On 08/15/2016 03:40 AM, Christian Aust wrote:
> Hello,
>
> I’m running Shorewall 4.6.4.3 on Debian Linux 8.5. Debug data can
> be found here:
>
> https://gist.github.com/datenimperator/997547efff3fcc2b9270ec870d60021c
>
> I’m using LXC containers w/ external addresses, connected to a
> bridge. I’m trying to blacklist IPs from accessing the LXC
> containers.
>
> The IPs which should be blacklisted show up in the output of
> `shorewall dump` but those clients are still able to access port 80
> on an apache server running inside one of the containers. I can’t
> say why.
>
> Any help is appreciated. Kind regards
>
The problem here is that your Shorewall configuration doesn't match your IP configuration. You have defined 'net' as an ipv4 zone associated with eth0, but eth0 is a port on a bridge. While you could define 'net' as a bport zone, Netfilter imposes restrictions which make that approach less than optimal. With 'net' as a bport zone, you would not be able to define priv->net rules or policies.

So a better approach is to remove eth0 from vmbr0 and give it a public IP address. Assuming that 149.202.201.254 is the only external host in 149.202.201.0/24 that your system (including VMs) needs to access:

a) Configure the address as a /32 rather than a /24 (you can actually use 149.202.201.227 for both vmbr0 and eth0).

b) Define a host route to 149.202.201.254 out of eth0.

c) Redefine your default gateway to be out of eth0.

d) Set the 'proxyarp' option in the eth0 entry in /etc/shorewall/interfaces.

Regards,

-Tom

--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
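The four steps in Tom's reply, written out as an added example that is not part of the thread and not Shorewall's own tooling. It renders the `ip` commands for steps a) to c) in dry-run form (set `DRY_RUN=0` as root to actually apply them; on Debian 8 the persistent equivalent belongs in /etc/network/interfaces), prints the /etc/shorewall/interfaces entry for step d), and includes a check over `ip route` output that tells the two layouts apart. The addresses 149.202.201.227 and 149.202.201.254 come from the reply; the container address 149.202.201.228, the per-container host route via vmbr0 (needed so proxy ARP on eth0 knows which addresses live behind the bridge), and the 'priv' zone on vmbr0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Renders the eth0/vmbr0 layout from the
# reply as dry-run `ip` commands, the Shorewall interfaces entry, and a check
# over `ip route` output. Requires root and DRY_RUN=0 to apply for real.

HOST_IP="149.202.201.227"                          # from the reply (eth0 and vmbr0)
GATEWAY="149.202.201.254"                          # only external host to reach
CONTAINER_IP="${CONTAINER_IP:-149.202.201.228}"    # placeholder, assumption

# Print each command; execute it only when DRY_RUN=0.
run() {
    printf '+ %s\n' "$*"
    [ "${DRY_RUN:-1}" = 1 ] || "$@"
}

# Steps a) to c): /32 on both interfaces, on-link host route to the gateway
# out of eth0, default route out of eth0. The last route is an assumption:
# with proxy ARP on eth0 the host needs a route per container via vmbr0.
apply_eth0_layout() {
    run ip addr flush dev eth0
    run ip addr add "$HOST_IP/32" dev eth0
    run ip addr add "$HOST_IP/32" dev vmbr0
    run ip route add "$GATEWAY/32" dev eth0
    run ip route replace default via "$GATEWAY" dev eth0
    run ip route add "$CONTAINER_IP/32" dev vmbr0
}

# Step d): /etc/shorewall/interfaces in the 4.6 column layout
# (ZONE INTERFACE BROADCAST OPTIONS). 'priv' on vmbr0 is assumed from the
# reply's mention of priv->net rules.
shorewall_interfaces() {
    cat <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           proxyarp
priv    vmbr0       -
EOF
}

# Read `ip route` output from stdin and return 0 only when the default route
# and the gateway host route are on eth0 and no /24 is still on vmbr0.
check_route_layout() {
    routes=$(cat)
    printf '%s\n' "$routes" | grep -q "^default via $GATEWAY dev eth0" || return 1
    printf '%s\n' "$routes" | grep -q "^$GATEWAY dev eth0" || return 1
    printf '%s\n' "$routes" | grep -q "^149\.202\.201\.0/24 dev vmbr0" && return 1
    return 0
}

# Dry run: show the commands and the interfaces fragment.
apply_eth0_layout
shorewall_interfaces
```

Run it once as-is to review the commands, then `ip route show | sh -c '. ./layout.sh; check_route_layout'` style checks (or simply `ip route show` by eye) confirm that the default route and the gateway route both point out of eth0 before reloading Shorewall.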
