Werner van Staden wrote:
Dear List,

As per reporting guidelines, status.txt.bz2 attached.
                        
I am running shorewall 3.0.4 in a routed Xen Dom0.

Shorewall 3.0.4 is quite old to be attempting that.

physical interface eth0 is in the loc zone
physical interface eth2 is in the net zone
virtual interface eth7 (in the dmz zone) connects webserver DomU - its address 
is 192.168.192.252

With the introduction of virtual interfaces I lost my common sense: the
DMZ domU interface (eth7) has address 192.168.192.252 but what should be
its gateway?

I don't understand your question. According to the dump

23: eth7: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.169/32 brd 192.168.2.255 scope global eth7
    inet6 fe80::fcff:ffff:feff:ffff/64 scope link
       valid_lft forever preferred_lft forever

So eth7 has IP address 192.168.2.169. From the routing table:

192.168.192.252 dev eth7  scope link  src 192.168.2.169

So apparently, you have a VM with IP address 192.168.192.252 running on the VM associated with VIF eth7. Is that correct?

If so, how is it that you expect any communication to the outside world from that VM? Why did you use that IP address? There are no other addresses in your configuration in the 192.168.192.0 network.

Your /etc/shorewall/masq file makes no sense: It appears to look like:

eth2    192.168.2.0/24  
eth2    192.168.2.11    
eth2    192.168.2.12
eth2    192.168.2.18    62.24.195.87

a) All but the first rule are useless since they are masked by the first rule (remember that the first match determines the outcome except in the tcrules file).

b) You are not masquerading/SNATting 192.168.192.252.

I see that you have a couple of DNAT rules:

0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.27 tcp dpt:18080 to:192.168.192.252:80
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.27 tcp dpt:22252 to:192.168.192.252:22

I have arbitrarily assigned 192.168.192.27 in the host's
/etc/network/interfaces file, yet this cannot be correct?

I don't think there is anything correct about this IP configuration.

With my current setup users on the web can connect to the DMZ host, but the
machine cannot initiate connections to the web (e.g. apt-get update or
wget) because (I assume) it cannot find a gateway route.

It's because the net has no clue how to route responses back to that host.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
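Added example, not part of the thread and not Shorewall's own code: a small checker for the two masq problems pointed out above (later entries masked by an earlier first-match entry, and a host that no entry covers at all), run over a constructed copy of the masq entries quoted in the reply. The masq format assumed here is the three-column INTERFACE SOURCE [ADDRESS] layout shown in the message; the function names are my own.

```python
import ipaddress

# Constructed copy of the /etc/shorewall/masq entries quoted in the reply.
MASQ_TEXT = """\
eth2    192.168.2.0/24
eth2    192.168.2.11
eth2    192.168.2.12
eth2    192.168.2.18    62.24.195.87
"""

def parse_masq(text):
    """Parse masq-style lines (INTERFACE SOURCE [ADDRESS]); skip blanks and # comments.
    A bare host address is treated as a /32 network."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        iface, source = parts[0], parts[1]
        address = parts[2] if len(parts) > 2 else None
        entries.append((iface, ipaddress.ip_network(source, strict=False), address))
    return entries

def shadowed(entries):
    """Indices of entries that can never match because an earlier entry on the
    same interface already covers every address they would match (first match wins)."""
    result = []
    for i, (iface, net, _) in enumerate(entries):
        for eiface, enet, _ in entries[:i]:
            if eiface == iface and net.subnet_of(enet):
                result.append(i)
                break
    return result

def matching_rule(entries, iface, host):
    """Index of the first entry that masquerades/SNATs host leaving via iface, or None."""
    addr = ipaddress.ip_address(host)
    for i, (eiface, net, _) in enumerate(entries):
        if eiface == iface and addr in net:
            return i
    return None

if __name__ == "__main__":
    rules = parse_masq(MASQ_TEXT)
    print("masked entries:", shadowed(rules))            # [1, 2, 3]
    print("DMZ host rule:", matching_rule(rules, "eth2", "192.168.192.252"))  # None
```

With the quoted entries, the DMZ host 192.168.192.252 matches no masq entry, which is exactly why replies from the outside world have no usable return path.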
