Hi guys, I have an issue with my Shorewall setup, which I don't seem to be able to resolve.

I have a 3-box setup with the following parameters:

Box 1: The router, running Shorewall 4.0.3. It has 3 802.1q interfaces: vlan100, vlan200, vlan300 on eth0, which is connected into a trunk port on my L2 switch. VLAN100 is the NET. VLAN200 is DMZ, VLAN300 and ETH3 is LOC. Box 1 also has 1 Xen DomU, routed to vlan300, interface name eth3. This is the VM which I have problems with.
  VLAN100 (EXT_IF) has the subnet 195.228.157.16/28 and ip 195.228.157.17.
  VLAN200 (DMZ_IF) has the subnet 10.20.0.0/24 and ip 10.20.0.1.
  VLAN300 (INT_IF) has the subnet 10.30.0.0/24 and ip 10.30.0.1.
  ETH0 is used only for internal monitoring of the switch management port, has the ip 10.0.0.1.
  ETH3 (VM_2_IF), which is the Xen routed interface, has the ip 10.30.0.1.
  The Xen DomU, call it DB-0, has an eth0 and ip 10.30.0.10. A split Bind9 is running on it also, serving queries in INTERNAL and EXTERNAL views.

Box 2: Connected into the 200 vlan, which is the DMZ. Has one interface, eth0. 2 Xen DomU-s are running on this box, 10.20.0.10 and 10.20.0.20 respectively, routed to 10.20.0.1 via 10.20.0.2.

Box 3: Connected into the 300 vlan, which is the LOC. This box is not used currently.

I have general accept all-to-all from all policies and rules for testing purposes, logging everything.

NAT:
  195.228.157.18  vlan100  10.20.0.10  no  no
  195.228.157.19  eth3     10.30.0.10  no  no

MASQ:
  $EXT_IF  $DMZ_IF   195.228.157.17
  $EXT_IF  $VM_2_IF  195.228.157.19  all

My problem: DB-0 can ping everywhere properly, I get normal ICMP replies. It properly resolves everything due to the internal DNS server. However, I cannot establish connections from inside the VM: SSH, FTP, HTTP just hang after the "Connection established" messages in verbose mode, then the connection just closes after 1-2 minutes. The same stuff is working without a hitch on Box 2, I can connect everywhere properly from each of the 2 VMs running on it. Their configuration and the system are exactly the same, Gentoo Linuxes with 2.6.20-r6 kernels, one interface with an ip address routed through the vlan's default gateway.

My guess is that somehow the Xen routing could be the problem when the DomU I'm trying to route is on the same host as the Shorewall setup, but I'm not smart enough to figure it out on my own. I've attached the shorewall dump (after a reset and tried connections) to this message.

Any ideas welcome. Thanks for your help in advance,
András

--
Some more information:

TCPDUMP: After trying to ssh pixelszabaszat.hu from the DB-0 VM:

PIX-APP-0 ~ # tcpdump -i eth3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes
19:07:33.172043 arp who-has 10.30.0.1 tell 10.30.0.10
19:07:33.172065 arp reply 10.30.0.1 is-at fe:ff:ff:ff:ff:ff (oui Unknown)
19:07:33.172102 IP 10.30.0.10.32784 > 10.30.0.1.domain: 46764+ AAAA? pixelszabaszat.hu. (35)
19:07:33.172440 IP 10.30.0.1.domain > 10.30.0.10.32784: 46764 0/1/0 (82)
19:07:33.172527 IP 10.30.0.10.32784 > 10.30.0.1.domain: 42920+ AAAA? pixelszabaszat.hu. (35)
19:07:33.172585 IP 10.30.0.1.domain > 10.30.0.10.32784: 42920 0/1/0 (82)
19:07:33.172640 IP 10.30.0.10.32784 > 10.30.0.1.domain: 7400+ A? pixelszabaszat.hu. (35)
19:07:33.172727 IP 10.30.0.1.domain > 10.30.0.10.32784: 7400 1/2/1 A pixelszabaszat.hu (110)
19:07:33.172833 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: S 157951987:157951987(0) win 5840 <mss 1460,sackOK,timestamp 182185 0,nop,wscale 6>
19:07:33.173112 IP pixelszabaszat.hu.ssh > 10.30.0.10.54999: S 1718828997:1718828997(0) ack 157951988 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 2068278201 182185,sackOK,eol>
19:07:33.173165 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: . ack 1 win 92 <nop,nop,timestamp 182185 2068278201>
19:07:33.193088 IP pixelszabaszat.hu.ssh > 10.30.0.10.54999: P 1:40(39) ack 1 win 33304 <nop,nop,timestamp 2068278221 182185>
19:07:33.193126 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: . ack 40 win 92 <nop,nop,timestamp 182187 2068278221>
19:07:33.193261 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: P 1:21(20) ack 40 win 92 <nop,nop,timestamp 182187 2068278221>
19:07:33.402034 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: P 1:21(20) ack 40 win 92 <nop,nop,timestamp 182208 2068278221>
19:07:33.822045 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: P 1:21(20) ack 40 win 92 <nop,nop,timestamp 182250 2068278221>
19:07:34.662033 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: P 1:21(20) ack 40 win 92 <nop,nop,timestamp 182334 2068278221>
19:07:36.342061 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: P 1:21(20) ack 40 win 92 <nop,nop,timestamp 182502 2068278221>
19:07:38.172104 arp who-has 10.30.0.10 tell 10.30.0.1
19:07:38.172142 arp reply 10.30.0.10 is-at 00:16:3e:32:37:29 (oui Unknown)
19:07:39.702114 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: P 1:21(20) ack 40 win 92 <nop,nop,timestamp 182838 2068278221>
19:07:46.422246 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: P 1:21(20) ack 40 win 92 <nop,nop,timestamp 183510 2068278221>

LOG:
Mar 18 19:07:33 PIX-APP-0 Shorewall:loc2net:ACCEPT:IN=eth3 OUT=vlan100 SRC=10.30.0.10 DST=80.249.168.21 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57434 DF PROTO=TCP SPT=54999 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 18 19:07:34 PIX-APP-0 Shorewall:loc2net:ACCEPT:IN=eth3 OUT=vlan100 SRC=10.30.0.10 DST=80.249.168.21 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57434 DF PROTO=TCP SPT=54999 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

--
András Tarsoly [EMAIL PROTECTED]
Attachment: status.txt.gz (GNU Zip compressed data)
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
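The capture in the post has a recognisable shape: the SYN, SYN/ACK and ACK all pass, the server's first data segment (1:40) is acknowledged by the client, but the client's own first data segment (1:21, the SSH version string) is retransmitted with exponential backoff and never acknowledged. The script below is an added example, not code from the original post or from the Shorewall project; it parses tcpdump's text output (the older `flags seq:end(len) ack N` format shown above, which is what tcpdump 3.x prints), reconstructs each TCP flow, and reports whether the handshake completed and which side's payload, if any, was retransmitted without ever being acknowledged. The sample capture lines are copied from the post; the second, "healthy" sample with a server ACK of the client data is constructed here for contrast. The regex, flow bookkeeping and function names are my own.

```python
import re

# Lines copied from the tcpdump in the post (client data 1:21 retransmitted, never acked).
SAMPLE = """\
19:07:33.172833 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: S 157951987:157951987(0) win 5840 <mss 1460,sackOK,timestamp 182185 0,nop,wscale 6>
19:07:33.173112 IP pixelszabaszat.hu.ssh > 10.30.0.10.54999: S 1718828997:1718828997(0) ack 157951988 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 2068278201 182185,sackOK,eol>
19:07:33.173165 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: . ack 1 win 92 <nop,nop,timestamp 182185 2068278201>
19:07:33.193088 IP pixelszabaszat.hu.ssh > 10.30.0.10.54999: P 1:40(39) ack 1 win 33304 <nop,nop,timestamp 2068278221 182185>
19:07:33.193126 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: . ack 40 win 92 <nop,nop,timestamp 182187 2068278221>
19:07:33.193261 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: P 1:21(20) ack 40 win 92 <nop,nop,timestamp 182187 2068278221>
19:07:33.402034 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: P 1:21(20) ack 40 win 92 <nop,nop,timestamp 182208 2068278221>
19:07:33.822045 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: P 1:21(20) ack 40 win 92 <nop,nop,timestamp 182250 2068278221>
19:07:34.662033 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: P 1:21(20) ack 40 win 92 <nop,nop,timestamp 182334 2068278221>
19:07:36.342061 IP 10.30.0.10.54999 > pixelszabaszat.hu.ssh: P 1:21(20) ack 40 win 92 <nop,nop,timestamp 182502 2068278221>
"""

# Constructed contrast case: same handshake, but the server acknowledges the client's 20 bytes.
HEALTHY = "\n".join(SAMPLE.splitlines()[:6] + [
    "19:07:33.200000 IP pixelszabaszat.hu.ssh > 10.30.0.10.54999: . ack 21 win 33304 <nop,nop,timestamp 2068278222 182187>",
]) + "\n"

# tcpdump 3.x TCP line: "<ts> IP <src> > <dst>: <flags> [seq:end(len)] [ack N] win ..."
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SPFR.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?"
)


def analyse(text):
    """Group TCP lines into flows keyed by the endpoint pair and track sent/acked bytes."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ARP, DNS and other non-TCP lines are ignored
        src, dst, flags = m["src"], m["dst"], m["flags"]
        f = flows.setdefault(frozenset((src, dst)), {
            "client": None, "server": None,
            "syn": False, "synack": False, "handshake": False,
            "sent": {src: {}, dst: {}},   # per sender: (seq, end) -> times seen
            "acked": {src: 0, dst: 0},    # per sender: highest ack the peer returned
        })
        if "S" in flags and m["ack"] is None:          # SYN: whoever sends it is the client
            f["client"], f["server"], f["syn"] = src, dst, True
        elif "S" in flags:                              # SYN/ACK from the server
            f["synack"] = True
        elif f["syn"] and f["synack"] and src == f["client"] and m["ack"] is not None:
            f["handshake"] = True                       # third packet: handshake done
        # Ack numbers on SYN/ACK are absolute in tcpdump output; only trust relative ones.
        if "S" not in flags and m["ack"] is not None:
            f["acked"][dst] = max(f["acked"][dst], int(m["ack"]))
        if m["len"] and int(m["len"]) > 0:
            seg = (int(m["seq"]), int(m["end"]))
            f["sent"][src][seg] = f["sent"][src].get(seg, 0) + 1
    return flows


def unacked(flow, sender):
    """Data segments from `sender` whose end sequence the peer never acknowledged."""
    acked = flow["acked"][sender]
    return sorted((seq, end, n) for (seq, end), n in flow["sent"][sender].items() if end > acked)


def diagnose(flow):
    if not flow["handshake"]:
        return "handshake incomplete: SYN, SYN/ACK and ACK did not all pass"
    for side in ("client", "server"):
        pending = unacked(flow, flow[side])
        if pending:
            seq, end, n = pending[0]
            return (f"handshake completed but {side} payload {seq}:{end} ({end - seq} bytes) "
                    f"was sent {n} times and never acknowledged")
    return "all data acknowledged"


if __name__ == "__main__":
    for name, text in (("post capture", SAMPLE), ("constructed healthy capture", HEALTHY)):
        for flow in analyse(text).values():
            print(f"{name}: {flow['client']} -> {flow['server']}: {diagnose(flow)}")
```

Run it against `tcpdump -n -i eth3 tcp` output saved to a file (pipe the file in place of `SAMPLE`). The useful split is the one the script makes: handshake packets and the first server segment get through the router in both directions, only the client's payload goes missing after it leaves eth3, so the next captures to compare are the same flow on vlan100 (does the NATed 20-byte segment appear there at all, and with a valid checksum?) and on the DomU's eth0. That pattern, small payload segments lost while empty handshake segments survive, is a general symptom of packets being dropped or corrupted in transit rather than of a firewall rule; the thread itself does not establish the cause.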
