Hi All,

running OpenVZ on a server I manage, and having a problem connecting between the containers when the policy is set to all all REJECT.

Error in the logs:

May 26 11:55:10 fluffy kernel: [3790273.435404] Shorewall:FORWARD:REJECT:IN=venet0 OUT=venet0 SRC=xxx.xxx.11.119 DST=xxx.xxx.11.152 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6459 DF PROTO=TCP SPT=58720 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

policy:
all all REJECT info

rules:
# SSH is allowed everywhere
ACCEPT all all tcp 22

ACCEPT vz vz tcp 22

(that last line was from desperation)

interfaces:
lan br0 detect
lan eth0 detect
vz venet0 detect
stor bond0 detect

Anyone see why I am getting the error forwarding between containers? If I change the policy to all all ACCEPT, it works fine. If I change it to reject, I get this error. But why doesn't the rule allow it at all?

thanks
Dave
On 5/26/10 12:50 AM, Dave Kempe wrote:
>
> Error in the logs:
> May 26 11:55:10 fluffy kernel: [3790273.435404]
> Shorewall:FORWARD:REJECT:IN=venet0 OUT=venet0 SRC=xxx.xxx.11.119
> DST=xxx.xxx.11.152 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6459 DF PROTO=TCP
> SPT=58720 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>
> policy:
> all all REJECT info
>
> rules:
> # SSH is allowed everywhere
> ACCEPT all all tcp 22
>
> ACCEPT vz vz tcp 22
>
> (that last line was from desperation)
> interfaces:
> lan br0 detect
> lan eth0 detect
> vz venet0 detect
> stor bond0 detect
>
> Anyone see why I am getting the error forwarding between containers? If I
> change the policy to all all ACCEPT, it works fine. If I change it to
> reject, I get this error. But why doesn't the rule allow it at all?

This issue is addressed by both Shorewall FAQ 17. The main thing you are missing is the 'routeback' option on the bridge in /etc/shorewall/interfaces. This is a requirement for any bridge to work properly. Note that the most recent Shorewall release will attempt to autodetect bridges and set the 'routeback' option automatically.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 5/26/10 6:50 AM, Tom Eastep wrote:
> On 5/26/10 12:50 AM, Dave Kempe wrote:
>
> This issue is addressed by both Shorewall FAQ 17.

I started out to say that it is addressed by both FAQ 17 and the Shorewall OpenVZ documentation (http://www.shorewall.net/OpenVZ.html). The latter shows the 'routeback' option on the container interfaces, whether using venet0 or a bridge.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
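An added check for the fix Tom describes (example code, not from the thread or the Shorewall project): it scans an interfaces file in the four-column form Dave posted, reports OpenVZ and bridge interfaces without the 'routeback' option, and prints a corrected copy. The venet*/veth*/br* name prefixes and the routeback=1 spelling are assumptions; the sample file is constructed from Dave's interfaces entries.

```shell
#!/bin/sh
# Added example: check a Shorewall 'interfaces' file (4-column form:
# ZONE INTERFACE BROADCAST OPTIONS) for container and bridge interfaces
# lacking 'routeback', which traffic entering and leaving on the same
# interface (venet0 -> venet0 in the log above) needs, then emit a fixed copy.

# Print venet*/veth*/br* interfaces whose OPTIONS column has no routeback
# (prefixes are an assumption; newer releases also accept routeback=1).
# Reads the file named in $1, or stdin when no argument is given.
missing_routeback() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            iface = $2
            opts  = (NF >= 4) ? $4 : ""
            if (iface ~ /^(venet|veth|br)/ && opts !~ /(^|,)routeback(=1)?(,|$)/)
                print iface
        }' "${1:--}"
}

# Print the file with routeback appended to the OPTIONS of every interface
# that missing_routeback would report; all other lines pass through unchanged.
add_routeback() {
    awk '
        /^[[:space:]]*(#|$)/ { print; next }
        $2 ~ /^(venet|veth|br)/ && $4 !~ /(^|,)routeback(=1)?(,|$)/ {
            if (NF >= 4) $4 = $4 ",routeback"; else $4 = "routeback"
            print $1 "\t" $2 "\t" $3 "\t" $4
            next
        }
        { print }' "${1:--}"
}

# Constructed sample: the interfaces entries from the original post.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
lan     br0         detect
lan     eth0        detect
vz      venet0      detect
stor    bond0       detect
EOF

echo "Interfaces without routeback:"
missing_routeback "$sample"        # br0 and venet0
echo
echo "Corrected file:"
add_routeback "$sample"
```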
thanks Tom! as always, great support for a great product.

On 27 May 2010 00:32, Tom Eastep <teastep@shorewall.net> wrote:
>
> I started out to say that it is addressed by both FAQ 17 and by the
> Shorewall OpenVZ documentation (http://www.shorewall.net/OpenVZ.html).
> The later shows the 'routeback' option on the container interfaces,
> whether using venet0 or a bridge.
>