On Thu, May 13, 2010 at 11:45 AM, Ricardo Espinoza
<
ricardo....@gmail.com> wrote:
> Guido,
> Thanks for the comments. I actually tried that rule but didn't work. I per
> see think this is enough but it is a requirement because from time to time
> we accept instances from customers for a brief period of time,
> So I can secure the nodes all the infrastructure I handle.
> But for example.
> Lets say you have an instance running in 10.10.10.1, this is in node1. So,
> if someone with an instance in the same node changes the IP to 10.10.10.30,
> they cannot reach the internet but they can reach 10.10.10.1
> The physdev doesn't work because I suppose the traffic is local, so it never
> leaves the bridge. I can see the traffic in the OUTPUT chain but I cannot
> tell in anyway if the traffic from 10.10.10.30 is from the allowed tap.
I'm a bit lost here. Could you document what entity has what ip, and
what it is trying to do.
Let's make a supposition:
node (node1) has address 10.10.10.1
instance (instance1) has address 10.10.10.101
the filter rules are in place.
Now when the instance changes its address 10.10.10.30 it can't talk
anymore to the internet, nor it can talk to the node, due to the
rules. The node, though, not having an iptables OUTPUT rule, could
ping the instance on 10.10.10.30. So what you might want is to take a
look at arp tables, to filter the arp requests the instance can give.
If it arp replies for wrong IPs are filtered, the node won't even try
to contact it on the wrong address, and you should be fine.
> I am trying now with routed instances and they seem to work when not using a
> table ($LINK is blank). I tried changing the IP and as expected, you cannot
> get out of the instance. This should solve my problem, right?
Yes, it should. Then you need to use proxy arp on your main ethernet
or some other way to make sure the traffic is routed to the right
node, for the right instance (routing daemon, ganeti nbma project,
etc).
> Do you have any information about using the $LINK with tables? (first time
> doing it).
> Any tips to point me to the right direction would be awesome.
>
The link parameter is useful if you have different sets of instances
which should not talk to each other.
Each of them gets insulated in its own routing table. Then the routing
table can define different output path (perhaps tunnel their traffic
to an endpoint, using GRE encapsulation, this is what the nbma project
does) (but a separate ethernet interface could also be used). Please
note that enabling that you get into policy routing, which is at least
"tricky" to get right. (for example the nodes won't be able to talk to
the instances, unless you make ip rule changes in order to be able to
do so).
Basically you have three ways to use routed instances:
- normal routing (no link), the node has full communication with all instances
- policy routing (link), each routing table can direct instance
traffic its own way. different instances won't see each other. you can
add policies to make node traffic talk with all instances, if they
have separate ip spaces
- policy routing (link) and overlapping ip spaces: you can also run
this way, but this will break path mtu discovery from the node to the
instance, so you have to make sure not to need it, or to circumvent
the issue somehow.
Thanks,
Guido