hi, what about this (need to verify, going to this evening)
ifconfig dummy0 10.10.10.10 up

and then give two IPs to each guest, i.e.

(vserver/interfaces)
eth0 x.x.x.x - external IP
dummy0 10.10.10.11 - internal IP

guest's /etc/hosts
x.x.x.x guest01
10.10.10.11 localhost

unfortunately, most likely it is not a solution for Albert's problem.

is there anything that needs to be done to firewall? it seems to me the dummy iface is some kind of internal device similar to lo.

Would be good to hear maintainers' opinion about this approach.

thanks

--Shurik

On 6/7/06, GarconDuMonde <[EMAIL PROTECTED]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi,

Alexander Kabanov wrote:
> I have 5 guests on the server, each guest has own localhost IP, like
> 127.0.0.5, 127.0.0.6 etc. (guests /etc/hosts has record like
> "127.0.0.5 localhost") it seemed the only option available. can
> someone tell me is it good approach?

no. i experimented with this approach last year. after a while, i ran into difficulties (can't remember what exactly right now) and after digging came across the rfc about this [0]:

   127.0.0.0/8 - This block is assigned for use as the Internet host
   loopback address. A datagram sent by a higher level protocol to an
   address anywhere within this block should loop back inside the host.
   This is ordinarily implemented using only 127.0.0.1/32 for loopback,
   but no addresses within this block should ever appear on any network
   anywhere [RFC1700, page 5].

so then, i tried looking at some alternatives.

> is there anything else beside
> this?

i guess it depends on how you actually have your host, network and firewall set up. i'm only still learning the intricacies of firewalls, but my experience is that it's best to just learn the basics (i.e. iptables) rather than any "management" tool such as shorewall. then, there's stuff like NAT and SNAT and DNAT that i don't really understand yet, but you can use a 'private' network like 10.0.x.x if you like, or 192.168.x.x instead. this way, you can then bind to that address internally, but not from externally. of course, you can also ensure that you deny connections appropriately if your firewall is configured well.

> The reason why I want to have a local IP inside a guest - to be
> able to bind services to a local interface that are not accessible
> from outside, for example:
>
> one can access IMAP (over ssl) using guest real IP
> webmail app can access IMAP service bound to local IP
>
> thanks
>
> --Alex
>

[0] http://www.rfc-editor.org/rfc/rfc3330.txt

- --
love and solidarity,
--gdm
http://docs.indymedia.org/view/Main/GarconDuMonde

i have a NEW key:
gpg --keyserver pgp.mit.edu --recv-keys 594B97C2
Key fingerprint = 7B70 F22D F275 D111 3A04 F9EE 0E25 4944 594B 97C2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (Darwin)

iD8DBQFEh0U4DiVJRFlLl8IRAj4WAJ9GejzJzlWzRTnkfSBUsnZpNutNHQCfbINP
oWLIEEBLf/pUgsO/41myrYA=
=yHaI
-----END PGP SIGNATURE-----
_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver
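An added example, not part of the original thread: a Python check that reads a guest's listening TCP sockets in `/proc/net/tcp` layout and reports services meant to be internal-only that are not bound to a private address such as the 10.10.10.11 discussed above. The sample table, port 3306 and all function names are constructed for illustration.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp layout (little-endian host); not from the thread.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0B0A0A0A:008F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:03E1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0500007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0B0A0A0A:008F 0C0A0A0A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004
"""
LISTEN = "0A"  # TCP_LISTEN state code used in /proc/net/tcp

def decode(hex_addr):
    """'0B0A0A0A:008F' -> (IPv4Address('10.10.10.11'), 143)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ipaddress.IPv4Address(ip), int(port_hex, 16)

def classify(ip):
    if ip.is_unspecified:   # 0.0.0.0: every address of the guest, external one included
        return "wildcard"
    if ip.is_loopback:      # 127.0.0.0/8; RFC 3330 notes only 127.0.0.1 is ordinarily used
        return "loopback" if str(ip) == "127.0.0.1" else "loopback-block"
    if ip.is_private:       # 10.x.x.x, 192.168.x.x and other non-global ranges
        return "internal"
    return "external"

def listeners(proc_text):
    """Return (ip, port, kind) for every socket in LISTEN state."""
    found = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == LISTEN:
            ip, port = decode(fields[1])
            found.append((str(ip), port, classify(ip)))
    return found

def misbound(proc_text, internal_only_ports):
    """Listeners on internal-only ports that are not bound to a private address."""
    return [entry for entry in listeners(proc_text)
            if entry[1] in internal_only_ports and entry[2] != "internal"]

if __name__ == "__main__":
    for entry in listeners(SAMPLE):
        print(entry)
    print("misbound:", misbound(SAMPLE, {143, 3306}))
```
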
