Re: [Vserver] routing between host and guest

2007-02-09 Thread ADNET Ghislain
From what I got, it seems that the traffic from host to guest goes by the lo interface. The logs indicate that it does
not DNAT from lo:



Feb  9 12:30:30 server kernel: OUTROUTEIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb  9 12:30:30 server kernel: OUTPUTIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb  9 12:30:30 server kernel: POSTROUTEIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb  9 12:30:30 server kernel: INPUTIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb  9 12:30:30 server kernel: OUTPUTIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=42145 SEQ=0 ACK=3647414247 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb  9 12:30:30 server kernel: INPUTIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=42145 SEQ=0 ACK=3647414247 WINDOW=0 RES=0x00 ACK RST URGP=0




My log rule in POSTROUTING is triggered but not the one I put in PREROUTING. Is it normal that traffic on lo bypasses
PREROUTING, or did I make a mistake here?



Chain PREROUTING (policy ACCEPT 4601 packets, 239K bytes)
 pkts bytes target        prot opt in   out  source       destination
    0     0 pre10.11.1.1  all  --  lo   *    0.0.0.0/0    my.pub.lic.ip
 1389 79355 pre10.11.1.1  all  --  *    *    0.0.0.0/0    my.pub.lic.ip



regards,
Ghislain.



server:/usr/local/.aqadmin/home%(aqadmin) ifconfig
eth0  Lien encap:Ethernet  HWaddr 00:30:48:80:35:98
  inet adr:my.pub.lic.ip  Bcast:my.public.net.255  
Masque:255.255.255.240
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:50547354 errors:0 dropped:0 overruns:0 frame:0
  TX packets:46120605 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 lg file transmission:100
  RX bytes:967618327 (922.7 MiB)  TX bytes:208844340 (199.1 MiB)
  Adresse de base:0xb000 Mémoire:f000-f002

eth0: Lien encap:Ethernet  HWaddr 00:30:48:80:35:98
  inet adr:10.11.1.1  Bcast:0.0.0.0  Masque:255.255.255.255
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  Adresse de base:0xb000 Mémoire:f000-f002

lo        Lien encap:Boucle locale
  inet adr:127.0.0.1  Masque:255.0.0.0
  UP LOOPBACK RUNNING  MTU:16436  Metric:1
  RX packets:188383 errors:0 dropped:0 overruns:0 frame:0
  TX packets:188383 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 lg file transmission:0
  RX bytes:24591743 (23.4 MiB)  TX bytes:24591743 (23.4 MiB)



server:/usr/local/.aqadmin/home%(aqadmin) sudo iptables -L -vn
Chain INPUT (policy ACCEPT 51M packets, 30G bytes)
 pkts bytes target prot opt in out source   destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source   destination

Chain OUTPUT (policy ACCEPT 46M packets, 3496M bytes)
 pkts bytes target prot opt in out source   destination


server:/usr/local/.aqadmin/home%(aqadmin) sudo iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 4601 packets, 239K bytes)
 pkts bytes target prot opt in out source   destination
  666 34304 pre10.11.1.1  all  --  *    *    0.0.0.0/0    my.pub.lic.ip

Chain POSTROUTING (policy ACCEPT 9432 packets, 644K bytes)
 pkts bytes target prot opt in out source   destination
    8   518 post10.11.1.1 all  --  *    *    10.11.1.1    !10.11.1.1

Chain OUTPUT (policy ACCEPT 34439 packets, 2175K bytes)
 pkts bytes target prot opt in out source   destination

Chain post10.11.1.1 (1 references)
 pkts bytes target prot opt in out source   destination
   74  4562 SNAT   all  --  *    *    0.0.0.0/0    0.0.0.0/0    to:my.pub.lic.ip

Chain pre10.11.1.1 (1 references)
 pkts bytes target prot opt in out source   destination
  666 34304 DNAT   all  --  *    *    0.0.0.0/0    0.0.0.0/0    to:10.11.1.1


server:/usr/local/.aqadmin/home%(aqadmin) telnet my.pub.lic.ip 80
Trying my.pub.lic.ip...
telnet: Unable to connect to remote host: Connection refused



server:/usr/local/.aqadmin/home%(aqadmin) telnet 10.11.1.1 80
Trying 10.11.1.1...
Connected to 

Re: [Vserver] routing between host and guest

2007-02-09 Thread ADNET Ghislain

OK, found it:

DNAT for lo goes by -t nat -A OUTPUT and not -t nat -A POSTROUTING :)

--
Cordialement,
Ghislain
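As an added example (not code from the thread, nor from the Linux-VServer project), the rule set that this resolution and the first message's LOG output imply: the DNAT toward the guest must exist in both nat PREROUTING (for packets arriving on eth0) and nat OUTPUT (for packets generated on the host, which go over lo and never pass PREROUTING), alongside the SNAT in POSTROUTING. The script also carries a small check, `dnat_applied`, that reads kernel LOG lines of the shape shown in the first message and reports whether the destination was rewritten by the time the packet reached the POSTROUTING and INPUT hooks. The addresses (198.51.100.10 standing in for my.pub.lic.ip), the constructed log excerpts, the `DRY_RUN` switch and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread.  NAT for a Linux-VServer guest that owns
# a private address (GUEST_IP) while the public address (PUBLIC_IP) sits on the
# host.  Both defaults are assumed placeholder addresses.
PUBLIC_IP="${PUBLIC_IP:-198.51.100.10}"
GUEST_IP="${GUEST_IP:-10.11.1.1}"
# DRY_RUN=1 (default) prints the iptables commands; DRY_RUN=0 executes them (root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_nat_rules() {
    # Packets arriving from outside pass the nat PREROUTING hook: rewrite the
    # public destination to the guest's private address there.
    run iptables -t nat -A PREROUTING -d "$PUBLIC_IP" -j DNAT --to-destination "$GUEST_IP"
    # Packets generated on the host (the guest shares the host's network stack,
    # so its own connections count too) never see PREROUTING; the nat hook they
    # pass is OUTPUT, so the same DNAT must be repeated there.  Without it the
    # SYN keeps DST=PUBLIC_IP, loops over lo and is refused, as in the thread.
    run iptables -t nat -A OUTPUT -d "$PUBLIC_IP" -j DNAT --to-destination "$GUEST_IP"
    # Traffic leaving the guest toward anything else gets the public source.
    run iptables -t nat -A POSTROUTING -s "$GUEST_IP" ! -d "$GUEST_IP" -j SNAT --to-source "$PUBLIC_IP"
}

# Constructed kernel LOG excerpts shaped like those in the thread (one entry per
# hook, prefixes OUTROUTE/POSTROUTE/INPUT).  BEFORE_FIX: only the PREROUTING
# rule exists, DST is never rewritten.  AFTER_FIX: the OUTPUT rule is present,
# so POSTROUTING and INPUT already see the guest address.
BEFORE_FIX='Feb  9 12:30:30 server kernel: OUTROUTE IN= OUT=lo SRC=198.51.100.10 DST=198.51.100.10 PROTO=TCP DPT=80 SYN
Feb  9 12:30:30 server kernel: POSTROUTE IN= OUT=lo SRC=198.51.100.10 DST=198.51.100.10 PROTO=TCP DPT=80 SYN
Feb  9 12:30:30 server kernel: INPUT IN=lo OUT= SRC=198.51.100.10 DST=198.51.100.10 PROTO=TCP DPT=80 SYN'
AFTER_FIX='Feb  9 12:35:00 server kernel: OUTROUTE IN= OUT=lo SRC=198.51.100.10 DST=198.51.100.10 PROTO=TCP DPT=80 SYN
Feb  9 12:35:00 server kernel: POSTROUTE IN= OUT=lo SRC=198.51.100.10 DST=10.11.1.1 PROTO=TCP DPT=80 SYN
Feb  9 12:35:00 server kernel: INPUT IN=lo OUT= SRC=198.51.100.10 DST=10.11.1.1 PROTO=TCP DPT=80 SYN'

# dnat_applied LOG PUBLIC_IP GUEST_IP -> prints "yes" when every SYN logged at
# the POSTROUTE or INPUT hook already carries the guest address, else "no".
# Entries from earlier hooks (OUTROUTE, before nat OUTPUT runs) are ignored.
dnat_applied() {
    printf '%s\n' "$1" | awk -v pub="$2" -v guest="$3" '
        /SYN/ {
            hook = 0; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "POSTROUTE" || $i == "INPUT") hook = 1
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (!hook) next
            if (dst == guest) ok = 1
            if (dst == pub) bad = 1
        }
        END { r = (ok && !bad) ? "yes" : "no"; print r }'
}

# Usage: sh vserver-nat.sh            (print the rules, check the sample logs)
#        DRY_RUN=0 sh vserver-nat.sh  (apply the rules, as root)
apply_nat_rules
printf 'DNAT in effect before fix: %s\n' "$(dnat_applied "$BEFORE_FIX" "$PUBLIC_IP" "$GUEST_IP")"
printf 'DNAT in effect after fix:  %s\n' "$(dnat_applied "$AFTER_FIX" "$PUBLIC_IP" "$GUEST_IP")"
```

The DNAT rules match all protocols, as the chains in the thread do; restricting them with `-p tcp --dport 80` is the usual tightening once the forwarding works. The SNAT's `! -d $GUEST_IP` mirrors the `post10.11.1.1` chain's `10.11.1.1 -> !10.11.1.1` match, so guest-to-guest traffic keeps its private source.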


___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] routing between host and guest

2007-02-06 Thread Herbert Poetzl
On Tue, Feb 06, 2007 at 02:20:40PM +0100, ADNET Ghislain wrote:
> Hello,
>
> I have some trouble with the routing between host and guest.

I doubt that, as there is none :)

> I have a guest having a 10.x IP and a public IP different
> from the host public IP.

in the same network, or on different networks?

> I have set up DNAT and SNAT between the 10.x and guest
> public IP and it works from outside

hmm, the guest has been assigned both ips?
why would you do NAT on the guest then?

> but I cannot telnet to port 80 on my guest from the host

port 80 is usually used for http, so 'telnet in'
is probably the wrong approach ...

> nor telnet to my guest public IP from inside the guest itself.

check on the host with tcpdump for details on
the traffic

> Can anyone point to a little how-to on this? I googled but failed to
> find one.

the general rule is, it is a linux system,
with all networking 'on the host' and ip isolation
for the guests, nothing more, nothing less

I'd suggest removing the NAT if the guest already
has a public IP (as it is not very useful then)

HTH,
Herbert

> using 2.16.19.2 with 2.2.0rc10 patch on debian
>
> --
> Cordialement,
> Ghislain


