On 1/23/2014 12:27 PM, dclinton wrote:
> Hi,
> I'm having some trouble creating a Shorewall configuration that will
> provide an LXC container connectivity through its host machine. To be
> more precise, the host machine currently has full connectivity to the
> LAN - both in and out - via ssh, ping, wget etc. The container, on the
> other hand, can only ping/ssh to/from its host (and gateway). I'd like
> ssh etc. access into the container from anywhere on the LAN.
> Without Shorewall running, the container has full access to Internet
> resources (wget, curl) but, of course, no way in except through the host.
> I would really appreciate it if anyone can help!
> Thanks so much,
> David
>
> Here's my config:
>
> Host /etc/network/interfaces file:
> = = =
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> auto eth0
> iface eth0 inet dhcp
> = = = = =
>
> Host ifconfig:
> = = =
> ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:25:90:0b:30:fc
>           inet addr:10.0.0.94  Bcast:10.255.255.255  Mask:255.255.0.0
>           inet6 addr: fe80::225:90ff:fe0b:30fc/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:20838 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:4241 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:4577569 (4.5 MB)  TX bytes:607971 (607.9 KB)
>           Interrupt:16 Memory:fb5e0000-fb600000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>           RX packets:16 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1184 (1.1 KB)  TX bytes:1184 (1.1 KB)
>
> lxcbr0    Link encap:Ethernet  HWaddr fe:09:9c:6f:21:0e
>           inet addr:10.0.1.1  Bcast:10.0.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::1007:c9ff:fe50:f457/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:724 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:924 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:91635 (91.6 KB)  TX bytes:101370 (101.3 KB)
>
> veth5UC3H1 Link encap:Ethernet  HWaddr fe:09:9c:6f:21:0e
>           inet6 addr: fe80::fc09:9cff:fe6f:210e/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:724 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:924 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:101771 (101.7 KB)  TX bytes:101370 (101.3 KB)
> = = = = = =
>
> Shorewall zones:
> = = =
> #ZONE   TYPE      OPTIONS   IN        OUT
> #                           OPTIONS   OPTIONS
> fw      firewall
> net     ipv4
> lxc     ipv4
> = = = = = =
>
> Shorewall interfaces:
> = = =
> #ZONE   INTERFACE   OPTIONS
> net     eth0        dhcp,tcpflags,nosmurfs,routefilter,logmartians
> lxc     lxcbr0      tcpflags,nosmurfs,routefilter,logmartians,routeback
> = = = = = =
>
> Shorewall policy:
> = = =
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
>
> #net      all    DROP     info
> net       all    REJECT   info
>
> $FW       all    ACCEPT
> lxc       net    ACCEPT
>
> # THE FOLLOWING POLICY MUST BE LAST
> all       all    REJECT   info
> = = = = = =
>
> The shorewall.conf file is, to the best of my memory, in pristine,
> default condition.

You need an entry in /etc/shorewall/masq. And you must have
IP_FORWARDING=Yes in shorewall.conf.

>
> Here's the container's /etc/network/interfaces:
> = = =
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> auto eth0
> iface eth0 inet dhcp
> = = = = = =
>
> ...and the container's ifconfig:
> = = =
> eth0      Link encap:Ethernet  HWaddr 00:16:3e:9b:71:84
>           inet addr:10.0.1.60  Bcast:10.0.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::216:3eff:fe9b:7184/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1136 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:845 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:119118 (119.1 KB)  TX bytes:116181 (116.1 KB)
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>           RX packets:1389 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1389 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:433197 (433.1 KB)  TX bytes:433197 (433.1 KB)

What is the default gateway on the container? It should be 10.0.1.1.

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
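As an added example (not code from the thread or from the Shorewall project), a small POSIX shell checker for the three conditions Tom's reply depends on: a masq entry for the lxcbr0 subnet, IP_FORWARDING=Yes, and the container's default gateway. The masq line `eth0 10.0.1.0/24`, the shorewall.conf excerpt and the container's `ip route` output are constructed samples that match the addresses quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for the three things
# Tom's reply hinges on (masq entry, IP_FORWARDING, container default gateway),
# run over constructed copies of the relevant files instead of the live system.

# Constructed /etc/shorewall/masq (assumed fix: NAT the lxcbr0 subnet out of eth0).
MASQ_SAMPLE='#INTERFACE   SOURCE        ADDRESS
eth0         10.0.1.0/24'

# Constructed shorewall.conf excerpt carrying the setting Tom asks for.
CONF_SAMPLE='STARTUP_ENABLED=Yes
IP_FORWARDING=Yes'

# Constructed `ip route` output as it should look inside the container.
CONTAINER_ROUTES='default via 10.0.1.1 dev eth0
10.0.1.0/24 dev eth0  proto kernel  scope link  src 10.0.1.60'

# Print the default gateway found in `ip route` output passed as $1 (empty if none).
default_gw() {
  printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Succeed only if the shorewall.conf text in $1 sets IP_FORWARDING to Yes/On.
forwarding_enabled() {
  printf '%s\n' "$1" | awk -F= '
    /^[ \t]*#/ { next }
    toupper($1) == "IP_FORWARDING" { v = toupper($2); gsub(/[ \t"]/, "", v)
                                     if (v == "YES" || v == "ON") ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# Succeed only if the masq text in $1 has an uncommented INTERFACE/SOURCE
# entry masquerading subnet $3 out of interface $2.
masq_covers() {
  printf '%s\n' "$1" | awk -v ifc="$2" -v src="$3" '
    /^[ \t]*#/ || NF < 2 { next }
    $1 == ifc && $2 == src { ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# Report each check on one line; the expected values are the thread's addresses.
check_all() {
  gw=$(default_gw "$CONTAINER_ROUTES")
  [ "$gw" = "10.0.1.1" ] && echo "gateway ok ($gw)" || echo "gateway wrong: '$gw'"
  forwarding_enabled "$CONF_SAMPLE" && echo "IP_FORWARDING ok" || echo "IP_FORWARDING not Yes"
  masq_covers "$MASQ_SAMPLE" eth0 10.0.1.0/24 && echo "masq ok" || echo "masq entry missing"
}

check_all
```

To run it against a real host, substitute the contents of /etc/shorewall/masq, /etc/shorewall/shorewall.conf and the container's `ip route` output for the three samples; inbound ssh from the LAN to 10.0.1.60 would additionally need a DNAT rule in /etc/shorewall/rules (for example `DNAT net lxc:10.0.1.60 tcp 22`), which is an assumption of this example and not something the reply above covers.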
