> actually going out through eth0:192.168.18.251. there
> is no isolation of the network interfaces.
>
> Can anyone explain this, or how to fix the problem so
> that the processes are bound to the correct NIC
> interface and don't use an unauthorized NIC interface?
> My ultimate goal is to bind the guest servers to the
> NIC that exists in the appropriate firewall zone.
>

When using the IP addresses of your interfaces on the host,
does the traffic always get output through the correct
interface?

A few notes on how vserver networking works:
- isolation is done at IP level, routing is always done by
  the kernel/host.
- when a guest issues a connection without specifying source
  address the kernel tries to find best match but there are
  some cases when it selects an IP address not assigned to
  the guest.
- linux-vserver does not care about interface except when
  listing them (ifconfig, ip link list, /proc/...) where
  those having no address visible to guest are hidden.

A good way to check if your traffic gets routed through the
correct interface in the best case is:

  Inside guest, issue test connection (e.g. with netcat)
  specifying source and target address
    nc -s 192.168.18.252 192.168.18.123 80
  and check that the given connection goes out on the right
  interface.

  If the check above is successful, then try again without
  the -s <src addr> option to netcat and you will possibly
  have the traffic leaving with wrong src address/interface.

Setting up the interfaces in different order can alter the
routing selection (and by that the interface used)

Your issue should possibly go away if you set non-overlapping
subnets on the 3 interfaces or set the IP addresses with
255.255.255.255 netmask. I'm not sure to understand kernel's
workflow for source address selection yet...

Maybe Herbert can tell you more on this.

If the source address is correct you can just blame the linux
kernel and try to prevent that the packets get out through
the wrong interface by using IPTables...
Having context-tag matching support in IPTables would be nice,
but that's only future dreams as far as I know.

Regards,
Bruno
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Sat Aug 12 22:43:28 2006

[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Sat 12 Aug 2006 - 22:43:33 BST by hypermail 2.1.8