Linux-VServer - User contributions [en]

Networking vserver guests

2008-02-21T13:39:57Z

Roth: /* Host as router */ format for printing

Setting up network access to and from your vserver guests.
__TOC__
==Introduction==

Lets imagine, you have only one external IP -- <code>$EXTIP</code>.

You want to have several vservers running without worrying about port overlapping.

Example:

Two vservers run a default webserver, running on port 80. If each "guest" vserver shares an IP with the host, then the two webservers will conflict.

One solution is:

* All vservers are contained in a "virtual lan", say 192.168.1.x
* Each vserver has its own IP
* Control port forwarding on "parent" host. That is, run a router.

==Configuration==
===Host===
Set up <code>dummy0</code> interface on the parent host
# /etc/network/interfaces on a Debian box,
# configure on other distros with your preferred way
auto dummy0
iface dummy0 inet static
address 192.168.1.250
netmask 255.255.255.0

===Guests===
Set up each guest vserver:
cd /etc/vservers/$VSERVER/interfaces/0
echo dummy0 > dev
echo 192.168.1.1 > ip
echo 1 > name
echo 24 > prefix
Consider using a value of <code>name</code> equal to the last digit of the IP for easy separation.

===Host as router===
Configure the host to act as a router.

For internal packets going outside, pretend each packet came from our external IP (put it in one line without backslash):
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \
-d ! 192.168.1.0/24 -j SNAT --to-source $EXTIP
For each service that runs on a vserver, map it to an external port. Vserver local address <code>$VHOST</code> and port <code>$INTPORT</code> you select one external port <code>$EXTPORT</code> and run the following (put it in one line without backslash):
# iptables -t nat -A PREROUTING -s ! 192.168.1.0/24 \
-m tcp -p tcp --dport $EXTPORT
-j DNAT --to-destination $VHOST:$INTPORT
That's all!

==Verifying==
Try <code>ping pool.ntp.org</code> from your vserver -- it should ping fine.

Try to connect to your <code>$EXTIP:$EXTPORT</code> (from another external host) -- you will successfully connect to service running on a guest vserver.
==See also==
* [[Frequently_Asked_Questions#If_my_host_has_only_one_a_single_public_IP.2C_can_I_use_RFC1918_IP_.28e.g._192.168.foo.bar.29_for_the_guest_vservers.3F |FAQ on private networking]]
* [[Frequently_Asked_Questions#When_I_try_to_ssh_to_the_guest.2C_I_log_into_the_host.2C_even_if_I_installed_sshd_on_the_guest._What.27s_wrong_here.3F |Permit guest sshd to bind to its IP address's port 22]]

Networking vserver guests

2008-02-21T13:29:05Z

Roth: /* Host as router */ format for printing

Setting up network access to and from your vserver guests.
__TOC__
==Introduction==

Lets imagine, you have only one external IP -- <code>$EXTIP</code>.

You want to have several vservers running without worrying about port overlapping.

Example:

Two vservers run a default webserver, running on port 80. If each "guest" vserver shares an IP with the host, then the two webservers will conflict.

One solution is:

* All vservers are contained in a "virtual lan", say 192.168.1.x
* Each vserver has its own IP
* Control port forwarding on "parent" host. That is, run a router.

==Configuration==
===Host===
Set up <code>dummy0</code> interface on the parent host
# /etc/network/interfaces on a Debian box,
# configure on other distros with your preferred way
auto dummy0
iface dummy0 inet static
address 192.168.1.250
netmask 255.255.255.0

===Guests===
Set up each guest vserver:
cd /etc/vservers/$VSERVER/interfaces/0
echo dummy0 > dev
echo 192.168.1.1 > ip
echo 1 > name
echo 24 > prefix
Consider using a value of <code>name</code> equal to the last digit of the IP for easy separation.

===Host as router===
Configure the host to act as a router.

For internal packets going outside, pretend each packet came from our external IP (put it in one line without backslash):
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \
-d ! 192.168.1.0/24 -j SNAT --to-source $EXTIP
For each service that runs on a vserver, map it to an external port. Vserver local address <code>$VHOST</code> and port <code>$INTPORT</code> you select one external port <code>$EXTPORT</code> and run the following (put it in one line without backslash):
# iptables -t nat -A PREROUTING -s ! 192.168.1.0/24 \
-m tcp -p tcp --dport $EXTPORT -j DNAT --to-destination $VHOST:$INTPORT
That's all!

==Verifying==
Try <code>ping pool.ntp.org</code> from your vserver -- it should ping fine.

Try to connect to your <code>$EXTIP:$EXTPORT</code> (from another external host) -- you will successfully connect to service running on a guest vserver.
==See also==
* [[Frequently_Asked_Questions#If_my_host_has_only_one_a_single_public_IP.2C_can_I_use_RFC1918_IP_.28e.g._192.168.foo.bar.29_for_the_guest_vservers.3F |FAQ on private networking]]
* [[Frequently_Asked_Questions#When_I_try_to_ssh_to_the_guest.2C_I_log_into_the_host.2C_even_if_I_installed_sshd_on_the_guest._What.27s_wrong_here.3F |Permit guest sshd to bind to its IP address's port 22]]

Networking vserver guests

2008-02-21T12:44:47Z

Roth: /* Introduction */

Setting up network access to and from your vserver guests.
__TOC__
==Introduction==

Lets imagine, you have only one external IP -- <code>$EXTIP</code>.

You want to have several vservers running without worrying about port overlapping.

Example:

Two vservers run a default webserver, running on port 80. If each "guest" vserver shares an IP with the host, then the two webservers will conflict.

One solution is:

* All vservers are contained in a "virtual lan", say 192.168.1.x
* Each vserver has its own IP
* Control port forwarding on "parent" host. That is, run a router.

==Configuration==
===Host===
Set up <code>dummy0</code> interface on the parent host
# /etc/network/interfaces on a Debian box,
# configure on other distros with your preferred way
auto dummy0
iface dummy0 inet static
address 192.168.1.250
netmask 255.255.255.0

===Guests===
Set up each guest vserver:
cd /etc/vservers/$VSERVER/interfaces/0
echo dummy0 > dev
echo 192.168.1.1 > ip
echo 1 > name
echo 24 > prefix
Consider using a value of <code>name</code> equal to the last digit of the IP for easy separation.

===Host as router===
Configure the host to act as a router.

For internal packets going outside, pretend each packet came from our external IP:
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j SNAT --to-source $EXTIP
For each service that runs on a vserver, map it to an external port. Vserver local address <code>$VHOST</code> and port <code>$INTPORT</code> you select one external port <code>$EXTPORT</code> and run the following:
# iptables -t nat -A PREROUTING -s ! 192.168.1.0/24 -m tcp -p tcp --dport $EXTPORT -j DNAT --to-destination $VHOST:$INTPORT
That's all!

==Verifying==
Try <code>ping pool.ntp.org</code> from your vserver -- it should ping fine.

Try to connect to your <code>$EXTIP:$EXTPORT</code> (from another external host) -- you will successfully connect to service running on a guest vserver.
==See also==
* [[Frequently_Asked_Questions#If_my_host_has_only_one_a_single_public_IP.2C_can_I_use_RFC1918_IP_.28e.g._192.168.foo.bar.29_for_the_guest_vservers.3F |FAQ on private networking]]
* [[Frequently_Asked_Questions#When_I_try_to_ssh_to_the_guest.2C_I_log_into_the_host.2C_even_if_I_installed_sshd_on_the_guest._What.27s_wrong_here.3F |Permit guest sshd to bind to its IP address's port 22]]