1399338773 Q * funnel Remote host closed the connection
1399338780 J * funnel ~funnel@0001c7d4.user.oftc.net
1399343309 J * fisted_ ~fisted@xdsl-84-44-221-81.netcologne.de
1399343762 Q * fisted Ping timeout: 480 seconds
1399343762 N * fisted_ fisted
1399348514 N * l0kit Guest9673
1399348520 J * l0kit ~1oxT@0001b54e.user.oftc.net
1399348924 Q * Guest9673 Ping timeout: 480 seconds
1399349439 M * Bertl off to bed now ... have a good one everyone!
1399349447 N * Bertl Bertl_zZ
1399357834 J * Ghislain ~aqueos@adsl1.aqueos.com
1399362136 J * AbyssOne ~jelle@62.27.85.48
1399367176 J * JelleB ~jelle3@62.27.85.48
1399369703 Q * macmaN Read error: Connection reset by peer
1399373612 J * subzero ~pop@vpn.blackhat.enterprises
1399375037 Q * subzero Remote host closed the connection
1399375131 N * Bertl_zZ Bertl
1399375140 M * Bertl morning folks!
1399375309 J * Guest9702 ~pop@vpn.blackhat.enterprises
1399375710 J * beng_ ~BenG@cpc29-aztw22-2-0-cust128.18-1.cable.virginm.net
1399376015 J * BlackPanx ~kvirc@cpe-31-15-133-178.cable.telemach.net
1399376036 Q * Aiken Remote host closed the connection
1399376052 Q * Guest9702 Remote host closed the connection
1399376158 Q * fosco Ping timeout: 480 seconds
1399376261 J * Guest9704 ~lol@vpn.blackhat.enterprises
1399378910 J * fosco fosco@91.208.40.1
1399380065 J * thierryp ~thierry@2620:3b:0:1010:81d:4a3:93c6:281a
1399381194 Q * fosco Ping timeout: 480 seconds
1399381281 J * thierryp_ ~thierry@192.1.18.143
1399381286 Q * thierryp Read error: Connection reset by peer
1399381954 J * fosco fosco@marx.wirefull.org
1399382709 Q * fosco Ping timeout: 480 seconds
1399383114 M * alpha_one_x86 http://pastebin.com/XQSUNtZc -> how do I cut the internet to this vm?
This vm needs only to listen (server on tap0), but not access the net
1399383352 Q * thierryp_ Quit: ciao folks
1399383867 M * Bertl simply add an iptables rule which prevents outgoing traffic
1399383906 M * alpha_one_x86 I'm looking for the correct rules, but failed
1399383932 M * Bertl well, I guess the guest is using 192.168.250.1 ?
1399384003 M * Bertl so something like iptables -A OUTPUT -s 192.168.250.1 -j DENY should do
1399384018 M * Bertl s/DENY/REJECT/
1399384032 M * Bertl or if you want to drop it silently, use -j DROP
1399384141 M * alpha_one_x86 same with this rule
1399384201 M * Bertl so does the guest use 192.168.250.1 or not?
1399384213 M * alpha_one_x86 why, because the guest knows 192.168.250.1 is without a gateway, so it can't send outgoing traffic with this ip, so it sends from 190.186.67.243 (but there is no trace of that in the vserver config nor in the guest)
