Some more info about that point.

> 
> (2)
> [...]
> The purpose is now to have traffic from Host 1 to vservers routed through the
> usual "direct" (lo) route.  So the question is:  Is it possible to limit the
> effect of the "indirect" route to selected networks?
> 

Without the "funny" routing rules in place, this is what "ip addr ls" outputs:

34: eth0.2: <BROADCAST,MULTICAST,UP> mtu 1496 qdisc noqueue
    link/ether 00:50:ba:31:61:68 brd ff:ff:ff:ff:ff:ff
    inet 172.83.0.1/16 brd 172.83.255.255 scope global eth0.2
35: eth0.3: <BROADCAST,MULTICAST,UP> mtu 1496 qdisc noqueue
    link/ether 00:50:ba:31:61:68 brd ff:ff:ff:ff:ff:ff
    inet 172.79.0.1/16 brd 172.79.255.255 scope global eth0.3

With the routing (and vservers "172.79.0.11" and "172.83.0.100" running):

34: eth0.2: <BROADCAST,MULTICAST,UP> mtu 1496 qdisc noqueue
    link/ether 00:50:ba:31:61:68 brd ff:ff:ff:ff:ff:ff
    inet 127.0.0.1/8 brd 127.255.255.255 scope host eth0.2
    inet 172.83.0.1/16 brd 172.83.255.255 scope global eth0.2
    inet 172.83.0.100/16 brd 172.83.255.255 scope global secondary eth0.2
35: eth0.3: <BROADCAST,MULTICAST,UP> mtu 1496 qdisc noqueue
    link/ether 00:50:ba:31:61:68 brd ff:ff:ff:ff:ff:ff
    inet 127.0.0.1/8 brd 127.255.255.255 scope host eth0.3
    inet 172.79.0.1/16 brd 172.79.255.255 scope global eth0.3
    inet 172.79.0.11/16 brd 172.79.255.255 scope global secondary eth0.3

And, in this situation, attempting to "ssh 172.79.0.11" from Host 1 results
in the firewall blocking the connection:

Jun  4 14:44:30 lestat kernel: Shorewall:FORWARD:REJECT:IN=eth0.3 OUT=eth0.3 SRC=172.79.0.11 DST=172.79.0.11 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=65379 DF PROTO=TCP SPT=33264 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0

So, Host 1 (having address "172.83.0.1/16" associated to "eth0.2") and vservers
are not treated the same, as I can connect to Guest 2 ("172.79.0.11") from
Guest 1 ("172.83.0.100").
Also, it seems strange that the firewall sees the request coming from and going
to the same interface and address.


Best regards,
Gilles
_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver
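The firewall entry quoted above is a netfilter LOG line with a Shorewall prefix, and the odd part of it is that IN and OUT name the same interface and SRC and DST carry the same address. The following is an added example, not code from the mail or from the vserver or Shorewall projects: a small parser for that log format plus a check that picks out exactly such "hairpin" REJECT entries from a log, so the condition can be spotted across a whole syslog rather than by eye. The two sample lines are constructed; the first mirrors the entry in the mail, the second is a made-up ordinary forward for contrast.

```python
"""Parse netfilter/Shorewall LOG lines and flag hairpin rejects.

Added example; not part of the original mail. Field names follow the
kernel LOG target output (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=...).
"""
import re
from typing import Dict, List

# Constructed sample log. Line 1 mirrors the REJECT entry quoted in the mail
# (joined back onto one line); line 2 is an invented, normal forward.
SAMPLE_LOG = """\
Jun  4 14:44:30 lestat kernel: Shorewall:FORWARD:REJECT:IN=eth0.3 OUT=eth0.3 SRC=172.79.0.11 DST=172.79.0.11 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=65379 DF PROTO=TCP SPT=33264 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0
Jun  4 14:45:01 lestat kernel: Shorewall:FORWARD:ACCEPT:IN=eth0.2 OUT=eth0.3 SRC=172.83.0.100 DST=172.79.0.11 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0
"""

# Shorewall prefixes its LOG entries as "Shorewall:<chain>:<disposition>:".
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):")
# Everything after the prefix is a run of KEY=value tokens plus bare flags.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line: str) -> Dict[str, object]:
    """Return the chain, disposition, KEY=value fields and bare flags of one line."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields: Dict[str, object] = {"chain": m.group("chain"),
                                 "disposition": m.group("disp")}
    rest = line[m.end():]
    fields.update(KV_RE.findall(rest))  # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    # Tokens without '=' (DF, SYN, ACK, ...) are flags; keep them as a list.
    fields["flags"] = [tok for tok in rest.split() if "=" not in tok]
    return fields


def is_hairpin(fields: Dict[str, object]) -> bool:
    """True when a packet enters and leaves on the same interface with SRC == DST."""
    return (fields.get("IN") == fields.get("OUT")
            and fields.get("SRC") == fields.get("DST"))


def find_hairpin_rejects(log_text: str) -> List[Dict[str, object]]:
    """Collect every REJECT entry in log_text that shows the hairpin pattern."""
    hits = []
    for line in log_text.splitlines():
        if "Shorewall:" not in line:
            continue  # unrelated syslog noise
        fields = parse_log_line(line)
        if fields["disposition"] == "REJECT" and is_hairpin(fields):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in find_hairpin_rejects(SAMPLE_LOG):
        print("hairpin reject: %s -> %s on %s, %s dport %s" % (
            hit["SRC"], hit["DST"], hit["IN"], hit["PROTO"], hit["DPT"]))
```

Run against a real `/var/log/messages` the same way (`find_hairpin_rejects(open(path).read())`); a hit means a packet with a local address as both source and destination was forwarded through the same VLAN interface instead of being delivered locally, which is the symptom the mail describes.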