Shorewall 4.5.6, CentOS 6.3. The shorewall box runs several KVM virtual
machines, each of which has an interface attached to the two "internal"
bridges br1 and br2 (and each thus has two IPs; one on 192.168.0.0/22 and
one on 192.168.4.0/22):
                        Internet ("net")
                                ^
                                |
                        +---------------+
                        |      br0      |
  net1=192.168.4.0/22   |               |   net2=192.168.0.0/22
------------------------+ br1       br2 +---------------------------------
         |              |               |               |
         |              |               |               |
      Client A          +---------------+            Client B
                     (hosts KVM1, KVM2, etc)
There are no shorewall rules that prohibit net1 <-> net2 traffic. I have:
/etc/shorewall/interfaces:
net   br0  -  tcpflags,routefilter,nosmurfs,logmartians,blacklist,arp_filter
net1  br1  -  tcpflags,nosmurfs,maclist
net2  br2  -  tcpflags,nosmurfs,maclist
/etc/shorewall/zones:
fw firewall
net ipv4
net1 ipv4
net2 ipv4
/etc/shorewall/policy:
net1 net ACCEPT
net1 net2 ACCEPT
net2 net ACCEPT
net2 net1 ACCEPT
net all DROP info
all all REJECT info
Client A can ldapsearch (for example) to a KVM machine by IP address by
using the KVM machine's net1 IP address. Client B can likewise communicate
using the KVM machine's net2 IP address. However, neither client can
communicate by using the address on the opposing segment (e.g., Client A
using KVM1_net2_IP); the packets are rejected by shorewall with the
appropriate log message:
Sep 8 16:13:05 gw-2 kernel: Shorewall:br1_rec:REJECT:IN=br1 OUT=br2 SRC=192.168.5.204 DST=192.168.0.14 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=10716 DF PROTO=TCP SPT=55536 DPT=389 WINDOW=65535 RES=0x00 SYN URGP=0
I would have expected the "net1 net2 ACCEPT" and "net2 net1 ACCEPT"
policies to allow this, since the KVM machine is logically attached to
both networks. Since it doesn't work, I am missing something. I have tried
using the bridge option in the interfaces file to no effect. I'd
appreciate it if someone can give me a clue.
TIA,
Steve
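The log line quoted above follows the usual Shorewall prefix format: `Shorewall:<chain>:<disposition>:` followed by the netfilter KEY=VALUE fields, where the chain name (here `br1_rec`) tells you which generated chain produced the reject and the IN/OUT pair tells you the packet was being forwarded between interfaces. The following parser is an added example, not Steve's code or Shorewall's own tooling; the second sample line is constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the reject line from the post, plus a second
# constructed line (not from the post) for a packet addressed to the firewall itself.
SAMPLE_LOG = """\
Sep 8 16:13:05 gw-2 kernel: Shorewall:br1_rec:REJECT:IN=br1 OUT=br2 SRC=192.168.5.204 DST=192.168.0.14 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=10716 DF PROTO=TCP SPT=55536 DPT=389 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 8 16:14:00 gw-2 kernel: Shorewall:net2fw:DROP:IN=br0 OUT= SRC=203.0.113.9 DST=192.168.4.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=UDP SPT=40000 DPT=53
Sep 8 16:15:00 gw-2 sshd[1234]: Accepted publickey for steve from 192.168.5.204
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" then the netfilter fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")


def parse_shorewall_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one kernel log line that carries a Shorewall log prefix.

    Returns the generating chain, the disposition and every KEY=VALUE field;
    bare flag tokens such as DF or SYN are stored with the value "1".
    Lines without a Shorewall prefix yield None.
    """
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else "1"
    return fields


def rejected_forwards(log_text: str) -> List[Tuple[str, str, str, str, str, str, str]]:
    """Return (chain, IN, OUT, SRC, DST, PROTO, DPT) for each REJECT/DROP of a
    packet that was being forwarded between two interfaces (both IN and OUT set),
    i.e. routed traffic like the net1 -> net2 case, as opposed to traffic
    addressed to the firewall itself (OUT empty)."""
    hits = []
    for line in log_text.splitlines():
        f = parse_shorewall_line(line)
        if not f or f["disposition"] not in ("REJECT", "DROP"):
            continue
        if f.get("IN") and f.get("OUT"):
            hits.append((f["chain"], f["IN"], f["OUT"], f["SRC"], f["DST"],
                         f.get("PROTO", ""), f.get("DPT", "")))
    return hits


if __name__ == "__main__":
    for hit in rejected_forwards(SAMPLE_LOG):
        print("forwarded packet rejected by chain %s: %s -> %s, %s:%s via %s/%s" %
              (hit[0], hit[1], hit[2], hit[3], hit[4], hit[5], hit[6]))
```

Running it over a real /var/log/messages groups the rejects by generating chain, which narrows the search to the interface options or policy that created that chain.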
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users