Re: [Vserver] Multiple NICs, Multiple Networks; Revisited 2

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Tue 15 Aug 2006 - 01:09:38 BST
Message-ID: <20060815000938.GA13695@MAIL.13thfloor.at>

On Sat, Aug 12, 2006 at 12:14:54AM -0700, Bob Predaina wrote:
> I'm having a problem with a fresh Gentoo vServer
> installation, related to network separation. I've
> built my vServer with 3 NICs, each of which will be
> attached to a different network. For example, here's
> what I'm trying to do:
>
> eth0 -- only available to the vServer host, used
> exclusively for administrative access to the server
> from a local PC via SSH.
>
> eth1 -- only available to a VPS guest running Samba,
> to provide Samba services on an isolated private LAN
>
> eth2 -- only available to two VPS guests, one running
> VSFTPD and one running Apache. This interface will be
> placed in a DMZ by an external firewall.
>
> eth0, eth1, eth2 and lo are all up and running on the
> host. The host is using eth0. As a test setup I have
> installed two guest servers that will be using eth1.
> Both were created using the --interface
> eth1:192.168.18.252/24 parameter. The guests correctly
> report that they are using eth1 at 192.168.18.252.
>
> Even though the guest server's ifconfig information
> shows binding to the correct ethernet adapter and IP
> address (eth1:192.168.18.252), it appears that they
> are responding to incoming traffic on
> eth1:192.168.18.252, but their outgoing traffic is
> actually going out through eth0:192.168.18.251. There
> is no isolation of the network interfaces.
>
> Can anyone explain this, or how to fix the problem so
> that the processes are bound to the correct NIC
> interface and don't use an unauthorized NIC interface?

With proper settings (not Linux-VServer related)
you can configure a Linux machine to use more than
one gateway and, more importantly, send through the
proper interfaces with the assigned (primary) IPs
without producing crosstalk. The important hints here
are 'multiple routing tables' and 'reverse path filter'.

> My ultimate goal is to bind the guest servers to the
> NIC that exists in the appropriate firewall zone.
>
> FYI, here is a thread that summarized the problem in
> more detail:
>
> http://forums.gentoo.org/viewtopic-p-3495451.html#3495451
>
> I've searched this list's archives regarding this
> problem, and I found two relevant threads. The first
> one mentioned having found a solution that was going
> to be posted to the "recipes" page, but the recipes
> page shown in the hyperlink is blank. The second
> thread contained a discussion about this improper
> behavior and whether this default behavior should be
> changed, but there was no follow-up. It's not clear to
> me if this is an error or if this is how things are
> supposed to work.

> Any insights would be appreciated! Thanks!

Check out this:

http://archives.linux-vserver.org/200311/0470.html
http://list.linux-vserver.org/archive/vserver/msg06615.html
http://list.linux-vserver.org/archive/vserver/msg06631.html
http://list.linux-vserver.org/archive/vserver/msg06667.html

all linked from:

http://linux-vserver.org/Documentation

HTH,
Herbert

PS: If you still can't make it work (after giving it
a hard try), contact me on the IRC channel.

Received on Tue Aug 15 01:09:58 2006
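The policy-routing setup Herbert points at, written out as an added example (not from the thread or the Linux-VServer project): one routing table per interface, selected by source address, plus strict reverse-path filtering. The eth0/eth1 addresses are the ones from the original report (both in the same /24, which is why the kernel's single main table sends .252 traffic out eth0); the gateway, table numbers and the eth2 address are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-interface routing tables selected
# by source address, plus strict reverse-path filtering, so traffic sourced
# from each primary IP leaves (and must arrive) on its own NIC.
# Gateway, table numbers and the eth2 address are assumptions; the eth0 and
# eth1 addresses are the ones from the original report (both in one /24).
#
# Commands are printed for review unless APPLY=1 is set.

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# policy_route IFACE ADDR NET/PREFIX GATEWAY TABLE
# Gives one interface its own table: the connected subnet with a fixed
# preferred source, a default route via that NIC's gateway, and a rule that
# sends anything sourced from ADDR to the table. With two NICs on the same
# subnet, this is what stops replies from .252 leaving via eth0.
policy_route() {
    iface=$1; addr=$2; net=$3; gw=$4; table=$5
    run ip route add "$net" dev "$iface" src "$addr" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$addr" table "$table"
    # Strict reverse-path filter: a packet arriving on $iface whose source
    # would not be routed back out $iface is dropped, so crosstalk shows up
    # as drops instead of silently working over the wrong NIC.
    run sysctl -w "net.ipv4.conf.$iface.rp_filter=1"
}

# Layout from the report: host admin on eth0, Samba guest on eth1,
# DMZ guests on eth2 (eth2 values are constructed for this example).
configure_all() {
    policy_route eth0 192.168.18.251 192.168.18.0/24 192.168.18.1 100
    policy_route eth1 192.168.18.252 192.168.18.0/24 192.168.18.1 101
    policy_route eth2 10.0.0.10 10.0.0.0/24 10.0.0.1 102
}

configure_all
```

Run it once without APPLY to review the generated `ip`/`sysctl` commands, then with `APPLY=1` as root on the host; `ip route get 192.168.18.1 from 192.168.18.252` should then report eth1.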
