Galia Lisovskaya
2008-Nov-01 13:01 UTC
OpenVZ & shorewall. Didn't work ACL based on IP range.
Hello all,

It's my first letter on this list, and my English is not very good. Please be indulgent about grammar/syntax and other errors :))

I have trouble with ACLs based on an IP range. But an ACL for one host (with an IP address) works fine. Please help me make the ACL work / find the error in the ACL.

Because I'm a new Shorewall user, I made a test configuration on a virtual machine (VirtualBox) with a bridged network. The production OVZ server works with iptables, and I'm afraid of destroying a working configuration. It works, but not well. I simply want to create new subnetworks, a DMZ and others.

===========Scheme=====================

Host system (simple desktop with Fedora 8, a network bridge and VirtualBox) ---> guest system with OpenVZ kernel ---> some virtual private servers.

I think you may forget about VirtualBox, but you need to remember about OpenVZ. Hardware hosts in the LAN see the virtual OpenVZ host because it uses a bridge with the host system, and they see the VPS servers as well. Everything works if Shorewall on the virtual OpenVZ host is disabled.

-------------------Host-system:--------------------------

[shaggycat@desktop ~]$ cat /etc/redhat-release
Fedora release 8 (Werewolf)

[shaggycat@desktop ~]$ uname -a
Linux desktop.loc 2.6.26.5-28.fc8 #1 SMP Sat Sep 20 09:12:30 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

[shaggycat@desktop ~]$ ifconfig
br0       Link encap:Ethernet  HWaddr **************
          inet addr:10.0.5.2  Bcast:10.0.5.255  Mask:255.255.255.0
          inet6 addr: fe80::211:d8ff:fe91:a3da/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1246145 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1563590 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:975442995 (930.2 MiB)  TX bytes:1051074268 (1002.3 MiB)

eth0      Link encap:Ethernet  HWaddr ********
          inet6 addr: fe80::211:d8ff:fe91:a3da/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1246044 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1563463 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:998007741 (951.7 MiB)  TX bytes:1057556364 (1008.5 MiB)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1353 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1353 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2680004 (2.5 MiB)  TX bytes:2680004 (2.5 MiB)

vbox0     Link encap:Ethernet  HWaddr 00:FF:9E:34:22:E5
          inet6 addr: fe80::2ff:9eff:fe34:22e5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:5161 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

vbox1     Link encap:Ethernet  HWaddr 00:FF:EE:80:DA:5C
          inet6 addr: fe80::2ff:eeff:fe80:da5c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:119 errors:0 dropped:0 overruns:0 frame:0
          TX packets:142 errors:0 dropped:5142 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:15192 (14.8 KiB)  TX bytes:12786 (12.4 KiB)

virbr0    Link encap:Ethernet  HWaddr B2:12:B1:BF:97:CB
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::b012:b1ff:febf:97cb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:4855 (4.7 KiB)

-------------------end of Host-system:--------------------------

-----------------------VirtualBOX with host system:-------------------------------------

[shaggycat@desktop ~]$ rpm -qa | grep Virtual
VirtualBox-2.0.2_36488_fedora8-1

-----------------------end of VirtualBOX with host system:-------------------------------

------------------------------ Guest system with ovz-kernel------------------------------

[root@localhost ~]# cat /etc/redhat-release
CentOS release 5.2 (Final)

[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.18-92.1.13.el5.028stab059.3 #1 SMP Wed Oct 15 17:48:55 MSD 2008 i686 athlon i386 GNU/Linux

[root@localhost ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:89:FF:82
          inet addr:10.0.5.4  Bcast:10.0.5.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe89:ff82/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5274 (5.1 KiB)  TX bytes:5888 (5.7 KiB)
          Interrupt:11 Base address:0xc020

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@localhost shorewall]# rpm -qa | grep vz
ovzkernel-2.6.18-92.1.13.el5.028stab059.3
vzrpm44-4.4.1-22.5
vztmpl-fedora-7-1.1-1
vzquota-3.0.11-1
vzctl-3.0.22-1
vzrpm44-python-4.4.1-22.5
vzpkg-2.7.0-18
vzctl-lib-3.0.22-1
vzyum-2.4.0-11

------------------------------ end of Guest system with ovz-kernel------------------------------

---------------------VE containers with venet network (Fedora 7 distribution)------------------

[root@localhost ~]# vzlist
      VEID      NPROC STATUS  IP_ADDR         HOSTNAME
       201          5 running 10.0.2.1        test_vps1.loc
       202          8 running 10.0.2.2        test_vps2.loc
       203          3 running 10.0.2.3        test_vps3.loc
[root@localhost ~]#

---------------------end of VE containers with venet network (Fedora 7 distribution)------------------

===========end of Scheme=====================

If the shorewall service is stopped and all iptables policies are set to ACCEPT, all connections succeed:

VPS<-->lan
VPS<-->HN
HN<-->lan

For example, from the host computer (from the LAN):

[shaggycat@desktop ~]$ ssh root@10.0.2.1
root@10.0.2.1's password:
Last login: Sun Oct 26 20:13:56 2008 from 10.0.5.2
[root@test_vps1 ~]#

============Configuration files===================

[root@localhost two_work_config_]# cat zones
########################zones#######################################################
#ZONE   TYPE       OPTIONS         IN                      OUT
#                                  OPTIONS                 OPTIONS
fw      firewall

############ Hardware Local Network ##############
#local Network interface
loci    ipv4
#local network
loc:loci

desk1:loc
################################################

############# Venet Local Network ##############
#Virtual Interface
venet   ipv4

#Virtual network (see hosts file)
ven1:venet

#VPS servers
web1:ven1
serv2:ven1
dmz:ven1

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

[root@localhost two_work_config_]# cat hosts
################### hosts###################
#ZONE   HOST(S)                                 OPTIONS
web1    venet0:10.0.2.1
serv2   venet0:10.0.2.2

dmz     venet0:10.0.2.3

ven1    venet0:10.0.2.1-10.0.2.255

loc     eth0:10.0.5.0/24
desk1   eth0:10.0.5.2

#inet   0.0.0.0/24

[root@localhost two_work_config_]# cat interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS net eth0
loci    eth0            detect
venet   venet0          -               routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

[root@localhost two_work_config_]# cat policy
################## policy #############################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#
$FW     all     ACCEPT

#Remove this string!
all     $FW     ACCEPT

#Maybe it's not needed
#loci   venet   ACCEPT
#venet  loci    ACCEPT

#loc    ven1    ACCEPT
#ven1   loc     ACCEPT


#Test DMZ
ven1    dmz     ACCEPT
desk1   dmz     ACCEPT
dmz     all     DROP


#Temporary acl for one vps
web1    venet   ACCEPT
venet   web1    ACCEPT
loc     web1    ACCEPT
web1    loc     ACCEPT

#ACL for venet network
ven1    venet   ACCEPT
venet   ven1    ACCEPT
loc     ven1    ACCEPT
ven1    loc     ACCEPT

#ven1   ven1    ACCEPT
#ven1   loc     ACCEPT
#loc    ven1    ACCEPT


#temporary for desktop
#desk1  ven1    ACCEPT
#ven1   desk1   ACCEPT

desk1   web1    ACCEPT
web1    desk1   ACCEPT



#loc    web1    ACCEPT
#loc    serv2   ACCEPT
#serv2  loc     ACCEPT
#web1   loc     ACCEPT

all     all     REJECT
#LAST LINE -- DO NOT REMOVE
[root@localhost two_work_config_]#

============end of Configuration files===================

For one test VPS server the connection is accepted:

[shaggycat@desktop ~]$ ping -c 1 10.0.2.1
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=1.44 ms

--- 10.0.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.440/1.440/1.440/0.000 ms

But for the other test VPS the connection is dropped:

[shaggycat@desktop ~]$ ping -c 1 10.0.2.2
PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
From 10.0.5.4 icmp_seq=1 Destination Host Unreachable

--- 10.0.2.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

The ACL ven1 doesn't work. The connection for one VPS is accepted because the policy file has these lines:

#Temporary acl for one vps
web1    venet   ACCEPT
venet   web1    ACCEPT
loc     web1    ACCEPT
web1    loc     ACCEPT

Please help me find the error. Thank you for any answers or ideas.

--
Best regards,
Galia Lisovskaya.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Tom Eastep
2008-Nov-01 14:11 UTC
Re: OpenVZ & shorewall. Didn't work ACL based on IP range.
Galia Lisovskaya wrote:
> [configuration files quoted in full; see the message above]
>
> For one test VPS server the connection is accepted:
>
> [shaggycat@desktop ~]$ ping -c 1 10.0.2.1
> PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
> 64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=1.44 ms
>
> But for the other test VPS the connection is dropped:
>
> [shaggycat@desktop ~]$ ping -c 1 10.0.2.2
> PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
> From 10.0.5.4 icmp_seq=1 Destination Host Unreachable
>
> --- 10.0.2.2 ping statistics ---
> 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
>
> The ACL ven1 doesn't work.

The reason that it doesn't work is that 10.0.2.2 is in the serv2 zone. And serv2 is a sub-zone of ven1. The policy for desk->serv2 is REJECT.

To make these zone definitions work the way you want them to, you need to set IMPLICIT_CONTINUE=Yes in shorewall.conf. That way, if a connection doesn't match for one zone that a host is in, it will be compared against the rules/policies of the next zone that the host is in.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \ -Herbert Spencer
http://shorewall.net \________________________________________________
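Tom's explanation, as an added model that is not part of the thread and not Shorewall's own compiler: it encodes Galia's zones, hosts and policy files and evaluates the desktop -> 10.0.2.2 connection with IMPLICIT_CONTINUE off and on. The zone-pair evaluation order (deepest zone first) is an assumption of this model, not the compiler's exact ordering.

```python
# Added model of the nested-zone policy lookup Tom describes; NOT Shorewall's
# compiler. Zone-pair order (deepest zone first) is an assumption of this toy.
import ipaddress

# /etc/shorewall/zones: zone -> parent zone (None = top level)
ZONES = {"loci": None, "loc": "loci", "desk1": "loc",
         "venet": None, "ven1": "venet", "web1": "ven1", "serv2": "ven1", "dmz": "ven1"}

# /etc/shorewall/interfaces + hosts: (zone, interface, address spec).
# Interface zones (loci, venet) cover every address on their interface.
HOSTS = [("loci", "eth0", "0.0.0.0/0"), ("venet", "venet0", "0.0.0.0/0"),
         ("web1", "venet0", "10.0.2.1"), ("serv2", "venet0", "10.0.2.2"),
         ("dmz", "venet0", "10.0.2.3"), ("ven1", "venet0", "10.0.2.1-10.0.2.255"),
         ("loc", "eth0", "10.0.5.0/24"), ("desk1", "eth0", "10.0.5.2")]

# /etc/shorewall/policy in file order, commented-out lines left out
POLICY = [("ven1", "dmz", "ACCEPT"), ("desk1", "dmz", "ACCEPT"), ("dmz", "all", "DROP"),
          ("web1", "venet", "ACCEPT"), ("venet", "web1", "ACCEPT"),
          ("loc", "web1", "ACCEPT"), ("web1", "loc", "ACCEPT"),
          ("ven1", "venet", "ACCEPT"), ("venet", "ven1", "ACCEPT"),
          ("loc", "ven1", "ACCEPT"), ("ven1", "loc", "ACCEPT"),
          ("desk1", "web1", "ACCEPT"), ("web1", "desk1", "ACCEPT"),
          ("all", "all", "REJECT")]

DESK = ("eth0", "10.0.5.2")  # Galia's desktop: member of desk1, loc and loci


def spec_matches(spec, ip):
    """True if ip lies in a CIDR block, a single address or a low-high range."""
    if "-" in spec:
        low, high = (int(ipaddress.ip_address(x)) for x in spec.split("-"))
        return low <= int(ip) <= high
    return ip in ipaddress.ip_network(spec, strict=False)


def depth(zone):
    """Nesting depth: 0 for a top-level zone, 1 for its sub-zone, and so on."""
    d = 0
    while ZONES[zone] is not None:
        zone, d = ZONES[zone], d + 1
    return d


def zones_of(iface, addr):
    """Every zone the host belongs to, most specific (deepest) first."""
    ip = ipaddress.ip_address(addr)
    found = {z for z, i, spec in HOSTS if i == iface and spec_matches(spec, ip)}
    return sorted(found, key=depth, reverse=True)


def lookup(src, dst, implicit_continue):
    """Return (policy, zone pair) applied to a connection src -> dst.

    src/dst are (interface, address). A policy line naming at least one zone
    decides its pair; 'all all' is the catch-all. With IMPLICIT_CONTINUE=Yes
    an unmatched pair that involves a sub-zone is skipped and the next, more
    general pair is tried, which is the behaviour Tom describes.
    """
    catch_all = next(p for s, d, p in POLICY if (s, d) == ("all", "all"))
    for sz in zones_of(*src):
        for dz in zones_of(*dst):
            for s, d, p in POLICY:
                if (s, d) != ("all", "all") and s in (sz, "all") and d in (dz, "all"):
                    return p, (sz, dz)
            if not implicit_continue or (depth(sz) == 0 and depth(dz) == 0):
                return catch_all, (sz, dz)
    return catch_all, None


if __name__ == "__main__":
    for vps in ("10.0.2.1", "10.0.2.2", "10.0.2.3"):
        for flag in (False, True):
            pol, pair = lookup(DESK, ("venet0", vps), flag)
            print(f"IMPLICIT_CONTINUE={'Yes' if flag else 'No'}: desk -> {vps}: {pol} via {pair}")
```

With the flag off the very first pair (desk1, serv2) has no policy of its own and falls to `all all REJECT`; with it on the lookup continues to (loc, ven1), where `loc ven1 ACCEPT` applies.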
Galia Lisovskaya
2008-Nov-01 16:42 UTC
Re: OpenVZ & shorewall. Didn't work ACL based on IP range.
2008/11/1 Tom Eastep <teastep@shorewall.net>:
> The reason that it doesn't work is that 10.0.2.2 is in the serv2 zone.
> And serv2 is a sub-zone of ven1. The policy for desk->serv2 is REJECT.
>
> To make these zone definitions work the way you want them to, you need
> to set IMPLICIT_CONTINUE=Yes in shorewall.conf. That way, if a
> connection doesn't match for one zone that a host is in, it will be
> compared against the rules/policies of the next zone that the host is in.
>
> -Tom

Thanks. I set IMPLICIT_CONTINUE=Yes and got, I think, a bug of the OVZ kernel:

[root@localhost shorewall]# shorewall debug start
Compiling...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Compiling /etc/shorewall/hosts...
Determining Hosts in Zones...
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain Reject...
Compiling ...
Processing /usr/share/shorewall/action.Drop for chain Drop...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling iptables-restore input for chain mangle:...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
Initializing...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Traffic Control...
Preparing iptables-restore input...
Running debug_restore_input...
iptables v1.3.5: Unknown arg `--src-range'
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Command "/sbin/iptables -A venet0_fwd --src-range 10.0.2.1-10.0.2.255 -j ven1_frwd" Failed
IP Forwarding Enabled
/sbin/shorewall: line 435: 15022 Завершено      ${VARDIR}/.start $debugging start
[root@localhost shorewall]#

The one Russian word means "end" in English.

Light googling gave this information:

* http://lists.netfilter.org/pipermail/netfilter/2007-February.txt

========================================
From michel at mitch-it.com  Thu Feb 15 01:49:32 2007
From: michel at mitch-it.com (Michel van der Klei)
Date: Thu Feb 15 02:41:02 2007
Subject: Need help with iptables and iprange module
In-Reply-To: <b6d73fa90702141615y138d3f0dh176f309ca9ea74dd@mail.gmail.com>
References: <b6d73fa90702141615y138d3f0dh176f309ca9ea74dd@mail.gmail.com>
Message-ID: <20070215014932.d5815394.michel@mitch-it.com>

On Wed, 14 Feb 2007 19:15:13 -0500
TheNokia <nokiairc@gmail.com> wrote:

> Hello everybody, I installed iptables v1.3.7 (the latest one)
> But when I try to use iprange module (-m iprange) here the error:
>
> debian:~# iptables -A INPUT -m iprange
> iptables v1.3.7: iprange match: You must specify `--src-range' or `--dst-range'
> Try `iptables -h' or 'iptables --help' for more information.
> debian:~# iptables -A INPUT -m iprange --src-range
> iptables v1.3.7: Unknown arg `--src-range'
> Try `iptables -h' or 'iptables --help' for more information.
> debian:~# iptables -A INPUT -m iprange --src-range
> xx.xxx.xxx.0-xx.xxx.xxx.255 -j DROP
> iptables: No chain/target/match by that name
>
> I try to install the crap-patch-o-matic, impossible to install without
> 100 years of linux knowledge.

Which kernel version is installed on your Debian machine?
Since kernel 2.6.18 it's no longer needed to run patch-o-matic.
modprobe ipt_iprange will do that trick for you.
======================

I loaded this module:

[root@localhost shorewall]# lsmod | grep ipt_iprange
ipt_iprange             5888  0
x_tables               19204  46 ip6_tables,xt_realm,xt_comment,xt_policy,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_TCPMSS,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_hashlimit,ipt_ECN,ipt_ecn,ipt_DSCP,ipt_dscp,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_NFQUEUE,xt_multiport,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_helper,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,xt_tcpudp,xt_state,iptable_nat,ip_tables
[root@localhost shorewall]#

But the error doesn't go away. What do you think, is it an error of the OVZ kernel, and do I need to get help on the OpenVZ mailing list?

Thank you for answering.

--
Best regards,
Galia Lisovskaya.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep
2008-Nov-01 17:08 UTC
Re: OpenVZ & shorewall. Didn't work ACL based on IP range.
Galia Lisovskaya wrote:
> Running debug_restore_input...
> iptables v1.3.5: Unknown arg `--src-range'
> Try `iptables -h' or 'iptables --help' for more information.
>    ERROR: Command "/sbin/iptables -A venet0_fwd --src-range
> 10.0.2.1-10.0.2.255 -j ven1_frwd" Failed
> IP Forwarding Enabled

Hmmm -- I see from the dump you sent to support@shorewall.net that

Repeat match: Not available

That is causing Shorewall to generate an invalid rule.

Please do the following:

shorewall show -f capabilities > /etc/shorewall/caps
tar -zcf shorewall.tgz /etc/shorewall

Send shorewall.tgz to support@shorewall.net

Thanks,
-Tom
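What the failing rule was missing, as an added illustration that is not Shorewall's code: the `--src-range`/`--dst-range` options belong to the iptables `iprange` match and are only recognised after `-m iprange` (the form used in the netfilter-list excerpt Galia quoted). `FAILED_RULE` is the command from her error output; `cidr_rules()` goes beyond the thread by showing the same range as plain CIDR matches, a fallback that needs no iprange module at all.

```python
# Added illustration (not Shorewall's code) of the iptables match that the
# failing rule above lacked, plus a CIDR-only fallback that goes beyond the
# thread. FAILED_RULE is the exact command from Galia's error output.
import ipaddress

FAILED_RULE = "/sbin/iptables -A venet0_fwd --src-range 10.0.2.1-10.0.2.255 -j ven1_frwd"
RANGE_OPTS = ("--src-range", "--dst-range")


def parse_range(spec):
    """'low-high' -> (IPv4Address, IPv4Address); rejects a reversed range."""
    low, high = (ipaddress.ip_address(x.strip()) for x in spec.split("-"))
    if low > high:
        raise ValueError(f"range {spec!r} has its low address above the high one")
    return low, high


def rule_has_iprange_match(argv):
    """False when --src-range/--dst-range appears before any '-m iprange':
    the defect iptables reports as "Unknown arg `--src-range'"."""
    loaded = False
    for i, tok in enumerate(argv):
        if tok == "-m" and i + 1 < len(argv) and argv[i + 1] == "iprange":
            loaded = True
        elif tok in RANGE_OPTS and not loaded:
            return False
    return True


def build_range_rule(chain, spec, target, direction="src"):
    """The corrected form: load the iprange match before using its options."""
    low, high = parse_range(spec)
    return ["iptables", "-A", chain, "-m", "iprange",
            f"--{direction}-range", f"{low}-{high}", "-j", target]


def cidr_blocks(spec):
    """Smallest list of CIDR blocks that covers the range exactly."""
    return [str(n) for n in ipaddress.summarize_address_range(*parse_range(spec))]


def cidr_rules(chain, spec, target, direction="src"):
    """Fallback for an iptables without the iprange match: one plain -s/-d rule
    per CIDR block. More rules, but no extra match module is needed."""
    flag = "-s" if direction == "src" else "-d"
    return [["iptables", "-A", chain, flag, block, "-j", target]
            for block in cidr_blocks(spec)]


if __name__ == "__main__":
    print("failing rule loads iprange match:", rule_has_iprange_match(FAILED_RULE.split()))
    print(" ".join(build_range_rule("venet0_fwd", "10.0.2.1-10.0.2.255", "ven1_frwd")))
    for rule in cidr_rules("venet0_fwd", "10.0.2.1-10.0.2.255", "ven1_frwd"):
        print(" ".join(rule))
```

Galia's range 10.0.2.1-10.0.2.255 is not a single block, so the fallback expands it to eight CIDR rules, from 10.0.2.1/32 up to 10.0.2.128/25.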
Tom Eastep
2008-Nov-01 20:29 UTC
Re: OpenVZ & shorewall. Didn't work ACL based on IP range.
Tom Eastep wrote:
> Galia Lisovskaya wrote:
>
>> Running debug_restore_input...
>> iptables v1.3.5: Unknown arg `--src-range'
>> Try `iptables -h' or 'iptables --help' for more information.
>>    ERROR: Command "/sbin/iptables -A venet0_fwd --src-range
>> 10.0.2.1-10.0.2.255 -j ven1_frwd" Failed
>> IP Forwarding Enabled
>
> Hmmm -- I see from the dump you sent to support@shorewall.net that
>
> Repeat match: Not available
>
> That is causing Shorewall to generate an invalid rule.
>
> Please do the following:
>
> shorewall show -f capabilities > /etc/shorewall/caps
> tar -zcf shorewall.tgz /etc/shorewall
> Send shorewall.tgz to support@shorewall.net

Attached is a patch to /usr/share/shorewall-perl/Shorewall/Rules.pm that should correct the problem.

-Tom
Galia Lisovskaya
2008-Nov-02 12:49 UTC
Re: OpenVZ & shorewall. Didn't work ACL based on IP range.
Thank you very much, everything works!
Is it a bug, or something else?

I have a working configuration with some subnetworks and a DMZ, but I want to do traffic shaping for some VPS servers and services in VPS servers.

Won't this new line in the Perl compiler interfere with traffic shaping?

If it's a bug, will this new line be included in a future release?

And I want to write a how-to about OpenVZ and Shorewall. I want to know the details of publishing a how-to in the openvz.org wiki and the Shorewall wiki... In the Shorewall wiki there is documentation in several languages. May I write the how-to in two languages?

And, if I remember correctly, Tom wants to edit the English version to correct English syntax and grammar... Is that true?

2008/11/1 Tom Eastep <teastep@shorewall.net>:
> Tom Eastep wrote:
> Attached is a patch to /usr/share/shorewall-perl/Shorewall/Rules.pm that
> should correct the problem.

--
Best regards,
Galia Lisovskaya.
e-mail: inbox@shaggy-cat.ru
Tom Eastep
2008-Nov-02 14:44 UTC
Re: OpenVZ & shorewall. Didn't work ACL based on IP range.
Galia Lisovskaya wrote:
> Thank you very much, everything works!
> Is it a bug, or something else?

It's a bug in Shorewall's handling of IP ranges in the /etc/shorewall/hosts file when iptables 1.3.8 or earlier is used.

> I have a working configuration with some subnetworks and a DMZ,
> but I want to do traffic shaping for some VPS servers and services in
> VPS servers.
>
> Won't this new line in the Perl compiler interfere with traffic shaping?

It doesn't affect traffic shaping.

> If it's a bug, will this new line be included in a future release?

It will be included in the next release.

> And I want to write a how-to about OpenVZ and Shorewall.
> I want to know the details of publishing a how-to in the openvz.org wiki and the Shorewall wiki...
> In the Shorewall wiki there is documentation in several languages.
> May I write the how-to in two languages?

That's fine.

> And, if I remember correctly, Tom wants to edit the English version to correct
> English syntax and grammar...
> Is that true?

Either Roberto or I will be happy to edit your English article; just don't ask us to edit your Russian article :-)

-Tom
Galia Lisovskaya
2008-Nov-04 17:18 UTC
Re: OpenVZ & shorewall. Didn't work ACL based on IP range.
When I made the configuration on the working OpenVZ host, I got new troubles:

[shaggycat@hn shorewall]$ sudo shorewall debug start
Password:
Compiling...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Compiling /etc/shorewall/hosts...
Determining Hosts in Zones...
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling ...
Compiling /etc/shorewall/providers ...
Compiling /etc/shorewall/route_rules...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain Reject...
Compiling ...
Processing /usr/share/shorewall/action.Drop for chain Drop...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /etc/shorewall/tcdevices...
Compiling /etc/shorewall/tcclasses...
Compiling /etc/shorewall/tcrules...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling iptables-restore input for chain mangle:...
Shorewall configuration compiled to /var/lib/shorewall/.start
/var/lib/shorewall/.start: line 2575: ошибка синтаксиса: неожиданный конец файла
[shaggycat@hn shorewall]$
====================

This line:

/var/lib/shorewall/.start: line 2575: ошибка синтаксиса: неожиданный конец файла

in English:

/var/lib/shorewall/.start: line 2575: syntax error. Unexpected end of file

Omache recommended that I send /var/lib/shorewall/.start to the mailing list. Because it's a working machine, I'm afraid to publish real IP addresses, because the mailing list is indexed by Google. I edited the start file with sed and set fake IP addresses. I can send the original start file by private e-mail if anybody wants to help. The start file in tgz format is attached.

--
Best regards,
Galia Lisovskaya.
e-mail: inbox@shaggy-cat.ru
Tom Eastep
2008-Nov-04 17:22 UTC
Re: OpenVZ & shorewall. Didn't work ACL based on IP range.
Galia Lisovskaya wrote:
> When I made the configuration on the working OpenVZ host, I got new troubles:
>

Your /etc/shorewall/stopped file is missing a newline character on the last line. I had already added a change for Shorewall 4.2.2 that will add a newline in that case -- but until I release that version, you'll have to follow the rule that the last line of user exits MUST HAVE A TERMINATING newline.

-Tom
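Tom's diagnosis, as an added illustration that is not Shorewall's code: a user exit without a final newline gets the generated script's next line glued onto its last line, which is what bash reports as an unexpected end of file. The shell skeleton in `embed_user_exit()` and the `USER_EXITS` name list are assumptions for this illustration; `check_user_exits()` and `fix_final_newline()` are the check and repair a practitioner would run over /etc/shorewall.

```python
# Added illustration (not Shorewall's code) of the user-exit problem Tom
# diagnoses. The script skeleton in embed_user_exit() and the USER_EXITS list
# are assumptions of this illustration, not the compiler's real output.
import os
import tempfile

# Extension scripts pasted into the generated script (assumed partial list;
# the two names that appear in this thread are 'start' and 'stopped').
USER_EXITS = ("init", "start", "started", "stop", "stopped")


def missing_final_newline(data):
    """True for a non-empty file whose last byte is not a newline."""
    return len(data) > 0 and not data.endswith(b"\n")


def embed_user_exit(exit_body):
    """Paste the exit body verbatim into a shell function, the way the
    compiler pastes user exits into /var/lib/shorewall/.start (assumed)."""
    return "run_stopped_exit() {\n" + exit_body.decode() + "}\n"


def glued_last_line(script):
    """The line where the closing brace got stuck to user code, else None."""
    lines = script.rstrip("\n").splitlines()
    return None if lines[-1].strip() == "}" else lines[-1]


def check_user_exits(directory, names=USER_EXITS):
    """Paths of user exits under `directory` that lack a terminating newline."""
    bad = []
    for name in names:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                if missing_final_newline(fh.read()):
                    bad.append(path)
    return bad


def fix_final_newline(path):
    """Append the missing newline in place; returns True if the file changed."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not missing_final_newline(data):
        return False
    with open(path, "ab") as fh:
        fh.write(b"\n")
    return True


def demo():
    """Constructed stand-in for /etc/shorewall: 'stopped' lacks the newline,
    'start' has it. Returns (bad names before the fix, bad paths after it)."""
    with tempfile.TemporaryDirectory() as etc:
        with open(os.path.join(etc, "stopped"), "wb") as fh:
            fh.write(b"logger 'shorewall stopped'")       # no trailing newline
        with open(os.path.join(etc, "start"), "wb") as fh:
            fh.write(b"logger 'shorewall starting'\n")
        before = check_user_exits(etc)
        for path in before:
            fix_final_newline(path)
        return [os.path.basename(p) for p in before], check_user_exits(etc)


if __name__ == "__main__":
    print(repr(glued_last_line(embed_user_exit(b"logger 'shorewall stopped'"))))
    print(demo())
```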