Shorewall users - Nov 2008 - SNAT/masquerade + overs rulez

Hi all,

I get trobles for add SNAT/masquerade in work configuration (it''s
OpenVZ hardware node).
In near future, I want add traffic shaping for VZ containers, and
physical hosts, and whrite how-to about this.

it''s 2 external links with NAT:

eth0      Link encap:Ethernet  HWaddr 00:80:48:48:22:5F
          inet addr:xxx.xxx.xxx Bcast:255.255.255.255  Mask:255.255.255.0

eth1      Link encap:Ethernet  HWaddr 00:0C:76:E4:75:14
          inet addr:10.0.5.10  Bcast:10.0.5.255  Mask:255.255.255.0

eth1 is intenal and external link (on next hope, is DSL router with ip 10.0.5.1)

========interfaces============#ZONE   INTERFACE       BROADCAST       OPTIONSnet
loci    eth1             detect
venet   venet0              -           routeback
akado   eth0             detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
=========================
=========providers============# Shorewall version 4 - Providers File
############################################################################################
#NAME        NUMBER    MARK   DUPLICATE       INTERFACE       GATEWAY
#OPTIONS         COPY
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
stream         1       50     main           eth1        10.0.5.1
track,optional,loose eth1
kakad         2       51     main            eth0        xx.xx.xx.1
track,optional,loose,balance
================
=============masq==============#INTERFACE       SUBNET            ADDRESS

#For external interfaces:
#eth0             $ETH0_SUBNET      $ETH0_IP
#eth1             10.0.5.0          10.0.5.10

#Masquarding for internal interfaces

eth0              10.0.5.0/24
eth1             10.0.5.0/24
==========================
============   route_rules ============#SOURCE            DEST      PROVIDER    
PRIORITY
venet0               -        kakad           1000


=============================
when i add for any provider eth1 for COPY options, all rules for
container''s does''nt work.

Please help me for find erorr
Thanks for all answer or ideas.

P.S.

rpm -qa | grep shorewall
shorewall-4.2.0-1
shorewall-perl-4.2.0-1


-- 
Best regards,
Galia Lisovskaya.
e-mail: inbox@shaggy-cat.ru

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Galia Lisovskaya wrote:
> Hi all,
> 
> I get trobles for add SNAT/masquerade in work configuration (it''s
> OpenVZ hardware node).
None of the core Shorewall developers run OpenVZ or know anything
about it. So if you want to run Shorewall under OpenVZ, you are
pretty much on your own.


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Galia Lisovskaya wrote:
> Hi all,
> 
> I get trobles for add SNAT/masquerade in work configuration (it''s
> OpenVZ hardware node).
> In near future, I want add traffic shaping for VZ containers, and
> physical hosts, and whrite how-to about this.
> 
> it''s 2 external links with NAT:
> 
> eth0      Link encap:Ethernet  HWaddr 00:80:48:48:22:5F
>           inet addr:xxx.xxx.xxx Bcast:255.255.255.255  Mask:255.255.255.0
> 
> eth1      Link encap:Ethernet  HWaddr 00:0C:76:E4:75:14
>           inet addr:10.0.5.10  Bcast:10.0.5.255  Mask:255.255.255.0
> 
> eth1 is intenal and external link (on next hope, is DSL router with ip
10.0.5.1)
Unless the hosts in 10.0.5.1 always access the internet through the DSL
router or through eth0, the SNAT will work. SNAT of 10.0.5.0/24 out of
eth1 WILL NOT WORK.
> 
> ========interfaces============> #ZONE   INTERFACE       BROADCAST      
OPTIONSnet
> loci    eth1             detect
> venet   venet0              -           routeback
> akado   eth0             detect
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> =========================> 
> =========providers============> # Shorewall version 4 - Providers File
>
############################################################################################
> #NAME        NUMBER    MARK   DUPLICATE       INTERFACE       GATEWAY
> #OPTIONS         COPY
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> stream         1       50     main           eth1        10.0.5.1
> track,optional,loose eth1
> kakad         2       51     main            eth0        xx.xx.xx.1
> track,optional,loose,balance
See that ''LAST LINE'' up above -- it means what it says.
> ================> 
> =============masq==============> #INTERFACE       SUBNET           
ADDRESS
> 
> #For external interfaces:
> #eth0             $ETH0_SUBNET      $ETH0_IP
> #eth1             10.0.5.0          10.0.5.10 
The Second entry is silly; as I mention abouve, it won''t work and
10.0.5.0 is the NETWORK ADDRESS for the network.

And what is $ETH0_SUBNET?
> 
> #Masquarding for internal interfaces
> 
> eth0              10.0.5.0/24
> eth1             10.0.5.0/24
> ==========================> 
> ============   route_rules ============> #SOURCE            DEST     
PROVIDER        PRIORITY
> venet0               -        kakad           1000
> 
> 
> =============================> 
> when i add for any provider eth1 for COPY options, all rules for
> container''s does''nt work.
Again -- I don''t think there is anyone here who can help you with that.

And in the future, *please* include the output of ''shorewall
dump'' as an
attachment rather than your configuration files. We really don''t want
to
see your configuration files; the files show us your solution to *some*
problem -- when we look at the files, we have to guess what that problem
is and whether your solution is the correct one. When we see the output
of ''shorewall dump'', we know exactly what your firewall is
doing (except
for the OpenVZ part).


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Shorewall Geek wrote:
> 
> Unless the hosts in 10.0.5.1 always access the internet through the DSL
> router or through eth0, the SNAT will work. SNAT of 10.0.5.0/24 out of
> eth1 WILL NOT WORK.
That should have been ''...hosts in 10.0.5.0/24...''

