Leaking private IPs of container? [message #50605]
Fri, 20 September 2013 15:08
rala
Messages: 3 Registered: September 2013
Junior Member
I've just been informed that apparently my OpenVZ server in the datacenter leaks private IP addresses and announces them to the rest of the network.
What did I do wrong?
iptables
*nat
:PREROUTING ACCEPT [0:0]
## forward ports to container
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.5
# [...]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/25 -o eth0 -j SNAT --to-source <publicip>
COMMIT
sysctl
net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.promote_secondaries = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
[Updated on: Fri, 20 September 2013 23:02]
Re: Leaking private IPs of container? [message #51747 is a reply to message #50605]
Thu, 06 November 2014 10:08
prabhus
Messages: 1 Registered: November 2014
Junior Member
Hello,
My provider has complained about the same problem too. My sysctl entry is below.
> sysctl -a | grep proxy_arp
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.proxy_arp_pvlan = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.eth0.proxy_arp_pvlan = 0
net.ipv4.conf.venet0.proxy_arp = 1
net.ipv4.conf.venet0.proxy_arp_pvlan = 0
net.ipv4.conf.veth104/0.proxy_arp = 1
net.ipv4.conf.veth104/0.proxy_arp_pvlan = 0
In my case I need the proxy_arp setting to allow the containers to access the internet. As shown in the config, I use veth for the containers with a private IP range. Any pointers?
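Both posts above show a NAT setup where the host forwards for a private container range and, in the second post, has proxy_arp enabled on the uplink eth0 as well as on the container-facing venet0/veth interfaces. With proxy ARP on an interface and forwarding enabled, the kernel answers ARP requests arriving on that interface for any address it can route elsewhere, so on eth0 the host answers the datacenter LAN's ARP queries for the 192.168.1.x container addresses with its own MAC. That is what the providers see as the private range being announced. The following is an added example, not code from either poster or from OpenVZ: it parses `sysctl -a | grep proxy_arp` output (the sample is the second post's values, embedded here as constructed input), flags proxy_arp on the uplink or on the `all` pseudo-interface (the kernel ORs `all` with the per-interface value), and emits the sysctl lines that turn it off there while leaving the container-facing side alone. The uplink name `eth0` and the `/proc` reading helper are assumptions for illustration.

```python
import os
import re
from typing import Dict, List

# Constructed sample input: the `sysctl -a | grep proxy_arp` lines quoted in the
# reply above. This is an added example, not the poster's own tooling.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.proxy_arp_pvlan = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.eth0.proxy_arp_pvlan = 0
net.ipv4.conf.venet0.proxy_arp = 1
net.ipv4.conf.venet0.proxy_arp_pvlan = 0
net.ipv4.conf.veth104/0.proxy_arp = 1
net.ipv4.conf.veth104/0.proxy_arp_pvlan = 0
"""

# Assumption: eth0 is the only interface facing the datacenter LAN.
# Adjust this set for the host being checked.
UPLINK_IFACES = {"eth0"}

# Matches only the proxy_arp key, not proxy_arp_pvlan.
LINE_RE = re.compile(
    r"^net\.ipv4\.conf\.(?P<iface>.+?)\.proxy_arp\s*=\s*(?P<val>[01])\s*$"
)


def parse_proxy_arp(text: str) -> Dict[str, int]:
    """Map interface name -> proxy_arp value from `sysctl -a` style output.

    sysctl prints a '.' inside an interface name as '/', so the kernel's
    veth104.0 shows up as veth104/0; we map it back to the kernel name.
    """
    result: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            result[m.group("iface").replace("/", ".")] = int(m.group("val"))
    return result


def read_live_proxy_arp() -> Dict[str, int]:
    """Hypothetical helper for a real host: read the same values from /proc
    instead of parsing sysctl output. Returns {} when /proc is unavailable."""
    base = "/proc/sys/net/ipv4/conf"
    result: Dict[str, int] = {}
    if not os.path.isdir(base):
        return result
    for iface in os.listdir(base):
        path = os.path.join(base, iface, "proxy_arp")
        try:
            with open(path) as fh:
                result[iface] = int(fh.read().strip())
        except (OSError, ValueError):
            continue
    return result


def leaking_interfaces(settings: Dict[str, int], uplinks=UPLINK_IFACES) -> List[str]:
    """Interfaces on which the host will answer LAN ARP queries for routed
    (container) addresses: any uplink with proxy_arp=1, or 'all' set to 1,
    since the kernel treats an interface as proxying when either is set."""
    return sorted(
        iface for iface, val in settings.items()
        if val == 1 and (iface in uplinks or iface == "all")
    )


def suggested_sysctl(settings: Dict[str, int], uplinks=UPLINK_IFACES) -> List[str]:
    """sysctl.conf lines that disable proxy ARP only where it leaks, leaving
    venet0/veth* untouched so containers still reach the host as gateway."""
    return [f"net.ipv4.conf.{iface}.proxy_arp = 0"
            for iface in leaking_interfaces(settings, uplinks)]


if __name__ == "__main__":
    # Run against the constructed sample; swap in read_live_proxy_arp() on a host.
    current = parse_proxy_arp(SAMPLE_SYSCTL)
    for iface in leaking_interfaces(current):
        print(f"proxy_arp enabled on LAN-facing interface: {iface}")
    for line in suggested_sysctl(current):
        print(line)
```

On the sample above the check reports `eth0` and suggests `net.ipv4.conf.eth0.proxy_arp = 0`; venet0 and veth104.0 are left as they are, because the container side is where proxy ARP is actually doing the gateway work the second post relies on. The first post's sysctl fragment has `net.ipv6.conf.all.proxy_ndp = 1`, which is the IPv6 counterpart of the same behaviour and is worth reviewing with the same question: does the uplink need it?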