On 9/6/2015 2:57 PM, Ob Noxious wrote: > On Sun, Sep 6, 2015 at 8:38 PM, Tom Eastep <[email protected] > <mailto:[email protected]>> wrote: > > > > > I'm really enjoying Shorewall for now. It's a bit "complex" for the > > newcomer but highly configurable, to an impressive level I must say. > > > > Glad to hear that it is working for you. > > > I confirm that I'm liking Shorewall a lot! It is indeed very very > flexible. I decided to put it on a more serious setup to see it in > action, so far so good. > > I'm facing a minor problem, very annoying for me but technically > harmless. The thing is I would like to understand what's going on > exactly. This is SNAT related. > > I have a hosted server somewhere and here's the setup : eth0 connected > to internet with a public IP address. On this host, there are several > LXC containers, all connected to a bridge similar to the default lxcbr0 > but with another name and another IP range. > > Among the LXC containers, which are all assigned to one and one service, > two of them need to get out to internet to do their stuff. One is an > HTTP proxy needing acces to world/http(s) and the other is a SMTP server > needing access to world/smtp. > > "interfaces" file: > net eth0 nets=(!10.1.1.0/24 <http://10.1.1.0/24>),nosmurfs,rpfilter > vdmz vbr nets=(!10.1.1.0/24 <http://10.1.1.0/24>),nosmurfs,rpfilter > > note: using "bridge" for "vdmz" zone does not seem to harm nor benefit > in a visible way. > > "zones" file: > fw firewall > net ipv4 > vdmz ipv4 > > "policy" file: > all all DROP info > > "masq" file: > # smtp > eth0 10.1.1.1 ${PUBLIC_IP} tcp smtp > eth0 10.1.1.2 ${PUBLIC_IP} tcp http,https > > of course PUBLIC_IP is defined in "params" > > "rules" file: > > ACCEPT { source=vdmz:10.1.1.2 dest=net proto=tcp dport=http,https } > SMTP(ACCEPT) { source=vdmz:10.1.1.1 dest=net } > > There are other rules above these but they are irrelevant. Disabling > them does not change anything to the annoyance. > > So here is the problem : With this setup, when I'm inside the SMTP > container for example, a simple "nc some-host-on-internet 25" works but > also produces 5 DROP hits in the syslog! In fact, it produces as many > hits as LXC containers I have attached to the bridge. In this case, I > have 5 other containers. Here are the logs : > > Shorewall:FORWARD:DROP:IN=vbr OUT=vbr PHYSIN=veSMTP PHYSOUT=veSALT > SRC=10.1.1.1 DST=xx.xx.xx.xx PROTO=TCP SPT=30621 DPT=25 SYN URGP=0 > > Shorewall:FORWARD:DROP:IN=vbr OUT=vbr PHYSIN=veSMTP PHYSOUT=vePROXY > SRC=10.1.1.1 DST=xx.xx.xx.xx PROTO=TCP SPT=30621 DPT=25 SYN URGP=0 > > Shorewall:FORWARD:DROP:IN=vbr OUT=vbr PHYSIN=veSMTP PHYSOUT=vePHP > SRC=10.1.1.1 DST=xx.xx.xx.xx PROTO=TCP SPT=30621 DPT=25 SYN URGP=0 > > Shorewall:FORWARD:DROP:IN=vbr OUT=vbr PHYSIN=veSMTP PHYSOUT=veLDAP > SRC=10.1.1.1 DST=xx.xx.xx.xx PROTO=TCP SPT=30621 DPT=25 SYN URGP=0 > > Shorewall:FORWARD:DROP:IN=vbr OUT=vbr PHYSIN=veSMTP PHYSOUT=veIMAP > SRC=10.1.1.1 DST=xx.xx.xx.xx PROTO=TCP SPT=30621 DPT=25 SYN URGP=0 > > As you can see, the packet tries to get out by all "veth" interfaces. > The very same behaviour applies to the other host having external acces, > the proxy at 10.1.1.2. Any "wget http://website.tld"; or "nc website 80" > does the exact same thing. > > This setup works, I mean the SMTP and PROXY get outside and reach the > destination but the syslog gets flooded with these hits everytime. How > can I get rid of these hits? What I'm not seeing here to avoid the problem? > > Thanks for any clue on this matter.
Have you looked at Shorewall FAQ 17? Looks like you don't have the 'routeback' option on the vbr interface (although Shorewall should be detecting that it is a bridge unless brctl isn't installed). -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
