Re: [vserver] [WISHLIST] Routing traffic through network when multiple vservers are in different vlans on the same vserver host

From: John Pierce <john_at_pierce.name>
Date: Wed 17 Aug 2011 - 14:21:16 BST
Message-ID: <CAAVVK08t2GAb3E9rYtLz0yVbkYAeAD2TB0gPMx6eL3MqR9FuEQ@mail.gmail.com>

My response intermingled below....

On Wed, Aug 17, 2011 at 8:52 AM, Herbert Poetzl <herbert@13thfloor.at> wrote:

<snip />

>> I'd like to run some vservers in my DMZ on eth0 and some
>> vservers in my LAN and route traffic between the vservers
>> which happen to run on the same host through the firewall
>> device I have.

> I presume the 'firewall device' is something sitting somewhere
> on both networks, the DMZ and the LAN, yes?

Yes, I have a firewall appliance running on my network that functions
also as my router between my DMZ and local LAN so I'd like to keep my
firewall rules on my firewall for controlling traffic between a
vserver in the DMZ and a vserver in the local LAN - and both of those
vservers run on the same VServer Host machine (by happenstance).

>> Good security design aside, I just happen to think for a small
>> lab that I'm running, I'd really like to be able to collapse
>> the technical requirement for two separate hosts to just one
>> VServer host with both DMZ and LAN NICs. But when I do that, of
>> course, the local Linux routing table takes over and traffic
>> from a DMZ vserver that needs to go to a backend LAN vserver
>> just doesn't leave the host machine like I'd want it to.

> you should be able to accomplish this with network namespace
> (which are already working with a recent Linux-VServer
> kernel and will probably be supported soon by util-vserver)

Okay - sounds interesting. I'll search around for what network
namespace actually is. I'm running Debian 6 with the standard
Linux-VServer kernel that's part of that distribution, so clearly I
need to get more current versions of the product to see what's going
on with it in this arena. Do you have a quick link you can provide
which details what network namespace actually is to see if it helps
me? Thx.

>> I've seen some articles about how to do this by patching the kernel.
>> See http://www.linuxquestions.org/questions/linux-networking-3/multihomed-machine-and-local-ip-addresses-597741/
>> and then see the patch called send-to-self here:
>> http://www.ssi.bg/~ja/#loop
>
>> Is it possible that this patch could be considered so that
>> VPS hosters like me could use a single VServer host and yet
>> still route the traffic off the machine to the network?

> the patch for 3.x looks rather trivial, so assuming that
> you will do extensive testing and report back your findings
> I would consider adding this to the experimental patch
> series at least (assuming it actually helps and maybe with
> some more ifdef magic for enabling/disabling it at buildtime)

Okay - I will add this to my punchlist of things to do. Do you think I
should only mess with 3.x series of the Linux kernel at this point?

> the first step (maybe already done on your side) would be
> to test the patch (which should apply fine to a Linux-VServer
> patched kernel) and let us know how it goes ...
> (e.g. make a wiki page with the steps required to set it up)

Will work on this - haven't done anything as of yet to test this patch
except for "exploratory googling" to see what others do to resolve
this issue.

> best,
> Herbert

Thanks Herbert for your quick response and guidance.

John
Received on Wed Aug 17 14:21:47 2011
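As an added illustration of the network-namespace approach Herbert points to (not code from this thread, from util-vserver or from the Linux-VServer project): each guest gets its own namespace holding only a macvlan leg on its NIC and a default route via the firewall, so the host's own routing table is never consulted for guest-to-guest traffic and the DMZ-to-LAN packets have to leave the box. Interface names, addresses and gateways are assumed placeholders; the script only prints the iproute2 commands unless DRY_RUN=0 is set and it is run as root.

```shell
#!/bin/sh
# Assumed layout (placeholders, not from the thread):
#   eth0 = DMZ, firewall DMZ leg 192.0.2.1,      DMZ guest 192.0.2.10
#   eth1 = LAN, firewall LAN leg 198.51.100.1,   LAN guest 198.51.100.10
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# attach_guest NAME PARENT_NIC ADDR/PREFIX GATEWAY
# Creates a namespace that sees only its own macvlan interface and a
# default route through the firewall. Because the other guest's subnet
# is not a connected route inside this namespace, the kernel cannot
# short-circuit the traffic through the host.
attach_guest() {
    name=$1 nic=$2 addr=$3 gw=$4
    run ip netns add "$name"
    run ip link add "mv-$name" link "$nic" type macvlan mode bridge
    run ip link set "mv-$name" netns "$name"
    run ip netns exec "$name" ip addr add "$addr" dev "mv-$name"
    run ip netns exec "$name" ip link set lo up
    run ip netns exec "$name" ip link set "mv-$name" up
    run ip netns exec "$name" ip route add default via "$gw"
}

# check_path NAME DST
# Asks the guest's own routing table how it would reach DST. On a
# correct setup the answer shows "via <firewall>", never a directly
# connected host interface.
check_path() {
    run ip netns exec "$1" ip route get "$2"
}

attach_guest dmz1 eth0 192.0.2.10/24 192.0.2.1
attach_guest lan1 eth1 198.51.100.10/24 198.51.100.1
check_path dmz1 198.51.100.10
check_path lan1 192.0.2.10
```

With DRY_RUN=0 the same script performs the setup; the two check_path lines then show the firewall as the next hop in each direction, which is the property the thread is asking for.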
