OpenVZ Forum


Leaking private IPs of container? [message #50605] Fri, 20 September 2013 15:08
rala
I've just been informed that apparently my OpenVZ server in the datacenter leaks private IP addresses and announces them to the rest of the network.

What did I do wrong?

iptables

*nat
:PREROUTING ACCEPT [0:0]
## forward ports to container
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.5
# [...]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/25 -o eth0 -j SNAT --to-source <publicip>
COMMIT


sysctl

net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.promote_secondaries = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

[Updated on: Fri, 20 September 2013 23:02]


Re: Leaking private IPs of container? [message #50610 is a reply to message #50605] Sat, 21 September 2013 14:48
Paparaciz
Show sysctl settings of:

net.ipv4.conf.eth0.proxy_arp

or other interfaces
Re: Leaking private IPs of container? [message #50612 is a reply to message #50605] Sat, 21 September 2013 16:13
rala
# sysctl -a | grep proxy_arp
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.proxy_arp_pvlan = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.eth0.proxy_arp_pvlan = 0
net.ipv4.conf.venet0.proxy_arp = 0
net.ipv4.conf.venet0.proxy_arp_pvlan = 0


I am still on Proxmox 2.3. vzctl 4.0-4.git.162dded. I use Debian and Ubuntu in CTs, and venet exclusively.
Re: Leaking private IPs of container? [message #50849 is a reply to message #50612] Sat, 16 November 2013 18:22
rala
I haven't solved this yet. Any suggestions?
Re: Leaking private IPs of container? [message #51747 is a reply to message #50605] Thu, 06 November 2014 10:08
prabhus
Hello,

My provider has complained about the same problem too. My sysctl entry is below.

> sysctl -a | grep proxy_arp

net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.proxy_arp_pvlan = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.eth0.proxy_arp_pvlan = 0
net.ipv4.conf.venet0.proxy_arp = 1
net.ipv4.conf.venet0.proxy_arp_pvlan = 0
net.ipv4.conf.veth104/0.proxy_arp = 1
net.ipv4.conf.veth104/0.proxy_arp_pvlan = 0


In my case I need the proxy_arp setting to allow the containers to access the internet. As shown in the config, I use veth for the containers with a private IP range. Any pointers?
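
An added example, not part of any post in this thread and not a diagnosis of either poster's setup: a Python check over the two kinds of output posted above. It lists private DNAT targets that no SNAT source network covers, and the interfaces with proxy_arp set to 1. The second DNAT rule, the address 203.0.113.10 standing in for <publicip>, and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input in the shape of the posts above.
NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.5
-A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.130:80
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/25 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
"""
SYSCTL_OUT = """\
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.eth0.proxy_arp_pvlan = 0
net.ipv4.conf.venet0.proxy_arp = 1
net.ipv4.conf.veth104/0.proxy_arp = 1
"""

def snat_sources(rules):
    """Source networks named by '-s NET ... -j SNAT/MASQUERADE' POSTROUTING rules."""
    nets = []
    for line in rules.splitlines():
        m = re.match(r"-A POSTROUTING\b.*?-s (\S+).*-j (?:SNAT|MASQUERADE)\b", line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets

def unnatted_dnat_targets(rules):
    """Private DNAT targets that fall outside every SNAT source network."""
    nets = snat_sources(rules)
    missing = []
    for m in re.finditer(r"-j DNAT --to-destination (\d+\.\d+\.\d+\.\d+)", rules):
        ip = ipaddress.ip_address(m.group(1))
        if ip.is_private and not any(ip in n for n in nets):
            missing.append(str(ip))
    return missing

def proxy_arp_enabled(sysctl_text):
    """Interfaces whose proxy_arp (not proxy_arp_pvlan) is set to 1."""
    pat = r"^net\.ipv4\.conf\.(\S+)\.proxy_arp\s*=\s*1\s*$"
    return re.findall(pat, sysctl_text, flags=re.M)

if __name__ == "__main__":
    print("private DNAT targets without SNAT:", unnatted_dnat_targets(NAT_RULES))
    print("proxy_arp enabled on:", proxy_arp_enabled(SYSCTL_OUT))
```

To run it against a live host, replace the two sample strings with the output of `iptables-save -t nat` and `sysctl -a | grep proxy_arp`.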