Hi all, I am getting trouble adding SNAT/masquerade to a working configuration (it's an OpenVZ hardware node). In the near future I want to add traffic shaping for VZ containers and physical hosts, and write a how-to about this.

There are 2 external links with NAT:

    eth0 Link encap:Ethernet HWaddr 00:80:48:48:22:5F
         inet addr:xxx.xxx.xxx Bcast:255.255.255.255 Mask:255.255.255.0

    eth1 Link encap:Ethernet HWaddr 00:0C:76:E4:75:14
         inet addr:10.0.5.10 Bcast:10.0.5.255 Mask:255.255.255.0

eth1 is both the internal and an external link (the next hop is a DSL router with IP 10.0.5.1).

======== interfaces ============
#ZONE INTERFACE BROADCAST OPTIONS
net
loci eth1 detect
venet venet0 - routeback
akado eth0 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
=========================

========= providers ============
# Shorewall version 4 - Providers File
############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY
#OPTIONS COPY
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
stream 1 50 main eth1 10.0.5.1 track,optional,loose eth1
kakad 2 51 main eth0 xx.xx.xx.1 track,optional,loose,balance
================

========= masq ==============
#INTERFACE SUBNET ADDRESS

#For external interfaces:
#eth0 $ETH0_SUBNET $ETH0_IP
#eth1 10.0.5.0 10.0.5.10

#Masquerading for internal interfaces
eth0 10.0.5.0/24
eth1 10.0.5.0/24
==========================

============ route_rules ============
#SOURCE DEST PROVIDER PRIORITY
venet0 - kakad 1000
=============================

When I add eth1 to the COPY option for any provider, all rules for the containers don't work. Please help me find the error. Thanks for any answers or ideas.

P.S.

    rpm -qa | grep shorewall
    shorewall-4.2.0-1
    shorewall-perl-4.2.0-1

--
Best regards,
Galia Lisovskaya.
e-mail: inbox@shaggy-cat.ru

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Galia Lisovskaya wrote:
> Hi all,
>
> I am getting trouble adding SNAT/masquerade to a working configuration (it's an
> OpenVZ hardware node).

None of the core Shorewall developers run OpenVZ or know anything about it. So if you want to run Shorewall under OpenVZ, you are pretty much on your own.
Galia Lisovskaya wrote:
> Hi all,
>
> I am getting trouble adding SNAT/masquerade to a working configuration (it's an
> OpenVZ hardware node).
> In the near future I want to add traffic shaping for VZ containers and
> physical hosts, and write a how-to about this.
>
> There are 2 external links with NAT:
>
> eth0 Link encap:Ethernet HWaddr 00:80:48:48:22:5F
>      inet addr:xxx.xxx.xxx Bcast:255.255.255.255 Mask:255.255.255.0
>
> eth1 Link encap:Ethernet HWaddr 00:0C:76:E4:75:14
>      inet addr:10.0.5.10 Bcast:10.0.5.255 Mask:255.255.255.0
>
> eth1 is both the internal and an external link (the next hop is a DSL router with IP 10.0.5.1).

Unless the hosts in 10.0.5.1 always access the internet through the DSL router or through eth0, the SNAT will work. SNAT of 10.0.5.0/24 out of eth1 WILL NOT WORK.

> ======== interfaces ============
> #ZONE INTERFACE BROADCAST OPTIONS
> net
> loci eth1 detect
> venet venet0 - routeback
> akado eth0 detect
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> =========================
>
> ========= providers ============
> # Shorewall version 4 - Providers File
> ############################################################################################
> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY
> #OPTIONS COPY
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> stream 1 50 main eth1 10.0.5.1 track,optional,loose eth1
> kakad 2 51 main eth0 xx.xx.xx.1 track,optional,loose,balance

See that 'LAST LINE' up above -- it means what it says.

> ================
>
> ========= masq ==============
> #INTERFACE SUBNET ADDRESS
>
> #For external interfaces:
> #eth0 $ETH0_SUBNET $ETH0_IP
> #eth1 10.0.5.0 10.0.5.10

The second entry is silly; as I mention above, it won't work, and 10.0.5.0 is the NETWORK ADDRESS for the network.

And what is $ETH0_SUBNET?

> #Masquerading for internal interfaces
>
> eth0 10.0.5.0/24
> eth1 10.0.5.0/24
> ==========================
>
> ============ route_rules ============
> #SOURCE DEST PROVIDER PRIORITY
> venet0 - kakad 1000
> =============================
>
> When I add eth1 to the COPY option for any provider, all rules for the
> containers don't work.

Again -- I don't think there is anyone here who can help you with that.

And in the future, *please* include the output of 'shorewall dump' as an attachment rather than your configuration files. We really don't want to see your configuration files; the files show us your solution to *some* problem -- when we look at the files, we have to guess what that problem is and whether your solution is the correct one. When we see the output of 'shorewall dump', we know exactly what your firewall is doing (except for the OpenVZ part).
Shorewall Geek wrote:
>
> Unless the hosts in 10.0.5.1 always access the internet through the DSL
> router or through eth0, the SNAT will work. SNAT of 10.0.5.0/24 out of
> eth1 WILL NOT WORK.

That should have been '...hosts in 10.0.5.0/24...'
> None of the core Shorewall developers run OpenVZ or know anything
> about it. So if you want to run Shorewall under OpenVZ, you are
> pretty much on your own.

Of course, but it works on many systems. In the Shorewall wiki there are some texts about Xen and KVM.

I think VZ is really a technology of the future, and now it's a very popular technology, but the free version of this system does not include administrator-friendly utilities for setting up routing. Now, in OpenVZ (not in Virtuozzo) you write scripts of iptables/ip route/tc. It's not good ;((

In this mailing list I got support last time. But I understand it's free support, and if I ask incorrectly, all readers may not want to help.

Now I have made simple working rules for VZ containers, but not rules for the hardware hosts (with 10.0.5.0/24). It's not a VZ-specific trouble. It's only my stupidity.

> Again -- I don't think there is anyone here who can help you with that.
>
> And in the future, *please* include the output of 'shorewall dump' as an
> attachment rather than your configuration files. We really don't want to
> see your configuration files; the files show us your solution to *some*
> problem -- when we look at the files, we have to guess what that problem
> is and whether your solution is the correct one. When we see the output
> of 'shorewall dump', we know exactly what your firewall is doing (except
> for the OpenVZ part).

Dump file attached. I edited this dump using a sed command: my external IP is deleted and replaced with the symbols xx.xx.xx. For private e-mail (not the public list) I may send the unedited dump.

I understand it, but I'm afraid to send big letters, because I think some readers of this mailing list read it from mobile gadgets with limited traffic.

> Unless the hosts in 10.0.5.1 always access the internet through the DSL
> router or through eth0, the SNAT will work. SNAT of 10.0.5.0/24 out of
> eth1 WILL NOT WORK.

> That should have been '...hosts in 10.0.5.0/24...'

Sorry, I don't understand. Will SNAT of 10.0.5.0/24 out of eth1 _never_ work, or is there another road to get this route? Maybe a virtual interface (i.e. eth1:1, eth1:2)?

> Again -- I don't think there is anyone here who can help you with that.

Sorry for my bad English, and thanks for the answer.

--
Best regards,
Galia Lisovskaya.
e-mail: inbox@shaggy-cat.ru
Galia Lisovskaya wrote:
>> None of the core Shorewall developers run OpenVZ or know anything
>> about it. So if you want to run Shorewall under OpenVZ, you are
>> pretty much on your own.
>
> Of course, but it works on many systems.
> In the Shorewall wiki there are some texts about Xen and KVM.

Yes -- and the Shorewall author himself had to install the software, learn how it worked, then write the article. He isn't doing that any more.

> I think VZ is really a technology of the future, and now it's a very popular technology,
> but the free version of this system
> does not include administrator-friendly utilities for setting up routing.
> Now, in OpenVZ (not in Virtuozzo) you write scripts of iptables/ip route/tc.
> It's not good ;((
>
> In this mailing list I got support last time. But I understand
> it's free support,
> and if I ask incorrectly, all readers may not want to help.
>
> Now I have made simple working rules for VZ containers, but not rules for
> the hardware hosts (with 10.0.5.0/24).
> It's not a VZ-specific trouble. It's only my stupidity.
>
>> Again -- I don't think there is anyone here who can help you with that.
>>
>> And in the future, *please* include the output of 'shorewall dump' as an
>> attachment rather than your configuration files. We really don't want to
>> see your configuration files; the files show us your solution to *some*
>> problem -- when we look at the files, we have to guess what that problem
>> is and whether your solution is the correct one. When we see the output
>> of 'shorewall dump', we know exactly what your firewall is doing (except
>> for the OpenVZ part).
>
> Dump file attached. I edited this dump using a sed command:
> my external IP is deleted and replaced with the symbols xx.xx.xx.
> For private e-mail (not the public list) I may send the unedited dump.
>
> I understand it, but I'm afraid to send big letters, because I think
> some readers of this mailing list read it from mobile gadgets with limited
> traffic.
>
>> Unless the hosts in 10.0.5.1 always access the internet through the DSL
>> router or through eth0, the SNAT will work. SNAT of 10.0.5.0/24 out of
>> eth1 WILL NOT WORK.
>
>> That should have been '...hosts in 10.0.5.0/24...'
>
> Sorry, I don't understand. Will SNAT of 10.0.5.0/24 out of eth1 _never_ work,
> or is there another road to get this route?
> Maybe a virtual interface (i.e. eth1:1, eth1:2)?

Actually you could possibly get it to work by adding 'routeback' to the eth1 entry in /etc/shorewall/interfaces and by adding an entry for eth1 in /etc/shorewall/masq like the one for eth0:

    eth1 10.0.5.0/24

but it is really too ugly to consider, IMO.

I also see that you have containers with IP addresses in 10.0.7.0/24 -- those don't need internet access?

>
>> Again -- I don't think there is anyone here who can help you with that.

> When I add eth1 to the COPY option for any provider, all rules for the
> containers don't work.

'eth1' is implicitly included in the COPY list for 'stream'; so I assume that when you add 'eth1' for the 'akado' provider then there are problems? Can you give us an example of what exactly "doesn't work"?

Even without knowing that, there are serious problems with this setup:

a) It was never intended that the interface to one provider could be added to the COPY list of another provider. So adding 'eth1' to the COPY list of akado isn't supported.

b) Because of a), it was never intended that a connection could use multiple connections that have the 'track' option. So connections from the local LAN (10.0.5.0/24) cannot use the akado provider correctly because they get marked with the mark for 'stream' (1).
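As an added illustration (not code from the thread or from Shorewall itself), here is a small lint over constructed providers and masq files that flags the problems raised in this reply: a COPY list naming an interface that belongs to another provider (point a), and masquerading a subnet out of the interface that already carries that subnet, plus the bare 10.0.5.0 entry with no prefix length. The column layout, the sample addresses and the IFACES map are assumptions; the public addresses are placeholders because the thread redacts them.

```python
import ipaddress

# Constructed sample files modelled on the thread's configuration, not the poster's real files;
# the public addresses are placeholders (the thread redacts them as xx.xx.xx).
PROVIDERS = """\
#NAME   NUMBER MARK DUPLICATE INTERFACE GATEWAY     OPTIONS                      COPY
stream  1      50   main      eth1      10.0.5.1    track,optional,loose         eth1
kakad   2      51   main      eth0      203.0.113.1 track,optional,loose,balance eth1
"""
MASQ = """\
#INTERFACE SUBNET      ADDRESS
eth0       10.0.5.0/24
eth1       10.0.5.0/24
eth1       10.0.5.0    10.0.5.10
"""
IFACES = {"eth0": "203.0.113.10/24", "eth1": "10.0.5.10/24"}  # address/prefix per interface

def parse_rows(text):
    """Drop comments and blank lines; return the whitespace-separated columns of each entry."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def lint_providers(text):
    """Point a) of the reply: a COPY list naming an interface owned by another provider."""
    rows = parse_rows(text)
    owner = {r[4]: r[0] for r in rows}  # INTERFACE column -> provider NAME
    findings = []
    for r in rows:
        name = r[0]
        for iface in (r[7].split(",") if len(r) > 7 else []):
            if owner.get(iface, name) != name:
                findings.append(f"{name}: COPY lists {iface}, owned by provider {owner[iface]}")
    return findings

def lint_masq(text, ifaces):
    """SNAT of a subnet out of the interface that already carries it, and bare addresses
    without a prefix length (10.0.5.0 alone is the network address, not a subnet)."""
    findings = []
    for iface, subnet, *_ in parse_rows(text):
        if "/" not in subnet:
            findings.append(f"{iface}: '{subnet}' has no prefix length, so it is a single host")
            continue
        local = ipaddress.ip_interface(ifaces[iface]).network
        if ipaddress.ip_network(subnet, strict=False).overlaps(local):
            findings.append(f"{iface}: SNAT of {subnet} out of {iface}, which is on {local}")
    return findings
```

Running `lint_providers(PROVIDERS) + lint_masq(MASQ, IFACES)` reports the kakad COPY entry and both eth1 masq entries, which are exactly the three lines the reply objects to.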