host configuration

All processes on the real host must bind to a particular IP address when they bind to ports, so that the vservers can bind to the same port on their own IP addresses. A process that binds the wildcard address (0.0.0.0) takes the port on every address the host has, including the vservers', and their bind() will fail.

host:/etc/apache/httpd.conf:
Listen 216.162.197.194:8080

We can't use inetd, because it binds every service to all addresses/interfaces. We have to use xinetd, whose per-service bind (alias interface) attribute ties a service to one address. (Details to be written.)
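
A quick way to verify the rule above before bringing up vservers is to scan the host's listeners for anything bound to the wildcard address. The following POSIX sh functions are an added example, not part of the original page; they parse the output of netstat -ltn (assumed column layout: proto, queues, local address:port, foreign address, state) and the sample output is constructed in the page's setting.

```sh
#!/bin/sh
# Added example, not from the original page: find TCP listeners on the real
# host that are bound to the wildcard address and would therefore grab the
# port on every IP, including the vservers'.  Input is the output of
# "netstat -ltn"; column layout assumed: proto, Recv-Q, Send-Q,
# local address:port, foreign address:port, state.

# wildcard_listeners: read netstat -ltn lines on stdin, print "proto port"
# for each listener whose local address is 0.0.0.0, *, :: or [::]
wildcard_listeners() {
    awk '$NF == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "*" || host == "::" || host == "[::]")
            print $1, port
    }'
}

# check_host_listeners: run the check live; returns 1 if any wildcard
# listener exists, so a deploy script can refuse to start vservers
check_host_listeners() {
    found=$(netstat -ltn 2>/dev/null | wildcard_listeners)
    if [ -n "$found" ]; then
        echo "listeners bound to all addresses (fix with Listen/bind):"
        echo "$found"
        return 1
    fi
    echo "no wildcard listeners"
}

# Constructed sample (not real output): Apache correctly bound to the host
# IP, a mailer on 0.0.0.0:25 (the problem case), a loopback-only service,
# and sshd on all IPv6 addresses.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 216.162.197.194:8080    0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

# Expected: "tcp 25" and "tcp6 22"
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
```

On the real host, run check_host_listeners from the script that starts the vservers; any port it reports has to be moved to an explicit address (Listen host:port for Apache, bind = host for xinetd services) first.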

delegate

Delegate is our ftp and web proxy.

To run delegate:
host# /etc/init.d/delegate [start|stop|restart]

Here is a working example of /etc/delegate/web:

ADMIN=webmaster@raven.riseup.net
DGROOT=/home/delegate
-P216.162.197.194:80
PERMIT="*:*:*"
MOUNT="/* http://127.0.0.1:8080/* vhost=-raven.riseup.net"
## auto created below here ##
MOUNT="/blue/* http://blue.revolt.org/* "  ## id=blue
MOUNT="/blue.revolt.org/* http://blue.revolt.org/* "  ## id=blue
MOUNT="/* http://blue.revolt.org/* vhost=-blue.revolt.org"  ## id=blue
MOUNT="/red.revolt.org/* http://red.revolt.org/* "  ## id=blue
MOUNT="/* http://red.revolt.org/* vhost=-red.revolt.org"  ## id=blue

In this example, the real host is named raven.riseup.net, and the vserver named blue runs the sites blue.revolt.org and red.revolt.org. The first MOUNT line sends requests for the host's own name to the Apache running on the host; note that it targets 127.0.0.1:8080 while the Listen line above binds only 216.162.197.194:8080, so the two must agree (add a Listen for 127.0.0.1:8080, or point the MOUNT at the host IP). If a domain is not yet pointing at us, you can visit the site at raven.riseup.net/blue.revolt.org (or simply /blue). PERMIT="*:*:*" (proto:dst:src) places no restriction on which clients may use this Delegate or which destinations it will connect to; tighten PERMIT before exposing the proxy to the Internet.

For this to work, /etc/hosts on the host must map blue.revolt.org and red.revolt.org to the vserver's local (private) IP, not to the public IP those domains resolve to. The public IP is the host's own port 80, i.e. Delegate itself, so pointing the MOUNT targets there would make Delegate connect back to itself and loop.

The script setup-network should do all this for you:
host# /root/setup-network blue

See delegate manual for more info:
www.delegate.org/delegate/Manual.htm

NAT

To let a vserver on a private address (192.168.0.0/24 here) open connections to the outside world and get the replies back, the host must rewrite the source address of the vserver's outgoing packets to the host's public IP (source NAT). Packets whose destination is also inside 192.168.0.0/24 (vserver to vserver, vserver to host) are excluded so that local traffic keeps its real addresses.

To add the NAT rule (! -d is the current iptables negation syntax; very old versions wrote -d ! 192.168.0.0/24 instead):
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j SNAT --to-source <hostip>

To remove it, -D has to repeat exactly the match that was added; a -D with only -s <vserver ip> does not match the rule above and fails. If you prefer one rule per vserver, use -s <vserver ip> in both the -A and the -D:
# iptables -t nat -D POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j SNAT --to-source <hostip>

To check the rules (-n avoids reverse DNS lookups, --line-numbers lets you delete by position):

# iptables -t nat -L POSTROUTING -n -v --line-numbers
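
The following POSIX sh functions are an added example, not from the original page: they keep the SNAT match in one place so that -A, -C and -D always use the identical rule, and they check with -C before adding so that rerunning a setup script does not stack duplicate rules. Assumptions: vservers live in 192.168.0.0/24 as on this page, the host's public IP is passed in, the iptables binary supports -C (1.4.11 or later), and IPTABLES can be overridden with a stub for dry runs.

```sh
#!/bin/sh
# Added example (not from the original page): manage the SNAT rule for the
# vserver network so that add, check and remove use the identical match and
# adding twice does not duplicate the rule.  Assumptions: vservers are in
# 192.168.0.0/24, the host's public IP is passed in, iptables supports -C
# (>= 1.4.11), and IPTABLES may be overridden (e.g. with a logging stub).

IPTABLES=${IPTABLES:-iptables}
VNET=${VNET:-192.168.0.0/24}

# snat_match HOSTIP: the rule body shared by -A, -C and -D.  Traffic whose
# destination is inside VNET (vserver to vserver, vserver to host) is
# deliberately left un-NATed.
snat_match() {
    echo "POSTROUTING -s $VNET ! -d $VNET -j SNAT --to-source $1"
}

# nat_add HOSTIP: append the rule unless an identical one is already present.
# The unquoted $(snat_match ...) is intentional: it must split into words.
nat_add() {
    if $IPTABLES -t nat -C $(snat_match "$1") 2>/dev/null; then
        echo "SNAT rule for $VNET -> $1 already present"
    else
        $IPTABLES -t nat -A $(snat_match "$1")
    fi
}

# nat_del HOSTIP: delete exactly the rule nat_add inserted
nat_del() {
    $IPTABLES -t nat -D $(snat_match "$1")
}

# nat_show: list the nat table numerically, with rule numbers for deleting
# by position if a rule was ever added with a different match
nat_show() {
    $IPTABLES -t nat -L POSTROUTING -n -v --line-numbers
}
```

On the host this is nat_add 216.162.197.194 when the vservers come up and nat_del 216.162.197.194 when they go down; running nat_add a second time is a no-op.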

Limiting network sniffing

When we actually deploy vservers, we should not give them CAP_NET_RAW or CAP_NET_ADMIN. CAP_NET_RAW permits raw and packet sockets, with which a vserver can sniff the traffic of the other vservers sharing the host's interface; CAP_NET_ADMIN permits reconfiguring that interface (promiscuous mode, addresses, routes, firewall rules), which is both a sniffing aid and a way to interfere with the other vservers' networking.
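
To confirm after deployment that a vserver's processes really lack these two capabilities, decode the capability masks the kernel exposes in /proc/<pid>/status. The POSIX sh functions below are an added example, not from the original page; the bit numbers come from <linux/capability.h> (CAP_NET_ADMIN = 12, CAP_NET_RAW = 13), the masks in the test are constructed, and how the vserver's PIDs are enumerated is left to the vserver tooling.

```sh
#!/bin/sh
# Added example (not from the original page): check whether a process still
# holds CAP_NET_RAW or CAP_NET_ADMIN by decoding the hexadecimal capability
# masks in /proc/<pid>/status.  Bit numbers are from <linux/capability.h>.
# Assumption: run on the host against the PIDs belonging to the vserver.

CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap HEXMASK BIT: exit 0 if capability BIT is set in HEXMASK
# (HEXMASK is the raw value from /proc, e.g. 0000003fffffffff)
has_cap() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# sniff_caps HEXMASK: print the names of the sniffing-relevant capabilities
# present in HEXMASK, space separated (empty if neither is set)
sniff_caps() {
    out=""
    if has_cap "$1" $CAP_NET_ADMIN; then out="${out}CAP_NET_ADMIN "; fi
    if has_cap "$1" $CAP_NET_RAW; then out="${out}CAP_NET_RAW "; fi
    echo "${out% }"
}

# check_pid PID [FIELD]: decode one process's mask from /proc/PID/status.
# FIELD defaults to CapBnd (the bounding set, which caps everything the
# process or its children can ever gain); use CapEff on old kernels that
# print no CapBnd line.  Returns 1 if raw sockets or interface
# configuration are still reachable, 2 if the field is missing.
check_pid() {
    field=${2:-CapBnd}
    mask=$(sed -n "s/^$field:[[:space:]]*//p" "/proc/$1/status")
    if [ -z "$mask" ]; then
        echo "pid $1: no $field line in /proc/$1/status"
        return 2
    fi
    caps=$(sniff_caps "$mask")
    if [ -n "$caps" ]; then
        echo "pid $1: $field=$mask still grants: $caps"
        return 1
    fi
    echo "pid $1: $field=$mask ok"
}

# check_pids PID...: check several processes, fail if any one of them fails
check_pids() {
    rc=0
    for p in "$@"; do
        check_pid "$p" || rc=1
    done
    return $rc
}
```

A mask of 0000003fffffffff (every capability in a 2.6-era kernel) reports both names; 0000003fffffcfff, the same mask with bits 12 and 13 cleared, reports nothing and is what a correctly confined vserver process should show.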