Hi,

I'm trying to configure shorewall 4.5.8.2 on a debian squeeze box with the latest backport kernel together with. I like to filter traffic but for some reason my rules get ignored.

Kernel+iptables have physdev match support and bridge-nf-call-iptables is set to 1 as well as ip_forward.

I cannot find a way to restrict access to the vnet+ devices. The host (ip is on br0) and the vm's (ip's are set inside vm, the vnet+ devices on the host have no ip) all are in the same public subnet. I'm still able to ping and telnet to the vm's attached to the vnet+ interfaces with the configs I'll post below. This is done from a machine outside the kvm host on the internet.

My goal is that I can filter some ports for each individual vm. But first I need all traffic to get dropped to the vm's so that I can open the ports that I need.

I hope someone can shine a light for me on this one. Thx.

Bram

----

This is what brctl shows:

bridge name     bridge id               STP enabled     interfaces
br0             8000.3c4a92dbc2c0       no              eth0
                                                        vnet0
                                                        vnet1

/etc/shorewall/interfaces:

net     br0     -       bridge
vmnet   br0:eth0
vmkin   br0:vnet0
vmbso   br0:vnet1

/etc/shorewall/zones:

fw              firewall
net             ipv4
vmnet:net       bport4
vmkin:net       bport4
vmbso:net       bport4

/etc/shorewall/policy:

fw      all     ACCEPT
net     all     DROP
vmnet   all     DROP
all     all     REJECT

------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
Hi,

In my editing process I accidentally deleted the mentioning that this all is done with KVM/libvirt

Bram

From: Bram Jansen
Sent: Saturday, November 03, 2012 12:25
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] (no subject)

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 11/03/2012 04:24 AM, Bram Jansen wrote:
> Hi,
>
> I'm trying to configure shorewall 4.5.8.2 on a debian squeeze box with
> the latest backport kernel together with. I like to filter traffic but
> for some reason my rules get ignored.
>
> Kernel+iptables have physdev match support and bridge-nf-call-iptables
> is set to 1 as well as ip_forward.
>
> I cannot find a way to restrict access to the vnet+ devices. The host
> (ip is on br0) and the vm's (ip's are set inside vm, the vnet+ devices
> on the host have no ip) all are in the same public subnet. I'm still
> able to ping and telnet to the vm's attached to the vnet+ interfaces
> with the configs I'll post below. This is done from a machine outside
> the kvm host on the internet.
>
> My goal is that I can filter some ports for each individual vm. But
> first I need all traffic to get dropped to the vm's so that I can open
> the ports that I need.
>
> I hope someone can shine a light for me on this one. Thx.
>
> Bram
>
> ----
>
> This is what brctl shows:
>
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.3c4a92dbc2c0       no              eth0
>                                                         vnet0
>                                                         vnet1
>
> /etc/shorewall/interfaces:
>
> net     br0     -       bridge
> vmnet   br0:eth0
> vmkin   br0:vnet0
> vmbso   br0:vnet1
>
> /etc/shorewall/zones:
>
> fw              firewall
> net             ipv4
> vmnet:net       bport4
> vmkin:net       bport4
> vmbso:net       bport4
>
> /etc/shorewall/policy:
>
> fw      all     ACCEPT
> net     all     DROP
> vmnet   all     DROP
> all     all     REJECT

Sounds like you have IMPLICIT_CONTINUE=Yes in shorewall.conf. For a full bridge configuration like this one, you want IMPLICIT_CONTINUE=No.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
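The thread turns on two things a host like this must have right: the bridge-netfilter sysctls (bridge-nf-call-iptables and ip_forward, which Bram had already set) and IMPLICIT_CONTINUE in shorewall.conf, which Tom identifies as the cause. The shell script below is an added example, not code from the thread or from the Shorewall project: it reads a KEY=VALUE shorewall.conf-style file and the /proc/sys tree and reports whether both settings are in the state Tom recommends. The function names, the sample conf contents and the fake /proc/sys tree are constructed for the demo; the file paths it checks are the standard kernel ones.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or Shorewall itself):
# sanity-check a bridged Shorewall host for the two settings discussed above.

# Print the effective (last uncommented) value of KEY in a shorewall.conf-style
# file, with surrounding quotes and trailing comments stripped; empty if unset.
conf_value() {
    key=$1; file=$2
    sed -n "s/^[[:space:]]*$key=[\"']*\([^\"'#[:space:]]*\).*/\1/p" "$file" | tail -n 1
}

# Return 0 only when IMPLICIT_CONTINUE is explicitly No (Tom's fix for a
# full bridge configuration with bport sub-zones); 1 for Yes or unset.
check_implicit_continue() {
    val=$(conf_value IMPLICIT_CONTINUE "$1")
    case "$val" in
        [Nn][Oo]) return 0 ;;
        *)        return 1 ;;
    esac
}

# Return 0 when both bridge-netfilter-related sysctls read 1. $1 is the
# /proc/sys prefix (default /proc/sys) so the check can run against a
# constructed tree offline instead of the live kernel.
check_bridge_nf() {
    prefix=${1:-/proc/sys}
    for f in net/bridge/bridge-nf-call-iptables net/ipv4/ip_forward; do
        [ -r "$prefix/$f" ] || return 1
        [ "$(cat "$prefix/$f")" = 1 ] || return 1
    done
    return 0
}

# Demo on constructed input (not the poster's real files): a conf that still
# has IMPLICIT_CONTINUE=Yes, a corrected one, and a fake /proc/sys tree.
demo() {
    tmp=$(mktemp -d)
    printf 'STARTUP_ENABLED=Yes\nIMPLICIT_CONTINUE=Yes\n' > "$tmp/before.conf"
    printf '#IMPLICIT_CONTINUE=Yes\nIMPLICIT_CONTINUE="No"   # full bridge setup\n' > "$tmp/after.conf"
    mkdir -p "$tmp/proc/net/bridge" "$tmp/proc/net/ipv4"
    echo 1 > "$tmp/proc/net/bridge/bridge-nf-call-iptables"
    echo 1 > "$tmp/proc/net/ipv4/ip_forward"

    for c in before after; do
        if check_implicit_continue "$tmp/$c.conf"; then
            echo "$c.conf: IMPLICIT_CONTINUE=No (what a full bridge configuration needs)"
        else
            echo "$c.conf: IMPLICIT_CONTINUE is '$(conf_value IMPLICIT_CONTINUE "$tmp/$c.conf")', set it to No"
        fi
    done
    if check_bridge_nf "$tmp/proc"; then
        echo "bridge-nf-call-iptables and ip_forward: both 1"
    else
        echo "bridge-nf-call-iptables or ip_forward is not 1; bridged traffic will bypass iptables"
    fi
    rm -rf "$tmp"
}

demo
```

To run the same checks against the real host, call `check_implicit_continue /etc/shorewall/conf` (with the actual shorewall.conf path) and `check_bridge_nf` with no argument, which defaults to the live /proc/sys tree; the sysctl check is read-only and changes nothing.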
Hi Tom,

Thanks a lot that did the trick

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Saturday, November 03, 2012 14:14
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] (no subject)