
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Mon 05 Sep 2005 - 07:07:59 BST


On Sun, Sep 04, 2005 at 10:50:06PM -0700, Hilco Wijbenga wrote:
> Hi all,
>
> I've looked through the mailing list archives but couldn't find
> anything that appeared to explain the problem I'm having. I found a
> few references to a setup similar to mine but without the details.
> Maybe it's too simple? :-) Anyway, if the following has already been
> asked/answered I would really appreciate a link.
>
> I have a host with 2 network cards. Eth0 is my LAN and eth1 is the
> internet. This host functions as the gateway between my LAN and the
> internet. Using Firehol I've been able to set up a firewall and
> everything seems to be working, i.e. I can access the internet from
> the LAN.
>
> On the host I've set up a vserver (with more to follow). This vserver
> works properly (as far as I can tell) and I can SSH into it from the
> LAN. I can successfully ping the vserver from the LAN and vice versa.
> Note that the vserver only has eth0 (the LAN) as I didn't want it to
> directly connect to the internet (eth1). I thought I could handle that
> in the firewall?
>
> What doesn't work is accessing anything on the internet from the
> vserver. I'm having a hard time determining what the problem is. Is it
> the firewall? Or my routing table? Or should the vserver have an eth1
> as well, just like the host?
>
> /etc/firehol/firehol.conf: (on the host)
> version 5
> interface eth0+ intranet
> policy accept
> interface eth1 internet
> client all accept
> router intranet2internet inface eth0+ outface eth1
> masquerade
> route all accept
>
> ip route show: (on the host; A.B.C is the LAN and X.Y.Z is the internet)
> A.B.C.0/24 dev eth0 proto kernel scope link src A.B.C.1
> X.Y.Z.0/22 dev eth1 scope link
> 127.0.0.0/8 dev lo scope link
> default via X.Y.Z.1 dev eth1
>
> ip route show: (on the vserver)
> A.B.C.0/24 dev eth0 proto kernel scope link src A.B.C.1
> X.Y.Z.0/22 dev if3 scope link
> 127.0.0.0/8 dev if1 scope link
> default via X.Y.Z.1 dev if3
>
> One thing that strikes me as peculiar is the 'if3' in the 'ip route
> show' output for the vserver. Looks like the default gateway is wrong.
> Is that my problem? How would I solve it? I can't remove it in the
> vserver (right?) and removing it on the host has rather unpleasant
> consequences (i.e. no more internet access).

your problem is that the guest sends packets with
a source IP in the private range, but the host does
not SNAT them to the public IP (and masquerading does
not apply to host-generated packets)

verify that with 'tcpdump -vvnei eth1 icmp' on the
host and a 'ping -c 1 66.249.93.99' inside the guest

you can fix that with an SNAT rule like this:

iptables -t nat -I POSTROUTING -s A.B.C.1 -j SNAT --to X.Y.Z.W

HTH,
Herbert

> I'm running Gentoo GNU/Linux with the latest (on Gentoo) available 2.6
> (vserver capable) kernel.
>
> Thanks,
> Hilco
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
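The fix and the check Herbert describes, written out as an added example; this is not part of the original thread and not code from the vserver or FireHOL projects. It assumes the guest's LAN address is A.B.C.1 (as in Herbert's rule), that eth1 is the internet interface and X.Y.Z.W the host's public address on it, and the file name snat-fix.sh is hypothetical; the iptables-save text inside is constructed for the check, not captured from a real host. One deliberate difference from the one-liner above: the rule is limited to packets leaving on eth1.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values (replace them):
# the guest's LAN address is A.B.C.1 as in Herbert's rule, the host's public
# address on eth1 is X.Y.Z.W, and eth1 is the internet-facing interface.
GUEST_IP="${GUEST_IP:-A.B.C.1}"
PUBLIC_IP="${PUBLIC_IP:-X.Y.Z.W}"
WAN_IF="${WAN_IF:-eth1}"

# Build the SNAT command. Two differences from the one-liner in the reply:
# "-o <wan_if>" limits the rewrite to packets that actually leave on the
# internet interface (without it, new connections from the guest to LAN
# hosts out eth0 would also be rewritten, so LAN hosts would see the guest
# as the public address), and the /32 mask makes the match one host rather
# than a network.
# usage: snat_rule GUEST_IP WAN_IF PUBLIC_IP
snat_rule() {
    printf 'iptables -t nat -I POSTROUTING -s %s/32 -o %s -j SNAT --to-source %s\n' \
        "$1" "$2" "$3"
}

# Check text in `iptables-save -t nat` format for exactly that rule.
# Exit status 0 when a matching POSTROUTING entry is present, 1 otherwise.
# usage: snat_present "$(iptables-save -t nat)" GUEST_IP WAN_IF PUBLIC_IP
snat_present() {
    printf '%s\n' "$1" |
        grep -Fqx -- "-A POSTROUTING -s $2/32 -o $3 -j SNAT --to-source $4"
}

# Constructed sample of `iptables-save -t nat` output on a host where no
# SNAT rule for the guest exists yet (not captured from a real system).
SAVE_BEFORE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# The same constructed sample after the rule above has been inserted.
SAVE_AFTER='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s A.B.C.1/32 -o eth1 -j SNAT --to-source X.Y.Z.W
COMMIT'

# "show" prints the rule and the verification steps from the thread;
# "apply" (as root) inserts the rule and re-checks the live nat table.
case "${1:-}" in
    show)
        snat_rule "$GUEST_IP" "$WAN_IF" "$PUBLIC_IP"
        echo "# verify on the host:   tcpdump -vvnei $WAN_IF icmp"
        echo "# verify in the guest:  ping -c 1 66.249.93.99"
        echo "# after the fix the packets seen on $WAN_IF must carry src $PUBLIC_IP, not $GUEST_IP"
        ;;
    apply)
        eval "$(snat_rule "$GUEST_IP" "$WAN_IF" "$PUBLIC_IP")"
        if snat_present "$(iptables-save -t nat)" "$GUEST_IP" "$WAN_IF" "$PUBLIC_IP"; then
            echo "SNAT rule for $GUEST_IP via $WAN_IF is in place"
        else
            echo "SNAT rule not found after insertion" >&2
            exit 1
        fi
        ;;
esac
```

Run `sh snat-fix.sh show` to print the rule and the tcpdump/ping check, and `sh snat-fix.sh apply` as root to insert and verify it. One caveat: FireHOL rebuilds the nat table whenever it starts, so a rule inserted by hand is gone after the next `firehol start`; to make it permanent, express it with FireHOL's own snat helper in firehol.conf (something like `snat to X.Y.Z.W outface eth1 src A.B.C.1`) rather than with a bare iptables call.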


Generated on Mon 05 Sep 2005 - 07:08:23 BST by hypermail 2.1.3