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

> None of the core Shorewall developers run OpenVZ or know anything
> about it. So if you want to run Shorewall under OpenVZ, you are
> pretty much on your own.
Of cource, but, it''s work on many systems.
In shorewall-wiki is some text''s about Xen and KVM.
I think, VZ is really future technology, and now it''s very populary
technology,
 but free version of this system
not include administrator-frendly utils for make routing.
Now, in OpenVZ (not in Virtuozzoo) write scripts of iptables/ip route/tc
It''s not good ;((

In this mail list i geted support in last time. But, i understand,
it''s free support,
and, If i ask not correct, all readers may does''nt want help.

Now, i make simple work rules for VZ containers, but, doe''snt make
rules for
hardware hosts (with 10.0.5.0/24).
It''s not VZ-specific trobles. It''s only my stupid
> Again -- I don''t think there is anyone here who can help you with
that.
>
> And in the future, *please* include the output of ''shorewall
dump'' as an
> attachment rather than your configuration files. We really don''t
want to
> see your configuration files; the files show us your solution to *some*
> problem -- when we look at the files, we have to guess what that problem
> is and whether your solution is the correct one. When we see the output
> of ''shorewall dump'', we know exactly what your firewall
is doing (except
> for the OpenVZ part).
dump file attached. I edit this dump, using sed command.
my extenal IP deleted, and, inluded symbols: xx.xx.xx
For private e-mail (not public list) i may send not edited dump

I understand it, but, i''m afrade send big of size letters, becouse, i
think,
anybody of readers of this mail-list read it from mobile gadjets with limited
trafic.
> Unless the hosts in 10.0.5.1 always access the internet through the DSL
> router or through eth0, the SNAT will work. SNAT of 10.0.5.0/24 out of
> eth1 WILL NOT WORK.
> That should have been ''...hosts in 10.0.5.0/24...''
Sorry, i don''t understand. SNAT of 10.0.5.0/24 out of eth1 _never_ will
work,
or is over road for get this route?
May be, virtual interface(. i.e. eth1:1, eth1:2)?
> Again -- I don''t think there is anyone here who can help you with
that.
Sorry for my bad english, and, thanks for answer.

-- 
Best regards,
Galia Lisovskaya.
e-mail: inbox@shaggy-cat.ru


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Galia Lisovskaya wrote:
>> None of the core Shorewall developers run OpenVZ or know anything
>> about it. So if you want to run Shorewall under OpenVZ, you are
>> pretty much on your own.
> 
> Of cource, but, it''s work on many systems.
> In shorewall-wiki is some text''s about Xen and KVM.
Yes -- and the Shorewall author himself had to install the software,
learn how it worked, then write the article. He isn''t doing that any
more.
> I think, VZ is really future technology, and now it''s very
populary technology,
>  but free version of this system
> not include administrator-frendly utils for make routing.
> Now, in OpenVZ (not in Virtuozzoo) write scripts of iptables/ip route/tc
> It''s not good ;((
> 
> In this mail list i geted support in last time. But, i understand,
> it''s free support,
> and, If i ask not correct, all readers may does''nt want help.
> 
> Now, i make simple work rules for VZ containers, but, doe''snt make
rules for
> hardware hosts (with 10.0.5.0/24).
> It''s not VZ-specific trobles. It''s only my stupid
> 
>> Again -- I don''t think there is anyone here who can help you
with that.
>>
>> And in the future, *please* include the output of ''shorewall
dump'' as an
>> attachment rather than your configuration files. We really
don''t want to
>> see your configuration files; the files show us your solution to *some*
>> problem -- when we look at the files, we have to guess what that
problem
>> is and whether your solution is the correct one. When we see the output
>> of ''shorewall dump'', we know exactly what your
firewall is doing (except
>> for the OpenVZ part).
> 
> dump file attached. I edit this dump, using sed command.
> my extenal IP deleted, and, inluded symbols: xx.xx.xx
> For private e-mail (not public list) i may send not edited dump
> 
> I understand it, but, i''m afrade send big of size letters,
becouse, i think,
> anybody of readers of this mail-list read it from mobile gadjets with
limited
> trafic.
> 
>> Unless the hosts in 10.0.5.1 always access the internet through the DSL
>> router or through eth0, the SNAT will work. SNAT of 10.0.5.0/24 out of
>> eth1 WILL NOT WORK.
> 
>> That should have been ''...hosts in 10.0.5.0/24...''
> 
> Sorry, i don''t understand. SNAT of 10.0.5.0/24 out of eth1 _never_
will work,
> or is over road for get this route?
> May be, virtual interface(. i.e. eth1:1, eth1:2)?
Actually you could possibly get it to work by adding
''routeback'' to the
eth1 entry in /etc/shorewall/interfaces and by adding an entry for eth1
in /etc/shorewall/masq like the one for eth0:

eth1	10.0.5.0/24	

but it is really too ugly to consider, IMO. I also see that you have
containers with IP addresses in 10.0.7.0/24 -- those don''t need
internet
access?
> 
>> Again -- I don''t think there is anyone here who can help you
with that.
> when i add for any provider eth1 for COPY options, all rules for
> container''s doesn''t work.
''eth1'' is implicitly included in the COPY list for
''stream''; so I assume
that when you add ''eth1'' for the ''akado''
provider then there are problems?

Can you give us an example of what exactly "doesn''t work"?

Even without knowing that, there are serious problems with this setup:

a) It was never intended that the interface to one provider could be
added to the COPY list of another provider. So adding ''eth1''
to the COPY
list of akado isn''t supported.

b) Because of a), it was never intended that a connection could use
multiple connections that have the ''track'' option. So
connections from
the local LAN (10.0.5.0/24) cannot use the akado provider correctly
because they get marked with the mark for ''stream'' (1).



-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/