Hi,
I'm having some trouble creating a Shorewall configuration that will 
provide an LXC container connectivity through its host machine. To be 
more precise, the host machine currently has full connectivity to the 
LAN - both in and out - via ssh, ping, wget etc. The container, on the 
other hand, can only ping/ssh to/from its host (and gateway). I'd like 
ssh etc. access into the container from anywhere on the LAN.
Without Shorewall running, the container has full access to Internet 
resources (wget, curl) but, of course, no way in except through the host.
I would really appreciate it if anyone can help!
Thanks so much,
David

Here's my config:

Host /etc/network/interfaces file:
=    =    =
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp
=    =    =    =    =

Host ifconfig:
=    =    =
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:25:90:0b:30:fc
           inet addr:10.0.0.94  Bcast:10.255.255.255 Mask:255.255.0.0
           inet6 addr: fe80::225:90ff:fe0b:30fc/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:20838 errors:0 dropped:0 overruns:0 frame:0
           TX packets:4241 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:4577569 (4.5 MB)  TX bytes:607971 (607.9 KB)
           Interrupt:16 Memory:fb5e0000-fb600000

lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:65536  Metric:1
           RX packets:16 errors:0 dropped:0 overruns:0 frame:0
           TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:1184 (1.1 KB)  TX bytes:1184 (1.1 KB)

lxcbr0    Link encap:Ethernet  HWaddr fe:09:9c:6f:21:0e
           inet addr:10.0.1.1  Bcast:10.0.1.255  Mask:255.255.255.0
           inet6 addr: fe80::1007:c9ff:fe50:f457/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:724 errors:0 dropped:0 overruns:0 frame:0
           TX packets:924 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:91635 (91.6 KB)  TX bytes:101370 (101.3 KB)

veth5UC3H1 Link encap:Ethernet  HWaddr fe:09:9c:6f:21:0e
           inet6 addr: fe80::fc09:9cff:fe6f:210e/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:724 errors:0 dropped:0 overruns:0 frame:0
           TX packets:924 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:101771 (101.7 KB)  TX bytes:101370 (101.3 KB)
=    =    =    =    =    =
Shorewall zones:
=    =    =
#ZONE    TYPE    OPTIONS            IN            OUT
#                    OPTIONS            OPTIONS
fw    firewall
net    ipv4
lxc    ipv4
=    =    =    =    =    =
Shorewall Interfaces:
=    =    =
#ZONE    INTERFACE    OPTIONS
net      eth0         dhcp,tcpflags,nosmurfs,routefilter,logmartians
lxc      lxcbr0       tcpflags,nosmurfs,routefilter,logmartians,routeback
=    =    =    =    =    =
Shorewall policy:
=    =    =
#SOURCE        DEST        POLICY        LOG LEVEL    LIMIT:BURST

#net        all        DROP        info
net        all        REJECT        info

$FW        all        ACCEPT
lxc        net        ACCEPT

# THE FOLLOWING POLICY MUST BE LAST
all        all        REJECT        info
=    =    =    =    =    =
The shorewall.conf file is, to the best of my memory, in pristine, 
default condition.

Here's the container's /etc/network/interfaces:
=    =    =
# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
=    =    =    =    =    =
...and the container's ifconfig:
=    =    =
eth0      Link encap:Ethernet  HWaddr 00:16:3e:9b:71:84
           inet addr:10.0.1.60  Bcast:10.0.1.255  Mask:255.255.255.0
           inet6 addr: fe80::216:3eff:fe9b:7184/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:1136 errors:0 dropped:0 overruns:0 frame:0
           TX packets:845 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:119118 (119.1 KB)  TX bytes:116181 (116.1 KB)

lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:65536  Metric:1
           RX packets:1389 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1389 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:433197 (433.1 KB)  TX bytes:433197 (433.1 KB)

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
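Added example, not from the original post and not Shorewall's own code: a small Python model of how Shorewall resolves a zone pair against the zones and policy files quoted above. It applies the same first-match semantics Shorewall uses, scanning /etc/shorewall/policy top to bottom with `all` as a wildcard and `$FW` standing for the zone of type `firewall` (named `fw` in the posted zones file), and it consults a rules file before falling through to policy, as Shorewall does. The rules entry admitting TCP/22 from `net` to `lxc` is constructed for the example; address qualifiers such as `net:10.0.0.0/16` and the remaining rule columns are not modelled.

```python
"""Model Shorewall zone-pair decisions from zones, rules and policy files.

Added example (not from the post or from Shorewall).  Shorewall consults
/etc/shorewall/rules first and, if no rule matches, takes the first line
of /etc/shorewall/policy whose SOURCE and DEST match the zone pair.
"""

# Zones and policy as quoted in the post.
ZONES = """
#ZONE    TYPE
fw       firewall
net      ipv4
lxc      ipv4
"""

POLICY = """
#SOURCE  DEST   POLICY   LOG LEVEL
#net     all    DROP     info
net      all    REJECT   info
$FW      all    ACCEPT
lxc      net    ACCEPT
all      all    REJECT   info
"""

# Constructed rules file (not in the post): one exception that admits
# SSH from the LAN zone into the container zone.
RULES = """
#ACTION  SOURCE  DEST  PROTO  DPORT
ACCEPT   net     lxc   tcp    22
"""


def _lines(text):
    """Yield the whitespace-split columns of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_zones(text):
    """Return (name of the firewall zone, set of all zone names)."""
    fw_zone, zones = None, set()
    for cols in _lines(text):
        name, ztype = cols[0], cols[1]
        zones.add(name)
        if ztype == "firewall":
            fw_zone = name
    return fw_zone, zones


def parse_policy(text, fw_zone):
    """Return [(source, dest, policy)] in file order, with $FW expanded."""
    return [(cols[0].replace("$FW", fw_zone),
             cols[1].replace("$FW", fw_zone),
             cols[2].upper())
            for cols in _lines(text)]


def parse_rules(text, fw_zone):
    """Return [(action, source, dest, proto, dport)]; '-' marks a wildcard."""
    rules = []
    for cols in _lines(text):
        action, src, dst, proto, dport = (cols + ["-"] * 5)[:5]
        rules.append((action.upper(), src.replace("$FW", fw_zone),
                      dst.replace("$FW", fw_zone), proto.lower(), dport))
    return rules


def _zone_matches(pattern, zone):
    return pattern == "all" or pattern == zone


def evaluate(zones_text, policy_text, rules_text, src, dst, proto="-", dport="-"):
    """Decide how traffic from zone `src` to zone `dst` is treated.

    Returns (decision, origin) where origin is "rule" or "policy".
    Rules win over policy; within each file the first match wins.
    """
    fw_zone, zones = parse_zones(zones_text)
    if src not in zones or dst not in zones:
        raise ValueError(f"unknown zone in {src}->{dst}")
    for action, rsrc, rdst, rproto, rport in parse_rules(rules_text, fw_zone):
        if (_zone_matches(rsrc, src) and _zone_matches(rdst, dst)
                and rproto in ("-", proto) and rport in ("-", dport)):
            return action, "rule"
    for psrc, pdst, pol in parse_policy(policy_text, fw_zone):
        if _zone_matches(psrc, src) and _zone_matches(pdst, dst):
            return pol, "policy"
    raise ValueError(f"no policy covers {src}->{dst}")


def main():
    # Walk the pairs that matter for the post, with and without the SSH rule.
    for rules, label in ((" ", "posted config"), (RULES, "with SSH rule")):
        for src, dst, proto, port in (("net", "lxc", "tcp", "22"),
                                      ("net", "lxc", "tcp", "80"),
                                      ("lxc", "net", "-", "-"),
                                      ("fw", "lxc", "-", "-")):
            decision, origin = evaluate(ZONES, POLICY, rules, src, dst, proto, port)
            print(f"{label:14} {src:>3} -> {dst:<3} {proto}/{port}: {decision} ({origin})")


if __name__ == "__main__":
    main()
```

With the posted policy alone, `net -> lxc` lands on the first line (`net all REJECT`) before the `lxc net ACCEPT` line is ever reached, so a LAN host's SSH to the container is rejected at the firewall regardless of anything the `lxc` zone is allowed to do outbound. Two caveats a practitioner would check before blaming the policy: traffic from the LAN has to reach the host's `lxcbr0` side in the first place (either a route on the LAN for 10.0.1.0/24 via the host, or DNAT on the host), and the host's `ifconfig` above shows `eth0` as 10.0.0.94 with mask 255.255.0.0, a /16 that already contains the container subnet 10.0.1.0/24, so a LAN host with that netmask will treat 10.0.1.60 as on-link and ARP for it directly rather than send it via 10.0.0.94 unless it carries a more specific route.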
