Hello All,

I installed shorewall 3.0.8 on CentOS 4.3 with an openvz.org kernel; it works well. I have 3 virtual servers (VPS) on this host. I can access the internet from a VPS, and with a NAT rule (via Shorewall) I can access the 3 VPS from the internet.

I want all 3 VPS to be able to communicate with each other. I can't open a TCP connection from one VPS to another; in my shorewall log on the host, I have this error:

kernel: Shorewall:FORWARD:REJECT:IN=venet0 OUT=venet0 SRC=192.168.7.185 DST=192.168.7.152 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48986 DF PROTO=TCP SPT=47559 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

I have this in my default policy (my host is fw; venet is the virtual network card for the VPS networking):

net     all     DROP    info
fw      all     ACCEPT
loc     all     ACCEPT
loc     venet   ACCEPT
# venet all     ACCEPT
all     all     REJECT  info

And it doesn't work. But if I replace the last line with "all all ACCEPT" it works; this rule is very permissive, though. I tried many combinations... no good result!

Perhaps the problem is that venet0 isn't a real ethernet interface, so we can't do this simply... Does somebody here have the solution?

Thanks in advance

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Syloe Tech wrote:
>
> I want all 3 VPS to be able to communicate with each other.
> I can't open a TCP connection from one VPS to another; in my shorewall log
> on the host, I have this error:
> kernel: Shorewall:FORWARD:REJECT:IN=venet0 OUT=venet0 SRC=192.168.7.185
> DST=192.168.7.152 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48986 DF PROTO=TCP
> SPT=47559 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Does somebody here have the solution?
>

Yes -- it is in Shorewall FAQ 17.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Friday 21 July 2006 at 06:31 -0700, Tom Eastep wrote:
> Syloe Tech wrote:
> >
> > I want all 3 VPS to be able to communicate with each other.
> > I can't open a TCP connection from one VPS to another; in my shorewall log
> > on the host, I have this error:
> > kernel: Shorewall:FORWARD:REJECT:IN=venet0 OUT=venet0 SRC=192.168.7.185
> > DST=192.168.7.152 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48986 DF PROTO=TCP
> > SPT=47559 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> > Does somebody here have the solution?
> >
>
> Yes -- it is in Shorewall FAQ 17.

Hi,

Thanks for your answer, but I get the same error message even if I put this in /usr/share/shorewall/rfc1918:

#SUBNETS          TARGET
172.16.0.0/12     logdrop   # RFC 1918
192.168.7.0/24    RETURN    # venet
192.168.0.0/16    logdrop   # RFC 1918
10.0.0.0/8        logdrop   # RFC 1918

or

#SUBNETS          TARGET
172.16.0.0/12     logdrop   # RFC 1918
192.168.0.0/16    RETURN    # venet
192.168.7.0/24    logdrop   # RFC 1918
10.0.0.0/8        logdrop   # RFC 1918

or

#SUBNETS          TARGET
172.16.0.0/12     logdrop   # RFC 1918
10.0.0.0/8        logdrop   # RFC 1918

> -Tom

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Syloe Tech wrote:
> On Friday 21 July 2006 at 06:31 -0700, Tom Eastep wrote:
>> Syloe Tech wrote:
>>>
>>> I want all 3 VPS to be able to communicate with each other.
>>> I can't open a TCP connection from one VPS to another; in my shorewall log
>>> on the host, I have this error:
>>> kernel: Shorewall:FORWARD:REJECT:IN=venet0 OUT=venet0 SRC=192.168.7.185
>>> DST=192.168.7.152 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48986 DF PROTO=TCP
>>> SPT=47559 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
>>>
>>> Does somebody here have the solution?
>>>
>> Yes -- it is in Shorewall FAQ 17.
>
> Hi,
> Thanks for your answer, but I get the same error message even if I put this
> in /usr/share/shorewall/rfc1918

Please read FAQ 17 carefully. Your problem has nothing to do with the rfc1918 chain (Do you see 'rfc1918' anywhere in the above log message???).

The above message is being generated out of the FORWARD chain; see the word "FORWARD" immediately following "Shorewall:"? Now look at FAQ 17 and search for "FORWARD".

-Tom
On Friday 21 July 2006 at 07:16 -0700, Tom Eastep wrote:
> Syloe Tech wrote:
> > On Friday 21 July 2006 at 06:31 -0700, Tom Eastep wrote:
> >> Syloe Tech wrote:
> >>>
> >>> I want all 3 VPS to be able to communicate with each other.
> >>> I can't open a TCP connection from one VPS to another; in my shorewall log
> >>> on the host, I have this error:
> >>> kernel: Shorewall:FORWARD:REJECT:IN=venet0 OUT=venet0 SRC=192.168.7.185
> >>> DST=192.168.7.152 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48986 DF PROTO=TCP
> >>> SPT=47559 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
> >>>
> >>> Does somebody here have the solution?
> >>>
> >> Yes -- it is in Shorewall FAQ 17.
> >
> > Hi,
> > Thanks for your answer, but I get the same error message even if I put this
> > in /usr/share/shorewall/rfc1918
>
> Please read FAQ 17 carefully. Your problem has nothing to do with the rfc1918
> chain (Do you see 'rfc1918' anywhere in the above log message???).

Because of the IPs 192.168.7.185 and 192.168.7.152.

> The above message is being generated out of the FORWARD chain; see the word
> "FORWARD" immediately following "Shorewall:"? Now look at FAQ 17 and search for
> "FORWARD".

Ok, thank you! I added routeback to the definition of the interface and it works well now.

I will now look into permitting a first virtual server to access a second VS via the public IP alias of the second VS...

> -Tom
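As an added example that is not part of the thread: a small Python parser for Shorewall log lines of the kind shown above, which picks out the FORWARD-chain, same-interface (IN == OUT) case Tom points to, so it can be told apart from rfc1918 or policy-chain drops when reading the host's log. The sample lines are constructed; the first copies the original post's line, and the interface names and addresses in the other two are made up.

```python
import re

# Constructed sample log lines in the Shorewall/netfilter format seen in this
# thread. The first is the line from the original post; the others are made up.
SAMPLE_LOG = """\
kernel: Shorewall:FORWARD:REJECT:IN=venet0 OUT=venet0 SRC=192.168.7.185 DST=192.168.7.152 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48986 DF PROTO=TCP SPT=47559 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= SRC=10.1.2.3 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=1234 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# "Shorewall:<chain>:<action>:" followed by the netfilter key=value fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")


def parse_shorewall_line(line):
    """Split one Shorewall log line into chain, action and key=value fields.
    Bare tokens such as DF or SYN are collected under 'flags'."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"flags": []}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value          # OUT= yields an empty string
        else:
            fields["flags"].append(token)
    return {"chain": m.group("chain"), "action": m.group("action"), **fields}


def diagnose(entry):
    """Classify a parsed entry the way the thread does:
    'rfc1918'  - logged by the rfc1918 chain (address-based filtering)
    'hairpin'  - FORWARD chain with IN == OUT, i.e. traffic routed back out
                 the interface it arrived on (the routeback case in FAQ 17)
    'policy'   - anything else (a zone policy chain such as net2all)"""
    if entry["chain"].startswith("rfc1918"):
        return "rfc1918"
    if entry["chain"] == "FORWARD" and entry.get("IN") and entry["IN"] == entry.get("OUT"):
        return "hairpin"
    return "policy"


def analyze_log(text):
    """Return (chain, SRC, DST, diagnosis) for every parsable line in text."""
    results = []
    for line in text.splitlines():
        entry = parse_shorewall_line(line)
        if entry:
            results.append((entry["chain"], entry.get("SRC"), entry.get("DST"), diagnose(entry)))
    return results
```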