1399384215 M * Bertl show me a tcpdump of the outgoing packets
1399384243 M * Bertl so the guest also has 190.186.67.243?
1399384254 M * Bertl or do you have a masquerading rule which changes that?
1399384275 M * alpha_one_x86 I'm setting everything up to do the network dump...
1399384276 M * Bertl if so, you need to disable that for this guest or mark the packets during masquerading
1399384413 M * alpha_one_x86 http://pastebin.com/3v7ZzrvW
1399384479 M * alpha_one_x86 but how do I do that for a specific guest?
1399384718 M * alpha_one_x86 the best would be to just drop the route for the specific guest...
1399384769 M * Bertl just in the post routing, where you masquerade all, make an exception for this guest
1399384796 M * Bertl either by terminating the chain early or by explicitly making an exception to the masquerade rule
1399384919 M * Bertl e.g. something like iptables -I POSTROUTING -s 192.168.250.1 -j DROP
1399384992 M * alpha_one_x86 The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
1399385025 M * Bertl then simply skip the other rules
1399385072 M * alpha_one_x86 impossible
1399385077 M * Bertl -j RETURN
1399385084 M * alpha_one_x86 I'll try
1399385202 M * Bertl note that I have no problem adding a drop rule to postrouting here
1399385236 M * Bertl but it's an older kernel
1399385298 M * Bertl another option would be to simply mark it
1399385324 M * Bertl e.g. iptables -t nat -I POSTROUTING -s 192.168.250.1 -j MARK --set-mark 1
1399385342 M * Bertl and then use the mark to drop/reject the packet on output
1399385644 M * alpha_one_x86 with the return it seems to work, not nat and snat... then OUTPUT works
1399385694 M * Bertl there you go :)
1399385730 M * alpha_one_x86 thanks for your help... now I have the correct config: guest 1 on the world as reverse proxy, guest 2 as server/service but unable to contact the web
1399385769 M * alpha_one_x86 I'm in a special case, because for this config, I use my own router
1399385900 M * distemper Bertl: not the kernel, but your version of iptables must be ancient... https://git.netfilter.org/iptables/commit/?id=1eada72b7da712bffb87e829b3b9deb3de6bca3c
1399385967 M * alpha_one_x86 now I will write a howto, to help users protect a service the same way
1399385995 M * Bertl distemper: ah, yes, that is true
1399386041 M * distemper i think they finally enforced it in 2009 (version 1.4.2 or so)
1399386160 M * Bertl so the interesting question is, does it work if not enforced?
:)
1399386171 J * fosco fosco@marx.wirefull.org
1399386324 M * distemper it does, i used to patch away the enforcement until 2011, because i was too lazy to change my scripts ;)
1399386615 M * daniel_hozac when changing the kernel is easier than changing your scripts, you might want to reconsider your scripts ;)
1399386697 M * distemper not the kernel, the iptables userspace tools
1399386732 M * distemper but i finally threw them away, anyway ;)
1399386813 M * Bertl maybe the scripts were in a write only language like perl :)
1399387209 M * distemper oh, actually i still like perl, but no, those were shell scripts to generate a ruleset, but for some reason i don't remember anymore i made heavy use of filtering in postrouting
1399389868 J * fisted_ ~fisted@xdsl-87-78-230-187.netcologne.de
1399389890 Q * alpha_one_x86 Quit: KVIrc KVIrc Aria 4.3.1, revision: 6250, sources date: 20120701, built on: 2014-03-11 04:01:58 UTC http://www.kvirc.net/
1399390025 Q * fisted Read error: Operation timed out
1399390025 N * fisted_ fisted
1399390235 J * ^Cist ~x@88-134-43-117-dynip.superkabel.de
1399390530 M * ^Cist hello, i'm struggling with net namespaces. anyone there who got this working / willing to help?
1399392422 Q * beng_ Quit: I Leave
1399392552 M * Bertl what's the problem?
1399392760 M * ^Cist i'm at the point that i have a guest up and running in its own namespace but i don't know how to access this net namespace from the host.
if i give the guest NET_ADMIN/RAW capabilities i'm able to configure the interface from inside the guest though
1399392892 M * ^Cist # ip netns exec dmztest ip addr ls
1399392901 M * ^Cist seting the network namespace failed: Invalid argument
1399393052 M * ^Cist btw, that's 3.10.38-vs2.3.6.8 and util-vserver 0.30.216-pre3062
1399393143 M * Bertl well, if you created the guest with the namespace, then entering it with util-vserver (recent enough version) should be fine
1399393178 M * ^Cist i can enter the guest and configure the interfaces from there
1399393208 M * ^Cist but i'd rather not give the guest NET_ADMIN, and configure the interface from the host instead
1399393273 M * Bertl you can configure most of the network namespace aspects via util-vserver
1399393333 M * ^Cist how would i configure the guest's interface ip, gw etc? i haven't found documentation
1399393604 M * ^Cist from what i've found so far it seemed that /etc/vserver//spaces/net should be there - but i only get a visible guest interface inside the guest without this
1399393693 M * ^Cist i just wondered if anyone is running a net namespace setup at all (with the supposed way to configure it via util-vserver)
1399393838 N * ^Cist ^Cist_BBL
1399393855 M * Bertl http://www.nongnu.org/util-vserver/doc/conf/configuration.html
1399393871 M * Bertl search for 'netns' in the guest config
1399393881 M * Bertl you will see a netns/interfaces/...
1399394727 Q * daniel_hozac Quit: reboot
1399395963 M * clopez I have just cloned a vserver from another physical machine, but I did it just by copying the directories /var/lib/vservers/$vservername and /etc/vserver/$vservername and assigning a new context in /etc/vserver/$vservername/context
1399396004 M * clopez and when I tried to start it the machine froze (the network actually)
1399396026 M * clopez now I tried to do it by bootstrapping a new server and replacing the files with the previous ones and it works
1399396057 M * clopez what am I missing?
what does util-vserver do when it sets up a new server other than creating /etc/vserver/$vservername and /var/lib/vservers/$vservername ??
