Hi, I'm still here with my vserver problems :( I've got access to the internet working from the guest and the host. So I'd routed the dynamic IP to the vserver-host in the dmz zone like this:

DNAT $FW dmz:192.168.20.1 tcp 80 - $ETH0_IP

and it works perfectly, but I want to get my webpage in the vserver-guest now. 192.168.30.1 = the guest and 192.168.20.1 = the host of the vserver.

Shorewall is the firewall in the vserver-host (192.168.20.1).

How can I DNAT or forward or whatever all that's coming from $ETH_IP to the vserver-guest?

Changing dmz:192.168.20.1 to dmz:192.168.30.1 does not work, and strangely enough the vserver continues receiving the requests in this case.

I know Martin said to consider the vserver-host as the external IP to do it, but I can't figure out how.

Thanks
mess-mate

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
mess-mate wrote:
> So I'd routed the dynamic IP to the vserver-host in the dmz zone like this:
>
> DNAT $FW dmz:192.168.20.1 tcp 80 - $ETH0_IP
>
> and it works perfectly, but I want to get my webpage in the vserver-guest now.
> 192.168.30.1 = the guest and 192.168.20.1 = the host of the vserver.
>
> Shorewall is the firewall in the vserver-host (192.168.20.1).
>
> How can I DNAT or forward or whatever all that's coming from $ETH_IP to the vserver-guest?
>
> Changing dmz:192.168.20.1 to dmz:192.168.30.1 does not work, and strangely enough the vserver continues receiving the requests in this case.
>
> I know Martin said to consider the vserver-host as the external IP to do it, but I can't figure out how.

Hi!

I am by NO means an expert on vserver (since I haven't even used it), but if I understand your setup from a networking perspective it looks _something_ like this now:

(ASCII is best read using a constant-width font.)

        |
+-----------------+
|  86.192.36.220  |
|    firewall     |
|192.168.20.254/24|
+-----------------+
        |
+-----------------+
| 192.168.20.1/24 |
|  vserver-host   |
+-----------------+
        |
+-----------------+
| 192.168.30.1/24 |
|  vserver-guest  |
+-----------------+

... which means that you have to use DNAT in both the "firewall" machine as well as in the "vserver-host" machine. That is unnecessary, brings more work and ... it is just bad.

I suggest you give the "vserver-guest" machine the IP "192.168.20.2/24" instead by doing this:

# cd /etc/vservers/$VSERVER/interfaces/0
echo eth0 > dev
echo 192.168.20.2 > ip
echo 2 > name
echo 24 > prefix

... as per <http://linux-vserver.org/Networking_vserver_guests>. Please observe that almost all of the rest of that article should be ignored though, if I am not mistaken, since it talks about DNAT:ting.

If you have more questions about vserver networking, I am sure that you would get better help on a mailing list or forum about vserver where the vserver experts hang out, than you get on this list. Remember, this is a list about the Shoreline Firewall (a.k.a. shorewall), not about general Linux or vserver networking issues.

(And I would like to repeat that I haven't used vserver myself. The above information was gathered by some googling and browsing the vserver website <http://linux-vserver.org/>.)

Good luck!
/Martin
Martin Leben wrote:
> If you have more questions about vserver networking, I am sure that you would get better help on a mailing list or forum about vserver where the vserver experts hang out, than you get on this list. Remember, this is a list about the Shoreline Firewall (a.k.a. shorewall), not about general Linux or vserver networking issues.

I agree. OS virtualization solutions like Vserver and OpenVZ don't work like machine virtualization solutions like Xen and KVM. I use the latter, not the former.

The way I _thought_ Vserver works, you could do what you want by changing the rule on your router to:

DNAT $FW dmz:192.168.30.1 tcp 80 - $ETH0_IP

That doesn't work?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Martin Leben wrote:
>> If you have more questions about vserver networking, I am sure that you would get better help on a mailing list or forum about vserver where the vserver experts hang out, than you get on this list. Remember, this is a list about the Shoreline Firewall (a.k.a. shorewall), not about general Linux or vserver networking issues.
>
> I agree. OS virtualization solutions like Vserver and OpenVZ don't work like machine virtualization solutions like Xen and KVM. I use the latter, not the former.
>
> The way I _thought_ Vserver works, you could do what you want by changing the rule on your router to:
>
> DNAT $FW dmz:192.168.30.1 tcp 80 - $ETH0_IP
>
> That doesn't work?
>
> -Tom

No, I tried it.
mess-mate
mess-mate wrote:
> Tom Eastep wrote:
>> Martin Leben wrote:
>>> If you have more questions about vserver networking, I am sure that you would get better help on a mailing list or forum about vserver where the vserver experts hang out, than you get on this list. Remember, this is a list about the Shoreline Firewall (a.k.a. shorewall), not about general Linux or vserver networking issues.
>> I agree. OS virtualization solutions like Vserver and OpenVZ don't work like machine virtualization solutions like Xen and KVM. I use the latter, not the former.
>>
>> The way I _thought_ Vserver works, you could do what you want by changing the rule on your router to:
>>
>> DNAT $FW dmz:192.168.30.1 tcp 80 - $ETH0_IP
>>
>> That doesn't work?
>>
>> -Tom
> No, I tried it.
> mess-mate

From your other post:

192.168.20.0/24 dev eth1 proto kernel scope link src 192.168.20.1
192.168.30.0/24 dev eth1 proto kernel scope link src 192.168.30.1
default via 192.168.20.254 dev eth1

If this is the routing of the troubled guest system (is it?), then the default gateway is wrong ... You're DNATing to 30.1 but that address doesn't have a route back to the internet. Change the default to 30.??, but your "router" doesn't have an IP address on 192.168.30.xx, just a route.

The rule that you first asked about:

iptables -t nat -A POSTROUTING -s GUEST_IP -j SNAT --to-source HOST_IP

I believe that should be on the vserver host ... to hide the fact that the routing is really broken. In your case:

iptables -t nat -A POSTROUTING -s 192.168.30.1 -j SNAT --to-source 192.168.20.1

in shorewall:

eth1 192.168.30.1 192.168.20.1 tcp 80

You asked why, when changing the DNAT rule on the router, the v-host still received the traffic: did you remember to bind the web servers to different IP addresses?

Thanks, I now have a headache from reading and shaking it ...

Jerry
mess-mate wrote:
> No, I tried it.

And given that you are unwilling to give us the details, we will be unable to help you further. You _have_ to do that on the router. So the problem is on your Vserver. You seem determined to run Shorewall on the host (for some unknown reason). I assume that you tested with Shorewall cleared?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Martin Leben wrote:
> mess-mate wrote:
>> So I'd routed the dynamic IP to the vserver-host in the dmz zone like this:
>>
>> DNAT $FW dmz:192.168.20.1 tcp 80 - $ETH0_IP
>>
>> and it works perfectly, but I want to get my webpage in the vserver-guest now.
>> 192.168.30.1 = the guest and 192.168.20.1 = the host of the vserver.
>>
>> Shorewall is the firewall in the vserver-host (192.168.20.1).
>>
>> How can I DNAT or forward or whatever all that's coming from $ETH_IP to the vserver-guest?
>>
>> Changing dmz:192.168.20.1 to dmz:192.168.30.1 does not work, and strangely enough the vserver continues receiving the requests in this case.
>>
>> I know Martin said to consider the vserver-host as the external IP to do it, but I can't figure out how.
>
> Hi!
>
> I am by NO means an expert on vserver (since I haven't even used it), but if I understand your setup from a networking perspective it looks _something_ like this now:
>
> (ASCII is best read using a constant-width font.)
>
>         |
> +-----------------+
> |  86.192.36.220  |
> |    firewall     |
> |192.168.20.254/24|
> +-----------------+
>         |
> +-----------------+
> | 192.168.20.1/24 |
> |  vserver-host   |
> +-----------------+
>         |
> +-----------------+
> | 192.168.30.1/24 |
> |  vserver-guest  |
> +-----------------+
>
> ... which means that you have to use DNAT in both the "firewall" machine as well as in the "vserver-host" machine. That is unnecessary, brings more work and ... it is just bad.
>
> I suggest you give the "vserver-guest" machine the IP "192.168.20.2/24" instead by doing this:
> # cd /etc/vservers/$VSERVER/interfaces/0
> echo eth0 > dev
> echo 192.168.20.2 > ip
> echo 2 > name
> echo 24 > prefix
>
> ... as per <http://linux-vserver.org/Networking_vserver_guests>. Please observe that almost all of the rest of that article should be ignored though, if I am not mistaken, since it talks about DNAT:ting.
>
> If you have more questions about vserver networking, I am sure that you would get better help on a mailing list or forum about vserver where the vserver experts hang out, than you get on this list. Remember, this is a list about the Shoreline Firewall (a.k.a. shorewall), not about general Linux or vserver networking issues.
>
> (And I would like to repeat that I haven't used vserver myself. The above information was gathered by some googling and browsing the vserver website <http://linux-vserver.org/>.)
>
> Good luck!
> /Martin

Thanks Martin, I changed everything to option A (above) as a last try. And it doesn't work. I think the router/firewall does not DNAT to the guest.

DNAT $FW dmz:192.168.20.10 tcp 80 - $ETH0_IP

and

ACCEPT net dmz:192.168.20.10 tcp http

or do I have to set the:

  Host as router

  Configure the host to act as a router. For internal packets going outside, pretend each packet came from our external IP (put it in one line without backslash):

  # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \
      -d ! 192.168.1.0/24 -j SNAT --to-source $EXTIP

  For each service that runs on a vserver, map it to an external port. For the vserver local address $VHOST and port $INTPORT you select one external port $EXTPORT and run the following (put it in one line without backslash):

  # iptables -t nat -A PREROUTING -s ! 192.168.1.0/24 \
      -m tcp -p tcp --dport $EXTPORT -j DNAT --to-destination $VHOST:$INTPORT

In this case do I have to set up shorewall on the vserver-host as above? And how can I do that with shorewall, DNAT a second time?

mess-mate
Martin Leben wrote:
> mess-mate wrote:
>> So I'd routed the dynamic IP to the vserver-host in the dmz zone like this:
>>
>> DNAT $FW dmz:192.168.20.1 tcp 80 - $ETH0_IP
>>
>> and it works perfectly, but I want to get my webpage in the vserver-guest now.
>> 192.168.30.1 = the guest and 192.168.20.1 = the host of the vserver.
>>
>> Shorewall is the firewall in the vserver-host (192.168.20.1).
>>
>> How can I DNAT or forward or whatever all that's coming from $ETH_IP to the vserver-guest?
>>
>> Changing dmz:192.168.20.1 to dmz:192.168.30.1 does not work, and strangely enough the vserver continues receiving the requests in this case.
>>
>> I know Martin said to consider the vserver-host as the external IP to do it, but I can't figure out how.
>
> Hi!
>
> I am by NO means an expert on vserver (since I haven't even used it), but if I understand your setup from a networking perspective it looks _something_ like this now:
>
> (ASCII is best read using a constant-width font.)
>
>         |
> +-----------------+
> |  86.192.36.220  |
> |    firewall     |
> |192.168.20.254/24|
> +-----------------+
>         |
> +-----------------+
> | 192.168.20.1/24 |
> |  vserver-host   |
> +-----------------+
>         |
> +-----------------+
> | 192.168.30.1/24 |
> |  vserver-guest  |
> +-----------------+
>
> ... which means that you have to use DNAT in both the "firewall" machine as well as in the "vserver-host" machine. That is unnecessary, brings more work and ... it is just bad.
>
> I suggest you give the "vserver-guest" machine the IP "192.168.20.2/24" instead by doing this:
> # cd /etc/vservers/$VSERVER/interfaces/0
> echo eth0 > dev
> echo 192.168.20.2 > ip
> echo 2 > name
> echo 24 > prefix
>
> ... as per <http://linux-vserver.org/Networking_vserver_guests>. Please observe that almost all of the rest of that article should be ignored though, if I am not mistaken, since it talks about DNAT:ting.

In addition to my previous post: the vserver people said _'there is no DNAT:thing'_. So the only thing I can think of is that the vserver-host has to DNAT, does it? That's twice, once from the router/firewall and now again. And this with an $ETH0_IP!

mess-mate
mess-mate wrote:
> In addition to my previous post: the vserver people said _'there is no DNAT:thing'_. So the only thing I can think of is that the vserver-host has to DNAT, does it?

The vserver people have told you not to DNAT so you think you should DNAT?

> That's twice, once from the router/firewall and now again. And this with an $ETH0_IP!

Why don't you determine why it isn't working rather than guessing?

a) Apparently, you can't connect from the net to your HTTP server running in the vserver guest, is that correct?

b) If so, is your HTTP server running in the guest listening on the correct IP address (192.168.30.1)? (hint: netstat -tnap)

c) If you run Wireshark or tcpdump on the guest looking for TCP port 80 traffic, what do you see? How about on the host?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
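Tom's check (b) above and Jerry's earlier question about which address each web server is bound to can be answered mechanically rather than by eye. The helper below is an added example written for this thread; it is not code from the list, from Shorewall or from the vserver project. It parses two pieces of text that are constructed here to mirror the thread's setup: a netstat -tnap listing in which the host's apache is bound to the wildcard address, and the ip route table mess-mate posted. The reason this matters for a Linux-VServer host is that a guest's address is configured as an extra address on the host's own interface, so a daemon on the host that listens on 0.0.0.0:80 also accepts connections sent to the guest's address (unless the host has been confined to its own addresses), which is consistent with the host still answering after the router's DNAT target was changed. The second helper tells you whether a DNAT target address lies inside one of the box's directly connected subnets, the condition under which the host can deliver it locally without any further routing or NAT.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not from the thread or Shorewall).
# IPv4 only. All input below is constructed sample text.

# Constructed "netstat -tnap" output: apache on the host bound to 0.0.0.0:80,
# sshd bound to the host's own address only.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 192.168.20.1:22         0.0.0.0:*               LISTEN      987/sshd'

# Constructed "ip route" output, same shape as the table quoted on the list.
ROUTE_SAMPLE='192.168.20.0/24 dev eth1 proto kernel scope link src 192.168.20.1
192.168.30.0/24 dev eth1 proto kernel scope link src 192.168.30.1
default via 192.168.20.254 dev eth1'

# ip4_to_int A.B.C.D -> prints the address as an unsigned 32-bit integer
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/PREFIX -> exit 0 when IP lies inside NET/PREFIX
in_cidr() {
    ipn=$(ip4_to_int "$1")
    netn=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# listener_addrs NETSTAT_TEXT PORT -> prints the local address of every
# TCP socket in LISTEN state on PORT (one per line)
listener_addrs() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) print a[1]
        }'
}

# listener_covers NETSTAT_TEXT IP PORT -> exit 0 when some LISTEN socket on
# PORT answers for IP: bound to exactly IP, or to the wildcard 0.0.0.0
listener_covers() {
    listener_addrs "$1" "$3" | grep -qxF -e "$2" -e 0.0.0.0
}

# connected_route ROUTE_TEXT IP -> prints the first "scope link" (directly
# connected) route whose subnet contains IP; prints nothing if there is none
connected_route() {
    printf '%s\n' "$1" | while read -r line; do
        case "$line" in
            */*' scope link '*)
                if in_cidr "$2" "${line%% *}"; then
                    printf '%s\n' "$line"
                    break
                fi
                ;;
        esac
    done
}

# Demo run against the constructed samples.
echo "port 80 listeners: $(listener_addrs "$NETSTAT_SAMPLE" 80 | tr '\n' ' ')"
if listener_covers "$NETSTAT_SAMPLE" 192.168.30.1 80; then
    echo "a host listener on port 80 also answers for 192.168.30.1"
fi
echo "connected route covering 192.168.30.1: $(connected_route "$ROUTE_SAMPLE" 192.168.30.1)"
```

On a real box you would feed the live output in, for example `listener_covers "$(netstat -tnap 2>/dev/null)" 192.168.30.1 80` on the host and again inside the guest, and `connected_route "$(ip route)" 192.168.30.1` on the host. If the host reports a wildcard listener on port 80, bind the host's web server to 192.168.20.1 explicitly before drawing any conclusion about the DNAT rule.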
mess-mate wrote:
> In addition to my previous post: the vserver people said _'there is no DNAT:thing'_. So the only thing I can think of is that the vserver-host has to DNAT, does it? That's twice, once from the router/firewall and now again. And this with an $ETH0_IP!

Hi,

Please re-read what I have written in earlier mails. If I understand vserver networking correctly (by just googling for fifteen minutes), you have three choices:

1) Use DNAT on the vserver host.
2) Use routing on the vserver host.
3) Don't do anything on the vserver host.

... and I have been trying to say that you shouldn't do anything at all on the vserver host. Definitely not DNAT, because you have already DNAT:ted on the firewall host.

If I were you I'd want to use IP addresses in the same subnet as the vserver host. If the vserver people can't help you achieve that, then I just have to wish you good luck. So far nobody on this list has stepped forward and claimed to be a vserver expert.

So, please go back to the vserver forum and try to communicate your situation. Something like this:

  I have an internet-connected host that is using NAT. In the DMZ I have a vserver host which has a guest. Is it possible to configure the vserver host and client in a way that the following three network interfaces have IP addresses in the same subnet:
  1) firewall DMZ interface
  2) vserver host
  3) vserver guest
  I don't want to DNAT again, because the firewall host already does that. And I don't want to use routing, because that also complicates things.

Best regards,
/Martin
I had sent this early this morning, but it never made it to the list. It's not the first time my ISP has eaten my email. I wonder how many of my resumes didn't get delivered; might explain a couple of things ...

As a PS to the mail below:

1) Or go with what Martin suggested, use an IP address on 20.xx
2) Post a shorewall dump of the vserver box; the router seems to be fine.

Jerry Vonau wrote:
> mess-mate wrote:
>> Tom Eastep wrote:
>>> Martin Leben wrote:
>>>> If you have more questions about vserver networking, I am sure that you would get better help on a mailing list or forum about vserver where the vserver experts hang out, than you get on this list. Remember, this is a list about the Shoreline Firewall (a.k.a. shorewall), not about general Linux or vserver networking issues.
>>> I agree. OS virtualization solutions like Vserver and OpenVZ don't work like machine virtualization solutions like Xen and KVM. I use the latter, not the former.
>>>
>>> The way I _thought_ Vserver works, you could do what you want by changing the rule on your router to:
>>>
>>> DNAT $FW dmz:192.168.30.1 tcp 80 - $ETH0_IP
>>>
>>> That doesn't work?
>>>
>>> -Tom
>> No, I tried it.
>> mess-mate
>
> From your other post:
>
> 192.168.20.0/24 dev eth1 proto kernel scope link src 192.168.20.1
> 192.168.30.0/24 dev eth1 proto kernel scope link src 192.168.30.1
> default via 192.168.20.254 dev eth1
>
> If this is the routing of the troubled guest system (is it?), then the default gateway is wrong ... You're DNATing to 30.1 but that address doesn't have a route back to the internet. Change the default to 30.??, but your "router" doesn't have an IP address on 192.168.30.xx, just a route.
>
> The rule that you first asked about:
> iptables -t nat -A POSTROUTING -s GUEST_IP -j SNAT --to-source HOST_IP
>
> I believe that should be on the vserver host ... to hide the fact that the routing is really broken. In your case:
> iptables -t nat -A POSTROUTING -s 192.168.30.1 -j SNAT --to-source 192.168.20.1
> in shorewall:
> eth1 192.168.30.1 192.168.20.1 tcp 80
>
> You asked why, when changing the DNAT rule on the router, the v-host still received the traffic: did you remember to bind the web servers to different IP addresses?
>
> Jerry
Martin Leben wrote:
> mess-mate wrote:
>> In addition to my previous post: the vserver people said _'there is no DNAT:thing'_. So the only thing I can think of is that the vserver-host has to DNAT, does it? That's twice, once from the router/firewall and now again. And this with an $ETH0_IP!
>
> Hi,
>
> Please re-read what I have written in earlier mails. If I understand vserver networking correctly (by just googling for fifteen minutes), you have three choices:
> 1) Use DNAT on the vserver host.
> 2) Use routing on the vserver host.
> 3) Don't do anything on the vserver host.
>
> ... and I have been trying to say that you shouldn't do anything at all on the vserver host. Definitely not DNAT, because you have already DNAT:ted on the firewall host.
>
> If I were you I'd want to use IP addresses in the same subnet as the vserver host. If the vserver people can't help you achieve that, then I just have to wish you good luck. So far nobody on this list has stepped forward and claimed to be a vserver expert.
>
> So, please go back to the vserver forum and try to communicate your situation. Something like this:
>
>   I have an internet-connected host that is using NAT. In the DMZ I have a vserver host which has a guest. Is it possible to configure the vserver host and client in a way that the following three network interfaces have IP addresses in the same subnet:
>   1) firewall DMZ interface
>   2) vserver host
>   3) vserver guest
>   I don't want to DNAT again, because the firewall host already does that. And I don't want to use routing, because that also complicates things.
>
> Best regards,
> /Martin

Hi again,

In order to avoid being perceived as "just a big talker", I have now installed a new Debian Lenny machine named "vserver" on a fresh computer, mostly following the guide on <http://linux-vserver.org/Installation_on_Debian>. I gave it the IP address "10.0.0.99/24".

On "vserver" I installed the following packages:

vserver:~# aptitude install linux-image-2.6.22-3-vserver-686 util-vserver

Then I created a vserver guest named "vguest":

vserver:~# vserver vguest build -m debootstrap \
    --hostname vguest.example.org \
    --interface eth0:10.0.0.90/24 -- \
    -d lenny \
    -m http://ftp.sunet.se/pub/Linux/distributions/debian/

The guest network config looks like this:

vserver:~# cat /etc/vservers/vguest/interfaces/0/dev
eth0
vserver:~# cat /etc/vservers/vguest/interfaces/0/ip
10.0.0.90
vserver:~# cat /etc/vservers/vguest/interfaces/0/prefix
24

And then I started the guest machine "vguest", connected to the console, set the root password, installed and configured locales, openssh-server and a webserver:

vserver:~# vserver vguest start
...
vguest:~# passwd
...
vguest:~# aptitude install locales
...
vguest:~# aptitude install openssh-server apache2
...

Everything worked like a charm. No NAT, no routing. Very simple.

Best regards,
/Martin
Martin Leben wrote:
> Martin Leben wrote:
>> mess-mate wrote:
>>> In addition to my previous post: the vserver people said _'there is no DNAT:thing'_. So the only thing I can think of is that the vserver-host has to DNAT, does it? That's twice, once from the router/firewall and now again. And this with an $ETH0_IP!
>>
>> Hi,
>>
>> Please re-read what I have written in earlier mails. If I understand vserver networking correctly (by just googling for fifteen minutes), you have three choices:
>> 1) Use DNAT on the vserver host.
>> 2) Use routing on the vserver host.
>> 3) Don't do anything on the vserver host.
>>
>> ... and I have been trying to say that you shouldn't do anything at all on the vserver host. Definitely not DNAT, because you have already DNAT:ted on the firewall host.
>>
>> If I were you I'd want to use IP addresses in the same subnet as the vserver host. If the vserver people can't help you achieve that, then I just have to wish you good luck. So far nobody on this list has stepped forward and claimed to be a vserver expert.
>>
>> So, please go back to the vserver forum and try to communicate your situation. Something like this:
>>
>>   I have an internet-connected host that is using NAT. In the DMZ I have a vserver host which has a guest. Is it possible to configure the vserver host and client in a way that the following three network interfaces have IP addresses in the same subnet:
>>   1) firewall DMZ interface
>>   2) vserver host
>>   3) vserver guest
>>   I don't want to DNAT again, because the firewall host already does that. And I don't want to use routing, because that also complicates things.
>>
>> Best regards,
>> /Martin
>
> Hi again,
>
> In order to avoid being perceived as "just a big talker", I have now installed a new Debian Lenny machine named "vserver" on a fresh computer, mostly following the guide on <http://linux-vserver.org/Installation_on_Debian>. I gave it the IP address "10.0.0.99/24".
>
> On "vserver" I installed the following packages:
>
> vserver:~# aptitude install linux-image-2.6.22-3-vserver-686 util-vserver
>
> Then I created a vserver guest named "vguest":
>
> vserver:~# vserver vguest build -m debootstrap \
>     --hostname vguest.example.org \
>     --interface eth0:10.0.0.90/24 -- \
>     -d lenny \
>     -m http://ftp.sunet.se/pub/Linux/distributions/debian/
>
> The guest network config looks like this:
> vserver:~# cat /etc/vservers/vguest/interfaces/0/dev
> eth0
> vserver:~# cat /etc/vservers/vguest/interfaces/0/ip
> 10.0.0.90
> vserver:~# cat /etc/vservers/vguest/interfaces/0/prefix
> 24
>
> And then I started the guest machine "vguest", connected to the console, set the root password, installed and configured locales, openssh-server and a webserver:
>
> vserver:~# vserver vguest start
> ...
> vguest:~# passwd
> ...
> vguest:~# aptitude install locales
> ...
> vguest:~# aptitude install openssh-server apache2
> ...
>
> Everything worked like a charm. No NAT, no routing. Very simple.
>
> Best regards,
> /Martin

Thanks Martin, I didn't consider you 'a big talker' :) but a helpful person.

For some reason I don't know, my ISP considered some shorewall messages as spam? (Maybe because I receive the messages twice?) So I didn't receive them, and have corrected that problem now.

Back to the point:

I also had no problem with the installation of a vserver. The problem resides in the fact that the guest does not receive the requests from the router/firewall. The vserver-host receives them with a DNAT rule to it in the router/firewall. But when changing the DNAT rule to send the requests to the vserver-guest, the guest doesn't receive them. So either the router/firewall needs a complementary rule, or the vserver-host needs something I don't know.

A tcpdump on the vserver-host shows nothing when the DNATing from the router/firewall is set to the guest, but it works when DNATing to the host.

At first it seemed very simple to me: change the DNAT to the guest and it's done. So it isn't. That DNATing is there for my dynamic IP redirection to the domain when requested.

Communication between the guest and the internet works, because that has nothing to do with the guest webserver.

I'll look further and let you know if I find the solution.

Best Regards,
mess-mate
mess-mate wrote:
> Thanks Martin, I didn't consider you 'a big talker' :) but a helpful person.

:-) You're welcome. Actually I did it more to make sure that what I said was true than anything else.

> For some reason I don't know, my ISP considered some shorewall messages as spam? (Maybe because I receive the messages twice?) So I didn't receive them, and have corrected that problem now.

I would like to recommend reading (and writing!) the list through Gmane. It is a mail-to-news gateway that carries thousands of mailing lists on different topics. This list is carried as "gmane.comp.security.shorewall".

> Back to the point:
> I also had no problem with the installation of a vserver. The problem resides in the fact that the guest does not receive the requests from the router/firewall. The vserver-host receives them with a DNAT rule to it in the router/firewall.

Please try to simplify the problem by reducing as many potential problems as possible:

1) Do you have shorewall on the vserver host? If so, remove it. When things work you can reinstall it again and go from there.
2) Disconnect the firewall from the internet and run "shorewall clear" on the firewall.
3) Can you ping the guest from the firewall?
4) Try to connect to the guest webserver from the firewall. (If you only have a shell on the firewall you can use lynx or links.)

I believe the above are the most basic tests you can do. And maybe you noticed that shorewall is not in the picture anymore. That is why both I and Tom Eastep (the shorewall author) recommend that you turn to a vserver forum for help.

Please don't hesitate to let us know how things are progressing, but don't expect vserver expert help from us, because we are not. :-)

Good luck!
/Martin
mess-mate
2008-Apr-25 19:01 UTC
Re: [ SOLVED ] dnat or forwarding in a vserver environment
Hi, my troubles are solved and it works perfectly now. I never found out what happened exactly; a Linux server guy did it without my intervention. So I can't submit the solution :(

Thanks for the help.
mess-mate