Post 9fW2UONDeVLmB8Ld1k by mirsal@pleroma.1312.media
 (DIR) More posts by mirsal@pleroma.1312.media
 (DIR) Post #9fVwMnIsTonBSKJLHc by pea@fuckonthefirst.date
       2019-02-05T04:58:24.271809Z
       
       0 likes, 0 repeats
       
       hey, so a reverse-proxy is a good way to route incoming traffic to other containers/VMs, but what's a good way to route outgoing traffic
       I've been looking into NAT masquerading but that seems like it only works from guest -> host's assigned ip, when i want to go from guest to guest's assigned ip, but I may be missing something
       
 (DIR) Post #9fVwVeDtbs0ttrCcEq by pea@fuckonthefirst.date
       2019-02-05T05:00:07.164930Z
       
       0 likes, 0 repeats
       
       it's an unusual usecase that's only come up because of federation but
       is a proxy the right way to do it??
       
 (DIR) Post #9fVwtWcBY4phFlwuZc by pea@fuckonthefirst.date
       2019-02-05T05:04:25.081224Z
       
       0 likes, 0 repeats
       
       for clarification, these VMs are on internal network, other than the reverse proxy one
       I could just assign an ip but i don't really want to do it that way
       
 (DIR) Post #9fVxP7VASEDsdIjT72 by mirsal@pleroma.1312.media
       2019-02-05T05:04:55.232030Z
       
       0 likes, 0 repeats
       
       @pea yes, setting up a proxy is probably the way to go. What is your use case exactly?
       
 (DIR) Post #9fVxP7r98VntjT11N2 by pea@fuckonthefirst.date
       2019-02-05T05:10:06.067717Z
       
       0 likes, 0 repeats
       
       @mirsal basically, i've got a proxmox setup, then a container i'm gonna set up haproxy in for reverse proxying
       that container connects to all others that are only on private net
       but for federation (and many other things) i also need to be able to send outbound requests through the one public endpoint
       
 (DIR) Post #9fVxVAv0fCiEy2htxI by pea@fuckonthefirst.date
       2019-02-05T05:11:16.535202Z
       
       0 likes, 0 repeats
       
       @mirsal (haproxy was chosen because not only http would be proxied)
       
 (DIR) Post #9fVxcYKg0dmjbzELuS by mirsal@pleroma.1312.media
       2019-02-05T05:12:13.413420Z
       
       0 likes, 0 repeats
       
       @pea ah, do you want to route all outgoing traffic through a specific container?
       
 (DIR) Post #9fVxcYVJN6IA8yCqUC by pea@fuckonthefirst.date
       2019-02-05T05:12:33.235013Z
       
       0 likes, 0 repeats
       
       @mirsal yeah
       
 (DIR) Post #9fVxmFmRqA6Sy9qW8W by pea@fuckonthefirst.date
       2019-02-05T05:14:18.332669Z
       
       0 likes, 0 repeats
       
       @mirsal the container itself isn't important, i imagine there might be some network rules way to do it from the host, but essentially yes
       
 (DIR) Post #9fVxyje2dBHB4DrjUW by mirsal@pleroma.1312.media
       2019-02-05T05:14:23.260181Z
       
       0 likes, 0 repeats
       
       @pea then you could set a default route via that container's IP address on the internal network and do source NAT / masquerading
       
 (DIR) Post #9fVxyjyFQ3RI4tJrzE by pea@fuckonthefirst.date
       2019-02-05T05:16:29.896587Z
       
       0 likes, 0 repeats
       
       @mirsal could you explain how that would be done in more detail? i understand the basics of masquerading but i've only been able to find it being done with the host's ip
       
 (DIR) Post #9fVyWVT7qMlKwkraCG by mirsal@pleroma.1312.media
       2019-02-05T05:17:33.180237Z
       
       0 likes, 0 repeats
       
       @pea it's basically the same as masquerading on the host. How does the routing container access the internet?
       
 (DIR) Post #9fVyWVft4uyFaKpm5Y by pea@fuckonthefirst.date
       2019-02-05T05:22:38.759215Z
       
       0 likes, 0 repeats
       
       @mirsal umm, i've got a bridge set up that's... got ports bridged to my ethernet bit
       i'll just show you the file

       auto lo
       iface lo inet loopback

       iface enp3s0 inet manual

       auto vmbr0
       iface vmbr0 inet static
               address  192.99.4.XXX
               netmask  255.255.255.0
               gateway  192.99.4.254
               bridge-ports enp3s0
               bridge-stp off
               bridge-fd 0

       auto vmbr1
       iface vmbr1 inet static
               address  10.0.0.0
               netmask  255.255.255.0
               bridge-ports none
               bridge-stp off
               bridge-fd 0

       and the routing container has public ip set in its config
       
 (DIR) Post #9fVybRfRP8QwbYyjsO by pea@fuckonthefirst.date
       2019-02-05T05:23:38.852544Z
       
       0 likes, 0 repeats
       
       @mirsal my terminology knowledge is less than none
       but the address set with vmbr0 is the actual host's address it's using
       the address for the container is only set in the container config
       
 (DIR) Post #9fVyiJhdPnJHvjHVRI by pea@fuckonthefirst.date
       2019-02-05T05:24:49.368113Z
       
       0 likes, 0 repeats
       
       @mirsal i guess i just don't get how i would define that address, the masquerading examples i've seen have just defined the equivalent of my enp3s0, which to my knowledge would masquerade it as the ip of the host
       
 (DIR) Post #9fVym7CxoP0GKwkLOi by pea@fuckonthefirst.date
       2019-02-05T05:25:34.328862Z
       
       0 likes, 0 repeats
       
       @mirsal which isn't what i want
       i have a block of 4 ips, one of which is hooked up to the vm and without the network config Knowing That, how do you do the masquerading, otherwise, how do you tell the network config that
       
 (DIR) Post #9fVyrJu02ikr9fMGBM by pea@fuckonthefirst.date
       2019-02-05T05:26:31.581858Z
       
       0 likes, 0 repeats
       
       @mirsal (the masquerading example i've seen is this https://pve.proxmox.com/wiki/Network_Configuration#_masquerading_nat_with_tt_span_class_monospaced_iptables_span_tt )
       
 (DIR) Post #9fVyvPlcBCyCVDO9NQ by mirsal@pleroma.1312.media
       2019-02-05T05:26:45.765929Z
       
       1 likes, 0 repeats
       
       @pea ok I think I get why you're confused and it's legit :) what you want is a source-nat setup, using iptables' SNAT target
       
 (DIR) Post #9fVyz2ZKN7pfiGN0xk by mirsal@pleroma.1312.media
       2019-02-05T05:27:39.220010Z
       
       1 likes, 0 repeats
       
       @pea the MASQUERADE target uses the first IP address set-up on the outgoing interface for source-nat
       
 (DIR) Post #9fVyzLveOLyhkzxbtY by pea@fuckonthefirst.date
       2019-02-05T05:27:50.555000Z
       
       0 likes, 0 repeats
       
       @mirsal hmm, okay, let me bust open the manpages real quick
       thank you for all your help by the way!
       
 (DIR) Post #9fVz0OcPsQDMOASfRI by pea@fuckonthefirst.date
       2019-02-05T05:28:09.906836Z
       
       0 likes, 0 repeats
       
       @mirsal ohh, okay, makes sense
       
 (DIR) Post #9fVzRxLUs18duagmps by pea@fuckonthefirst.date
       2019-02-05T05:33:02.836009Z
       
       0 likes, 0 repeats
       
       @mirsal so i would want something along the lines of iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o enp3s0 -j SNAT --to-source '192.99.4.XXX' ?
       
 (DIR) Post #9fVzSqCstjvg3o5BY0 by pea@fuckonthefirst.date
       2019-02-05T05:33:17.791734Z
       
       0 likes, 0 repeats
       
       @mirsal if i'm reading it right
       
 (DIR) Post #9fVzfbIZdbTjaVpOjY by mirsal@pleroma.1312.media
       2019-02-05T05:34:52.715035Z
       
       0 likes, 0 repeats
       
       @pea yes, assuming enp3s0 is the name of the outgoing interface from the routing container's point of view
       
 (DIR) Post #9fVzfbX6lZ6YJad0O8 by pea@fuckonthefirst.date
       2019-02-05T05:35:29.659055Z
       
       0 likes, 0 repeats
       
       @mirsal wait, from the routing container's point of view?
       i was under the impression this would be in the host's config
       
 (DIR) Post #9fVzhiAH53g5Shx7U8 by pea@fuckonthefirst.date
       2019-02-05T05:35:59.390281Z
       
       0 likes, 0 repeats
       
       @mirsal if it's in the routing container's config, then how do the other containers know that they should be routing stuff through it?
       
 (DIR) Post #9fVzmVByjuVsg02AsK by mirsal@pleroma.1312.media
       2019-02-05T05:36:30.654724Z
       
       0 likes, 0 repeats
       
       @pea it works the same way whether you route on the host or in a container :)
       
 (DIR) Post #9fVzmVLYAKAZ9gVonI by pea@fuckonthefirst.date
       2019-02-05T05:36:49.513868Z
       
       0 likes, 0 repeats
       
       @mirsal okay now i'm very confused
       
 (DIR) Post #9fVzo7fXAZZaIcdBpI by pea@fuckonthefirst.date
       2019-02-05T05:37:09.450389Z
       
       0 likes, 0 repeats
       
       @mirsal i'm gonna try this 3 different ways and see if i can sort it out lol
       
 (DIR) Post #9fW01nYmjM2bzFzm2S by mirsal@pleroma.1312.media
       2019-02-05T05:38:45.153108Z
       
       0 likes, 0 repeats
       
       @pea I'd advise to do it in the same order as the traffic traverses interfaces, using tcpdump at each step to validate that it works right
       
 (DIR) Post #9fW01ntLUuUJ11cC5Q by pea@fuckonthefirst.date
       2019-02-05T05:39:31.278134Z
       
       0 likes, 0 repeats
       
       @mirsal i will try to take that under advisement, but i don't know enough about networking and debugging it to do so i don't think ^^'
       
 (DIR) Post #9fW02lVfq3Cfuz08WG by pea@fuckonthefirst.date
       2019-02-05T05:39:47.571461Z
       
       0 likes, 0 repeats
       
       @mirsal all i've worked with before this was a dinky $5 vps
       
 (DIR) Post #9fW0TH6L0NlzQTn7Gy by mirsal@pleroma.1312.media
       2019-02-05T05:41:18.152215Z
       
       0 likes, 0 repeats
       
       @pea don't worry, it's scary at first but I am sure you'll manage ^^
       
 (DIR) Post #9fW0THFuQnQfuAGlBw by pea@fuckonthefirst.date
       2019-02-05T05:44:28.581577Z
       
       0 likes, 0 repeats
       
       @mirsal okay, so for clarification, if i edit the /etc/network/interfaces of my routing container, other containers will "know" that and use the routing container for outgoing requests to the external internet, even though they are only on the internal network?
       
 (DIR) Post #9fW0VgxJqjgcBwj22a by pea@fuckonthefirst.date
       2019-02-05T05:44:56.323617Z
       
       0 likes, 0 repeats
       
       @mirsal because that just doesn't make sense to my brain
       
 (DIR) Post #9fW0jsJ0RqJvRkdGNc by mirsal@pleroma.1312.media
       2019-02-05T05:45:40.877311Z
       
       0 likes, 0 repeats
       
       @pea no, they won't, unless you add a default route in your containers
       
 (DIR) Post #9fW0jsWTdl607Ww1NQ by pea@fuckonthefirst.date
       2019-02-05T05:47:30.308096Z
       
       0 likes, 0 repeats
       
       @mirsal oh, oh, oh, with something along the lines of `route add -net default gw 10.0.0.1` ? i saw that in one of the posts i was going through
       
 (DIR) Post #9fW0sbl3LDCwjOunho by mirsal@pleroma.1312.media
       2019-02-05T05:48:45.170179Z
       
       1 likes, 0 repeats
       
       @pea yes, but the correct command is ip route add default via 10.0.0.1 dev the_internal_network_interface_name
       
 (DIR) Post #9fW0vIYlAzbS3dRqEK by pea@fuckonthefirst.date
       2019-02-05T05:49:40.258582Z
       
       0 likes, 0 repeats
       
       @mirsal ok, gotcha! thank you a ton
       
 (DIR) Post #9fW0zmVrkiTG7AESJc by pea@fuckonthefirst.date
       2019-02-05T05:50:28.145667Z
       
       0 likes, 0 repeats
       
       @mirsal i saw something like that somewhere else too but i haven't been keeping up i guess ^^'
       
 (DIR) Post #9fW15REzkqX9sU2RFY by mirsal@pleroma.1312.media
       2019-02-05T05:51:11.350684Z
       
       0 likes, 0 repeats
       
       @pea yeah well, the route command has been deprecated for like a decade :p
       
 (DIR) Post #9fW15RTWso9ybYq2u8 by pea@fuckonthefirst.date
       2019-02-05T05:51:27.744752Z
       
       0 likes, 0 repeats
       
       @mirsal oh, is there a better way to do it?
       
 (DIR) Post #9fW1CfNfa5fNl7Xgy8 by mirsal@pleroma.1312.media
       2019-02-05T05:52:09.662006Z
       
       1 likes, 0 repeats
       
       @pea the `ip route` command is the way of the future \o/
       
 (DIR) Post #9fW1GQ0gfej9FJa7zk by mirsal@pleroma.1312.media
       2019-02-05T05:53:09.921267Z
       
       0 likes, 0 repeats
       
       @pea man 8 ip-route
       
 (DIR) Post #9fW1GQE9rZVDv5sszY by pea@fuckonthefirst.date
       2019-02-05T05:53:28.391153Z
       
       0 likes, 0 repeats
       
       @mirsal dw, i'd already pulled that up :p
       
 (DIR) Post #9fW1IB3HFwZ5QudEfI by pea@fuckonthefirst.date
       2019-02-05T05:53:48.349252Z
       
       0 likes, 0 repeats
       
       @mirsal lol, the place i saw the route command was in ovh network bridge guide from 2018, nice
       
 (DIR) Post #9fW24LwU4KxD6pQUHA by mirsal@pleroma.1312.media
       2019-02-05T05:57:22.819565Z
       
       0 likes, 0 repeats
       
       @pea haha https://lists.debian.org/debian-devel/2009/03/msg00780.html
       
 (DIR) Post #9fW24MAfDcIRoo3oNU by pea@fuckonthefirst.date
       2019-02-05T06:02:24.282471Z
       
       0 likes, 0 repeats
       
       @mirsal thanks.png
       
 (DIR) Post #9fW2E9zLMsVKvlRM92 by pea@fuckonthefirst.date
       2019-02-05T06:04:12.774536Z
       
       0 likes, 0 repeats
       
       @mirsal i'm pretty sure there should be a way for me to do it automatically with new containers that are created too but idk exactly how
       that's a problem for after work tomorrow ^^
       
 (DIR) Post #9fW2MPbHCvTTfO7MiO by pea@fuckonthefirst.date
       2019-02-05T06:05:40.765673Z
       
       0 likes, 0 repeats
       
       @mirsal lol wait it might just be this, one sec
       
 (DIR) Post #9fW2UONDeVLmB8Ld1k by mirsal@pleroma.1312.media
       2019-02-05T06:05:45.908562Z
       
       0 likes, 0 repeats
       
       @pea yeah, just add the default route in new containers' network configs, you only have to setup the NAT part once
       
 (DIR) Post #9fW2UOZyt3YgoiJov2 by pea@fuckonthefirst.date
       2019-02-05T06:07:07.394786Z
       
       0 likes, 0 repeats
       
       @mirsal yeah it was literally just putting it in 'gateway' in the gui
       funny that it took me basically a million years to figure out
       
 (DIR) Post #9fW2bwGK3LuXJGijFg by pea@fuckonthefirst.date
       2019-02-05T06:08:28.388136Z
       
       0 likes, 0 repeats
       
       @mirsal or not actually, it yells at me for doing that because vmbr0 already has a default gateway? i don't really get it but ok
       
 (DIR) Post #9fW2g37yTBkXlDmA8u by pea@fuckonthefirst.date
       2019-02-05T06:09:18.265388Z
       
       0 likes, 0 repeats
       
       @mirsal i don't really get why that matters since i'm editing vmbr1 buut okay
       oof.png
       
 (DIR) Post #9fW2r3ax4YA4OaZvzk by pea@fuckonthefirst.date
       2019-02-05T06:11:14.252425Z
       
       0 likes, 0 repeats
       
       @mirsal oh, i see
       because both of them are on my router container and i can only set one default gateway
       i don't really know how i should have this automatically work then
       
 (DIR) Post #9fW31wc1NH5dvNGosK by mirsal@pleroma.1312.media
       2019-02-05T06:11:47.414133Z
       
       0 likes, 0 repeats
       
       @pea the default route (gateway) should be set up in the app containers network config, not on the routing container
       
 (DIR) Post #9fW31wvAE6P0skE6iG by pea@fuckonthefirst.date
       2019-02-05T06:13:11.652243Z
       
       0 likes, 0 repeats
       
       @mirsal i am setting it up in the networking config, but i'm pretty sure it's yelling at me because both vmbr0 and vmbr1 are on one of my containers and the default gateway is already set with vmbr0
       so using them together on that container is making me unable to set the default gateway on vmbr0? could be wrong
       
 (DIR) Post #9fW3825puRwif17SBk by pea@fuckonthefirst.date
       2019-02-05T06:14:20.289472Z
       
       0 likes, 0 repeats
       
       @mirsal per... routing table?
       
 (DIR) Post #9fW3JImADwXlaQI74S by mirsal@pleroma.1312.media
       2019-02-05T06:16:05.480941Z
       
       1 likes, 0 repeats
       
       @pea yes, but for the sake of simplicity, lets assume that you only have one per container ^^'
       
 (DIR) Post #9fW3JJ5J4lr8XnFOuO by pea@fuckonthefirst.date
       2019-02-05T06:16:19.968897Z
       
       0 likes, 0 repeats
       
       @mirsal o-okay
       
 (DIR) Post #9fW3L3k95Mh9XjBXYe by pea@fuckonthefirst.date
       2019-02-05T06:16:44.932940Z
       
       0 likes, 0 repeats
       
       @mirsal is there a way around this? or should i just do it manually for each one? sorry for just directly asking you for answers at this point :p
       
 (DIR) Post #9fW3acH6ynrAz81TmK by pea@fuckonthefirst.date
       2019-02-05T06:19:25.986457Z
       
       0 likes, 0 repeats
       
       @mirsal honestly i'm sorta coming around to the idea of just setting it up manually, seems sorta like the hassle is worth it lmao
       
 (DIR) Post #9fW3r0XuVaz2tRhF1E by mirsal@pleroma.1312.media
       2019-02-05T06:20:52.494459Z
       
       0 likes, 0 repeats
       
       @pea its ok :) it depends on how the network is configured on containers. I suppose it's done with ifupdown (/etc/network/interfaces) if so, the default route can be set up with the gateway keyword in the private network interface definition block (at the same level as the ip address of the container)
       
 (DIR) Post #9fW3r0mRdYbrcWUqfo by pea@fuckonthefirst.date
       2019-02-05T06:22:23.644862Z
       
       0 likes, 0 repeats
       
       @mirsal i'm more talking about setting it on the host level, setting it in /etc/network/interfaces basically what i'd been doing (although i'd been doing it the stupid way, with post-up and pre-down i guess)
       
 (DIR) Post #9fW3zbCO7NT0t2j4yG by pea@fuckonthefirst.date
       2019-02-05T06:23:58.641629Z
       
       0 likes, 0 repeats
       
       @mirsal although that does mean i can just set it when creating pretty easy, so not a huge deal i guess
       
 (DIR) Post #9fW4nV1jL5LIDxXFui by mirsal@pleroma.1312.media
       2019-02-05T06:24:28.896317Z
       
       0 likes, 0 repeats
       
       @pea you have to configure the default route on each container
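
       The setup worked out in the thread above, as an added example that is not part of the thread and is not code from either participant: a POSIX shell script that renders the routing container's SNAT and forwarding commands, an app container's ifupdown stanza, and the tcpdump checks mirsal suggested. Everything the thread does not give is an assumption: the routing container's interface names (eth0 on vmbr0, eth1 on vmbr1), its internal address 10.0.0.1 (the gateway pea used in `ip route add default via 10.0.0.1`), and 203.0.113.10 standing in for the redacted public IP 192.99.4.XXX. It uses the SNAT target rather than MASQUERADE for the reason mirsal gave, turns on ip_forward, and adds FORWARD rules that only let the internal net out and replies back in (a hardening step the thread did not discuss); each rule is checked with -C before it is added so re-running the script from a post-up hook does not stack duplicates.

```shell
#!/bin/sh
# Added example, not code from the thread: render (or apply) the SNAT-router
# setup for internal Proxmox containers.
#
# Assumed placeholders (not given in the thread):
#   ROUTER_INTERNAL_IP  routing container's address on vmbr1; 10.0.0.1 is the
#                       gateway pea used in `ip route add default via 10.0.0.1`
#   WAN_IF / LAN_IF     the routing container's interface on vmbr0 / vmbr1
#   PUBLIC_IP           203.0.113.10 (RFC 5737 documentation range) stands in
#                       for the redacted 192.99.4.XXX
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/24}"
ROUTER_INTERNAL_IP="${ROUTER_INTERNAL_IP:-10.0.0.1}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# Emit an iptables rule that is only appended if it is not already present
# (-C checks for it), so the script can be re-run without duplicating rules.
idempotent_rule() {
    table="$1"; shift
    echo "iptables -t $table -C $* 2>/dev/null || iptables -t $table -A $*"
}

# Commands to run as root inside the routing container. SNAT with an explicit
# --to-source is used instead of MASQUERADE: MASQUERADE takes the first address
# of $WAN_IF, which is not necessarily the public IP meant for this container.
# The FORWARD rules are an addition to the thread: only the internal net may go
# out, and only replies to those connections may come back in.
router_nat_commands() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    idempotent_rule nat "POSTROUTING -s $INTERNAL_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP"
    idempotent_rule filter "FORWARD -i $LAN_IF -o $WAN_IF -s $INTERNAL_NET -j ACCEPT"
    idempotent_rule filter "FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

# /etc/network/interfaces stanza for an app container on vmbr1. The gateway
# keyword is what installs the default route; it belongs in each app container,
# not in the routing container (which keeps its own default route via vmbr0).
app_container_interfaces() {
    cat <<EOF
auto eth0
iface eth0 inet static
        address  $1
        netmask  255.255.255.0
        gateway  $ROUTER_INTERNAL_IP
EOF
}

# mirsal's check, one hop at a time, run in the routing container while an app
# container makes an outbound request: before SNAT the packet carries the app
# container's address, after SNAT it must carry the chosen public IP.
verify_commands() {
    echo "tcpdump -ni $LAN_IF 'src net $INTERNAL_NET and not dst net $INTERNAL_NET'"
    echo "tcpdump -ni $WAN_IF 'src host $PUBLIC_IP'"
}

# Usage:  sh snat-router.sh show             print everything
#         sh snat-router.sh apply            run the router commands (as root)
#         sh snat-router.sh stanza 10.0.0.20 print one app container's stanza
case "${1:-}" in
    show)   router_nat_commands; echo; app_container_interfaces 10.0.0.20; echo; verify_commands ;;
    apply)  router_nat_commands | sh -e ;;
    stanza) app_container_interfaces "$2" ;;
esac
```

       The variables can be overridden from the environment (for example `WAN_IF=eth0 PUBLIC_IP=192.99.4.XXX sh snat-router.sh show`) so the rendered commands match the real interface names as seen from inside the routing container, which is the point mirsal makes about `-o enp3s0`.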
       
 (DIR) Post #9fW4nVeN1QFc9nc78q by pea@fuckonthefirst.date
       2019-02-05T06:32:56.282388Z
       
       0 likes, 0 repeats
       
       @mirsal ahh okay, brilliant, thank you, just realising i can do that through the gui on container creation already makes my life easier :p
       
 (DIR) Post #9fW4p6iMhdGpOrFCc4 by pea@fuckonthefirst.date
       2019-02-05T06:33:21.592811Z
       
       0 likes, 0 repeats
       
       @mirsal thank you so much, i sincerely appreciate all the help you've been giving, it would've taken me ages to figure this out without you
       
 (DIR) Post #9fW4tAiPln2mxzCng0 by pea@fuckonthefirst.date
       2019-02-05T06:34:04.669082Z
       
       0 likes, 0 repeats
       
       @mirsal with that, i gotta sleep so i'm ready for work ^^' sysadmin stuff always keeps me up way too late >>
       
 (DIR) Post #9fW50dfwUlAmoObrbU by mirsal@pleroma.1312.media
       2019-02-05T06:34:51.213322Z
       
       1 likes, 0 repeats
       
       @pea haha, me too ^^' sweet dreams :)
       
 (DIR) Post #9fWAMVm53DywRtjIps by drlabman@mastodon.technology
       2019-02-05T07:34:38Z
       
       0 likes, 0 repeats
       
       @pea Just to clarify, do you want to setup network traffic between different VMs and containers without giving them full network access?
       
 (DIR) Post #9fWAMVzuDp2b8mCLNw by pea@fuckonthefirst.date
       2019-02-05T07:35:24.337677Z
       
       0 likes, 0 repeats
       
       @drlabman not really, but it's already been sorted at this point
       thank you though!