On 31/05/2019 20:52, Frédéric Lespez wrote:

I am looking for advice for setting up Shorewall on a host with 2 virtual machines.

Here is my setup:
A machine (running Debian 9) is accessing internet through eth0.
On this machine, I set up a virtual bridge br0 with IP 192.168.0.1.
I also set up two virtual machines (KVM) Machine A (vnet1 / 192.168.0.2) and B (vnet2 / 192.168.0.3).

I set up Shorewall by following this guide http://shorewall.org/KVM.html, that is to say with the simple two-interface masquerading setup where the local network interface is br0.
Everything is working.

Now I would like to filter the traffic between Machine A and Machine B (rejecting all traffic between A and B by default with some exceptions).
That's where I need advice on how to do this :-)

Do I need to set up another virtual bridge, attach each virtual machine to its own virtual bridge and define a zone for each virtual bridge?
Or is this possible by tweaking the current setup? If yes, how?

By default, Shorewall allows intra-zone traffic. To control the intra-zone traffic on your own terms, just declare the zone in your "policy" file and also declare the interface on the "interfaces" file.

Ex: Assuming the br0 interface is in zone "brz" (I only use the bracket notation, I don't like the column-based notation)

/etc/shorewall/interfaces
net { interface=eth0 options="nets=(!192.168.0.0/24),nosmurfs,rpfilter,dhcp" }

brz { interface=br0 options="nets=(192.168.0.0/24),nosmurfs,rpfilter,bridge,dhcp" }

/etc/shorewall/policy
$FW  {  dest=all  policy=ACCEPT  }
brz  {  dest=brz  policy=REJECT  loglevel=info  }
all  {  dest=all  policy=DROP  loglevel=info  }

NOTE: Choose "policy" and "loglevel" as you see fit for your needs

Now everything is under control and you can manage your "rules" file as you wish! Declare all you need for the rightful traffic between A and B, and the kern.log will show you the unwanted traffic between A and B (assuming you keep the policy settings written above).

--
ObNox
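An added example, not code from the thread or from Shorewall itself: a small Python script that parses bracket-notation policy lines and reports which policy applies to a zone pair, using the policy file from the reply above as constructed input. It models the intra-zone behaviour the reply describes: traffic within a zone is accepted unless the zone is explicitly paired with itself, and a plain `all`/`all` line does not cover intra-zone traffic (Shorewall's `all+` is what covers it).

```python
import re

# Shorewall "alternate" (bracket) format: NAME { key=value key=value ... }
_LINE = re.compile(r'^\s*(\S+)\s*\{([^}]*)\}')


def parse_policy(text):
    """Parse bracket-notation policy lines into dicts, in file order."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0]          # drop comments
        m = _LINE.match(line)
        if not m:
            continue
        kv = dict(tok.split('=', 1) for tok in m.group(2).split())
        kv['source'] = m.group(1)
        entries.append(kv)
    return entries


def _zone_matches(pattern, zone, intra):
    if pattern == zone or pattern == 'all+':
        return True
    return pattern == 'all' and not intra     # 'all' skips intra-zone pairs


def effective_policy(entries, src, dest):
    """First matching policy line wins; intra-zone traffic defaults to ACCEPT."""
    intra = src == dest
    for e in entries:
        if _zone_matches(e['source'], src, intra) and _zone_matches(e['dest'], dest, intra):
            return e['policy']
    return 'ACCEPT' if intra else None        # None: no policy at all for the pair


# Constructed input: the policy file from the reply, with and without the brz/brz line.
POLICY_FROM_POST = """
$FW  {  dest=all  policy=ACCEPT  }
brz  {  dest=brz  policy=REJECT  loglevel=info  }
all  {  dest=all  policy=DROP  loglevel=info  }
"""
POLICY_WITHOUT_INTRAZONE = """
$FW  {  dest=all  policy=ACCEPT  }
all  {  dest=all  policy=DROP  loglevel=info  }
"""


def check():
    """What Machine A -> Machine B (both in brz) gets under each policy file."""
    with_line = parse_policy(POLICY_FROM_POST)
    without_line = parse_policy(POLICY_WITHOUT_INTRAZONE)
    return {
        'A->B with brz/brz policy': effective_policy(with_line, 'brz', 'brz'),
        'A->B without brz/brz policy': effective_policy(without_line, 'brz', 'brz'),
        'fw->brz': effective_policy(with_line, '$FW', 'brz'),
    }
```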

