Hi Shorewall users,

I am running Debian etch with shorewall 4.0.14-1 and Xen 3.2-1 on a 2.6.18-6-xen-686 kernel. Xen is running natted and I'm trying to set up shorewall. I read the documentation that came closest to it (http://www.shorewall.net/XenMyWay-Routed.html) but I just can't get it to work.

I have been using Shorewall for a while now and I thought that it would be the same as any natted environment I have set up, but it's not. Is there any documentation floating around on the net regarding Shorewall and Xen natted?

The difference I have noted for now is that I DROP or REJECT all traffic in my /etc/shorewall/policy file. This seems to cause communication problems between Dom0 and the DomUs.

If you need more details I can provide them later on when I have access to the system. For now, I am just after some documentation or someone's success story.

Many thanks for any help.

-- 
eco

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
> I am running Debian etch with shorewall 4.0.14-1 and Xen 3.2-1 on a
> 2.6.18-6-xen-686 kernel. Xen is running natted and I'm trying to
> setup shorewall. I read the documentation that came closer to it
> (http://www.shorewall.net/XenMyWay-Routed.html) but I just can't get
> it to work.
>
> I have been using Shorewall for a while now and I thought that it
> would be the same as any natted environment I have setup but it's
> not. Is there any documentation floating around on the net
> regarding Shorewall and Xen natted?

Are you trying to do this in the Dom0 or a DomU? The bridging environment in the Dom0 is not friendly to firewalling, and I think common advice is not to try. In fact, I think Tom has previously said that he doesn't know of anyone who has managed to get firewalling+nat working in a Dom0!

I have put my firewall/router/nat in a DomU and made the external ethernet port available to it exclusively (by hiding the PCI device from Dom0). The DomU router then works 'normally', and the Dom0 (which is internal only) has no firewalling at all.

I have another Xen box (without NAT) I manage, and on that I've hand-crafted a bare minimum of iptables rules that simply protect the Dom0 itself and permit all other traffic. Each DomU is treated like a standalone box and does its own firewalling (with Shorewall).
Hi Simon,

Thanks for your reply. The following is the setup I have:

                                           |-eth1 Mail (domU) (10.0.0.1)
WAN <---> eth0-GW (Dom0) ---------------|-eth2 WWW  (domU) (10.0.0.2)
      (62.235.222.227)  (10.0.0.128)       |-eth1 test (domU) (10.0.0.3)

I only have one external IP for eth0 and I'd like my DomUs to be available on the WAN. From what I can tell from Tom's documentation, he managed to do this using Xen-routed, so what is the difference between the two, and can I implement the above in a routed environment?

Thanks.

-- 
eco

----- Original Message -----
From: "Simon Hobson" <linux@thehobsons.co.uk>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Thursday, October 16, 2008 10:40:09 AM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: [Shorewall-users] Shorewall and a natted Xen setup

> > I am running Debian etch with shorewall 4.0.14-1 and Xen 3.2-1 on a
> > 2.6.18-6-xen-686 kernel. Xen is running natted and I'm trying to
> > setup shorewall. I read the documentation that came closer to it
> > (http://www.shorewall.net/XenMyWay-Routed.html) but I just can't get
> > it to work.
> >
> > I have been using Shorewall for a while now and I thought that it
> > would be the same as any natted environment I have setup but it's
> > not. Is there any documentation floating around on the net
> > regarding Shorewall and Xen natted?
>
> Are you trying to do this in the Dom0 or a DomU? The bridging
> environment in the Dom0 is not friendly to firewalling, and I think
> common advice is not to try. In fact, I think Tom has previously said
> that he doesn't know of anyone who has managed to get firewalling+nat
> working in a Dom0!
>
> I have put my firewall/router/nat in a DomU and made the external
> ethernet port available to it exclusively (by hiding the PCI device
> from Dom0). The DomU router then works 'normally', and the Dom0
> (which is internal only) has no firewalling at all.
>
> I have another Xen box (without NAT) I manage, and on that I've
> hand-crafted a bare minimum of iptables rules that simply protect the
> Dom0 itself and permit all other traffic. Each DomU is treated like a
> standalone box and does its own firewalling (with Shorewall).
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Lists wrote:
> The following is the setup I have:
>
>                                            |-eth1 Mail (domU) (10.0.0.1)
> WAN <---> eth0-GW (Dom0) ---------------|-eth2 WWW  (domU) (10.0.0.2)
>       (62.235.222.227)  (10.0.0.128)       |-eth1 test (domU) (10.0.0.3)
>
> I only have one external IP for eth0 and I'd like my DomUs to be
> available on the WAN. From what I can tell by Tom's documentation,
> is that he managed to do this using Xen-routed, so what is the
> difference between the two and can I implement the above in a routed
> environment?

The difference is that Tom has multiple public IPs, you are using RFC1918 private addresses which are NOT routable on the internet - that's why you are using NAT. If you look at one of the other pages, then you'll see that his current arrangement involves the WAN connection being connected ONLY to a DomU so the Dom0 is not directly connected to the internet.

What I've done is like this:

WAN a.b.c.d <--> Dom1 ---+--- Dom0
                 Dom2 ---+
                 ...     |
                 DomN ---+

Dom1 runs a 'traditional' two interface router. The WAN port (in this case an ethernet port) is made available by hiding it from Dom0 (using pciback.hide=(xx:yy.z) in the Dom0 boot config) and making it available to the DomU by adding pci=['xx:yy.z'] to the DomU config.
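The PCI-hiding step Simon describes, as an added example that is not part of the thread and not Xen project code: a small POSIX shell script that prints the two configuration lines for a given bus:device.function, and checks on a running Dom0 whether that device is actually bound to the pciback driver (the condition under which Dom0 cannot use the WAN NIC). The BDF 02:00.0 is a constructed placeholder (find yours with lspci), the function names are mine, and the fake sysfs tree at the end is constructed only so the check can be exercised on a machine that is not a Xen Dom0.

```shell
#!/bin/sh
# Added example (not from the thread): emit the Dom0 and DomU config lines
# for handing a PCI NIC to the router DomU, and verify the hand-off in sysfs.
# NIC_BDF=02:00.0 is an assumed placeholder; override it in the environment.

NIC_BDF=${NIC_BDF:-02:00.0}

# Dom0 kernel command-line fragment (pciback built into the Dom0 kernel).
dom0_hide_param() {
    printf 'pciback.hide=(%s)\n' "$1"
}

# Line for the DomU's /etc/xen/<name> configuration file.
domu_pci_line() {
    printf "pci = ['%s']\n" "$1"
}

# Return 0 only if the device's driver symlink in sysfs points at pciback.
# $2 is an alternative sysfs root so the check can be tested offline.
nic_bound_to_pciback() {
    bdf=$1; root=${2:-/sys}
    link="$root/bus/pci/devices/0000:$bdf/driver"
    [ -L "$link" ] || return 1
    case $(basename "$(readlink "$link")") in
        pciback|xen-pciback) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sysfs tree for a self-test: one NIC on pciback, one on e1000
# (i.e. still owned by Dom0).  Prints the temporary root directory.
fake_sysfs() {
    root=$(mktemp -d)
    for d in "$root/bus/pci/drivers/pciback" "$root/bus/pci/drivers/e1000" \
             "$root/bus/pci/devices/0000:02:00.0" "$root/bus/pci/devices/0000:03:00.0"; do
        mkdir -p "$d"
    done
    ln -s ../../../bus/pci/drivers/pciback "$root/bus/pci/devices/0000:02:00.0/driver"
    ln -s ../../../bus/pci/drivers/e1000   "$root/bus/pci/devices/0000:03:00.0/driver"
    echo "$root"
}

dom0_hide_param "$NIC_BDF"
domu_pci_line "$NIC_BDF"
if nic_bound_to_pciback "$NIC_BDF"; then
    echo "$NIC_BDF is bound to pciback: hidden from Dom0"
else
    echo "$NIC_BDF is NOT bound to pciback on this host (or this is not a Xen Dom0)"
fi
```

The kernel-parameter form applies when pciback is built into the Dom0 kernel; when it is loaded as a module the same hide list goes in the module options instead. Run the check after every Dom0 reboot: if the WAN NIC is not on pciback, Dom0 still owns it and the "Dom0 has no firewalling at all" design described above leaves the Dom0 itself exposed.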
> Lists wrote:
> > The following is the setup I have:
> >
> >                                            |-eth1 Mail (domU) (10.0.0.1)
> > WAN <---> eth0-GW (Dom0) ---------------|-eth2 WWW  (domU) (10.0.0.2)
> >       (62.235.222.227)  (10.0.0.128)       |-eth1 test (domU) (10.0.0.3)
> >
> > I only have one external IP for eth0 and I'd like my DomUs to be
> > available on the WAN. From what I can tell by Tom's documentation,
> > is that he managed to do this using Xen-routed, so what is the
> > difference between the two and can I implement the above in a routed
> > environment?
>
> The difference is that Tom has multiple public IPs, you are using
> RFC1918 private addresses which are NOT routable on the internet -
> that's why you are using NAT. If you look at one of the other pages,
> then you'll see that his current arrangement involves the WAN
> connection being connected ONLY to a DomU so the Dom0 is not directly
> connected to the internet.
>
> What I've done is like this:
>
> WAN a.b.c.d <--> Dom1 ---+--- Dom0
>                  Dom2 ---+
>                  ...     |
>                  DomN ---+
>
> Dom1 runs a 'traditional' two interface router. The WAN port (in this
> case an ethernet port) is made available by hiding it from Dom0 (using
> pciback.hide=(xx:yy.z) in the Dom0 boot config) and making it
> available to the DomU by adding pci=['xx:yy.z'] to the DomU config.

Shows I still have a lot to learn about Xen. Am I right in thinking your setup will still only allow one DomU to use the public IP?

I went over Tom's documentation again and I see that although eth0 has several public IPs, both DomUs (eth3/4) are using the same public IP (206.124.146.176). Won't this setup allow multiple DomUs to share a single public IP?

What is the difference between a "Hardware nat" and Xen-natted that makes it impossible to firewall?

I also read about nested Xen but I don't want to go down that path. No need to over-complicate things.

I'm sorry for all the questions. Thanks again for your advice on this.

-- 
eco
> Shows I still have a lot to learn about Xen. Am I right in thinking
> your setup will still only allow one DomU to use the public IP?

Correct - but see below.

> I went over Tom's documentation again and I see that although
> eth0 has several public IPs, both DomUs (eth3/4) are using the same
> public IP (206.124.146.176). Won't this setup allow multiple DomUs
> to share a single public IP?

Port forwarding and/or proxy arp. IIRC, in Tom's current setup, he uses proxy-arp to pass through certain IPs to machines behind the router. In the case where you only have one public address, then you will need to 'port forward' certain traffic to certain hosts - see DNAT.

> What is the difference between a "Hardware nat" and Xen-natted that
> makes it impossible to firewall?

Not sure what you mean by 'hardware nat'. The problem with Xen, NAT, and firewalling is that Xen makes the networking environment very complicated. I really am a loooong way from understanding it, but from comments made by people (like Tom) who know more than I do it could be that the way the traffic passes through the various bits of networking system means that it does not pass through the right places in the right order to also support NAT in a meaningful way.
Simon Hobson wrote:
> Not sure what you mean by 'hardware nat'. The problem with Xen, NAT,
> and firewalling is that Xen makes the networking environment very
> complicated. I really am a loooong way from understanding it, but
> from comments made by people (like Tom) who know more than I do it
> could be that the way the traffic passes through the various bits of
> networking system means that it does not pass through the right places
> in the right order to also support NAT in a meaningful way.

I've completely given up on trying to run Shorewall in a Xen Dom0. The last straw was when the latest and greatest Xen network start script started blowing away all firewall rules (kind of) and installing its own. It didn't totally undo what Shorewall had done so it was impossible to communicate with the box at all if Shorewall started before Xen. In my view, that indicates that the Xen developers are dead set against running any kind of firewall in Dom0.

-Tom (who has switched to KVM and no longer runs Xen at all)

-- 
Tom Eastep          \ The ultimate result of shielding men from the
Shoreline,           \ effects of folly is to fill the world with fools.
Washington, USA       \ -Herbert Spencer
http://shorewall.net   \________________________________________________
----- "Simon Hobson" <linux@thehobsons.co.uk> wrote:
> > Shows I still have a lot to learn about Xen. Am I right in thinking
> > your setup will still only allow one DomU to use the public IP?
>
> Correct - but see below.
>
> > I went over Tom's documentation again and I see that although
> > eth0 has several public IPs, both DomUs (eth3/4) are using the same
> > public IP (206.124.146.176). Won't this setup allow multiple DomUs
> > to share a single public IP?
>
> Port forwarding and/or proxy arp. IIRC, in Tom's current setup, he
> uses proxy-arp to pass through certain IPs to machines behind the
> router. In the case where you only have one public address, then you
> will need to 'port forward' certain traffic to certain hosts - see
> DNAT.
>
> > What is the difference between a "Hardware nat" and Xen-natted that
> > makes it impossible to firewall?
>
> Not sure what you mean by 'hardware nat'. The problem with Xen, NAT,
> and firewalling is that Xen makes the networking environment very
> complicated. I really am a loooong way from understanding it, but
> from comments made by people (like Tom) who know more than I do it
> could be that the way the traffic passes through the various bits of
> networking system means that it does not pass through the right places
> in the right order to also support NAT in a meaningful way.

So in short, there is no way for me to have several DomUs share a single public IP. So what are my options?

- Having multiple public IPs on a single interface (eth0-WAN) and use Xen-Bridged. This way, Dom0 is "invisible" and the DomUs are directly connected to the WAN. I then install shorewall on each DomU.
- Having multiple public IPs on a single interface (eth0-WAN) and use Xen-natted. Guess not, it would still be the same NAT problem, right?

Any other option I might have to protect my DomUs and still make them available to the WAN?

Your help is much appreciated! There I was thinking that all I had to do was set up shorewall and be done with it.

-- 
eco
----- "Tom Eastep" <teastep@shorewall.net> wrote:
> I've completely given up on trying to run Shorewall in a Xen Dom0. The
> last straw was when the latest and greatest Xen network start script
> started blowing away all firewall rules (kind of) and installing its
> own. It didn't totally undo what Shorewall had done so it was impossible
> to communicate with the box at all if Shorewall started before Xen. In
> my view, that indicates that the Xen developers are dead set against
> running any kind of firewall in Dom0.
>
> -Tom (who has switched to KVM and no longer runs Xen at all)
>
> -- 
> Tom Eastep          \ The ultimate result of shielding men from the
> Shoreline,           \ effects of folly is to fill the world with fools.
> Washington, USA       \ -Herbert Spencer
> http://shorewall.net   \________________________________________________

Thanks for your feedback Tom and thanks for Shorewall! I'll start installing KVM at home and give it a go.

Any trick you can think of for me to make my DomUs available to the net? I can always install shorewall on them.

Thanks!

-- 
eco
lists@precognet.com wrote:
> Thanks for your feedback Tom and thanks for Shorewall! I'll start installing KVM at home and give it a go.
>
> Any trick you can think of for me to make my DomUs available to the net? I can always install shorewall on them.

I think that the XenMyWay approach is the way to go if you need to use Shorewall with Xen and want to do NAT to the other DomUs.

-Tom

-- 
Tom Eastep          \ The ultimate result of shielding men from the
Shoreline,           \ effects of folly is to fill the world with fools.
Washington, USA       \ -Herbert Spencer
http://shorewall.net   \________________________________________________
Hi eco,

I know you are thinking about using KVM instead of XEN, but anyway...

lists@precognet.com wrote:
> So in short, there is no way for me to have several DomUs share a single public IP.

Not correct. You apparently missed a thing that Simon Hobson wrote in his very first reply to you:

> I have put my firewall/router/nat in a DomU and made the external
> ethernet port available to it exclusively (by hiding the PCI device
> from Dom0). The DomU router then works 'normally', and the Dom0
> (which is internal only) has no firewalling at all.

I repeat: Put the firewall/router/nat in a DomU. Not in the dom0.

Whether you are going to use XEN or KVM: Good luck! :-)

BR
/Martin Leben
Tom Eastep wrote:
> lists@precognet.com wrote:
> > Thanks for your feedback Tom and thanks for Shorewall! I'll start installing KVM at home and give it a go.
> >
> > Any trick you can think of for me to make my DomUs available to the net? I can always install shorewall on them.
>
> I think that the XenMyWay approach is the way to go if you need to use
> Shorewall with Xen and want to do NAT to the other DomUs.

Of course you have to be able to see the forest through all of the trees. You wrote:

> Shows I still have a lot to learn about Xen. Am I right in thinking
> your setup will still only allow one DomU to use the public IP?

You are most definitely wrong. Simon described this setup:

WAN a.b.c.d <--> Dom1 ---+--- Dom0
                 Dom2 ---+
                 ...     |
                 DomN ---+

All of the DomUs AND DOM0 can access the internet through Dom1. This is exactly the same thing IP-wise as this:

WAN a.b.c.d <-> FW -> switch ---- pc0
                        |---------pc1
                        |---------pc2
                        ...
                        |---------pcN

That is exactly what the Shorewall two-interface Quickstart Guide shows you how to set up. As Martin says, you just have to "put the firewall/router/NAT in a DomU".

-Tom

-- 
Tom Eastep          \ The ultimate result of shielding men from the
Shoreline,           \ effects of folly is to fill the world with fools.
Washington, USA       \ -Herbert Spencer
http://shorewall.net   \________________________________________________
----- "Martin Leben" <ml060223@leben.nu> wrote:
> Hi eco,
>
> I know you are thinking about using KVM instead of XEN, but anyway...
>
> lists@precognet.com wrote:
> > So in short, there is no way for me to have several DomUs share a
> > single public IP.
>
> Not correct. You apparently missed a thing that Simon Hobson wrote in
> his very first reply to you:
> > I have put my firewall/router/nat in a DomU and made the external
> > ethernet port available to it exclusively (by hiding the PCI device
> > from Dom0). The DomU router then works 'normally', and the Dom0
> > (which is internal only) has no firewalling at all.
>
> I repeat: Put the firewall/router/nat in a DomU. Not in the dom0.
>
> Whether you are going to use XEN or KVM: Good luck! :-)
>
> BR
> /Martin Leben

Point taken Martin, thanks. I haven't given up on Xen yet but I will try out KVM... as soon as I can buy a box with a VT CPU to test it on. ;)

-- 
eco
lists@precognet.com wrote:
> So in short, there is no way for me to have several DomUs share a
> single public IP.

Yes and No! Yes, they can all share a single connection through NAT; no, they can't all offer the same services.

You need a simple "two interface router with NAT", which can either be an external box (i.e. a router appliance), or you can run it in a DomU with something like Shorewall. You need to forward certain types of traffic to internal machines that are going to handle it - e.g. DNAT inbound connections to port 80 to your web server, DNAT inbound connections to port 25 to your mail server, and so on.

Shorewall doesn't care if the two interface machine is a standalone computer running only the firewall, or a virtual machine running under Xen. DomUs are fairly simple in terms of their networking - it's just Dom0+NAT+firewalling that you need to steer clear of.
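The "two interface router with NAT" in a DomU that Simon and Tom describe, with the port 80 / port 25 DNAT forwards Simon mentions, as an added example that is not from the thread and not Shorewall project code: a POSIX shell script that generates the five Shorewall 4.0 configuration files for the router DomU into a scratch directory so they can be reviewed before being copied into place. Assumptions that are mine, not the thread's: eth0 inside the router DomU is the passed-through WAN NIC, eth1 is the DomU's interface on the internal Xen bridge, the internal network is 10.0.0.0/24 with the mail DomU at 10.0.0.1 and the web DomU at 10.0.0.2 as in eco's diagram, and the function names are invented for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or the Shorewall project.
# Generates Shorewall 4.0 configuration for a "two interface router with
# NAT" running in a DomU.  Assumptions (mine, not from the thread):
#   - eth0 in the router DomU is the passed-through WAN NIC
#   - eth1 in the router DomU sits on the internal Xen bridge (10.0.0.0/24)
#   - mail DomU = 10.0.0.1 (tcp/25), www DomU = 10.0.0.2 (tcp/80) per eco's diagram
# Files go to a scratch directory, never straight into /etc/shorewall.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=10.0.0.0/24
MAIL_HOST=10.0.0.1
WWW_HOST=10.0.0.2

write_shorewall_config() {
    dir=$1
    mkdir -p "$dir"

    # Three zones: the router itself, the Internet, the internal bridge.
    cat >"$dir/zones" <<EOF
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    cat >"$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     $WAN_IF     detect      tcpflags,nosmurfs,routefilter,logmartians
loc     $LAN_IF     detect      tcpflags,nosmurfs
EOF

    # Default deny: only loc->net and fw->net are open by policy.  Anything
    # aimed at the router or arriving from the Internet needs an explicit rule.
    cat >"$dir/policy" <<EOF
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Masquerade the RFC1918 range behind the single public address on eth0.
    cat >"$dir/masq" <<EOF
#INTERFACE  SOURCE
$WAN_IF     $LAN_NET
EOF

    # One public IP, so each inbound port can be forwarded to exactly one DomU.
    # Management access to the router is only allowed from the internal side.
    cat >"$dir/rules" <<EOF
#ACTION SOURCE          DEST            PROTO   DEST PORT(S)
SECTION NEW
DNAT    net             loc:$WWW_HOST   tcp     80
DNAT    net             loc:$MAIL_HOST  tcp     25
ACCEPT  loc             fw              tcp     22
ACCEPT  loc             fw              icmp    8
EOF
}

# Number of port-forwarding rules in a generated config (sanity check).
count_dnat_rules() {
    grep -c '^DNAT' "$1/rules"
}

OUT_DIR=${SHOREWALL_OUT:-$(mktemp -d)}
write_shorewall_config "$OUT_DIR"
echo "Shorewall files written to $OUT_DIR ($(count_dnat_rules "$OUT_DIR") DNAT rules)."
echo "Review them, copy to /etc/shorewall on the router DomU, then run: shorewall check"
```

Two things the files above do not cover: IP_FORWARDING must be On in shorewall.conf on the router DomU, and Dom0 and the other DomUs need the router DomU's eth1 address as their default gateway. Note also that traffic between Dom0 and the DomUs stays on the internal bridge and never crosses the router DomU, so the strict net->all DROP / all->all REJECT policy here cannot break Dom0-to-DomU communication the way a policy inside Dom0 did in eco's original setup; Dom0 is simply one more internal host with no public address.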
----- "Simon Hobson" <linux@thehobsons.co.uk> wrote:
> lists@precognet.com wrote:
>
> > So in short, there is no way for me to have several DomUs share a
> > single public IP.
>
> Yes and No! Yes, they can all share a single connection through NAT;
> no, they can't all offer the same services.
>
> You need a simple "two interface router with NAT", which can either
> be an external box (i.e. a router appliance), or you can run it in a DomU
> with something like Shorewall. You need to forward certain types of
> traffic to internal machines that are going to handle it - e.g. DNAT
> inbound connections to port 80 to your web server, DNAT inbound
> connections to port 25 to your mail server, and so on.
>
> Shorewall doesn't care if the two interface machine is a standalone
> computer running only the firewall, or a virtual machine running
> under Xen. DomUs are fairly simple in terms of their networking -
> it's just Dom0+NAT+firewalling that you need to steer clear of.

Thank you so much for your help and clarification on all of this. I talked to my provider and I will try and get a couple of extra public IPs and use Xen as a bridged network. This way, I'll just install a simple shorewall on each Dom. I will however have a look at other solutions unless Xen fixes this problem.

Thanks again!

-- 
eco