1399396385 M * Bertl duplicating the config (/etc/vservers/) and the guest data (usually /vservers/) is more than sufficient
1399396411 M * Bertl just make sure that you preserve the ids (uid/gid) and the filesystem attributes
1399396455 M * Bertl and I doubt that the 'network froze', it is more likely that your config somehow affected the host networking
1399397009 J * zerick ~eocrospom@190.187.21.53
1399397577 Q * zerick Remote host closed the connection
1399397611 J * daniel_hozac ~daniel@h149n2-spaa-a12.ias.bredband.telia.com
1399397918 Q * Ghislain Ping timeout: 480 seconds
1399398753 J * zerick ~eocrospom@190.187.21.53
1399398755 Q * zerick
1399400023 J * Ghislain ~aqueos@adsl1.aqueos.com
1399400165 N * ^Cist_BBL ^Cist
1399400214 M * ^Cist Bertl, that's where i read about my config, but netns/interfaces doesn't tell me anything about the ip configuration of the interfaces
1399400581 Q * sannes Remote host closed the connection
1399400735 M * daniel_hozac you can use the regular interfaces for that.
1399401084 M * ^Cist i thought so, but that doesn't work
1399401094 M * ^Cist cat netns/interfaces/00/guest
1399401098 M * ^Cist geth210
1399401118 M * ^Cist cat interfaces/00/dev
1399401123 M * ^Cist geth210
1399401136 M * ^Cist vserver dmztest start
1399401149 M * ^Cist Cannot find device "geth210"
1399401163 M * ^Cist Cannot find device "geth210"
1399401170 M * ^Cist yes, twice
1399401224 J * sannes ~ace@2a02:fe0:c120:5e60:b5d9:117:f96e:7ecf
1399401237 Q * sannes Remote host closed the connection
1399401250 J * sannes ~ace@2a02:fe0:c120:5e60:b5d9:117:f96e:7ecf
1399401274 J * sannes1 ~ace@2a02:fe0:c120:5e60:b5d9:117:f96e:7ecf
1399401398 Q * ex Server closed connection
1399401399 J * ex ~ex@valis.net.pl
1399401724 Q * laurens Server closed connection
1399401736 J * laurens ~laurens@static.70.47.40.188.clients.your-server.de
1399402027 Q * _br_ Server closed connection
1399402048 J * _br_ ~bjoern_of@213-239-215-232.clients.your-server.de
1399402594 M * ^Cist a working vserver guest config i could compare with mine would help me most right now
1399403576 Q * tokkee Server closed connection
1399403579 J * tokkee tokkee@osprey.tokkee.org
1399403810 Q * jrklein Remote host closed the connection
1399404952 Q * Vudumen Server closed connection
1399404955 J * Vudumen 452ef3b7a3@perverz.hu
1399406440 Q * sladen Server closed connection
1399406448 J * sladen ~paul@starsky.19inch.net
1399406456 J * jrklein ~osx@proxy.dnihost.net
1399406552 Q * xdr Server closed connection
1399406568 Q * n Server closed connection
1399406569 J * n ~n@s0.servercrunch.com
1399407080 T * * http://linux-vserver.org/ |stable 3.6.x-vs2.3.x|util-vserver-0.30.216-pre3054| He who asks a question is a fool for a minute; he who doesn't ask is a fool for a lifetime -- share the gained knowledge on the Wiki, and we forget about the minute.
1399407080 T * ChanServ -
1399407532 J * Aiken ~Aiken@2001:44b8:2168:1000:21f:d0ff:fed6:d63f
1399410136 Q * click Server closed connection
1399410138 J * click click@ice.vcon.no
1399413880 Q * JelleB Server closed connection
1399413891 J * jelle3 ~jelle3@62.27.85.48
1399414248 Q * voegelas Server closed connection
1399414260 J * voegelas ~voegelas@www.andreasvoegele.com
1399414418 J * zerick ~eocrospom@190.187.21.53
1399414477 J * derjohn_mob ~aj@p578b6aa1.dip0.t-ipconnect.de
1399415481 Q * kiorky_ Server closed connection
1399415482 J * kiorky ~kiorky@cryptelium.net
1399419092 Q * Ghislain Read error: Connection reset by peer