Re: [vserver] VServer with Host as Gateway

From: Nikolay Kichukov <hijacker_at_oldum.net>
Date: Wed 24 Oct 2007 - 11:57:55 BST
Message-ID: <471F2533.5070303@oldum.net>


Hello,
Just a quick read of the problem brought me to those 3 lines:

iptables -P FORWARD DROP
iptables -A FORWARD -i ${LAN} -s 10.50.50.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 10.50.50.0/255.255.255.0 -j ACCEPT

What if you skip the -i option?

Packets that originate from the guest normally come out from the
loopback interface of the host.

HTH,
-Nik

Stuart Lester wrote:
> Ladies and Gentlemen,
> I've spent the better part of the last 3 work days poring over how to do
> what I'm about to ask. I feel that I'm a fairly strong admin, but this task
> has certainly revealed my weakness -- advanced routing!
> I've gone over the site docs, faqs, mailing lists, and spoken with some
> helpful people on the IRC channels, but to no avail.
>
> My situation is this. I'm trying to get together a Linux gateway that will
> also contain one or more vservers (so far just one). This gateway will go
> in front of our local network and interface with the external WAN on eth0,
> and will serve as the gateway for the LAN on eth1. This part I have working
> just fine. The problem is when I try to add a vserver guest into the mix.
>
> I-Net
> |
> Cable Modem
> |
> Linksys Router (will go away eventually)
> 192.168.100.1
> |
> 192.168.100.x subnet
> |
> eth0/192.168.100.254
> Gateway/VServer Host
> eth1/10.50.50.1
> |
> 10.50.50.x subnet --- PCs and such
> |
> eth1/10.50.50.10
> VServer Guest
>
> From a PC on the 10.50.50.x subnet, I can ping the WAN, the Gateway/Host
> (10.50.50.1), and the Guest (10.50.50.10)
>
> From the Gateway/Host, I can ping the local IP (10.50.50.1), the Guest
> (10.50.50.10), the PC on the LAN, and the WAN
>
> From the Vserver/Guest, I can ping the local IP (10.50.50.10), the
> Gateway/Host (10.50.50.1), and the local PC, but NOT anything outside of the
> 10.50.50.x subnet:
> GUEST ~ # ping 192.168.100.1
> connect: Invalid argument
>
> I'm fairly convinced that I need to set up some routes/rules with alternate
> tables, but I've been wholly unsuccessful in this endeavor. My most recent
> (and promising) lead was this mailing list message:
> http://archives.linux-vserver.org/200704/0030.html
> I have also tried: http://archives.linux-vserver.org/200311/0470.html
>
> Unfortunately, however, I believe that isn't quite the same setup as I am
> trying to have the host be a gateway rather than just have two different
> NICs.
>
> Finally, here is my (gentoo) network config:
>
> # /etc/conf.d/net
> config_eth0=( "192.168.100.254/24" )
> config_eth1=(
> "10.50.50.1/24"
> "10.50.50.10/24"
> )
> routes_eth0=( "192.168.100.0/24 src 192.168.100.254 table 192net1")
> routes_eth1=( "10.50.50.0/24 src 10.50.50.10 table 192net2")
> routes_eth1=( "10.50.50.0/24 src 10.50.50.1 table 192net2")
> routes_eth0=( "default via 192.168.100.1 table 192net1" )
> routes_eth1=( "default via 10.50.50.1 table 192net2" )
> routes_eth0=( "default via 192.168.100.1" )
> rules_eth0=( "from 192.168.100.0/24 table 192net1")
> rules_eth1=( "from 10.50.50.0/24 table 192net2" )
>
> #/root/bin/iptables.sh
> export LAN=eth1
> export WAN=eth0
> iptables -F
> iptables -t nat -F
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
> iptables -A FORWARD -i ${LAN} -s 10.50.50.0/255.255.255.0 -j ACCEPT
> iptables -A FORWARD -i ${WAN} -d 10.50.50.0/255.255.255.0 -j ACCEPT
> iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
> /etc/init.d/iptables save
>
> I'm going a little bit batty trying to get this working...I think I'm close,
> but this is just an odd/nonstandard config. Please, any assistance you can
> offer would be wonderful.
>
> Stu
>
Received on Wed Oct 24 12:00:55 2007
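To make Nik's point concrete, here is an added example (not code from the thread) that models the quoted FORWARD chain as a small Python matcher and compares three variants: the rules as posted, Nik's version with -i dropped, and a tighter variant (my own assumption, not proposed in the thread) that keeps -i and adds an explicit rule for lo, the interface Nik says guest-originated packets appear on. The packets are constructed test inputs.

```python
import ipaddress

LAN, WAN = "eth1", "eth0"
LAN_NET = "10.50.50.0/24"


def rule(in_iface=None, src=None, dst=None, target="ACCEPT"):
    """One FORWARD rule: optional -i, -s, -d match and a target."""
    return {
        "in": in_iface,
        "src": ipaddress.ip_network(src) if src else None,
        "dst": ipaddress.ip_network(dst) if dst else None,
        "target": target,
    }


# The two ACCEPT rules exactly as posted in iptables.sh (policy DROP).
FORWARD_AS_POSTED = [
    rule(in_iface=LAN, src=LAN_NET),
    rule(in_iface=WAN, dst=LAN_NET),
]

# Nik's suggestion: skip -i. The source/destination match now applies to
# packets arriving on any interface, lo included.
FORWARD_NO_IFACE = [
    rule(src=LAN_NET),
    rule(dst=LAN_NET),
]

# Assumed tighter alternative: keep the interface binding and add lo
# explicitly, so a LAN source address is only accepted on LAN or loopback.
FORWARD_WITH_LO = [
    rule(in_iface=LAN, src=LAN_NET),
    rule(in_iface="lo", src=LAN_NET),
    rule(in_iface=WAN, dst=LAN_NET),
]


def forward_verdict(chain, in_iface, src, dst, policy="DROP"):
    """First matching rule wins; fall back to the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain:
        if r["in"] is not None and r["in"] != in_iface:
            continue
        if r["src"] is not None and s not in r["src"]:
            continue
        if r["dst"] is not None and d not in r["dst"]:
            continue
        return r["target"]
    return policy


# Constructed packets: the guest reaching the WAN via lo (Nik's case), and a
# packet arriving on the WAN side that carries a LAN source address.
GUEST_TO_WAN = ("lo", "10.50.50.10", "192.168.100.1")
LAN_SOURCE_ON_WAN = (WAN, "10.50.50.77", "192.168.100.1")
```

The lo variant accepts the guest's packets like Nik's version does, while still dropping a LAN-addressed source that shows up on eth0, which the -i-less rules would forward.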
