[lxc-users] {Disarmed} Re: networking issue

Michael H. Warfield mhw at WittsEnd.com
Sun Jan 26 23:32:55 UTC 2014


On Mon, 2014-01-27 at 00:04 +0100, Tamas Papp wrote:
> It's all one single broadcast network 10/8.
> The hosts could be even 10.0.0.{1,2,3,4}.

That contradicts your original message...

On Sun, 2014-01-26 at 22:09 +0100, Tamas Papp wrote:
> Topology:
> 
> ---- inet ---- 1.2.3.4 firewall (DNAT) 10.0.0.1/8 ---- 10.1.0.0/8 lxc1
> +
> 10.2.0.0/8 lxc2

Which is, in and of itself, contradictory, since 10.1.0.0/8 can't be a /8
and 10.2.0.0/8 can't be a /8.  Perhaps you need to clarify your network
topology in more explicit details.

> In other words the container cannot be access through PREROUTING if
> the source and target _physical_ machines are the same.
> 
> tamas
> 
> 
> On 01/26/2014 11:41 PM, Alvaro Miranda Aguilera wrote:
> 
> > for what I see, if you are using iptables prerouting, then you need
> > to use the IP that is on the same network for both machines. 
> > 
> > 
> > if you want to go from one network to other separate, you need to
> > set routes, otherwise, the packages will go out to 0.0.0.0 
> > 
> > 
> > From what I understand in your network: 
> > 
> > 
> > host 10.0.0.0 
> > lxc1 10.1.0.0 
> > lxc2 10.2.0.0 
> > 

> > with /8 are separate networks, so you need to define a router ip,
> > and that ip should be visible 

You're running a flat /8 broadcast domain?  I personally control a
legacy (public) /16 and would never consider running even that space
"flat" (it's heavily subnetted).  The logistics for such is crazy.

Regards,
Mike 
> > so, say from lxc1, you want to reach IPs in 10.2.0.0, then lxc1
> > should have a leg on each network, and have a route rule. 
> > Alvaro 
> > 
> > 
> > On Mon, Jan 27, 2014 at 10:09 AM, Tamas Papp <tompos at martos.bme.hu>
> > wrote:
> >         hi All,
> >         
> >         The problem may not be LXC only but I don't know what the
> >         keyword is to search for.
> >         
> >         
> >         Topology:
> >         
> >         ---- inet ---- 1.2.3.4 firewall (DNAT) 10.0.0.1/8 ---- 10.1.0.0/8 lxc1 +
> >         10.2.0.0/8 lxc2
> >         
> >         
> >         On firewall:
> >         
> >         $ iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport smtp -j DNAT --to 10.1.0.2:25
> >         
> >         
> >         10.1.0.1 and 10.1.0.2 are containers on lxc01.
> >         10.2.0.2 is a container on lxc02.
> >         
> >         
> >         Test command:
> >         $ telnet 10.1.0.2 25
> >         
> >         
> >         It's failing from the 10.1.0.0/8 containers and lxc01.
> >         It's OK on containers on lxc02 (eg. 10.2.0.2).
> >         
> >         
> >         According to tcpdump, packets are reaching the iface 10.0.0.1 and
> >         then they're gone.
> >         Changing proxy_arp and rp_filter on 10.0.0.1 iface doesn't
> >         help.
> >         
> >         
> >         Any idea?
> >         
> >         10x
> >         tamas
> >         
> >         _______________________________________________
> >         lxc-users mailing list
> >         lxc-users at lists.linuxcontainers.org
> >         http://lists.linuxcontainers.org/listinfo/lxc-users 
> > 
> > 
> > 
> > 

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
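Mike's point above, that 10.0.0.1/8, 10.1.0.0/8 and 10.2.0.0/8 cannot be three separate networks, can be checked mechanically. The script below is an added example written for this page, not something posted in the thread: it takes the addresses from Tamas's topology as written (the /8 reading) and, as an assumption, the same addresses with a /16 mask (one possible subnetted layout the thread never actually states), normalises them with Python's `ipaddress` module and reports, for the test command `telnet 10.1.0.2 25`, whether each source container is a direct neighbour of the DNAT target or has to go through a router, which is Alvaro's routing point.

```python
import ipaddress

# Constructed from the addresses in the thread. The "/8" reading is what the
# original message literally says; the "/16" reading is an assumption added
# here to show what separate per-host networks would look like.
FLAT_READING = ["10.0.0.1/8", "10.1.0.0/8", "10.2.0.0/8"]
SUBNETTED_READING = ["10.0.0.1/16", "10.1.0.0/16", "10.2.0.0/16"]

# Hosts named in the original message: the firewall's inside leg, the DNAT
# target container on lxc01, and the two places the telnet test was run from.
FIREWALL_LEG = "10.0.0.1"
DNAT_TARGET = "10.1.0.2"
TEST_SOURCES = {"lxc01 container": "10.1.0.1", "lxc02 container": "10.2.0.2"}


def distinct_networks(prefixes):
    """Normalise each address/prefix to its network and return the distinct set.

    strict=False lets ipaddress accept host bits inside the prefix (10.1.0.0/8
    has bits set below the /8 boundary) and compute the real network, which is
    what a kernel routing table would use.
    """
    return sorted({str(ipaddress.ip_network(p, strict=False)) for p in prefixes})


def on_same_subnet(a, b, prefixlen):
    """True when hosts a and b share a subnet at prefixlen, i.e. are L2 neighbours."""
    net_a = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefixlen}", strict=False)
    return net_a == net_b


def reachability(prefixlen):
    """For each test source, say whether the DNAT target is reached directly
    (same subnet) or must be routed, under the given prefix length."""
    return {
        name: "direct" if on_same_subnet(src, DNAT_TARGET, prefixlen) else "via router"
        for name, src in TEST_SOURCES.items()
    }


if __name__ == "__main__":
    readings = (("as written (/8)", FLAT_READING), ("assumed (/16)", SUBNETTED_READING))
    for label, prefixes in readings:
        nets = distinct_networks(prefixes)
        print(f"{label}: {len(nets)} distinct network(s): {', '.join(nets)}")
        prefixlen = int(prefixes[0].split("/")[1])
        for name, how in reachability(prefixlen).items():
            print(f"  {name} -> {DNAT_TARGET}: {how}")
```

Under the /8 reading everything collapses to the single network 10.0.0.0/8, the flat broadcast domain Mike describes, and both test sources are direct neighbours of 10.1.0.2, so routing cannot explain why one works and the other does not. Under the assumed /16 reading the three prefixes are genuinely distinct and the lxc02 container needs a router, which is the case Alvaro's advice addresses.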
