On Tue, Aug 07, 2007 at 11:04:28PM +0200, Thomas Weber wrote:
> On Tuesday, 07.08.2007, 12:05 +0200, Rik Bobbaers wrote:
> > i don't know if this will work but...
> >
> > if you make a routing table for each ip of a virtual server, with routes
> > to your gateway, wouldn't that work?
> > in /etc/rt_tables:
> > 100 vs1
> > 101 vs2
> > etc...
> >
> > and then for each table, a different/same route:
> > ip route add <hostip>/32 dev $IF table vs1
> > ip route add default via $GW dev $IF table vs1
> > ip rule add from $IP/32 table vs1 pref 1000
> >
> > something like that? (i made sort of the same routing stuff, but i want
> > only 1 route for each subnet ;))
>
> That was like the first thing i've tried. Routing to anything that's
> not locally hosted works just fine. But once you try to reach another
> vserver on another subnet that happens to be hosted on the same host
> it will route internally and not hit the wire at all - which is bad
which is actually quite good, as it avoids flooding
the net (even a local network) with unnecessary
packets ...
> and actually makes vservers unusable if you want to move vservers among
> different hosts.
why do you think so? at least exactly this setup
works perfectly fine here ...
> Firewalling between the vserver clients for example is not manageable.
you just make the firewall rules for ethX _and_ lo
and you are perfectly fine, wherever the guest is
> IDS would be another issue.
assuming that IDS stands for Intrusion-Detection System
what problem do you see with that?
best,
Herbert
> Tom
Received on Wed Aug 8 00:48:14 2007
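The setup discussed above (one routing table per guest address selected by a source-based rule, and firewall rules applied on the external interface and on lo alike, since traffic between two guests on the same host is delivered locally and never reaches the wire) as an added shell example. It is not code from the thread or from the Linux-VServer project; the rt_tables path, the interface name eth0, the table ids and the RFC 5737 test addresses are assumptions chosen for the example, and DRY_RUN=1 prints the commands instead of executing them, which would otherwise need root.

```bash
#!/bin/bash
# Added example, not from the original thread. Per-guest policy routing plus
# host firewall rules on both the external interface and lo. All names and
# addresses below are constructed for illustration.

RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}   # assumed location of rt_tables

# run CMD...: execute, or print when DRY_RUN=1 (no root needed to inspect)
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# register_table NAME ID: add "ID NAME" to rt_tables unless already present
register_table() {
    name=$1 id=$2
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'echo "%s %s" >> %s\n' "$id" "$name" "$RT_TABLES"
        return 0
    fi
    grep -qE "^[[:space:]]*[0-9]+[[:space:]]+$name\$" "$RT_TABLES" 2>/dev/null \
        || printf '%s %s\n' "$id" "$name" >> "$RT_TABLES"
}

# setup_vserver_routing NAME ID IP IFACE GW
# One table per guest: a host route for the guest's own address, a default
# route via the gateway, and a rule that selects the table by source address.
setup_vserver_routing() {
    name=$1 id=$2 ip=$3 iface=$4 gw=$5
    register_table "$name" "$id"
    run ip route add "$ip/32" dev "$iface" table "$name"
    run ip route add default via "$gw" dev "$iface" table "$name"
    run ip rule add from "$ip/32" table "$name" pref 1000
}

# setup_vserver_firewall IP IFACE
# The same rules are installed for the external interface and for lo, so the
# policy holds whether the peer guest lives on another host or on this one
# (in which case the packets arrive via lo and never hit the wire).
setup_vserver_firewall() {
    ip=$1 iface=$2
    for dev in "$iface" lo; do
        run iptables -A INPUT -i "$dev" -d "$ip" -p tcp --dport 22 -j ACCEPT
        run iptables -A INPUT -i "$dev" -d "$ip" -j DROP
    done
}

# Demo: VS_DEMO=1 prints the commands for two constructed guests on eth0.
if [ "${VS_DEMO:-0}" = "1" ]; then
    DRY_RUN=1 setup_vserver_routing vs1 100 192.0.2.10 eth0 192.0.2.1
    DRY_RUN=1 setup_vserver_routing vs2 101 198.51.100.10 eth0 198.51.100.1
    DRY_RUN=1 setup_vserver_firewall 192.0.2.10 eth0
fi
```

Run it with `VS_DEMO=1 DRY_RUN=1 bash script.sh` to review the generated commands before applying them on a host; the firewall function is deliberately restrictive (it accepts only ssh to the guest address) so that the lo rules visibly mirror the eth0 rules.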