Re: [vserver] Routing problem in Debian

From: Olivier BATARD <obatard_at_gmail.com>
Date: Thu 14 Jan 2010 - 20:19:26 GMT
Message-Id: <047F9051-ED71-4F2C-9FBC-AC6D14B7FE14@gmail.com>

Hi,

Thanks again, but I have a problem:

I've made two tables:

- rt1: one route, 192.168.2.0/24 dev eth1
- rt2: one route, 192.168.3.0/34 dev eth0

The rules have been made too:

0: from all lookup local
32764: from 192.168.3.0/24 lookup rt2
32765: from 192.168.2.0/24 lookup rt1

The main table is empty.

Works great, guests are isolated, but when I want to add a default route with:

ip route add default via 192.168.2.1 table rt1
or
ip route add 192.168.3.0/24 via 192.168.2.1 table rt1

I have the error:

RTNETLINK answers: No such process

Thanks for your help

On 12 Jan 2010 at 23:56, Laurent Spagnol wrote:

> Hi,
>
> Message from Olivier BATARD <obatard@gmail.com>:
>
>> Hello,
>>
>> We're trying to build a vserver infrastructure on Debian Lenny with
>> the following parameters:
>>
>> OS :
>>
>> - One host with the kernel 2.6.26 / Debian Lenny with the Debian tools
> The usage of the Lenny kernel is not a good idea.
>
>> - 3 guests, each one runs on a logical volume in reiserfs
>>
>> Network :
>>
>> - 2 VLANs, one for the LAN, one for the DMZ
>> - some guests' IPs are on the DMZ, some on the LAN
>> - on the hosts we have an /etc/interface with two interfaces with bonding
>> (balance-rr mode)
>> - VLANs have been set up in the network configuration; each guest interface
>> has bond0.vlan as its device.
>>
>>
>> Here's my problem,
>>
>> On a DMZ guest, when I run an ip route show, I see the routes of the host, so
>> a route to the LAN ...
> Linux-Vserver doesn't virtualize the network layer, so all the routes are seen by all the guests.
>
>> which is not good for security ...
> I think it's not really a problem. You can use iptables on the host side for isolating your networks.
>
>>
>> What is the best solution to isolate the guests and control routing? I
>> googled it and I found some answers using ip route with an alternate
>> table ...
> Sure. I use 802.1Q VLANs and alternate routing tables.
>
>> Is it the best and easiest solution now?
> In my opinion, it is the simplest and cleanest way to do that.
>
>> How can I set that up correctly in Debian?
> The solution is not specific to Debian.
>
> An example:
> vconfig add eth0 7
> ip rule add from 10.7.0.0/16 table 7
> ip route add 10.7.0.0/16 dev eth0.7 table 7
> ip route add default via 10.7.0.1 table 7
> echo eth0.7 > /etc/vservers/vs_7/interfaces/0/dev
> echo 10.7.0.2 > /etc/vservers/vs_7/interfaces/0/ip
>
> Google => "presentation-vserver.odp" for the full example.
>
> But the author has forgotten two details:
> - a routing table can be enabled only when at least one IP is available on the matching network
> - you must force "automatic promotion of secondary addresses to primary"
> echo "net.ipv4.conf.all.promote_secondaries=1">>/etc/sysctl.conf
>
> In fact, I wrote a script that handles routes during the start sequence of the Vservers.
>
> An example is available here:
> http://dokuwicri.univ-reims.fr/files/vs-tools2/vs-tools/scripts/
>
> You can get some ideas here for firewalling:
> http://dokuwicri.univ-reims.fr/wiki/doku.php?id=public:projets:vs-tools:configuration_du_firewall
> My old ugly scripts are available here:
> https://listes.univ-reims.fr/sympa/d_read/vs-tools/Sources/
> (http://dokuwicri.univ-reims.fr/wiki/doku.php?id=public:projets:vs-tools:start)
>
> Regards,
>
> L.S.
>
>> Thanks in advance ...
>
> --
> Laurent Spagnol
> Linux system administrator
>
> CRI - Université de Reims
>
> Campus du Moulin de la Housse
> BP 1039 - 51687 Reims cedex 2
>
> Tel: 03.26.91.88.32
> Fax: 03.26.91.31.87
>
Received on Thu Jan 14 20:27:14 2010
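The VLAN plus alternate-table recipe from Laurent's reply, with his two caveats applied in the order they require, as an added example that is not code from either poster nor from the vs-tools scripts. It prints the commands by default so they can be reviewed before running as root; VLAN 7 on eth0, 10.7.0.0/16, gateway 10.7.0.1, guest name vs_7 and the guest address 10.7.0.2 are assumed, illustrative values.

```shell
#!/bin/sh
# Added example: one isolated VLAN routing table for a guest, following the
# recipe in the reply with its two caveats applied in order. Not vs-tools code.
# Assumed values: VLAN 7 on eth0, 10.7.0.0/16, gateway 10.7.0.1, guest vs_7
# with the constructed address 10.7.0.2.
set -eu
DRY_RUN=${DRY_RUN:-1}   # 1: print the commands only; 0: execute them (as root)

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
put() {  # put VALUE FILE: write one util-vserver interface setting
    if [ "$DRY_RUN" = 1 ]; then printf 'echo %s > %s\n' "$1" "$2"
    else printf '%s\n' "$1" > "$2"; fi
}

# vlan_table GUEST VID PARENT NET/PREFIX GATEWAY GUEST_IP
vlan_table() {
    [ $# -eq 6 ] || { echo 'usage: vlan_table GUEST VID PARENT NET GW IP' >&2; return 2; }
    vs=$1; vid=$2; parent=$3; net=$4; gw=$5; guest=$6
    dev="$parent.$vid"; plen=${net#*/}
    # Second caveat: without promotion, deleting a primary address (e.g. when a
    # guest stops) also deletes the routes that depend on it. -w applies it
    # now; persist it in /etc/sysctl.conf as the reply does.
    run sysctl -w net.ipv4.conf.all.promote_secondaries=1
    # 802.1Q sub-interface for this network, as in the reply.
    run vconfig add "$parent" "$vid"
    run ip link set "$dev" up
    # First caveat: an address on the network must be up BEFORE the table is
    # filled; otherwise "via $gw" cannot be resolved and ip reports
    # "RTNETLINK answers: No such process". Keep the default "from all lookup
    # main" rule: the connected route this address creates in main is what
    # the kernel's gateway check uses.
    run ip addr add "$guest/$plen" dev "$dev"
    # Table VID: connected route, then the default route via the VLAN gateway,
    # with the device given explicitly.
    run ip route add "$net" dev "$dev" table "$vid"
    run ip route add default via "$gw" dev "$dev" table "$vid"
    # Policy rule: packets sourced from this network consult table VID, so this
    # guest's traffic cannot use the other VLAN's routes.
    run ip rule add from "$net" table "$vid"
    # Hand the device and address to util-vserver for this guest.
    run mkdir -p "/etc/vservers/$vs/interfaces/0"
    put "$dev"   "/etc/vservers/$vs/interfaces/0/dev"
    put "$guest" "/etc/vservers/$vs/interfaces/0/ip"
}

vlan_table vs_7 7 eth0 10.7.0.0/16 10.7.0.1 10.7.0.2
```

With DRY_RUN=0 the same function executes the commands instead of printing them.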

Generated on Thu 14 Jan 2010 - 20:27:16 GMT by hypermail 2.1.8