Re: [vserver] VServer with Host as Gateway

From: Daniel Hokka Zakrisson <daniel_at_hozac.com>
Date: Wed 24 Oct 2007 - 20:23:16 BST
Message-ID: <471F9BA4.8090907@hozac.com>

Stuart Lester wrote:
> Ladies and Gentlemen,
> I've spent the better part of the last 3 work days poring over how to do
> what I'm about to ask. I feel that I'm a fairly strong admin, but this task
> has certainly revealed my weakness -- advanced routing!
> I've gone over the site docs, faqs, mailing lists, and spoken with some
> helpful people on the IRC channels, but to no avail.
>
> My situation is this. I'm trying to get together a Linux gateway that will
> also contain one or more vservers (so far just one). This gateway will go
> in front of our local network and interface with the external WAN on eth0,
> and will serve as the gateway for the LAN on eth1. This part I have working
> just fine. The problem is when I try to add a vserver guest into the mix.
>
> I-Net
> |
> Cable Modem
> |
> Linksys Router (will go away eventually)
> 192.168.100.1
> |
> 192.168.100.x subnet
> |
> eth0/192.168.100.254
> Gateway/VServer Host
> eth1/10.50.50.1
> |
> 10.50.50.x subnet --- PC's and such
> |
> eth1/10.50.50.10
> VServer Guest
>
> From a PC on the 10.50.50.x subnet, I can ping the WAN, the Gateway/Host (
> 10.50.50.1), and the Guest (10.50.50.10)
>
> From the Gateway/Host, I can ping the local IP (10.50.50.1), the Guest (
> 10.50.50.10), the PC on the LAN, and the WAN
>
> From the Vserver/Guest, I can ping the local IP (10.50.50.10), the
> Gateway/Host (10.50.50.1), and the local PC, but NOT anything outside of the
> 10.50.50.x subnet:
> GUEST ~ # ping 192.168.100.1
> connect: Invalid argument
>
> I'm fairly convinced that I need to set up some routes/rules with alternate
> tables, but I've been wholly unsuccessful in this endeavor. My most recent
> (and promising) lead was this mailing list message:
> http://archives.linux-vserver.org/200704/0030.html
> I have also tried: http://archives.linux-vserver.org/200311/0470.html
>
> Unfortunately, however, I believe that isn't quite the same setup as I am
> trying to have the host be a gateway rather than just have two different
> NICs.
>
> Finally, here is my (gentoo) network config:
>
> # /etc/conf.d/net
> config_eth0=( "192.168.100.254/24" )
> config_eth1=(
> "10.50.50.1/24"
> "10.50.50.10/24"
> )
> routes_eth0=( "192.168.100.0/24 src 192.168.100.254 table 192net1")
> routes_eth1=( "10.50.50.0/24 src 10.50.50.10 table 192net2")
> routes_eth1=( "10.50.50.0/24 src 10.50.50.1 table 192net2")
> routes_eth0=( "default via 192.168.100.1 table 192net1" )
> routes_eth1=( "default via 10.50.50.1 table 192net2" )
> routes_eth0=( "default via 192.168.100.1" )
> rules_eth0=( "from 192.168.100.0/24 table 192net1")
> rules_eth1=( "from 10.50.50.0/24 table 192net2"

I assume this is not the config that kind of works, since you're missing
a ) on the last line, and any traffic would get stuck in a loop. For the
kind of setup you're interested in, you really shouldn't need to do
anything special with regard to the routing, so just removing those
routes and rules should make everything behave...

> #/root/bin/iptables.sh
> export LAN=eth1
> export WAN=eth0
> iptables -F
> iptables -t nat -F
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
> iptables -A FORWARD -i ${LAN} -s 10.50.50.0/255.255.255.0 -j ACCEPT
> iptables -A FORWARD -i ${WAN} -d 10.50.50.0/255.255.255.0 -j ACCEPT
> iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

... assuming this actually works for locally generated packets on your
kernel. Just to rule it out, try changing it to -j SNAT --to 192.168.100.254

> /etc/init.d/iptables save
>
> I'm going a little bit batty trying to get this working...I think I'm close,
> but this is just an odd/nonstandard config. Please, any assistance you can
> offer would be wonderful.
>
> Stu
>

-- 
Daniel Hokka Zakrisson
Received on Wed Oct 24 20:24:09 2007
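The two problems Daniel points out in the quoted /etc/conf.d/net (the missing `)` on the last line, and routes/rules that send LAN-sourced traffic back to the host's own 10.50.50.1 address) can be caught mechanically before the file is sourced. The lint below is an added example, not code from the thread or the vserver project; `lint_net_conf`, the finding kinds and the embedded copy of the posted config are assumptions of this example. It also flags a third defect in the same file: each `routes_ethN=( ... )` line reassigns the whole bash array, so only the last assignment per interface survives.

```python
import re

# Constructed sample: the routes/rules part of the quoted /etc/conf.d/net, as posted.
SAMPLE_CONF = """\
config_eth0=( "192.168.100.254/24" )
config_eth1=(
"10.50.50.1/24"
"10.50.50.10/24"
)
routes_eth0=( "192.168.100.0/24 src 192.168.100.254 table 192net1")
routes_eth1=( "10.50.50.0/24 src 10.50.50.10 table 192net2")
routes_eth1=( "10.50.50.0/24 src 10.50.50.1 table 192net2")
routes_eth0=( "default via 192.168.100.1 table 192net1" )
routes_eth1=( "default via 10.50.50.1 table 192net2" )
routes_eth0=( "default via 192.168.100.1" )
rules_eth0=( "from 192.168.100.0/24 table 192net1")
rules_eth1=( "from 10.50.50.0/24 table 192net2"
"""
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def lint_net_conf(text):
    """Return findings as (kind, line_number, detail) tuples; [] means clean."""
    findings, first_seen, local_ips, in_config = [], {}, set(), False
    lines = text.splitlines()
    for lineno, line in enumerate(lines, 1):
        m = re.match(r"^(\w+)=\(", line)
        if m:  # start of a bash array assignment
            name = m.group(1)
            if name in first_seen:  # bash keeps only the last assignment
                findings.append(("reassigned", lineno,
                                 f"{name} already set on line {first_seen[name]}"))
            first_seen.setdefault(name, lineno)
            in_config = name.startswith("config_")
        if in_config:  # collect the host's own addresses from config_*
            local_ips.update(IP_RE.findall(line))
            in_config = ")" not in line
    for lineno, line in enumerate(lines, 1):
        via = re.search(r"default via (\S+)", line)
        if line.startswith("routes_") and via and via.group(1) in local_ips:
            findings.append(("self_gateway", lineno,
                             f"default via {via.group(1)} points at the host itself"))
    if text.count("(") != text.count(")"):
        findings.append(("unbalanced", len(lines), "unbalanced parentheses"))
    return findings
```

On the posted config this reports four reassignments, the self-pointing default route on line 10, and the unbalanced parentheses; a config with only `config_*` lines and a single default route via the real upstream router yields no findings.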
Generated on Wed 24 Oct 2007 - 20:24:17 BST by hypermail 2.1.8