> -----Original Message-----
> From: Gordan Bobic [mailto:gordan@bobich.net]
>
> Fiedler Roman wrote:
> >> -----Original Message-----
> >> From: Gordan Bobic [mailto:gordan@bobich.net]
> >>
> >> Fiedler Roman wrote:
> >>>> -----Original Message-----
> >>>> From: Gordan Bobic [mailto:gordan@bobich.net]
> >>>>
> >>>>> Fiedler Roman wrote:
> >>>>> ....
> >>>>> I'm trying to configure networking on a machine, where we cannot use any
> >>>>> private network for internal communication because I might need to receive
> >>>>> traffic from that network. So I can only use loopback, one private IP-Range IP
> >>>>> (server external IP) and I do not want to grab one public IP-range for internal
> >>>>> communication if avoidable.
> >> ....
> >>> Connect from guest to 127.0.1.1:80 is still remapped to 127.0.2.1, which is
> >>> guest itself. So no connection to host via lo possible.
> >> You are using 127/8 subnet on the dummy device - that won't work. You
> >> need a non-loopback IP range on the dummy interface, e.g. 192.168/16.
> >
> > Thanks for your reply. I already used configuration with non-127 dummy interface
> > and they are working. In current use case (description above), I have the problem,
> > that organization cannot tell me, which private network is not in use at their
> > location. Since I cannot handle requests from their network if I bind IPs to local
> > interface, I was trying to do it without need of any other IPs than from range
> > 127.0.0.0/8.
>
> That is most unfortunate, but I don't see a workaround - they will have
> to find a suitable small private subnet in 10/8, 172.16/12 or 192.168/16
> that you can use. But since that subnet will never be routable outside
> the machine itself, you can re-use it on all similar servers.
>
> > Things I could try:
> > ...
> > * Use iptables mangle or nat and mark to remap external requests from IP-Range also bound to local interface.
>
> Sorry, not sure I quite follow what you think you can do here. Can you
> elaborate?
When I have some client with IP x accessing the machine and machine knows IP x on dummy interface, routing table entry to dummy interface will be used for e.g. TCP response packets, thus sending them to nirvana.
If I mark connections depending on the interface, it should be possible to do policy routing, thus sending responses to connections from external-x back via external interface, while keeping internal-x connections internal.
Roman
Received on Wed Feb 29 14:00:57 2012
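
The interface-based connection marking and policy routing described in the last message, as an added sketch that is not part of the original thread. The interface name `eth0`, gateway `192.0.2.1`, mark `0x1` and table `100` are assumed placeholder values, and the loose `rp_filter` setting is an addition here: strict reverse-path filtering would otherwise drop external packets whose source range is routed to the dummy interface.

```shell
#!/bin/sh
# Added example (constructed values, not from the thread).
# Assumptions: eth0 is the external interface, 192.0.2.1 its gateway,
# fwmark 0x1 and routing table 100 are otherwise unused on the host.
EXT_IF="${EXT_IF:-eth0}"
EXT_GW="${EXT_GW:-192.0.2.1}"
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"

# Print the commands, one per line, so they can be reviewed first:
#  1. tag every new connection arriving on the external interface
#  2. copy the connection mark onto locally generated reply packets
#  3. give the separate table a default route out of the external interface
#  4. send marked packets to that table instead of the main table, which
#     would pick the dummy-interface route for the overlapping range
#  5. loose reverse-path check so the inbound packets are not dropped
policy_routing_cmds() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $EXT_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
ip route add default via $EXT_GW dev $EXT_IF table $TABLE
ip rule add fwmark $MARK lookup $TABLE
sysctl -w net.ipv4.conf.$EXT_IF.rp_filter=2
EOF
}

# Execute the commands in order; stop at the first failure.
apply_cmds() {
    policy_routing_cmds | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || return 1
    done
}

# Dry run by default; APPLY=1 (as root) installs the rules.
if [ "${APPLY:-0}" = "1" ]; then apply_cmds; else policy_routing_cmds; fi
```

Connections opened from the internal side never receive the mark, so their replies keep following the main table and stay on the dummy interface.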