Tom Eastep wrote:
> Mariano Absatz wrote:
>> Hi again,
>>
>> I'm still dealing with my libvirt issues but it is now clear that it's
>> not a shorewall problem.
>>
>> Now I have a related problem... since my host is the router for all
>> virtual machines, it has to route traffic among them. The problem is that
>> all the traffic, from the host point of view, is seen on the same
>> interface (in my case, vnet0).
>>
>> The point is that I have configured the following:
>>
>> ####################### interfaces #######################
>> net     eth0        -           tcpflags,logmartians,nosmurfs,norfc1918,blacklist
>> vms     vnet0       -           bridge,tcpflags,nosmurfs,blacklist
>> vpn     tun+        -           tcpflags,nosmurfs,blacklist
>>
>>
>> and a few rules to allow for "intra-vms" traffic like these:
>>
>> ####################### rules #######################
>> ACCEPT          vms         vms         icmp
>> SSH/ACCEPT      vms         vms
>> DNS/ACCEPT      vms         vms
>>
>>
>> However, these rules are never invoked.
>>
>> That is, the vms2vms chain is created but not referred to.
>>
>> Is there any way to convince shorewall to refer to these rules?
>>
>> I see "BRIDGING=Yes" is not supported in shorewall-perl...
> 
> Please read http://www.shorewall.net/bridge-Shorewall-perl.html

If you just want to allow all traffic between the VMs:

a) Delete all of those silly rules.
b) Remove the 'bridge' option from vnet0 in /etc/shorewall/interfaces
c) Add the 'routeback' option to vnet0 in /etc/shorewall/interfaces

If you only want to allow DNS and SSH:

a) Add a vms->vms REJECT policy to /etc/shorewall/interfaces.
b) Remove the 'bridge' option from vnet0 in /etc/shorewall/interfaces
c) Add the 'routeback' option to vnet0 in /etc/shorewall/interfaces

If you want finer grained control, you probably want to refer to the
article I mention above.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
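
An added example, not from the thread and not part of Shorewall: a small
lint that encodes the three steps in Tom's reply as checks over the
interfaces, rules and policy files. It flags a zone that appears on both
sides of a rule (vms -> vms) when the zone's interface still carries
'bridge', lacks 'routeback', or has no explicit vms -> vms line in
/etc/shorewall/policy (without one, intra-zone traffic is accepted by
default, which is why Tom says to add a REJECT policy if only DNS and SSH
should pass). The sample configuration is constructed from the posted
interfaces and rules files; the policy file was not posted, so the
'all all REJECT' line is an assumption.

```python
"""Static check for Shorewall intra-zone rules that can never match.

Added example (not from the thread, not Shorewall's own code). It encodes
Tom's three steps: intra-zone rules only take effect when the zone's
interface has 'routeback' and not 'bridge', and an explicit zone -> zone
policy is needed when the default (accept) is not what you want.
"""


def parse_table(text, ncols):
    """Split a Shorewall table file into rows of exactly ncols columns.

    Comments and blank lines are dropped; missing trailing columns become '-'.
    """
    rows = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        parts += ['-'] * (ncols - len(parts))
        rows.append(parts[:ncols])
    return rows


def parse_interfaces(text):
    """Map zone -> [(interface, set of options)] from /etc/shorewall/interfaces."""
    zones = {}
    for zone, iface, _broadcast, opts in parse_table(text, 4):
        options = {o for o in opts.split(',') if o and o != '-'}
        zones.setdefault(zone, []).append((iface, options))
    return zones


def parse_rules(text):
    """Yield (action, source_zone, dest_zone) from /etc/shorewall/rules."""
    for action, src, dst in parse_table(text, 3):
        # 'vms:10.0.0.0/24' -> 'vms'; only the zone name matters here
        yield action, src.split(':')[0], dst.split(':')[0]


def parse_policy(text):
    """Map (source, dest) -> POLICY from /etc/shorewall/policy."""
    return {(src, dst): pol for src, dst, pol in parse_table(text, 3)}


def lint(interfaces_text, rules_text, policy_text):
    """Return a list of findings; an empty list means the intra-zone rules are live."""
    findings = []
    zones = parse_interfaces(interfaces_text)
    policies = parse_policy(policy_text)
    intra = sorted({src for _, src, dst in parse_rules(rules_text) if src == dst})
    for zone in intra:
        if zone not in zones:
            findings.append(f"{zone}: intra-zone rules, but no interface defines this zone")
            continue
        for iface, opts in zones[zone]:
            if 'bridge' in opts:
                findings.append(f"{zone}: remove 'bridge' from {iface} (Tom's step b)")
            if 'routeback' not in opts:
                findings.append(f"{zone}: add 'routeback' to {iface}; without it the "
                                f"{zone}2{zone} chain is created but never referenced")
        if (zone, zone) not in policies:
            findings.append(f"{zone}: no explicit {zone} -> {zone} policy; intra-zone "
                            "traffic is accepted by default, so ACCEPT rules change nothing")
    return findings


# Constructed sample mirroring the posted interfaces and rules files.
POSTED_INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           tcpflags,logmartians,nosmurfs,norfc1918,blacklist
vms     vnet0       -           bridge,tcpflags,nosmurfs,blacklist
vpn     tun+        -           tcpflags,nosmurfs,blacklist
"""
POSTED_RULES = """\
#ACTION         SOURCE      DEST        PROTO
ACCEPT          vms         vms         icmp
SSH/ACCEPT      vms         vms
DNS/ACCEPT      vms         vms
"""
# Assumption: the policy file was not posted; a typical 'all all REJECT' is used.
POSTED_POLICY = """\
#SOURCE DEST    POLICY
all     all     REJECT
"""

# Constructed: the same host after Tom's second recipe (DNS and SSH only).
# The vms -> vms line must precede 'all all' because policies match in order.
FIXED_INTERFACES = POSTED_INTERFACES.replace("bridge,", "routeback,")
FIXED_POLICY = "vms     vms     REJECT\n" + POSTED_POLICY

if __name__ == "__main__":
    for label, cfg in (("posted", (POSTED_INTERFACES, POSTED_RULES, POSTED_POLICY)),
                       ("fixed", (FIXED_INTERFACES, POSTED_RULES, FIXED_POLICY))):
        print(label + ":")
        for finding in lint(*cfg) or ["ok"]:
            print("  " + finding)
```

Run it against copies of your own three files and it reports, for each
zone that has zone -> zone rules, which of the three conditions is still
unmet. The 'fixed' sample is Tom's second recipe; for the first recipe
(allow everything between VMs) you would drop the rules and the policy
line and keep only the interface change.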
