Thanks for the quick reply. It works flawlessly. Just one last question: why can I be sure though that shorewall runs the 'params' file after I've got an IP through DHCP?
Niels
On 07/26/2014 04:19 PM, Tom Eastep wrote:
> On 7/26/2014 4:54 AM, Niels Penneman wrote:
>> Hi,
>>
>> In a setup with a dedicated server that's connected to the public
>> internet, I intend to split the different services that run on this
>> server over a number of virtual machines.
>>
>> The server has one single 'global' IPv4 address and a whole subnet of
>> IPv6 addresses. In the future I may want to occasionally allocate a
>> publicly accessible IPv6 address to a VM, but for now I'm relying on NAT
>> with IPv4 only.
>>
>> My goal is to make the VMs portable with respect to network
>> configuration, so that I can easily test them on different machines.
>> Therefore I've set up DHCP for all VMs. The DHCPv4 server is running
>> directly on the server, and it's pushing settings like the default
>> gateway, NTP server, etc. to the VMs.
>>
>> I run Shorewall on the physical server, and I would also like to run
>> Shorewall on the individual VMs. Configuring Shorewall with DHCP is not
>> so straightforward though, especially because I'd like to differentiate
>> between traffic coming from the subnet the VM is on (as a nested zone that
>> represents the internal network), and traffic coming from WAN (through
>> NAT on the physical server).
>>
>> I've seen that in recent versions Shorewall can detect the default
>> gateway (findgw script) and the IP address but I don't see a variable to
>> get the subnet mask. If there is one, you can stop reading here and just
>> tell me which one it is!
>>
>> I know what the subnet is going to be on the server, but if I move a VM
>> to my desktop to play around with it, I do not want to reconfigure it.
>> Hence, I cannot hardwire the subnet into the Shorewall configuration. I
>> see many different ways to tackle this issue but I'd like some input to
>> see which is the best way to go forward.
>>
>
> Assuming that the VM net interface is eth0, in /etc/shorewall/params:
>
> find_interface_subnet() {
>     local addr
>     addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | \
>            grep 'inet .* global' | head -n1)
>     echo $addr | sed 's/ brd.*//;s/.*inet //;s/ peer.*//'
> }
>
> MYSUBNET=$(find_interface_subnet eth0)
>
> Then, in the remainder of your configuration you can simply use
> $MYSUBNET where you want the local sub-network.
>
> -Tom
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users