Hello all,
It's my first letter on this list, and my English is not very good.
Please be indulgent about grammar/syntax and other errors :))
I have trouble with ACLs for an IP range. But an ACL for one host (with an IP
address) works fine.
Please help me make the ACL work / find the error in the ACL.
Because I'm a new Shorewall user, I made a test configuration on a virtual
machine (VirtualBox) with a bridged network.
The production OVZ server works with iptables, and I'm afraid to destroy a working
configuration.
It works, but not well. I want to simply create new subnetworks, a DMZ and others.
===========Scheme======================
Host system (simple desktop of Fedora 8 with network bridge and
VirtualBOX) ---> Guest System with openvz kernel ---> some Virtual
Private Servers.
I think you may forget about VirtualBox, but you need to remember about
OpenVZ. Hardware hosts in the LAN see the virtual OpenVZ, because it uses a
bridge with the host system, and the VPS servers are seen also. All works if
Shorewall on the virtual OpenVZ is disabled.
-------------------Host-system:--------------------------
[EMAIL PROTECTED] ~]$ cat /etc/redhat-release
Fedora release 8 (Werewolf)
[EMAIL PROTECTED] ~]$ uname -a
Linux desktop.loc 2.6.26.5-28.fc8 #1 SMP Sat Sep 20 09:12:30 EDT 2008
x86_64 x86_64 x86_64 GNU/Linux
[EMAIL PROTECTED] ~]$ ifconfig
br0 Link encap:Ethernet HWaddr **************
inet addr:10.0.5.2 Bcast:10.0.5.255 Mask:255.255.255.0
inet6 addr: fe80::211:d8ff:fe91:a3da/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1246145 errors:0 dropped:0 overruns:0 frame:0
TX packets:1563590 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:975442995 (930.2 MiB) TX bytes:1051074268 (1002.3 MiB)
eth0 Link encap:Ethernet HWaddr ********
inet6 addr: fe80::211:d8ff:fe91:a3da/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1246044 errors:0 dropped:0 overruns:0 frame:0
TX packets:1563463 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:998007741 (951.7 MiB) TX bytes:1057556364 (1008.5 MiB)
Interrupt:17
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1353 errors:0 dropped:0 overruns:0 frame:0
TX packets:1353 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2680004 (2.5 MiB) TX bytes:2680004 (2.5 MiB)
vbox0 Link encap:Ethernet HWaddr 00:FF:9E:34:22:E5
inet6 addr: fe80::2ff:9eff:fe34:22e5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:5161 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
vbox1 Link encap:Ethernet HWaddr 00:FF:EE:80:DA:5C
inet6 addr: fe80::2ff:eeff:fe80:da5c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:119 errors:0 dropped:0 overruns:0 frame:0
TX packets:142 errors:0 dropped:5142 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:15192 (14.8 KiB) TX bytes:12786 (12.4 KiB)
virbr0 Link encap:Ethernet HWaddr B2:12:B1:BF:97:CB
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::b012:b1ff:febf:97cb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:4855 (4.7 KiB)
-------------------end of Host-system:--------------------------
-----------------------VirtualBOX with host
system:-------------------------------------
[EMAIL PROTECTED] ~]$ rpm -qa | grep Virtual
VirtualBox-2.0.2_36488_fedora8-1
-----------------------end of VirtualBOX with host
system:-------------------------------
------------------------------ Guest system with
ovz-kernel------------------------------
[EMAIL PROTECTED] ~]# cat /etc/redhat-release
CentOS release 5.2 (Final)
[EMAIL PROTECTED] ~]# uname -a
Linux localhost.localdomain 2.6.18-92.1.13.el5.028stab059.3 #1 SMP Wed
Oct 15 17:48:55 MSD 2008 i686 athlon i386 GNU/Linux
[EMAIL PROTECTED] ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:89:FF:82
inet addr:10.0.5.4 Bcast:10.0.5.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe89:ff82/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47 errors:0 dropped:0 overruns:0 frame:0
TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5274 (5.1 KiB) TX bytes:5888 (5.7 KiB)
Interrupt:11 Base address:0xc020
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
venet0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[EMAIL PROTECTED] shorewall]# rpm -qa | grep vz
ovzkernel-2.6.18-92.1.13.el5.028stab059.3
vzrpm44-4.4.1-22.5
vztmpl-fedora-7-1.1-1
vzquota-3.0.11-1
vzctl-3.0.22-1
vzrpm44-python-4.4.1-22.5
vzpkg-2.7.0-18
vzctl-lib-3.0.22-1
vzyum-2.4.0-11
------------------------------ end of Guest system with
ovz-kernel------------------------------
---------------------VE containers with venet network (Fedora 7
distribution)------------------
[EMAIL PROTECTED] ~]# vzlist
VEID NPROC STATUS IP_ADDR HOSTNAME
201 5 running 10.0.2.1 test_vps1.loc
202 8 running 10.0.2.2 test_vps2.loc
203 3 running 10.0.2.3 test_vps3.loc
[EMAIL PROTECTED] ~]#
---------------------end of VE containers with venet network (Fedora 7
distribution)------------------
===========end of Scheme======================
If the shorewall service is stopped and all iptables policies are set to ACCEPT,
all connections succeed:
VPS<-->lan
VPS<-->HN
HN<-->lan
For example, with the host computer (from the LAN):
[EMAIL PROTECTED] ~]$ ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Last login: Sun Oct 26 20:13:56 2008 from 10.0.5.2
[EMAIL PROTECTED] ~]#
============Configuration files====================
[EMAIL PROTECTED] two_work_config_]# cat zones
########################zones#######################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
############ Hardware Local Network ##############
#local Network interface
loci ipv4
#local network
loc:loci
desk1:loc
################################################
############# Venet Local Network ##############
#Virtual Interface
venet ipv4
#Virtual network (see hosts file)
ven1:venet
#VPS servers
web1:ven1
serv2:ven1
dmz:ven1
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
[EMAIL PROTECTED] two_work_config_]# cat hosts
################### hosts###################
#ZONE HOST(S) OPTIONS
web1 venet0:10.0.2.1
serv2 venet0:10.0.2.2
dmz venet0:10.0.2.3
ven1 venet0:10.0.2.1-10.0.2.255
loc eth0:10.0.5.0/24
desk1 eth0:10.0.5.2
#inet 0.0.0.0/24
[EMAIL PROTECTED] two_work_config_]# cat interfaces
#ZONE INTERFACE BROADCAST OPTIONSnet eth0
loci eth0 detect
venet venet0 - routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
[EMAIL PROTECTED] two_work_config_]# cat policy
################## policy
#############################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
#
$FW all ACCEPT
#Remove this string!
all $FW ACCEPT
#May be, it's not need
#loci venet ACCEPT
#venet loci ACCEPT
#loc ven1 ACCEPT
#ven1 loc ACCEPT
#Test DMZ
ven1 dmz ACCEPT
desk1 dmz ACCEPT
dmz all DROP
#Temporary acl for one vps
web1 venet ACCEPT
venet web1 ACCEPT
loc web1 ACCEPT
web1 loc ACCEPT
#ACL for venet network
ven1 venet ACCEPT
venet ven1 ACCEPT
loc ven1 ACCEPT
ven1 loc ACCEPT
#ven1 ven1 ACCEPT
#ven1 loc ACCEPT
#loc ven1 ACCEPT
#temporary for desktop
#desk1 ven1 ACCEPT
#ven1 desk1 ACCEPT
desk1 web1 ACCEPT
web1 desk1 ACCEPT
#loc web1 ACCEPT
#loc serv2 ACCEPT
#serv2 loc ACCEPT
#web1 loc ACCEPT
all all REJECT
#LAST LINE -- DO NOT REMOVE
[EMAIL PROTECTED] two_work_config_]#
============end of Configuration files====================
For one test VPS server the connection is accepted:
[EMAIL PROTECTED] ~]$ ping -c 1 10.0.2.1
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=1.44 ms
--- 10.0.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.440/1.440/1.440/0.000 ms
But for the other test VPS the connection is dropped:
[EMAIL PROTECTED] ~]$ ping -c 1 10.0.2.2
PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
From 10.0.5.4 icmp_seq=1 Destination Host Unreachable
--- 10.0.2.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
The ACL for ven1 doesn't work.
The connection for one VPS is accepted because the policy file contains these lines:
#Temporary acl for one vps
web1 venet ACCEPT
venet web1 ACCEPT
loc web1 ACCEPT
web1 loc ACCEPT
Please help me find the error.
Thank you for all answers or ideas.
--
Best regards,
Galia Lisovskaya.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
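The following Python model is an added example, not part of the original post and not Shorewall's own code. It parses copies of the zones, interfaces, hosts and policy files quoted above and reports, for a source and a destination address, which zone each is placed in (the narrowest matching hosts entry, otherwise the interface's own zone) and which policy line is selected (the first line in file order whose SOURCE and DEST match the zone pair or `all`, with `$FW` standing for the firewall). Shorewall's IMPLICIT_CONTINUE setting is not shown in the post and is not modelled: in this model a sub-zone only falls back to its parent through an explicit CONTINUE policy, and that is stated as an assumption in the code. The extra probe addresses 10.0.5.10 and 10.0.2.200 are constructed for the example.

```python
"""Shorewall zone classification and policy lookup, modelled in Python.
Added example, not Shorewall's code: re-implements the documented lookup order
(narrowest hosts entry wins, first matching policy line in file order) over
copies of the four config files from the post. Assumptions are commented."""
import ipaddress

# Constructed input: the poster's files with comments removed.
ZONES_FILE = """fw     firewall
loci   ipv4
loc:loci
desk1:loc
venet  ipv4
ven1:venet
web1:ven1
serv2:ven1
dmz:ven1"""
INTERFACES_FILE = """loci   eth0    detect
venet  venet0  -       routeback"""
HOSTS_FILE = """web1   venet0:10.0.2.1
serv2  venet0:10.0.2.2
dmz    venet0:10.0.2.3
ven1   venet0:10.0.2.1-10.0.2.255
loc    eth0:10.0.5.0/24
desk1  eth0:10.0.5.2"""
POLICY_FILE = """$FW    all    ACCEPT
all    $FW    ACCEPT
ven1   dmz    ACCEPT
desk1  dmz    ACCEPT
dmz    all    DROP
web1   venet  ACCEPT
venet  web1   ACCEPT
loc    web1   ACCEPT
web1   loc    ACCEPT
ven1   venet  ACCEPT
venet  ven1   ACCEPT
loc    ven1   ACCEPT
ven1   loc    ACCEPT
desk1  web1   ACCEPT
web1   desk1  ACCEPT
all    all    REJECT"""

def _rows(text):
    """Fields of each non-comment line of a Shorewall config file."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def parse_zones(text):
    """zone -> parent for the 'child:parent' syntax, None for a top-level zone."""
    return {f[0].partition(":")[0]: f[0].partition(":")[2] or None for f in _rows(text)}

def parse_interfaces(text):
    """interface -> zone that owns the whole interface."""
    return {f[1]: f[0] for f in _rows(text)}

def addr_range(spec):
    """'a.b.c.d', 'a.b.c.d/n' or 'first-last' -> (low, high) as integers."""
    if "-" in spec:
        return tuple(int(ipaddress.IPv4Address(a)) for a in spec.split("-", 1))
    net = ipaddress.IPv4Network(spec, strict=False)
    return int(net[0]), int(net[-1])

def parse_hosts(text):
    """(zone, interface, (low, high)) for each hosts entry."""
    return [(z, s.partition(":")[0], addr_range(s.partition(":")[2])) for z, s, *_ in _rows(text)]

def classify(iface, ip, hosts, interfaces):
    """Zone of ip on iface: narrowest hosts entry, else the interface zone; iface=None is $FW."""
    if iface is None:
        return "fw"
    n = int(ipaddress.IPv4Address(ip))
    best = None  # (width, zone): a single address beats a range beats a /24
    for zone, hiface, (lo, hi) in hosts:
        if hiface == iface and lo <= n <= hi and (best is None or hi - lo < best[0]):
            best = (hi - lo, zone)
    return best[1] if best else interfaces[iface]

def lookup_policy(src, dst, policy):
    """First policy line in file order whose SOURCE and DEST match the pair or 'all'."""
    for s, d, action, *_ in policy:
        s, d = s.replace("$FW", "fw"), d.replace("$FW", "fw")
        if s in (src, "all") and d in (dst, "all"):
            return action
    return None

def decide(src, dst, policy, parents):
    """Action for a zone pair. An explicit CONTINUE retries with the parent zone,
    source side first. Assumption: IMPLICIT_CONTINUE (shorewall.conf) is not in
    the post and is not modelled, so sub-zones do not fall back on their own."""
    action = lookup_policy(src, dst, policy)
    if action != "CONTINUE":
        return action
    if parents.get(src):
        return decide(parents[src], dst, policy, parents)
    return decide(src, parents[dst], policy, parents) if parents.get(dst) else None

def trace(src_iface, src_ip, dst_iface, dst_ip):
    """(source zone, destination zone, action) for one packet under the poster's files."""
    parents, interfaces = parse_zones(ZONES_FILE), parse_interfaces(INTERFACES_FILE)
    hosts, policy = parse_hosts(HOSTS_FILE), list(_rows(POLICY_FILE))
    src = classify(src_iface, src_ip, hosts, interfaces)
    dst = classify(dst_iface, dst_ip, hosts, interfaces)
    return src, dst, decide(src, dst, policy, parents)
```

With the posted files, `trace("eth0", "10.0.5.2", "venet0", "10.0.2.1")` resolves to desk1 and web1 and selects `desk1 web1 ACCEPT`, while `trace("eth0", "10.0.5.2", "venet0", "10.0.2.2")` resolves to desk1 and serv2, a pair that no line names, so `all all REJECT` is selected: the single-address serv2 entry is narrower than the ven1 range, and the `loc ven1 ACCEPT` line names neither desk1 nor serv2. Shorewall's reject chain answers a rejected ICMP echo with an ICMP host-unreachable, which is consistent with the reply quoted in the post. A LAN host outside the single-address entries, such as 10.0.5.10 reaching 10.0.2.200, does get loc and ven1 and is accepted. On the firewall itself, `shorewall check` validates the files and `shorewall show zones` prints how each zone's membership was resolved, which is the quickest way to confirm the classification before touching the policy file.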