Re: DMZ VPS on LAN HN ? [message #9628 is a reply to message #9626]
Sun, 14 January 2007 11:58
bards1888
Messages: 10 Registered: January 2006
I appear to have fixed this and answered my own questions by doing this:
vzctl set 112 --netdev_add eth1 --save
This passed the eth1 interface directly into the VE. I then used the standard CentOS network interface file /etc/sysconfig/network-scripts/ifcfg-eth1 and brought the interface up with a DMZ address. However, the default gateway was always being set. I found this address in two places:
/etc/sysconfig/network
and
/etc/sysconfig/network-scripts/route-venet0
I commented those bits out of each file and then had to add a 'GATEWAY=' section in my:
/etc/sysconfig/network-scripts/ifcfg-eth1
This worked a treat and the VE comes up perfectly.
Now, eth1 on the HN is deliberately not configured; it does not have an IP and is not UP. In fact, an 'ifconfig -a' doesn't show the device and an 'ifconfig eth1' produces:
eth1: error fetching interface information: Device not found
I did some tests with tcpdump and the VE cannot, as you would expect, see any traffic on HN eth0. Also, as eth1 is sort of invisible, the HN cannot see any traffic on it.
I added a firewall rule that allows my VE to talk SMTP to a server on my LAN. This connection came from the DMZ to the LAN server; it did not use any local interface on the HN.
This is exactly what I wanted.
Another thing, I did not have to set proxy_arp sysctl variables to 1 or do anything with ipfilter.
Can anyone see any issues with this setup?
Cheers,
Bards.
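An added check script (not from the post above or from OpenVZ): it scans the three CentOS sysconfig files the post names for uncommented default-gateway definitions, so you can confirm that the DMZ VE ends up with exactly one gateway, in ifcfg-eth1, and none left over from the venet0 configuration that would send DMZ traffic back through the HN. The directory layout is assumed to mirror /etc/sysconfig; the sample tree, addresses and route-venet0 line are constructed for the demonstration.

```shell
#!/bin/sh
# Lists every uncommented default-gateway definition found in the sysconfig
# files the post edits. ROOT defaults to /etc/sysconfig; pass a copy to test.
active_gateway_lines() {
    root="${1:-/etc/sysconfig}"
    for f in "$root/network" \
             "$root/network-scripts/route-venet0" \
             "$root/network-scripts/ifcfg-eth1"; do
        [ -f "$f" ] || continue
        # Match GATEWAY=... keys and 'default ...' routes; commented lines skipped.
        grep -nE '^[[:space:]]*(GATEWAY=|default[[:space:]])' "$f" | sed "s|^|$f:|"
    done
}

# Number of active gateway definitions; a DMZ VE should report exactly 1.
count_active_gateways() {
    active_gateway_lines "$1" | wc -l | tr -d ' '
}

# Constructed sample tree reproducing the 'before' state from the post:
# gateway inherited via /etc/sysconfig/network and route-venet0, none in eth1.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/network-scripts"
    printf 'NETWORKING=yes\nGATEWAY=192.0.2.1\n' > "$dir/network"
    printf 'default dev venet0 scope link\n' > "$dir/network-scripts/route-venet0"
    printf 'DEVICE=eth1\nBOOTPROTO=static\nIPADDR=198.51.100.10\nNETMASK=255.255.255.0\nONBOOT=yes\n' \
        > "$dir/network-scripts/ifcfg-eth1"
    echo "$dir"
}

# Apply the fix described in the post: comment out the inherited entries and
# put the DMZ gateway into ifcfg-eth1. Uses a temp file instead of sed -i
# so it behaves the same on GNU and BSD sed.
apply_fix() {
    dir="$1"
    sed 's/^GATEWAY=/#GATEWAY=/' "$dir/network" > "$dir/network.tmp" \
        && mv "$dir/network.tmp" "$dir/network"
    sed 's/^default /#default /' "$dir/network-scripts/route-venet0" \
        > "$dir/network-scripts/route-venet0.tmp" \
        && mv "$dir/network-scripts/route-venet0.tmp" "$dir/network-scripts/route-venet0"
    echo 'GATEWAY=198.51.100.1' >> "$dir/network-scripts/ifcfg-eth1"
}
```

Run `count_active_gateways` inside the VE after a restart: anything other than 1, or a hit outside ifcfg-eth1, means a venet0 route is still being applied.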