I have a server configured with one main IP with default gw and a sub-net as additional IP.

I have created an OpenVZ container configuration with a bridge; attached is a diagram where you can understand the configuration:

This configuration has:
* main IP as br0 ip and route
* the first IP of the sub-net at br0:0 (as gw for containers)
* OpenVZ special interfaces vethXX.0
  (attached to bridge, one for each container)

And now I wish to configure shorewall ;)

I followed this document:
http://www.shorewall.net/2.0/bridge.html
but I have Shorewall 4.0.14.2

shorewall.conf
    BRIDGING=Yes

zones
    fw      firewall
    net     ipv4
    loc     ipv4

policy
    fw      net     ACCEPT
    loc     net     ACCEPT
    net     fw      DROP      info
    net     all     DROP      info
    all     all     REJECT    info

interfaces
    -       br0     70.12.10.191

rules
    HTTP/ACCEPT     net     loc

hosts
    net     br0:eth0
    loc     br0:veth101.0
    loc     br0:veth102.0
    ...
    loc     br0:beth105.0

shorewall check:
    Shorewall configuration verified

but shorewall start:
    Applying Policies...
    Activating Rules...
    iptables: Invalid argument
    ERROR: Command "/sbin/iptables -A OUTPUT -o br0 -j br0_out" Failed
    IP Forwarding Enabled
    Terminated

Can you provide me a tip how I can configure shorewall for this bridged configuration of OpenVZ containers?

Thank you.

Rodolfo Pilas
Rodolfo Pilas wrote:
> I have a server configured with one main IP with default gw and a sub-net
> as additional IP.
>
> I have created an OpenVZ container configuration with a bridge; attached
> is a diagram where you can understand the configuration:
>
> This configuration has:
> * main IP as br0 ip and route
> * the first IP of the sub-net at br0:0 (as gw for containers)
> * OpenVZ special interfaces vethXX.0
>   (attached to bridge, one for each container)
>
> And now I wish to configure shorewall ;)
>
> I followed this document:
> http://www.shorewall.net/2.0/bridge.html
> but I have Shorewall 4.0.14.2

Which will never work! To configure a bridge/firewall when using kernel 2.6.20 or later, you must use other techniques. This is spelled out in large bold letters on the Shorewall home page: http://www.shorewall.net#Notice1
Shorewall Geek wrote:
> Rodolfo Pilas wrote:
>> And now I wish to configure shorewall ;)
>>
>> I followed this document:
>> http://www.shorewall.net/2.0/bridge.html
>> but I have Shorewall 4.0.14.2
>
> Which will never work! To configure a bridge/firewall when using kernel
> 2.6.20 or later, you must use other techniques. This is spelled out in
> large bold letters on the Shorewall home page:
> http://www.shorewall.net#Notice1

Thanks! It works perfectly with:
http://www.shorewall.net/3.0/NewBridge.html

    for i in $(seq 1 1000); do echo "I need to read first page first!"; done

Rodolfo