Re: [vserver] [WISHLIST] Routing traffic through network when multiple vservers are in different vlans on the same vserver host

From: Rik Bobbaers <rik_at_enzoverder.be>
Date: Wed 17 Aug 2011 - 09:47:48 BST
Message-ID: <55748.193.178.209.214.1313570868.squirrel@www.enzoverder.be>

I used to do that at my previous job. It's called advanced routing.

I even created some scripts that should give you an idea on how to tackle
the "problem", but I can't seem to find them anymore :(

sorry

anyway: advanced routing should fix your problem!

Rik Bobbaers

-- http://harry.enzoverder.be

> Hi all,
>
> This may have been asked before so I apologize if so. I've just yet to
> find an answer or possible solution.
>
> I have a single VServer host that has multiple NICs in it. One NIC is
> for "untrusted traffic" (think DMZ) and another NIC is for "trusted
> traffic" (think LAN). I'd like to run some vservers in my DMZ on eth0
> and some vservers in my LAN and route traffic between the vservers
> which happen to run on the same host through the firewall device I
> have. That way all my firewall rules exist in one place for my
> network.
>
> Well, if you haven't already guessed, this works just fine if you have
> two VServer hosts, one dedicated for the DMZ vservers and one
> dedicated for the trusted LAN vservers. Good security design aside, I
> just happen to think for a small lab that I'm running, I'd really like
> to be able to collapse the technical requirement for two separate
> hosts to just one VServer host with both DMZ and LAN NICs. But when I
> do that, of course, the local Linux routing table takes over and
> traffic from a DMZ vserver that needs to go to a backend LAN vserver
> just doesn't leave the host machine like I'd want it to.
>
> I've seen some articles about how to do this by patching the kernel.
> See
> http://www.linuxquestions.org/questions/linux-networking-3/multihomed-machine-and-local-ip-addresses-597741/
> and then see the patch called send-to-self here:
> http://www.ssi.bg/~ja/#loop
>
> Is it possible that this patch could be considered so that VPS hosters
> like me could use a single VServer host and yet still route the
> traffic off the machine to the network? This is conceptually how
> VMware ESXi works (i.e. a DMZ and a trusted LAN VM could be running on
> the same host yet traffic between the two is isolated and controlled
> via the network topology that has been established).
>
> It'd really make my day and help me avoid security issues where
> traffic between vservers that happen to run on the same VServer host
> don't leak across the local routing table on the host.
>
> Hoping for a favorable opinion from others....
>
> Regards,
>
> John
>
> We can't solve problems by using the same kind of thinking we used
> when we created them. -- Albert Einstein
>
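As an added example that is not part of either message above, this is one way to set up the "advanced routing" (Linux policy routing) Rik mentions, so that traffic between a DMZ vserver and a LAN vserver on the same host leaves the box through the external firewall instead of being short-circuited by the host's local routing table. The subnets, device names, firewall addresses and table numbers are constructed assumptions; the accept_local sysctl needs a 2.6.37 or later kernel and covers the same need the send-to-self patch addresses, namely accepting packets that carry one of the host's own addresses as source when they come back in on the other NIC.

```shell
#!/bin/sh
# Added example: force DMZ<->LAN traffic between vservers on one host out
# through the firewall.  All addresses below are constructed assumptions.
DMZ_NET=10.1.0.0/24; DMZ_DEV=eth0; FW_DMZ=10.1.0.1   # firewall leg in the DMZ
LAN_NET=10.2.0.0/24; LAN_DEV=eth1; FW_LAN=10.2.0.1   # firewall leg in the LAN
T_DMZ2LAN=100; T_LAN2DMZ=101   # routing table numbers assumed to be unused

# Print the commands instead of running them, so they can be reviewed first
# (and checked without root).  Run "sh script.sh apply" to execute them.
gen_rules() {
    cat <<EOF
# detour tables: each direction goes to the firewall leg on its own NIC
ip route replace $LAN_NET via $FW_DMZ dev $DMZ_DEV table $T_DMZ2LAN
ip route replace $DMZ_NET via $FW_LAN dev $LAN_DEV table $T_LAN2DMZ
# consult the detour tables before the kernel's 'local' table
ip rule add from $DMZ_NET to $LAN_NET lookup $T_DMZ2LAN pref 10
ip rule add from $LAN_NET to $DMZ_NET lookup $T_LAN2DMZ pref 11
# the 'local' table sits at pref 0; re-add it below our rules, then drop pref 0
ip rule add lookup local pref 20
ip rule del pref 0
# accept packets whose source is one of our own addresses when they arrive
# from the firewall on the other NIC (the part the send-to-self patch handled)
sysctl -w net.ipv4.conf.$DMZ_DEV.accept_local=1
sysctl -w net.ipv4.conf.$LAN_DEV.accept_local=1
EOF
}

case "$1" in
    apply) gen_rules | sh ;;   # execute as root
    *)     gen_rules ;;        # dry run: just show what would be done
esac
```

Traffic between the two subnets can then be filtered and logged on the firewall like any other inter-segment traffic; if rp_filter is set to strict mode on the host, verify with `ip rule show` and `ip route get` that the reverse lookup for the detoured packets resolves to the receiving NIC.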
Received on Wed Aug 17 09:48:24 2011
