On 7/26/2014 4:54 AM, Niels Penneman wrote:
> Hi,
>
> In a setup with a dedicated server that's connected to the public
> internet, I intend to split the different services that run on this
> server over a number of virtual machines.
>
> The server has one single 'global' IPv4 address and a whole subnet of
> IPv6 addresses. In the future I may want to occasionally allocate a
> publicly accessible IPv6 address to a VM, but for now I'm relying on NAT
> with IPv4 only.
>
> My goal is to make the VMs portable with respect to network
> configuration, so that I can easily test them on different machines.
> Therefore I've set up DHCP for all VMs. The DHCPv4 server is running
> directly on the server, and it's pushing settings like the default
> gateway, NTP server, etc. to the VMs.
>
> I run Shorewall on the physical server, and I would also like to run
> Shorewall on the individual VMs. Configuring Shorewall with DHCP is not
> so straightforward though, especially because I'd like to differentiate
> between traffic coming from the subnet the VM is on (as a nested zone that
> represents the internal network), and traffic coming from WAN (through
> NAT on the physical server).
>
> I've seen that in recent versions Shorewall can detect the default
> gateway (findgw script) and the IP address, but I don't see a variable to
> get the subnet mask. If there is one, you can stop reading here and just
> tell me which one it is!
>
> I know what the subnet is going to be on the server, but if I move a VM
> to my desktop to play around with it, I do not want to reconfigure it.
> Hence, I cannot hardwire the subnet into the Shorewall configuration. I
> see many different ways to tackle this issue, but I'd like some input to
> see which is the best way to go forward.
>
Assuming that the VM net interface is eth0, in /etc/shorewall/params:
find_interface_subnet() {
    local addr
    # First IPv4 address with global scope on the given interface, e.g.
    # "inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0"
    addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | \
           grep 'inet .* global' | head -n1)
    # Reduce that line to address/prefix, e.g. 192.168.1.5/24
    echo $addr | sed 's/ brd.*//;s/.*inet //;s/ peer.*//'
}
MYSUBNET=$(find_interface_subnet eth0)
Then, in the remainder of your configuration you can simply use
$MYSUBNET where you want the local sub-network.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
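The params snippet above yields the interface's own address with its prefix length (for example 192.168.1.5/24) rather than the network address. The script below is an added example, not from the original thread or from the Shorewall project: it parses the same `ip -f inet addr show` output, normalizes the result to the network (192.168.1.0/24) so the value is unambiguous wherever $MYSUBNET is used, treats a bare point-to-point address as /32, and returns no value rather than a permissive default when no global IPv4 address exists. The interface name eth0 and the embedded sample `ip` output are assumptions.

```sh
#!/bin/sh
# Constructed sample of `ip -f inet addr show eth0` output (not captured from a live host);
# used when the requested interface is absent so the script runs offline.
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 192.168.122.37/24 brd 192.168.122.255 scope global eth0
       valid_lft forever preferred_lft forever'

# Read `ip` output on stdin; print the first IPv4 address with global scope
# as host/prefix (e.g. 192.168.122.37/24). "inet " with a space skips inet6 lines.
extract_global_cidr() {
    grep 'inet .* global' | head -n1 |
        sed 's/.*inet //;s/ brd.*//;s/ peer.*//;s/ scope.*//'
}

# Turn host/prefix into network/prefix (192.168.122.37/24 -> 192.168.122.0/24).
# A bare address (point-to-point link, no prefix printed) is treated as /32.
cidr_to_network() {
    case $1 in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1;      prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    ipint=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # Shell arithmetic is at least 64-bit, so the shift cannot wrap before masking.
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( ipint & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# Network of the named interface; falls back to the constructed sample when the
# interface does not exist. Returns 1 (no value) instead of a permissive default
# when no global IPv4 address is present, so a zone built from it fails closed.
find_interface_network() {
    out=$(${IP:-ip} -f inet addr show "$1" 2>/dev/null) || out=$SAMPLE_IP_OUTPUT
    cidr=$(printf '%s\n' "$out" | extract_global_cidr)
    [ -n "$cidr" ] || return 1
    cidr_to_network "$cidr"
}

# Usage, as it would appear in /etc/shorewall/params (eth0 is an assumption):
MYSUBNET=$(find_interface_network eth0) || echo "eth0: no global IPv4 address" >&2
```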
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
