Herbert Poetzl wrote:
> On Thu, Dec 08, 2005 at 08:09:19PM +0200, Etienne Pretorius wrote:
>> Herbert Poetzl wrote:
>>> On Thu, Dec 08, 2005 at 06:42:00PM +0200, Etienne Pretorius wrote:
>>>> Hello all,
>>>>
>>>> I would just like to know how I make my ppp0 (pppoe) interface
>>>> visible and thus routable inside the vserver. I have this interface
>>>> on the main server and so far, using the new style configs with
>>>> bcapabilities set to CAP_SYS_ADMIN,CAP_NET_ADMIN,CAP_NET_RAW, I still
>>>> can't see the interface and so I can't route through it.
>>>
>>> well, you are jumping to conclusions here .. first
>>> a few words to clarify ...
>>>
>>> - networking happens on the host (for now), the guest
>>>   does not interfere with that
>>> - guests are restricted to IPs, not to interfaces
>>> - interfaces which do not carry IPs assigned to a guest
>>>   are hidden inside a guest
>>> - routing is placed on the host and is _not_ affected
>>>   by any guest setups
>>> - giving CAP_SYS_ADMIN,CAP_NET_ADMIN or CAP_NET_RAW
>>>   is compromising your guest security, and is seldom
>>>   what you really want ...
>>>
>>> now for your situation:
>>>
>>> - the interface hiding can be controlled via the (by
>>>   default enabled) hide_netif flag. turn it off and
>>>   you will see all interfaces
>>
>> Exactly where do you specify this flag?
>> No info on the flower pages.....
>
> it's there, just check the link to lib/cflags-v13.c

I did an 'updatedb' then 'locate flags | less', nothing..... I am using
Debian Sarge, kernel 2.6.8, vserver util 1.9.

>>> - you probably do not 'route' through that interface
>>>   because the host routing does not specify any route
>>>   through that interface for the IP(s) assigned to
>>>   your guest
>>
>> Correct, except that this interface is my default route....
>> no internet access for the guests.
>
> well, if it _is_ your default route, I'm pretty
> sure the packets _are_ routed there ...
>
> but I suspect that you got the NATing wrong, so
> that the packets are sent with the (probably private)
> IP address of the guest ...

The NATing is done like so:
    iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

>>> - assigning the/a ppp IP to the guest will have two
>>>   effects: a) ppp will become visible and b) packets
>>>   routed through ppp might use that IP (which is
>>>   probably what you want)
>>
>> A) /etc/vservers/<vservername>/interfaces/3/
>>        - nodev
>>        - ip
>>        - dev
>>        - prefix
>
> nodev and dev are exclusive, they do not make much
> sense together ...

Then how would I tell the vserver to include an already configured
interface and use it without giving it a new ip?
    e.g. dev:br0, ip:192.168.5.1, prefix:24

>> B) I actually need the ip that already exists on
>> that interface accessible to the vserver,
>>     dynamic ip assignment....
>
> then you have to 'dynamically' change the IP for
> the guest (which is pretty easy with SNAT)

>> Well, even specifying the assigned IP on the ppp0 interface correctly
>> - plus the netmask - yielded no effect on the visibility issue.
>
> I somewhat doubt that ...

Later, perhaps give you SSH access...

>> Herbert, I have read some of your previous posts - ppl have asked
>> about the '*' under interface names when executing 'route -n' and 'ip
>> route'. You said it is because the interface is not available on the
>> guest, but if it was then it is an exact copy of the host system. BTW
>> the host system can communicate with the internet - and using 'ping
>> -I <dev> <ipaddr>' resulting in 'Destination Unreachable', gives me
>> the idea that I require that interface.
>
> try the following pings _on the host_
>
>  ping -c 1 -I <guest ip> www.google.com
>  ping -c 1 -I <host ip> www.google.com
>  ping -c 1 -I <ppp ip> www.google.com
>
> make the first one work, and the guest will
> have proper internet access ...
>
> a possible way to do so is:
>
>  iptables -t nat -I POSTROUTING -s <guest ip> -j SNAT --to <ppp ip>

iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
    is the first and only rule in that chain.

Communication with the host system is 100%, I can communicate via 'lo' or the 'br0' no problem.
I'll explain a bit more on what I am trying to achieve here:

Host System: Only has Debian defaults and its services are bound to 127.0.0.1/8
             Has interfaces: Eth0 <part of bridge br0>, connected to internal network
                             Tap0 <part of bridge br0>, virtual device for OpenVPN
                             Br0 <ip addr: 192.168.5.1, netmask 255.255.255.0>, no gw
                             Eth1 <part of ppp+>
                             ppp0 <added default gw to other point>

Vserver:     Has a 'lo' configured with an ip of 127.0.0.2
             Has br0 configured - using above ip addr and network mask
             Need ppp+

Inside this Vserver I have Bind9-server working, Apache, Frox, Squid, Proftpd, Postfix, Courier.
I have set up a test machine as part of the Internal Network and everything works (DHCP, NTP).
When I had the router configured in routed mode and using the eth1 device everything worked 100%.
But an issue arrived when I needed to service connections from the internet and realised that I need the ppp
interface to correctly perform these services. I had set up a test machine with ppp and the required
services and successfully overcame my 'routed' setup limitation.

    Routed setup limitation:
    Not a single packet was arriving into the host machine from outside [when the request originated from outside] -
    and the Zyxel manual did not help at all. I did tcpdumps / switched off the firewall... changed all the policies to accept.
    Open ports 1 to 65535 and did SNAT/DNAT and nothing changed.

> HTH,
> Herbert

Thank you,
Etienne

_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver

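An added example, not code from the thread or from the Linux-VServer project: on constructed host state it models what Herbert's three `ping -I` checks exercise, the host route a guest-originated packet takes and the first POSTROUTING NAT rule it hits, so you can see when the private guest IP would leave the box unrewritten. All interface names, addresses and both NAT rule sets are constructed assumptions.

```python
import ipaddress
import re
from fnmatch import fnmatch
# Constructed host state (assumed values, not from the thread)
ROUTES = """\
default dev ppp0 scope link
192.168.5.0/24 dev br0 proto kernel scope link src 192.168.5.1
"""
IFACE_ADDRS = {"ppp0": "10.20.30.40", "br0": "192.168.5.1"}
# a misconfiguration: MASQUERADE bound to eth1, so nothing matches ppp0
NAT_BROKEN = "-A POSTROUTING -o eth1 -j MASQUERADE\n"
# Herbert's SNAT rule inserted (-I) ahead of the MASQUERADE rule; iptables-save spells --to as --to-source
NAT_FIXED = """\
-A POSTROUTING -s 192.168.5.10/32 -j SNAT --to-source 10.20.30.40
-A POSTROUTING -o ppp+ -j MASQUERADE
"""

def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match over `ip route` lines; returns the output device."""
    best = None
    for line in routes.splitlines():
        f = line.split()
        if not f:
            continue
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, f[f.index("dev") + 1])
    return best[1] if best else None

def nat_source(src_ip, out_dev, rules, iface_addrs=IFACE_ADDRS):
    """Apply the first matching POSTROUTING SNAT/MASQUERADE rule (iptables-save syntax)."""
    for line in rules.splitlines():
        m = re.match(r"-A POSTROUTING(.*?) -j (SNAT|MASQUERADE)(?: --to-source (\S+))?$", line)
        if not m:
            continue
        opts, target, to = m.groups()
        s = re.search(r"-s (\S+)", opts)
        o = re.search(r"-o (\S+)", opts)
        if s and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(s.group(1), strict=False):
            continue
        if o and not fnmatch(out_dev, o.group(1).replace("+", "*")):  # iptables '+' wildcard
            continue
        return to if target == "SNAT" else iface_addrs[out_dev]  # MASQUERADE: interface's own address
    return src_ip  # no rule matched: the private guest address leaks onto the wire

def guest_egress(guest_ip, dst, routes=ROUTES, rules=NAT_BROKEN):
    """(output device, source address on the wire) for a guest-originated packet; assumes a default route."""
    dev = lookup_route(dst, routes)
    return dev, nat_source(guest_ip, dev, rules)
```

Herbert's SNAT rule as written carries no `-o` match, so `nat_source("192.168.5.10", "br0", NAT_FIXED)` also rewrites the guest's LAN traffic leaving br0; adding `-o ppp+` to that rule confines it to the PPP link.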
