Here's my setup. Note - I have mixed virtual machines - ones that attach to the bridge and use real public IPs, and ones that use the virbr0 of libvirt (I assume you're using libvirt; if you're not, you better be :P) and have private network IPs, i.e. 172.16.0.0/12.
cat zones
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
#   http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE       TYPE        OPTIONS         IN              OUT
#                                       OPTIONS         OPTIONS
fw          firewall
world       ipv4
net:world   bport
kvm:world   bport
vir         ipv4

cat interfaces
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
#   http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
world   br0         detect      tcpflags,nosmurfs,logmartians,routeback,bridge
vir     virbr0      detect      dhcp,tcpflags,nosmurfs,logmartians,routeback,bridge
net     br0:eth0    detect
kvm     br0:vnet+   detect

cat policy
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
#   http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:          CONNLIMIT:
#                       LEVEL   BURST           MASK
$FW     all     ACCEPT  info
vir     all     ACCEPT  info
kvm     all     ACCEPT  info
net     kvm     ACCEPT  info
all     all     DROP    info

cat rules
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
#   http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################
#ACTION     SOURCE      DEST    PROTO   DEST    SOURCE  ORIGINAL    RATE    USER/   MARK    CONNLIMIT   TIME
#                                       PORT    PORT(S) DEST        LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#SSH(ACCEPT)    all     $FW
ACCEPT          all     $FW     icmp    8
SSH(ACCEPT)     all     $FW
ACCEPT          net:83.148.126.68       $FW     tcp     10050
FTP(ACCEPT)     net:78.128.77.97/24     $FW
# DNAT Database access to postgresql and mysql
DNAT            net:78.83.144.122,77.70.16.150,93.152.141.231   vir:172.17.0.1          tcp     5432,3306
DNAT:Info       net     kvm:83.148.126.70:64738     tcp     3785
DNAT:Info       net     kvm:83.148.126.70:64738     udp     3785
DNAT:Info       net     vir:172.30.166.217:80       tcp     8282
DNAT:Info       net     vir:172.30.166.217          tcp     8069,8070

***NOTE*** I have a subnet of real IPs that's 83.148.126.65/28. As you can see I'm doing some redirects from the host to one of the guests here (the DNAT kvm: ones); the vir: ones are redirects to machines with internal IPs.

cat masq
#
# Shorewall version 4 - Masq file
#
# For information about entries in this file, type "man shorewall-masq"
#
# The manpage is also online at
#   http://www.shorewall.net/manpages/shorewall-masq.html
#
###############################################################################
#INTERFACE  SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
#                                                                           GROUP
br0         172.16.0.0/12   83.148.126.67

If you have any questions feel free to ask :)

----- Original Message -----
From: "Andrew Niemantsverdriet" <[email protected]>
To: "Shorewall Users" <[email protected]>
Sent: Tuesday, March 2, 2010 7:28:05 PM
Subject: Re: [Shorewall-users] KVM and bridge advice please

While not your situation exactly, I wrote an article detailing how to use a firewall with KVM and OpenVZ machines.

http://www.montanalinux.org/proxmox-ve-with-shorewall-part2.html

If you ignore the OpenVZ parts, the way to use shorewall with KVM is there.

Hope that helps some.

 _
/-\ ndrew

On Tue, Mar 2, 2010 at 3:52 AM, Bike & Snow <[email protected]> wrote:
> Hello
>
> I have recently started using Shorewall to manage my firewall. I'm
> very impressed so far.
>
> Yesterday I installed it on 2 machines which run KVM (kernel virtual
> machine) virtualization.
>
> When a virtual machine starts, a virtual network interface(s) is
> created for the VM - vnetX. These in turn are connected to a bridge
> which uses a physical interface (eth1).
>
> What I need to do:
> a) Filter traffic on the management interface - eth0.
> b) Allow all traffic on the bridge - br0 - which in turn uses physical
> interface eth1. Each VM will handle traffic by running their own
> firewall.
>
> I'm using Shorewall 4.2.10.
>
> I spent ages using the "bport" option but I was getting nowhere. I
> could not get the traffic inside the VMs to route.
> So I changed the bridge interface to the same as eth0 - ipv4 - and it
> now works OK.
>
> Here is my setup:
>
> Zones
> fw      firewall
> lan     ipv4
> kvm     ipv4
>
> Interfaces
> lan     eth0    detect  dhcp
> kvm     br0     detect  dhcp,bridge,routeback
>
> Policy
> fw      all     ACCEPT
> lan     fw      REJECT
> kvm     fw      ACCEPT
> all     all     DROP
>
> Rules
> ACCEPT  lan     fw      icmp
> ACCEPT  lan     fw      tcp     ssh,https
>
>
> where "lan" is the local area network and "kvm" is the zone for the
> bridge which handles the VMs and their virtual network interfaces.
> As you can see, for the management interface I'm allowing icmp traffic
> for ping and SSH and HTTPS.
>
> I must stress that this machine is not connected directly to the
> internet but lives inside a secure LAN.
> So why bother running a firewall? Well this is a test for a machine
> that will be hosted in a data centre and will be connected directly to
> the internet.
>
> Now it's working but have I simply taken the easy route here when
> setting this up?
> Or should I try to get the kvm zone working as "bport"?
>
> Has anyone else setup a machine running a bridge for virtual machines?
>
> I've searched the documentation and this mailing list, but
> documentation is inconsistent for this setup.
>
> Thank you
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
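The thread above shows two ways of wiring a KVM bridge into Shorewall (a plain ipv4 zone on br0 versus bport zones on br0:eth0 and br0:vnet+) and a policy file that ACCEPTs everything from several zones. The following is an added example, not code from this thread, from any of its posters, or from Shorewall itself: a small Python checker that parses zones, interfaces and policy tables in the format posted above and reports undeclared zones, bport zones whose parent bridge is not listed with the bridge option, and blanket ACCEPT policies from zones that are not the firewall itself. The sample tables are constructed from the reply's configuration (manpage banner comments dropped); the function and message names are my own.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample input: the zones, interfaces and policy tables from the
# reply above, without the manpage banner comments.
ZONES = """\
#ZONE       TYPE        OPTIONS
fw          firewall
world       ipv4
net:world   bport
kvm:world   bport
vir         ipv4
"""

INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
world   br0         detect      tcpflags,nosmurfs,logmartians,routeback,bridge
vir     virbr0      detect      dhcp,tcpflags,nosmurfs,logmartians,routeback,bridge
net     br0:eth0    detect
kvm     br0:vnet+   detect
"""

POLICY = """\
#SOURCE DEST    POLICY  LOG
$FW     all     ACCEPT  info
vir     all     ACCEPT  info
kvm     all     ACCEPT  info
net     kvm     ACCEPT  info
all     all     DROP    info
"""

# Names that may appear in a zone column without being declared in 'zones'.
PSEUDO_ZONES = {"all", "any", "none", "$FW"}


def fields_of(text: str) -> List[List[str]]:
    """Split a Shorewall table into rows of fields, ignoring blank and comment lines."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def parse_zones(text: str) -> Dict[str, Tuple[str, str]]:
    """zone name -> (type, parent zone or ''); 'net:world' nests net inside world."""
    zones: Dict[str, Tuple[str, str]] = {}
    for row in fields_of(text):
        name, _, parent = row[0].partition(":")
        ztype = row[1] if len(row) > 1 else "ipv4"
        zones[name] = (ztype, parent)
    return zones


def parse_interfaces(text: str) -> List[Tuple[str, str, Set[str]]]:
    """rows of (zone, interface, set of OPTIONS)."""
    rows = []
    for row in fields_of(text):
        opts = set(row[3].split(",")) if len(row) > 3 else set()
        rows.append((row[0], row[1], opts))
    return rows


def parse_policy(text: str) -> List[Tuple[str, str, str]]:
    """rows of (source zone, dest zone, POLICY)."""
    return [(r[0], r[1], r[2].upper()) for r in fields_of(text) if len(r) >= 3]


def check_config(zones_text: str, interfaces_text: str, policy_text: str,
                 trusted: Set[str] = frozenset({"fw", "$FW"})) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    zones = parse_zones(zones_text)
    interfaces = parse_interfaces(interfaces_text)
    policy = parse_policy(policy_text)
    findings: List[str] = []

    # 1. Every zone referenced anywhere (parents included) must be declared.
    for name, (_, parent) in zones.items():
        if parent and parent not in zones:
            findings.append(f"zone {name}: parent zone {parent} is not declared")
    for zone, iface, _ in interfaces:
        if zone not in zones and zone not in PSEUDO_ZONES:
            findings.append(f"interfaces: zone {zone} ({iface}) is not declared")
    for src, dst, _ in policy:
        for z in (src, dst):
            if z not in zones and z not in PSEUDO_ZONES:
                findings.append(f"policy: zone {z} is not declared")

    # 2. A bport zone must be bound to a bridge port (bridge:port), and that
    #    bridge must itself be listed with the 'bridge' option.
    bridges = {iface for _, iface, opts in interfaces if "bridge" in opts}
    for zone, iface, _ in interfaces:
        if zones.get(zone, ("", ""))[0] != "bport":
            continue
        bridge, sep, _port = iface.partition(":")
        if not sep:
            findings.append(f"bport zone {zone}: interface {iface} is not a bridge port (bridge:port)")
        elif bridge not in bridges:
            findings.append(f"bport zone {zone}: bridge {bridge} is not listed with the 'bridge' option")

    # 3. Blanket ACCEPT from a zone other than the firewall itself.
    for src, dst, action in policy:
        if action != "ACCEPT" or src in trusted:
            continue
        if dst == "all" or src in ("net", "all"):
            findings.append(f"policy: {src} -> {dst} ACCEPT is a blanket allow; prefer explicit rules")
    return findings


if __name__ == "__main__":
    for finding in check_config(ZONES, INTERFACES, POLICY):
        print(finding)
```

Run against the posted configuration it reports only the three blanket ACCEPT policies (vir and kvm to all, net to kvm); the bport zones pass because br0 carries the bridge option. Removing that option from the br0 line reproduces the mismatch the original poster describes when bport "got nowhere", and the checker names the missing option rather than leaving you to guess from routing behaviour.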
