On Mon, 2014-01-27 at 00:04 +0100, Tamas Papp wrote:
> It's all one single broadcast network 10/8.
> The hosts could be even 10.0.0.{1,2,3,4}.

That contradicts your original message...

On Sun, 2014-01-26 at 22:09 +0100, Tamas Papp wrote:
> Topology:
>
> ---- inet ---- 1.2.3.4 firewall (DNAT) 10.0.0.1/8 ---- 10.1.0.0/8 lxc1
>                                                         +
>                                                         10.2.0.0/8 lxc2

Which is, in and of itself, contradictory, since 10.1.0.0/8 can't be a /8 and 10.2.0.0/8 can't be a /8.

Perhaps you need to clarify your network topology in more explicit detail.

> In other words the container cannot be accessed through PREROUTING if
> the source and target _physical_ machines are the same.
>
> tamas
>
>
> On 01/26/2014 11:41 PM, Alvaro Miranda Aguilera wrote:
> >
> > for what I see, if you are using iptables prerouting, then you need
> > to use the IP that is on the same network for both machines.
> >
> >
> > if you want to go from one network to other separate, you need to
> > set routes, otherwise, the packages will go out to 0.0.0.0
> >
> >
> > From what I understand in your network:
> >
> >
> > host 10.0.0.0
> > lxc1 10.1.0.0
> > lxc2 10.2.0.0
> >
> > with /8 are separate networks, so you need to define a router ip,
> > and that ip should be visible

You're running a flat /8 broadcast domain? I personally control a legacy (public) /16 and would never consider running even that space "flat" (it's heavily subnetted). The logistics for such is crazy.

Regards,
Mike

> > so, say from lxc1, you want to reach IPs in 10.2.0.0, then lxc1
> > should have a leg on each network, and have a route rule.
> >
> > Alvaro
> >
> >
> > On Mon, Jan 27, 2014 at 10:09 AM, Tamas Papp <[email protected]> wrote:
> > hi All,
> >
> > The problem may not be LXC only but I don't know what the keyword is to
> > search for.
> >
> >
> > Topology:
> >
> > ---- inet ---- 1.2.3.4 firewall (DNAT) 10.0.0.1/8 ---- 10.1.0.0/8 lxc1
> >                                                         +
> >                                                         10.2.0.0/8 lxc2
> >
> >
> > On firewall:
> >
> > $ iptables -t nat -A PREROUTING -d 1.2.3.4 --dport smtp -j DNAT --to 10.1.0.2:25
> >
> >
> > 10.1.0.1 and 10.1.0.2 are containers on lxc01.
> > 10.2.0.2 is a container on lxc02.
> >
> >
> > Test command:
> > $ telnet 10.1.0.2 25
> >
> >
> > It's failing from the 10.1.0.0/8 containers and lxc01.
> > It's OK on containers on lxc02 (eg. 10.2.0.2).
> >
> >
> > According to tcpdump packets reaching the iface 10.0.0.1 and
> > they're gone.
> > Changing proxy_arp and rp_filter on 10.0.0.1 iface doesn't help.
> >
> >
> > Any idea?
> >
> > 10x
> > tamas
> >
> > _______________________________________________
> > lxc-users mailing list
> > [email protected]
> > http://lists.linuxcontainers.org/listinfo/lxc-users

--
Michael H. Warfield (AI4NB) | (770) 978-7061 | [email protected]
/\/\|=mhw=|\/\/             | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9             | An optimist believes we live in the best of all
PGP Key: 0x674627FF         | possible worlds. A pessimist is sure of it!
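As an added illustration of the prefix-length point argued in this thread (this is not code from any participant): the quoted topology addresses parsed with Python's ipaddress module, showing that 10.1.0.0/8 and 10.2.0.0/8 are not valid network addresses and that under a flat 10/8 every listed host, including the DNAT target, is on-link from every other. The /16 prefix length is an assumption used only to contrast on-link against routed reachability.

```python
import ipaddress

# Values quoted in the thread (constructed here as test data).
FIREWALL_LAN = "10.0.0.1/8"
HOST_PREFIXES = ["10.1.0.0/8", "10.2.0.0/8"]   # lxc1 and lxc2 as written
DNAT_TARGET = "10.1.0.2"                        # DNAT --to target
SOURCES = {"container on lxc1": "10.1.0.1",
           "container on lxc2": "10.2.0.2"}


def is_valid_network(cidr: str) -> bool:
    """True only when every host bit is zero, i.e. the string names a network.

    10.1.0.0/8 has host bits set (the enclosing /8 is 10.0.0.0/8), so it is
    not a network address; this is the contradiction pointed out above.
    """
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def on_link(src_cidr: str, dst_ip: str) -> bool:
    """True when dst lies inside the source's directly connected network.

    Packets to an on-link destination are delivered by ARP on the segment
    and never pass through a router's PREROUTING chain.
    """
    src = ipaddress.ip_interface(src_cidr)
    return ipaddress.ip_address(dst_ip) in src.network


def reachability(prefixlen: int) -> dict:
    """For each source, report whether the DNAT target is on-link at prefixlen.

    prefixlen=8 models the flat 10/8 described in the thread; prefixlen=16 is
    an assumed subnetting (10.1.0.0/16, 10.2.0.0/16) used only for contrast.
    """
    return {name: on_link(f"{ip}/{prefixlen}", DNAT_TARGET)
            for name, ip in SOURCES.items()}


if __name__ == "__main__":
    for cidr in HOST_PREFIXES:
        print(cidr, "valid network:", is_valid_network(cidr))
    print("flat /8:", reachability(8))
    print("assumed /16:", reachability(16))
```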
