Re: [Vserver] having a routing problem from guests

From: Chuck <chuck_at_sbbsnet.net>
Date: Fri 29 Sep 2006 - 16:53:54 BST
Message-Id: <200609291153.54550.chuck@sbbsnet.net>

On Friday 29 September 2006 11:48, Roderick A. Anderson wrote:

Looks like you are doing what I did in the beginning: using ifconfig. It won't
work. You must install iproute2 and use the rules and tables in order for it
to work.

My config is similar to what would be needed for iproute statements to make 3
or 4 or more NICs work in one machine.

> Taking this a step further I'm trying to do something similar and
> getting _strange_ results. Using totally fake IPs here is what I'm
> trying to set up. ( As typing this I see Chuck just posted to the
> thread with similar information. )
>
> Host system with three NICs: eth0, eth1, eth2. Fedora Core 5 and all
> guests are FC5 using Daniel's excellent RPMs and was just updated this AM.
>
>
> eth0 is connected to a switch/router for one up-stream provider and has
> a block of 16 addresses designated for it: 123.45.67.192/28.
>
> eth1 is connected to different switch/router for a different upstream
> provider with a block of 16 addresses designated for it: 98.76.54.192/28.
>
> eth2 is connected to a switch which is the private in-house network for
> connection to the backup server, fileserver, and other non-public
> resources and can use any address in the 192.168.254.0/24 network. It
> currently isn't configured or activated. I'll cross that bridge later.
>
>
> I've configured four guests so far. Three use the eth0 connection and
> one uses the eth1.
>
> I have created two files in /etc/sysconfig/network-scripts:
>
> route-eth0
> route-eth1
>
> They are using what I think is the current ( Redhat approved ) format.
>
> GATEWAY0=123.45.67.1
> NETMASK0=255.255.255.240
> ADDRESS0=123.45.67.192
>
> and
>
> GATEWAY1=98.76.54.1
> NETMASK1=255.255.255.240
> ADDRESS1=98.76.54.192
>
> I have assigned the IPs 123.45.67.193 and 98.76.54.193 to the two NICs
> for the host to use. ( Enforcement of the classless subnet isn't being
> enforced as the company the server is at has the full C Class for both
> IP ranges -- they're an ISP. )
>
> ifcfg-eth0 contains:
>
> DEVICE=eth0
> BOOTPROTO=static
> BROADCAST=66.193.36.255
> HWADDR=00:00:00:00:00:00 # faked up
> IPADDR=123.45.67.193
> NETMASK=255.255.255.0
> NETWORK=123.45.67.0
> ONBOOT=yes
>
> and ifcfg-eth1 contains:
>
> DEVICE=eth1
> BOOTPROTO=static
> HWADDR=01:01:01:01:01:01 # faked up
> BROADCAST=98.76.54.255
> IPADDR=98.76.54.193
> NETMASK=255.255.255.240
> NETWORK=98.76.54.192
> ONBOOT=yes
>
> Lastly iptables is pretty open.
>
> The problem is that though I can ping from a different network to both
> of the host's two IPs and I can ping out from the three guests that use
> eth0 and I can ping the eth1 guest from an eth0 guest, I can't ping from
> the eth1 guest to the outside world. The cursor just sits there
> blinking at me. #$%^&* computers. :-)
>
> All the guests were created using the same set of commands with only the
> contexts, IPs, interface etc. different.
>
> So I'm hoping it is just something really stupid or overlooked on my part.
>
> Hope this is hijacking the thread too much.
>
>
> Rod
> --
>
> Herbert Poetzl wrote:
> > On Thu, Sep 28, 2006 at 07:35:09PM -0400, Chuck wrote:
> >
> >>my 32 net guests cannot contact outside 39 net machines on our same
> >>network. they can contact other 39 net guests on the same host.
> >>conversely, the external 39 net machine cannot contact any 32 net ip
> >>on the vserver host or any guest..
> >
> >
> > I assume you mean something like 10.32.0.x/24 and 10.39.0.y/24
> > here (well, at least it sounds like that is what you mean)
> >
> >
> >>the problem i had was when within a 32net guest if i ping a 39 net
> >>external host, it goes out our 39 net card to the external host gets
> >>answered and routed back into our host on 32net since the source ip
> >>header in the packet is 32 net and the system ignores it.
> >
> >
> > yes, by default, the host is allowed to choose any network
> > address which is assigned to an interface, the reverse path
> > filter basically blocks packets which could not have originated
> > from that interface, because it does not hold that ip
> >
> >
> >>setting below to 0 cures that.
> >
> >
> > so, what you basically did, is to allow the packets to leave
> > the interfaces with an ip from a different interface/routing
> > too (which is harmless, but probably not what you actually
> > wanted)
> >
> >
> >>am i doing something extremely stupid by disabling this or is it
> >>secure enough not to worry?
> >>
> >> we are protected by tons of acls in various routers plus a very
> >>strict iptables on the host.
> >
> >
> > the better approach would be to set up two routing tables,
> > (given that there are two nics/routes on the host), and
> > use source based routing to figure the proper interface
> >
> > but if that 'works for you' then it is no big deal, as I
> > said, it's usually off by default ...
> >
> > HTH,
> > Herbert
> >
> >
> >>i found below in sysctl.conf was set to 1. if i set it to 0 as shown
> >>everything works properly..
> >>
> >># Enables source route verification. 0 disables
> >>net.ipv4.conf.default.rp_filter = 0
> >>
> >>--
> >>
> >>Chuck
> >>
>

-- 
Chuck
"...and the hordes of M$*ft users descended upon me in their anger,
and asked 'Why do you not get the viruses or the BlueScreensOfDeath
or insecure system troubles and slowness or pay through the nose 
for an OS as *we* do?!!', and I answered...'I use Linux'. "
The Book of John, chapter 1, page 1, and end of book
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
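Added example, not Chuck's or Rod's own configuration: the two-table, source-based routing Herbert recommends, written for Rod's two-uplink host with the thread's fake addresses. Table ids 10/11, the rule priorities and the DRY_RUN switch (print instead of execute) are my assumptions.

```shell
#!/bin/sh
# Policy routing for a host with two upstream providers, one per NIC.
# Addresses are the constructed sample values from the thread.
set -eu

ETH0_NET=123.45.67.192/28; ETH0_IP=123.45.67.193; ETH0_GW=123.45.67.1
ETH1_NET=98.76.54.192/28;  ETH1_IP=98.76.54.193;  ETH1_GW=98.76.54.1

# DRY_RUN=1 (default) prints each iproute2 command; DRY_RUN=0 runs it as root.
emit() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# $1=table id  $2=device  $3=provider block  $4=host ip  $5=provider gateway
uplink_table() {
  # Own connected route and own default gateway, kept in a private table.
  emit ip route add "$3" dev "$2" src "$4" table "$1"
  emit ip route add default via "$5" dev "$2" table "$1"
  # Any packet sourced from this provider's block (host alias or guest IP)
  # is routed by that table, so it leaves via the matching NIC and gateway.
  emit ip rule add from "$3" table "$1" priority "$((100 + $1))"
}

policy_routing() {
  uplink_table 10 eth0 "$ETH0_NET" "$ETH0_IP" "$ETH0_GW"
  uplink_table 11 eth1 "$ETH1_NET" "$ETH1_IP" "$ETH1_GW"
  # The main table keeps one default for traffic that matches no rule.
  emit ip route replace default via "$ETH0_GW" dev eth0
  emit ip route flush cache
}

# With per-source tables the reverse-path check passes, so rp_filter can
# stay at 1; this just reports the current per-interface setting.
rp_filter_check() {
  for d in eth0 eth1; do
    f=/proc/sys/net/ipv4/conf/$d/rp_filter
    [ -r "$f" ] && echo "$d rp_filter=$(cat "$f")"
  done
  return 0
}
```

Guest IPs added as aliases (ip addr add 98.76.54.194/28 dev eth1) fall under the from-rule for their block, which is what makes the eth1 guest's replies leave through the eth1 provider instead of the main-table default.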
Received on Fri Sep 29 16:54:46 2006
Generated on Fri 29 Sep 2006 - 16:54:52 BST by hypermail 2.1.8