(if this post gets line-feed-mangled please read http://www.dl.reneschmidt.de/shorewallxenpost.txt - that's an unmangled version, thank you)

Hello,

first I would like to thank Mr. Eastep and the contributors for this great piece of software and superb documentation.

I have a SOHO server (Debian testing) that I'm using for several purposes, so I set up a Xen environment some months ago. I did an upgrade to 3.0 last week. The network setup is pretty much the same as described in www.shorewall.net/Xen.html, with the exception that I have a second NIC installed that connects to loc (192.168.1.0/24). In order to masquerade network traffic from loc I made the following additions to the setup:

/etc/shorewall/interfaces:
loc	eth1	192.168.1.0	routeback

/etc/shorewall/masq:
eth0	eth1

/etc/shorewall/policy:
loc	net	ACCEPT	info

/etc/shorewall/zones:
loc	ipv4

In shorewall.conf I've enabled IP-Forwarding and BRIDGING. Without BRIDGING, shorewall won't start due to a failed iptables command.

From fw I can connect to loc, dmz and net, everything is fine here. From dmz I can connect to net, which is also fine. But I cannot connect from loc to net nor to dmz, and that's my problem. Of course clients in loc have a proper route/gateway/nameserver configured (set to the fw IP).

For example, when I try to ping 192.168.178.1 (one of the routers between fw and the evil net) from a loc machine and set up Shorewall to log everything, this keeps popping up in /var/log/messages:

Jan 28 23:05:27 nostromo kernel: Shorewall:ursa2all:ACCEPT:IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 SRC=192.168.144.41 DST=192.168.178.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59455 SEQ=1
Jan 28 23:05:27 nostromo kernel: Performing cross-bridge DNAT requires IP forwarding to be enabled

I don't know what to do with the last line shown. Googling for that phrase yielded exactly ZERO useful matches, so it seems no one has had this problem yet. I am at a loss now.
Help is much appreciated. :)

Rene Schmidt

Useful information (sorry, very long post):

nostromo:~# lsmod | grep ebt_dnat
ebt_dnat                1728  0
ebtables               19072  1 ebt_dnat

nostromo:~# /sbin/shorewall version
3.0.4

nostromo:~# ip addr show
1: peth0: <BROADCAST,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
2: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:a5:89:41:db brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
3: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
4: vif0.0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
5: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:02:a5:89:41:da brd ff:ff:ff:ff:ff:ff
    inet 192.168.144.41/24 brd 192.168.144.255 scope global eth0
6: vif0.1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
7: veth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
8: vif0.2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
9: veth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
10: vif0.3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
11: veth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
12: vif0.4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
13: veth4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
14: vif0.5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
15: veth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
16: vif0.6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
17: veth6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
18: vif0.7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
19: veth7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
20: xenbr0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
21: vif1.0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff

nostromo:~# ip route show
192.168.144.0/24 dev eth0  proto kernel  scope link  src 192.168.144.41
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1
default via 192.168.144.1 dev eth0

nostromo:~# shorewall show
Shorewall-3.0.4 Chain at nostromo - Sat Jan 28 22:58:35 CET 2006

Counters reset Sat Jan 28 22:58:31 CET 2006

Chain Drop (0 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 reject      tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    tcp dpt:113
    0     0 dropBcast   all  --  *      *       0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT      icmp --  *      *       0.0.0.0/0    0.0.0.0/0    icmp type 3 code 4
    0     0 ACCEPT      icmp --  *      *       0.0.0.0/0    0.0.0.0/0    icmp type 11
    0     0 dropInvalid all  --  *      *       0.0.0.0/0    0.0.0.0/0
    0     0 DROP        udp  --  *      *       0.0.0.0/0    0.0.0.0/0    multiport dports 135,445
    0     0 DROP        udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp dpts:137:139
    0     0 DROP        udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp spt:137 dpts:1024:65535
    0     0 DROP        tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    multiport dports 135,139,445
    0     0 DROP        udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp dpt:1900
    0     0 dropNotSyn  tcp  --  *      *       0.0.0.0/0    0.0.0.0/0
    0     0 DROP        udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp spt:53

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out     source       destination
    0     0 ACCEPT      all  --  lo     *       0.0.0.0/0    0.0.0.0/0
    0     0 xenbr0_in   all  --  xenbr0 *       0.0.0.0/0    0.0.0.0/0
    0     0 eth0_in     all  --  eth0   *       0.0.0.0/0    0.0.0.0/0
   97  6100 eth1_in     all  --  eth1   *       0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out     source       destination
    0     0 xenbr0_fwd  all  --  xenbr0 *       0.0.0.0/0    0.0.0.0/0
    0     0 eth0_fwd    all  --  eth0   *       0.0.0.0/0    0.0.0.0/0
    0     0 eth1_fwd    all  --  eth1   *       0.0.0.0/0    0.0.0.0/0
    0     0 Reject      all  --  *      *       0.0.0.0/0    0.0.0.0/0
    0     0 LOG         all  --  *      *       0.0.0.0/0    0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject      all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out     source       destination
    0     0 ACCEPT      all  --  *      lo      0.0.0.0/0    0.0.0.0/0
    0     0 fw2all      all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out vif0.0
    0     0 fw2all      all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out vif+
    0     0 fw2all      all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out peth0
    0     0 fw2all      all  --  *      eth0    0.0.0.0/0    0.0.0.0/0
   76  7696 fw2all      all  --  *      eth1    0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain Reject (2 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 reject      tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    tcp dpt:113
    0     0 dropBcast   all  --  *      *       0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT      icmp --  *      *       0.0.0.0/0    0.0.0.0/0    icmp type 3 code 4
    0     0 ACCEPT      icmp --  *      *       0.0.0.0/0    0.0.0.0/0    icmp type 11
    0     0 dropInvalid all  --  *      *       0.0.0.0/0    0.0.0.0/0
    0     0 reject      udp  --  *      *       0.0.0.0/0    0.0.0.0/0    multiport dports 135,445
    0     0 reject      udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp dpts:137:139
    0     0 reject      udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp spt:137 dpts:1024:65535
    0     0 reject      tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    multiport dports 135,139,445
    0     0 DROP        udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp dpt:1900
    0     0 dropNotSyn  tcp  --  *      *       0.0.0.0/0    0.0.0.0/0
    0     0 DROP        udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp spt:53

Chain all2all (8 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 Reject      all  --  *      *       0.0.0.0/0    0.0.0.0/0
    0     0 LOG         all  --  *      *       0.0.0.0/0    0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject      all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain all2fw (5 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain dmz2net (2 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0         state RELATED,ESTABLISHED
    0     0 ACCEPT      udp  --  *      *       0.0.0.0/0    !192.168.0.0/22   multiport dports 53,123
    0     0 ACCEPT      tcp  --  *      *       0.0.0.0/0    !192.168.0.0/22   multiport dports 7,21,22,25,43,53,80,81,443,873,8080
    0     0 ACCEPT      icmp --  *      *       0.0.0.0/0    0.0.0.0/0         icmp type 8
    0     0 all2all     all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain dmz2ursa (1 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT      icmp --  *      *       0.0.0.0/0    0.0.0.0/0    icmp type 8
    0     0 all2all     all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain dropBcast (2 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 DROP        all  --  *      *       0.0.0.0/0    0.0.0.0/0    PKTTYPE = broadcast
    0     0 DROP        all  --  *      *       0.0.0.0/0    0.0.0.0/0    PKTTYPE = multicast

Chain dropInvalid (2 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 DROP        all  --  *      *       0.0.0.0/0    0.0.0.0/0    state INVALID

Chain dropNotSyn (2 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 DROP        tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    tcp flags:!0x17/0x02

Chain dynamic (6 references)
 pkts bytes target      prot opt in     out     source       destination

Chain eth0_fwd (1 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 dynamic     all  --  *      *       0.0.0.0/0    0.0.0.0/0    state INVALID,NEW
    0     0 net2ursa    all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out vif0.0
    0     0 net2dmz     all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out vif+
    0     0 all2all     all  --  *      eth1    0.0.0.0/0    0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 dynamic     all  --  *      *       0.0.0.0/0    0.0.0.0/0    state INVALID,NEW
    0     0 all2fw      all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 dynamic     all  --  *      *       0.0.0.0/0    0.0.0.0/0    state INVALID,NEW
    0     0 loc2ursa    all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out vif0.0
    0     0 loc2dmz     all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out vif+
    0     0 loc2net     all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out peth0
    0     0 loc2net     all  --  *      eth0    0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT      all  --  *      eth1    0.0.0.0/0    0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 dynamic     all  --  *      *       0.0.0.0/0    0.0.0.0/0    state INVALID,NEW
   97  6100 loc2fw      all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain fw2all (5 references)
 pkts bytes target      prot opt in     out     source       destination
   76  7696 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain loc2dmz (1 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT      icmp --  *      *       0.0.0.0/0    0.0.0.0/0    icmp type 8
    0     0 all2all     all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target      prot opt in     out     source       destination
   97  6100 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT      icmp --  *      *       0.0.0.0/0    0.0.0.0/0    icmp type 8
    0     0 all2fw      all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain loc2net (2 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT      icmp --  *      *       0.0.0.0/0    0.0.0.0/0    icmp type 8
    0     0 LOG         all  --  *      *       0.0.0.0/0    0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:loc2net:ACCEPT:'
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain loc2ursa (1 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT      icmp --  *      *       0.0.0.0/0    0.0.0.0/0    icmp type 8
    0     0 all2all     all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain net2dmz (2 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT      udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp dpt:53
    0     0 ACCEPT      tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    multiport dports 80,25,465,53,22,873,443,993,21,110
    0     0 ACCEPT      udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp dpts:33434:33524
    0     0 ACCEPT      icmp --  *      *       0.0.0.0/0    0.0.0.0/0    icmp type 8
    0     0 all2all     all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain net2ursa (2 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain reject (8 references)
 pkts bytes target      prot opt in     out     source            destination
    0     0 DROP        all  --  *      *       0.0.0.0/0         0.0.0.0/0    PKTTYPE = broadcast
    0     0 DROP        all  --  *      *       0.0.0.0/0         0.0.0.0/0    PKTTYPE = multicast
    0     0 DROP        all  --  *      *       192.168.144.0     0.0.0.0/0
    0     0 DROP        all  --  *      *       192.168.1.0       0.0.0.0/0
    0     0 DROP        all  --  *      *       255.255.255.255   0.0.0.0/0
    0     0 DROP        all  --  *      *       224.0.0.0/4       0.0.0.0/0
    0     0 REJECT      tcp  --  *      *       0.0.0.0/0         0.0.0.0/0    reject-with tcp-reset
    0     0 REJECT      udp  --  *      *       0.0.0.0/0         0.0.0.0/0    reject-with icmp-port-unreachable
    0     0 REJECT      icmp --  *      *       0.0.0.0/0         0.0.0.0/0    reject-with icmp-host-unreachable
    0     0 REJECT      all  --  *      *       0.0.0.0/0         0.0.0.0/0    reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target      prot opt in     out     source       destination

Chain smurfs (0 references)
 pkts bytes target      prot opt in     out     source            destination
    0     0 LOG         all  --  *      *       192.168.144.0     0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP        all  --  *      *       192.168.144.0     0.0.0.0/0
    0     0 LOG         all  --  *      *       192.168.1.0       0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP        all  --  *      *       192.168.1.0       0.0.0.0/0
    0     0 LOG         all  --  *      *       255.255.255.255   0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP        all  --  *      *       255.255.255.255   0.0.0.0/0
    0     0 LOG         all  --  *      *       224.0.0.0/4       0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP        all  --  *      *       224.0.0.0/4       0.0.0.0/0

Chain ursa2all (4 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT      all  --  *      *       0.0.0.0/0    0.0.0.0/0

Chain xenbr0_fwd (1 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 dynamic     all  --  *      *       0.0.0.0/0    0.0.0.0/0    state INVALID,NEW
    0     0 ursa2all    all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vif0.0 --physdev-out vif+
    0     0 ursa2all    all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vif0.0 --physdev-out peth0
    0     0 ursa2all    all  --  *      eth0    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vif0.0
    0     0 ursa2all    all  --  *      eth1    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vif0.0
    0     0 dmz2ursa    all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vif+ --physdev-out vif0.0
    0     0 dmz2net     all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vif+ --physdev-out peth0
    0     0 dmz2net     all  --  *      eth0    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vif+
    0     0 all2all     all  --  *      eth1    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vif+
    0     0 net2ursa    all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in peth0 --physdev-out vif0.0
    0     0 net2dmz     all  --  *      xenbr0  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in peth0 --physdev-out vif+
    0     0 all2all     all  --  *      eth1    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in peth0

Chain xenbr0_in (1 references)
 pkts bytes target      prot opt in     out     source       destination
    0     0 dynamic     all  --  *      *       0.0.0.0/0    0.0.0.0/0    state INVALID,NEW
    0     0 all2fw      all  --  *      *       0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vif0.0
    0     0 all2fw      all  --  *      *       0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vif+
    0     0 all2fw      all  --  *      *       0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in peth0
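The log line Rene quotes above (IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 ...) is only readable once the bridge ports are mapped back to zones, and on a bridged Xen firewall the PHYSIN/PHYSOUT fields, not IN/OUT (which are both xenbr0), tell you which zone pair a packet was matched against. The following is an added example, not code from the thread or from Shorewall: a small POSIX shell decoder for such lines. The zone table is an assumption reconstructed from the chain names in Rene's `shorewall show` output (vif0.0 -> ursa, vif+ -> dmz, peth0 -> net, eth0 -> net, eth1 -> loc); the sample log line is his, with the syslog timestamp and host stripped.

```shell
#!/bin/sh
# Added example (not part of the thread): decode a Shorewall kernel log line
# and map the bridge ports it names back to Shorewall zones.

# Constructed sample: Rene's log line without the syslog timestamp/host.
SAMPLE_LOG='Shorewall:ursa2all:ACCEPT:IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 SRC=192.168.144.41 DST=192.168.178.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59455 SEQ=1'

# ZONE DEVICE table (assumed; derived from the chain names in the post).
# Order matters: first match wins, just as the xenbr0_fwd chain tests
# vif0.0 before vif+. A trailing '+' is Shorewall's prefix wildcard and a
# leading "bridge:" is optional, as in /etc/shorewall/hosts.
ZONE_TABLE='ursa xenbr0:vif0.0
dmz  xenbr0:vif+
net  xenbr0:peth0
net  eth0
loc  eth1'

# log_field LINE KEY: value of the first KEY=VALUE token (ID= appears twice).
# The Shorewall prefix is glued to IN= with a ':', so ':' splits tokens too.
log_field() {
    printf '%s\n' "$1" | tr ' :' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# log_prefix LINE: "chain disposition" from the Shorewall:<chain>:<disp>: prefix.
log_prefix() {
    printf '%s\n' "$1" | sed -n 's/^Shorewall:\([^:]*\):\([^:]*\):.*/\1 \2/p'
}

# port_zone DEVICE: first zone in ZONE_TABLE whose device entry matches,
# or "unknown" (exit status 1) when nothing does.
port_zone() {
    while read -r zone dev; do
        [ -n "$zone" ] || continue
        dev=${dev#*:}                       # strip a leading "xenbr0:"
        case $dev in
            *+) prefix=${dev%+}
                case $1 in "$prefix"*) printf '%s\n' "$zone"; return 0 ;; esac ;;
            *)  [ "$1" = "$dev" ] && { printf '%s\n' "$zone"; return 0; } ;;
        esac
    done <<EOF
$ZONE_TABLE
EOF
    printf 'unknown\n'
    return 1
}

# log_summary LINE: "chain disp srczone->dstzone src->dst PROTO[/ICMPTYPE]".
# For bridged packets IN/OUT are both the bridge; PHYSIN/PHYSOUT decide the zones.
log_summary() {
    line=$1
    indev=$(log_field "$line" PHYSIN);   [ -n "$indev" ]  || indev=$(log_field "$line" IN)
    outdev=$(log_field "$line" PHYSOUT); [ -n "$outdev" ] || outdev=$(log_field "$line" OUT)
    proto=$(log_field "$line" PROTO)
    icmptype=$(log_field "$line" TYPE)
    [ -z "$icmptype" ] || proto="$proto/$icmptype"
    printf '%s %s->%s %s->%s %s\n' "$(log_prefix "$line")" \
        "$(port_zone "$indev")" "$(port_zone "$outdev")" \
        "$(log_field "$line" SRC)" "$(log_field "$line" DST)" "$proto"
}

log_summary "$SAMPLE_LOG"
```

Running it on the sample prints `ursa2all ACCEPT ursa->net 192.168.144.41->192.168.178.1 ICMP/8`: the echo request that left a loc host is being seen a second time, on the bridge, as an ursa->net packet whose source is already the firewall's own eth0 address. Pipe `grep Shorewall: /var/log/messages` through `while read -r l; do log_summary "$l"; done` to get the same one-line view for a whole log.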
> first I would like to thank Mr. Eastep and the contributors for this great
> piece of software and superb documentation.

Rene,

Please refer to some of that superb documentation - namely, http://www.shorewall.net/support.htm. I REALLY need the output of 'shorewall dump' as an attachment (preferably compressed).

> Useful information (sorry, very long post):

Not useful enough, I'm afraid.

> nostromo:~# lsmod | grep ebt_dnat
> ebt_dnat                1728  0
> ebtables               19072  1 ebt_dnat

Interesting but irrelevant -- Shorewall doesn't use ebtables (in fact, if you use the search form at the top of the Shorewall home page and search for 'ebtables', you get zero hits).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Andrew Braund
2006-Jan-30 13:34 UTC
Re: Shorewall/Xen setup (correct from-address this time)
(resend again, re-subscribed - different from address, bz2, didn't seem to go through yesterday)

On 29/01/2006, at 09:18, Rene Schmidt wrote:

> In shorewall.conf I've enabled IP-Forwarding and BRIDGING. Without
> BRIDGING, shorewall won't start due to a failed iptables command.

I was just trying to work out why mine was not working... I got the error;

===========8<=============
Activating Rules...
iptables v1.2.11: host/network `vif0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Command "/sbin/iptables -A OUTPUT -o xenbr0 -d vif0.0 -j fw2all" Failed
===========8<=============

I changed shorewall.conf BRIDGING=No to BRIDGING=Yes and the error went away and shorewall started. Thanks for the solution!

> But I cannot connect from loc to net nor to dmz and that's my problem.

This is now my problem too.

My setup;

osx laptop (192.168.5.57 netmask 255.255.255.0, gateway 192.168.5.254) connected via crossover cable to xen debian shorewall firewall box 192.168.5.254 on eth0
xen box connects via eth1 (192.168.1.253) to internet via adsl router 192.168.1.254

interfaces;
-	xenbr0	-	dhcp
loc	eth0	detect	routeback
net	eth1	detect

hosts;
extd0	xenbr0:vif0.0
dmz	xenbr0:vif+
loc	xenbr0:peth0

policy;
#all	$FW	ACCEPT
$FW	all	ACCEPT
extd0	all	ACCEPT
net	extd0	ACCEPT
#loc	all	ACCEPT	info
loc	net	ACCEPT	debug
net	net	NONE
#$FW	net	ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
all	all	REJECT	info

rules;
SECTION NEW
Ping/ACCEPT	loc	extd0
Ping/ACCEPT	loc	$FW
Ping/ACCEPT	loc	$FW
Ping/ACCEPT	loc	net
Ping/ACCEPT	net	loc
Ping/ACCEPT	dmz	$FW
Ping/ACCEPT	dmz	net
SSH/ACCEPT	loc	$FW
SSH/ACCEPT	net	$FW

I can't ping 192.168.1.254 from the laptop

==============8<========
pb:~ abraund$ ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
^C
--- 192.168.1.254 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
==============8<========

I can ping 192.168.5.254 and 192.168.1.253 from the laptop
I can ping 192.168.1.254 from fw
I can't ping 192.168.5.254 from the dmz

==============8<========
www3:~# ping 192.168.5.254
PING 192.168.5.254 (192.168.5.254) 56(84) bytes of data.
From 192.168.5.254 icmp_seq=1 Destination Host Unreachable
==============8<========

I thought that the entry in rules;
Ping/ACCEPT	dmz	$FW
would allow this.

I have done much reading of the most excellent documentation but I just can't seem to work out what I am doing wrong. Probably something simple but I can't see it :-(

I have attached the compressed output from shorewall dump >>/tmp/status.txt

Thanks in advance for any suggestions anyone can make.

Thanks and regards
Andrew Braund

PS I am a little confused by the Xen explanation, particularly exactly where ursa and the fw live. On http://www.shorewall.net/myfiles.htm#id2459611 ursa is shown to be inside domain 0 (ie not extended domain 0), but the diagram just below rules; http://www.shorewall.net/Xen.html#id2459561 shows the fw to be domain 0 and ursa to be Extended domain 0, but the text near http://www.shorewall.net/Xen.html#id2460072 says "by creating a firewall in (the Extended) Domain 0". The hosts file has;
ursa	xenbr0:vif0.0
so from this I think that ursa is in Domain 0 (not extended Domain 0). Also, if the fw is in domain 0, then how does it get access to vif1.0, vif2.0 etc.?

Any additional comments on this would be most appreciated. Xen and Shorewall seem like a great combination, I just need to get my head around it :-)
Rene Schmidt
2006-Feb-04 10:24 UTC
Re: Shorewall/Xen setup (correct from-address this time)
On Monday, 30 January 2006 14:34, Andrew Braund wrote:

> > But I cannot connect from loc to net nor to dmz and that's my problem.
>
> This is now my problem too.

Hi Andrew,

I cannot see anything obviously wrong with your config, but I'm not an expert (yet...). From my point of view our config (which is mostly the same except eth0/eth1 swapped) has to work IMHO, but it doesn't because something (the kernel?) is not able to see that IP forwarding IS enabled:

Feb  4 11:04:36 nostromo kernel: Performing cross-bridge DNAT requires IP forwarding to be enabled

nostromo:~# cat /proc/sys/net/ipv4/ip_forward
1

My workaround is to use network-nat/vif-nat with Xen (the scripts create a 10.0.$domainid.$x subnet, see /etc/xen/scripts/). Setup is cumbersome but much simpler to understand IMHO. And it does work for the moment. Bridging is more elegant though and I will try again in the future.

--
Kind regards 8)
Rene Schmidt
http://log.reneschmidt.de
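Both Rene (ip_forward=1 yet the kernel keeps printing "Performing cross-bridge DNAT requires IP forwarding to be enabled") and Andrew (BRIDGING=Yes needed before the physdev rules would even load) are fighting kernel-side prerequisites rather than Shorewall policy. The script below is an added example, not part of the thread and not Shorewall's own code: it checks, from the dom0 shell, the three things a bridged Shorewall/Xen firewall depends on before any zone policy matters. It assumes the bridge is called xenbr0 and that the kernel exposes bridge membership under /sys/class/net/<bridge>/brif/ (the sysfs view of what `brctl show` prints); the ROOT argument exists only so the checks can be exercised against a constructed directory tree instead of the live /proc and /sys.

```shell
#!/bin/sh
# Added example (not part of the thread): verify the kernel prerequisites of
# a bridged Shorewall/Xen firewall.
#  - net/ipv4/ip_forward                : routing between eth1, eth0 and the bridge
#  - net/bridge/bridge-nf-call-iptables : must be 1, or iptables (and therefore
#    Shorewall's BRIDGING=Yes physdev rules) never sees frames crossing xenbr0
#  - /sys/class/net/<bridge>/brif/<port>: the ports named in /etc/shorewall/hosts
#    (vif0.0, peth0, vif+) must really be enslaved to the bridge
# ROOT is "" on the live dom0; the tests point it at a fake tree.

# sysctl_val ROOT PATH: contents of ROOT/proc/sys/PATH, or "missing".
sysctl_val() {
    if [ -r "$1/proc/sys/$2" ]; then
        tr -d '\n' < "$1/proc/sys/$2"
    else
        printf 'missing'
    fi
}

# check_bridge_fw ROOT BRIDGE PORT...: one line per check; returns the number
# of failed checks (0 = every prerequisite satisfied). A PORT ending in '+'
# is treated as Shorewall's prefix wildcard (vif+ = any vifN.M on the bridge).
check_bridge_fw() {
    root=$1 bridge=$2
    shift 2
    fails=0

    v=$(sysctl_val "$root" net/ipv4/ip_forward)
    if [ "$v" = 1 ]; then
        echo "ok   ip_forward=1"
    else
        echo "FAIL ip_forward=$v (set IP_FORWARDING=On in shorewall.conf or sysctl -w net.ipv4.ip_forward=1)"
        fails=$((fails + 1))
    fi

    v=$(sysctl_val "$root" net/bridge/bridge-nf-call-iptables)
    case $v in
        1)       echo "ok   bridge-nf-call-iptables=1" ;;
        missing) echo "FAIL bridge-nf-call-iptables absent: bridge netfilter not available in this kernel"
                 fails=$((fails + 1)) ;;
        *)       echo "FAIL bridge-nf-call-iptables=$v: iptables never sees bridged frames, physdev rules match nothing"
                 fails=$((fails + 1)) ;;
    esac

    brif="$root/sys/class/net/$bridge/brif"
    for port in "$@"; do
        case $port in
            *+) prefix=${port%+}
                if ls "$brif" 2>/dev/null | grep -q "^$prefix"; then
                    echo "ok   $bridge has ports matching $port"
                else
                    echo "FAIL no port matching $port on $bridge (compare: brctl show $bridge)"
                    fails=$((fails + 1))
                fi ;;
            *)  if [ -d "$brif/$port" ]; then
                    echo "ok   $port is a port of $bridge"
                else
                    echo "FAIL $port is not enslaved to $bridge (compare: brctl show $bridge)"
                    fails=$((fails + 1))
                fi ;;
        esac
    done
    return $fails
}

# Live use on the dom0 (the ports are those Rene's hosts/chains refer to):
if [ "${1:-}" = "--live" ]; then
    check_bridge_fw "" xenbr0 vif0.0 peth0 'vif+'
fi
```

Run it as `sh check.sh --live` on the dom0. A clean run does not prove the policy is right, but any FAIL line means the `shorewall show` counters and log prefixes cannot be trusted to describe what the bridge is actually doing with the traffic.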