[vserver] [WISHLIST] Routing traffic through network when multiple vservers are in different vlans on the same vserver host

From: John Pierce <john_at_pierce.name>
Date: Wed 17 Aug 2011 - 02:33:55 BST
Message-ID: <CAAVVK0-0--gJZ-nShUSiVSf21nO8S=H7W=O_tZsoc3x8d61uWg@mail.gmail.com>

Hi all,

This may have been asked before, so I apologize if so. I just have yet to
find an answer or possible solution.

I have a single VServer host that has multiple NICs in it. One NIC is
for "untrusted traffic" (think DMZ) and another NIC is for "trusted
traffic" (think LAN). I'd like to run some vservers in my DMZ on eth0
and some vservers in my LAN and route traffic between the vservers
which happen to run on the same host through the firewall device I
have. That way all my firewall rules exist in one place for my
network.

Well, if you haven't already guessed, this works just fine if you have
two VServer hosts, one dedicated for the DMZ vservers and one
dedicated for the trusted LAN vservers. Good security design aside, I
just happen to think for a small lab that I'm running, I'd really like
to be able to collapse the technical requirement for two separate
hosts to just one VServer host with both DMZ and LAN NICs. But when I
do that, of course, the local Linux routing table takes over and
traffic from a DMZ vserver that needs to go to a backend LAN vserver
just doesn't leave the host machine like I'd want it to.

I've seen some articles about how to do this by patching the kernel.
See http://www.linuxquestions.org/questions/linux-networking-3/multihomed-machine-and-local-ip-addresses-597741/
and then see the patch called send-to-self here:
http://www.ssi.bg/~ja/#loop

Is it possible that this patch could be considered so that VPS hosters
like me could use a single VServer host and yet still route the
traffic off the machine to the network? This is conceptually how
VMware ESXi works (i.e. a DMZ and a trusted LAN VM could be running on
the same host yet traffic between the two is isolated and controlled
via the network topology that has been established).

It'd really make my day and help me avoid security issues where
traffic between vservers that happen to run on the same VServer host
doesn't leak across the local routing table on the host.

Hoping for a favorable opinion from others...

Regards,

John

We can't solve problems by using the same kind of thinking we used
when we created them. -- Albert Einstein
Received on Wed Aug 17 02:35:35 2011
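A small check for the condition John describes, added here as an example and not code from the post or from the vserver project: on a Linux host, any packet whose source and destination are both addresses in the host's `local` routing table is delivered internally and never reaches the wire, whatever the main table or the firewall upstream say. The script parses a constructed sample of `ip -4 route show table local` output (RFC 5737 documentation addresses, not real ones) and reports guest pairs on different host interfaces whose traffic would short-circuit inside the host instead of crossing the external firewall. The guest names and addresses are assumptions for the example.

```python
import ipaddress

# Constructed sample of `ip -4 route show table local` on a vserver host with
# DMZ guests on eth0 and LAN guests on eth1 (example data, not from the post).
LOCAL_TABLE = """\
local 192.0.2.10 dev eth0 proto kernel scope host src 192.0.2.10
local 192.0.2.11 dev eth0 proto kernel scope host src 192.0.2.10
local 198.51.100.20 dev eth1 proto kernel scope host src 198.51.100.20
local 198.51.100.21 dev eth1 proto kernel scope host src 198.51.100.20
broadcast 192.0.2.255 dev eth0 proto kernel scope link src 192.0.2.10
broadcast 198.51.100.255 dev eth1 proto kernel scope link src 198.51.100.20
"""

# Hypothetical guest inventory: name -> address the guest is bound to.
GUESTS = {
    "dmz-web": "192.0.2.11",
    "lan-db": "198.51.100.21",
    "remote-box": "203.0.113.5",  # not local to the host, used as a control
}


def parse_local_addresses(table_text):
    """Return {IPv4Address: device} for every 'local' entry in the table.

    Only the local table matters here: the kernel consults it before the
    main table, so any destination listed in it is delivered to the host
    itself regardless of what the main table or an external firewall says.
    """
    addrs = {}
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "local" and parts[2] == "dev":
            addrs[ipaddress.ip_address(parts[1])] = parts[3]
    return addrs


def cross_zone_short_circuits(table_text, guests):
    """Return sorted (guest_a, guest_b) pairs that bypass the external firewall.

    A pair is flagged when both guest addresses are in the host's local table
    but sit on different host interfaces: that is exactly the DMZ-to-LAN case
    where traffic stays inside the host instead of leaving via the NIC.
    Same-interface pairs are in the same zone and are not reported.
    """
    local = parse_local_addresses(table_text)
    names = sorted(guests)
    flagged = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ia = ipaddress.ip_address(guests[a])
            ib = ipaddress.ip_address(guests[b])
            if ia in local and ib in local and local[ia] != local[ib]:
                flagged.append((a, b))
    return flagged


if __name__ == "__main__":
    for a, b in cross_zone_short_circuits(LOCAL_TABLE, GUESTS):
        print(f"{a} <-> {b}: delivered inside the host, firewall never sees it")
```

Running it against a real host means feeding it the actual `ip -4 route show table local` output; an empty result for the guest pairs you care about is the property the post wants, and it is worth re-checking whenever a guest is added, because every new local address extends the set of destinations the kernel will keep on-host.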

Generated on Wed 17 Aug 2011 - 02:35:35 BST by hypermail 2.1.8