[lxc-users] Re: networking issue
Michael H. Warfield
mhw at WittsEnd.com
Sun Jan 26 23:32:55 UTC 2014
On Mon, 2014-01-27 at 00:04 +0100, Tamas Papp wrote:
> It's all one single broadcast network 10/8.
> The hosts could be even 10.0.0.{1,2,3,4}.
That contradicts your original message...
On Sun, 2014-01-26 at 22:09 +0100, Tamas Papp wrote:
> Topology:
>
> ---- inet ---- 1.2.3.4 firewall (DNAT) 10.0.0.1/8 ---- 10.1.0.0/8 lxc1
> +
> 10.2.0.0/8 lxc2
Which is, in and of itself, contradictory, since 10.1.0.0/8 can't be a /8
and 10.2.0.0/8 can't be a /8. Perhaps you need to clarify your network
topology in more explicit detail.
> In other words the container cannot be accessed through PREROUTING if
> the source and target _physical_ machines are the same.
>
> tamas
>
>
> On 01/26/2014 11:41 PM, Alvaro Miranda Aguilera wrote:
>
> > From what I see, if you are using iptables prerouting, then you need
> > to use the IP that is on the same network for both machines.
> >
> >
> > if you want to go from one network to another, separate network, you need to
> > set routes; otherwise the packets will go out to 0.0.0.0
> >
> >
> > From what I understand of your network:
> >
> >
> > host 10.0.0.0
> > lxc1 10.1.0.0
> > lxc2 10.2.0.0
> >
> > with /8 are separate networks, so you need to define a router ip,
> > and that ip should be visible
You're running a flat /8 broadcast domain? I personally control a
legacy (public) /16 and would never consider running even that space
"flat" (it's heavily subnetted). The logistics for such a thing are crazy.
Regards,
Mike
> > so, say from lxc1, you want to reach IPs in 10.2.0.0, then lxc1
> > should have a leg on each network, and have a route rule.
> > Alvaro
> >
> >
> > On Mon, Jan 27, 2014 at 10:09 AM, Tamas Papp <tompos at martos.bme.hu>
> > wrote:
> > hi All,
> >
> > The problem may not be LXC only, but I don't know what the keyword is
> > to search for.
> >
> >
> > Topology:
> >
> > ---- inet ---- 1.2.3.4 firewall (DNAT) 10.0.0.1/8 ---- 10.1.0.0/8 lxc1
> > +
> > 10.2.0.0/8 lxc2
> >
> >
> > On firewall:
> >
> > $ iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport smtp -j DNAT --to 10.1.0.2:25
> >
> >
> > 10.1.0.1 and 10.1.0.2 are containers on lxc01.
> > 10.2.0.2 is a container on lxc02.
> >
> >
> > Test command:
> > $ telnet 10.1.0.2 25
> >
> >
> > It's failing from the 10.1.0.0/8 containers and lxc01.
> > It's OK on containers on lxc02 (eg. 10.2.0.2).
> >
> >
> > According to tcpdump, packets are reaching the iface 10.0.0.1 and
> > then they're gone.
> > Changing proxy_arp and rp_filter on the 10.0.0.1 iface doesn't
> > help.
> >
> >
> > Any idea?
> >
> > 10x
> > tamas
> >
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
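Added example, not code from this thread or from LXC: a small Python model of the DNAT path the thread is circling around, showing why a PREROUTING DNAT that works for a client on the Internet can fail for a client that sits on the inside network behind the same firewall, and what a POSTROUTING SNAT (hairpin, or loopback, NAT) rule changes. The firewall addresses (1.2.3.4 outside, 10.0.0.1 inside) and the SMTP container 10.1.0.2:25 follow the thread; the inside client 10.1.0.1, the outside client 203.0.113.5, the flat 10.0.0.0/8 LAN and the port numbers are constructed for the model. Whether this is what bites the original poster the thread does not settle; the model is the general case.

```python
"""Packet-flow model of a PREROUTING DNAT with and without hairpin SNAT.

Added example, not code from the lxc-users thread.  Addresses taken from
the thread: 1.2.3.4 (firewall, outside), 10.0.0.1 (firewall, inside),
10.1.0.2:25 (SMTP container).  Constructed for the model: the inside
client 10.1.0.1, the outside client 203.0.113.5, a flat 10.0.0.0/8 LAN.

Equivalent iptables rules on the firewall (the second one is the hairpin):
  iptables -t nat -A PREROUTING  -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to 10.1.0.2:25
  iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 10.1.0.2 -p tcp --dport 25 -j SNAT --to 10.0.0.1
"""
from dataclasses import dataclass, replace
import ipaddress

LAN = ipaddress.ip_network("10.0.0.0/8")
FW_WAN, FW_LAN = "1.2.3.4", "10.0.0.1"
SERVER, PORT = "10.1.0.2", 25


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def on_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


class Firewall:
    """The nat table: PREROUTING DNAT, optional POSTROUTING SNAT, a conntrack map."""

    def __init__(self, hairpin: bool):
        self.hairpin = hairpin
        # key: 4-tuple as the server sees it -> (client ip, client port, address the client used)
        self.conntrack = {}

    def forward(self, p: Packet) -> Packet:
        orig = (p.src, p.sport, p.dst)
        # PREROUTING: -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to 10.1.0.2:25
        if p.dst == FW_WAN and p.dport == PORT:
            p = replace(p, dst=SERVER)
        # POSTROUTING: -s 10/8 -d 10.1.0.2 -p tcp --dport 25 -j SNAT --to 10.0.0.1
        if self.hairpin and on_lan(p.src) and p.dst == SERVER and p.dport == PORT:
            p = replace(p, src=FW_LAN)
        self.conntrack[(p.src, p.sport, p.dst, p.dport)] = orig
        return p

    def reply(self, p: Packet) -> Packet:
        """Reverse both translations for a reply that reached the firewall."""
        client_ip, client_port, client_dst = self.conntrack[(p.dst, p.dport, p.src, p.sport)]
        return replace(p, src=client_dst, dst=client_ip, dport=client_port)


def simulate(hairpin: bool, client: str = "10.1.0.1") -> dict:
    """One TCP SYN from `client` to 1.2.3.4:25; report what reply the client sees."""
    fw = Firewall(hairpin)
    req = Packet(src=client, dst=FW_WAN, sport=40000, dport=PORT)
    # 1.2.3.4 is not on the LAN, so even an inside client sends the SYN to its
    # default gateway, and the DNAT fires.
    at_server = fw.forward(req)
    # The server answers whatever source address it saw.
    reply = Packet(src=at_server.dst, dst=at_server.src, sport=at_server.dport, dport=at_server.sport)
    if reply.dst == FW_LAN or not on_lan(reply.dst):
        # Addressed to the firewall, or off-LAN: the firewall sees it and un-NATs it.
        seen = fw.reply(reply)
    else:
        # Addressed to another LAN host: delivered directly, the firewall never sees it.
        seen = reply
    # The client only accepts a SYN-ACK from the address and port it connected to;
    # anything else matches no socket and is answered with a RST.
    accepted = (seen.src == FW_WAN and seen.dst == client
                and seen.dport == req.sport and seen.sport == PORT)
    return {"accepted": accepted, "reply_src": seen.src, "via_firewall": seen is not reply}


if __name__ == "__main__":
    for hp in (False, True):
        for c in ("10.1.0.1", "203.0.113.5"):
            print(f"hairpin={hp!s:5} client={c:12} -> {simulate(hp, c)}")
```

Without the SNAT, 10.1.0.2's SYN-ACK is delivered on the LAN straight to 10.1.0.1 with source 10.1.0.2; the client connected to 1.2.3.4, so the packet matches no socket and is answered with a RST, and the firewall's conntrack never sees the reply. The outside client works either way, which is the asymmetry the thread describes. With the SNAT the server addresses its reply to 10.0.0.1, so the firewall reverses both translations. The price, which matters for a mail server: 10.1.0.2 then sees every inside client as 10.0.0.1, so its logs and any source-based access rules lose the real client address, which is why the rule is scoped to -s 10/8 -d 10.1.0.2 --dport 25 and nothing wider. Note also that iptables rejects --dport without a protocol match, so the rule needs -p tcp.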