Complete network config for mixed OpenVZ virtual containers

Cancelled

Job Description

We have been using CSF on a virtualized (OpenVZ) environment successfully for a while now, where the host and each virtual machine run their own CSF instance. We have now mixed venet with bridged interfaces by adding some redirect rules:

iptables -t nat -A POSTROUTING -s "10.0.0.0/24" -o vmbr0 -j MASQUERADE

We were hoping to open some ports via the host to the local virtual machines, but limit access to certain IPs only.

With the redirect feature of the CSF firewall this works, but the source IP reported on the destination container is the host's, not the originating IP, so we cannot limit it with another CSF instance (or a simple firewall rule) on the destination virtual system.
We thought that CSF was filtering those redirects before NATing them, but have only now realised that it does not.

The CSF readme actually states "All redirections to another IP address will always appear on the destination server with the source of this server, not the originating IP address." so this is the standard behaviour.

So the scenario is something like:

HOST system (Proxmox/OpenVZ), Debian 6
ifconfig:
eth0 Link encap:Ethernet HWaddr 4c:72:b9:4e:e0:cf
inet6 addr: fe80::4e72:b9ff:fe4e:e0cf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4235911 errors:0 dropped:0 overruns:0 frame:0
TX packets:4161554 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2795864669 (2.6 GiB) TX bytes:2789434770 (2.5 GiB)
Interrupt:20 Memory:fe500000-fe520000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1208008 errors:0 dropped:0 overruns:0 frame:0
TX packets:1208008 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2348576286 (2.1 GiB) TX bytes:2348576286 (2.1 GiB)

venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:1983771 errors:0 dropped:0 overruns:0 frame:0
TX packets:1796852 errors:0 dropped:18 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1579486415 (1.4 GiB) TX bytes:656686552 (626.2 MiB)

vmbr0 Link encap:Ethernet HWaddr 4c:72:b9:4e:e0:cf
inet addr:XX.XX.XX.174 Bcast:XX.XX.XX.255 Mask:255.255.255.0
inet6 addr: fe80::4e72:b9ff:fe4e:e0cf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3561164 errors:0 dropped:0 overruns:0 frame:0
TX packets:4142645 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2701019173 (2.5 GiB) TX bytes:2788172303 (2.5 GiB)

vmbr10 Link encap:Ethernet HWaddr 00:18:51:84:8f:45
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::fc30:89ff:fe1e:45b0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1810634 errors:0 dropped:0 overruns:0 frame:0
TX packets:1411392 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1397092105 (1.3 GiB) TX bytes:473342087 (451.4 MiB)

ip route show:
10.0.0.100 dev venet0 scope link
XX.XX.XX.109 dev venet0 scope link ## virtual IPs configured on containers
10.0.0.0/24 dev vmbr10 proto kernel scope link src 10.0.0.1
XX.XX.XX.0/24 dev vmbr0 proto kernel scope link src XX.XX.XX.174
default via XX.XX.XX.254 dev vmbr0

We can supply some additional data such as iptables rules created by CSF if required.

THE JOB
What we are looking for is a tested environment that works on this basis and solves the two major issues we currently have:

- traffic between "local" IPs bridged to venet ones originates from the host. That is, traffic from 10.0.0.200 (bridged) to 10.0.0.100 (venet) appears to originate from the host's IP.
- we need CSF redirect rules to be filtered by the firewall, and/or the redirects to pass the originating IP to the containers so we can firewall there.
-- the solution might be to create all the NAT rules manually with masquerading, include them in a "post" script that CSF executes, and ignore the "redirect" feature there.
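As an added example (not part of the job post), a csfpost.sh-style fragment implementing the manual-NAT approach described above: a DNAT rule without SNAT preserves the originating IP for the container's own CSF instance, and the host's FORWARD chain restricts which sources may use the forward. The interface and container addresses are assumptions taken from the ifconfig output above; the forwarded port and the allowed source address are constructed.

```sh
#!/bin/sh
# Added example, not from the job post: manual port-forward rules for a CSF
# post script (csfpost.sh), replacing the CSF "redirect" feature.
# Assumptions: external interface vmbr0 (from the ifconfig output above),
# container 10.0.0.100 reachable over venet0, forwarded port 2222 -> 22,
# and a constructed allowed source 203.0.113.10. Adjust via environment.
EXT_IF="${EXT_IF:-vmbr0}"
CONTAINER_IP="${CONTAINER_IP:-10.0.0.100}"
PORT="${PORT:-2222}"
DEST_PORT="${DEST_PORT:-22}"
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.10/32}"
PRIVATE_NET="${PRIVATE_NET:-10.0.0.0/24}"

# With DRY_RUN=1 the rules are printed instead of applied, for review.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Inbound forward: DNAT rewrites only the destination, so the packet reaches
# the container with its real source address and the container's CSF can
# filter it. No SNAT/MASQUERADE is added on this path; replies still return
# through the host because venet0 traffic is routed via the host anyway.
forward_rules() {
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$CONTAINER_IP:$DEST_PORT"
    # Host-side restriction in FORWARD (evaluated after DNAT): only ALLOWED_SRC
    # may open new connections to the forwarded port; everything else is dropped.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -s "$ALLOWED_SRC" -d "$CONTAINER_IP" \
        -p tcp --dport "$DEST_PORT" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -d "$CONTAINER_IP" -p tcp --dport "$DEST_PORT" -j DROP
}

# Outbound NAT for the private range only (the rule from the post), kept in
# its own function so it is clearly separate from the inbound forward path.
outbound_rules() {
    ipt -t nat -A POSTROUTING -s "$PRIVATE_NET" -o "$EXT_IF" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    forward_rules
    outbound_rules
fi
```

Because csfpost.sh rules are appended after CSF's own rules, verify the chain order with `iptables -L FORWARD -n --line-numbers`; an earlier CSF DROP in FORWARD would shadow the appended ACCEPT.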

We would like to receive the network configuration, the required ip route commands and the iptables rules to be loaded by CSF, if required.
The supplier will have to emulate and test the solution on his own environment, with full payment once we have implemented it on our own setup.

---
Skills: linux