Shorewall users - Jun 2011 - kvm with bridged and vlan interface

Hello Tom
Hello dear shorewall users.
Could some one help me to configure shorewall to satisfy the following
scenario:
I''ve got ubuntu 10.04LTS server with eth0 and eth1 network interfaces
acting
as KVM virt machines host.
Here''s the "interfaces"

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet manual

#LAN iface
auto br0
iface br0 inet static
address 192.168.0.6
netmask 255.255.255.0
bridge_ports eth0
bridge_stp off
bridge_fd 0
bridge_maxwait 0
metric 0

# WAN iface 1
#auto eth1.7
iface eth1.7 inet manual
vlan_raw_device eth1

auto br1-vlan7
iface br1-vlan7 inet static
address 192.168.162.2
netmask 255.255.255.248
gateway 192.168.162.1
bridge_ports eth1.7
bridge_stp off
bridge_fd 0
bridge_maxwait 0
metric 1

# WAN iface 2
iface eth1.23 inet manual
vlan_raw_device eth1

auto br1-vlan23
iface br1-vlan23 inet static
address 192.168.163.234
netmask 255.255.255.240
gateway 192.168.163.233
bridge_ports eth1.23
bridge_stp off
bridge_fd 0
bridge_maxwait 0
metric 2

# WAN iface 3 DNS
iface eth1.445 inet manual
vlan_raw_device eth1

auto br1-vlan445
iface br1-vlan445 inet manual
bridge_ports eth1.445
bridge_stp on
bridge_fd 1
bridge_maxwait 0
metric 0

There are 3 virtual machines are running on the server currently...

br0 is in LAN and act as virt-manager only (should be accessible from LAN
only)
br1-vlan7 connects to the ISP1
br1-vlan23 to the ISP2
br1-vlan445 bridges vlan 445 to the virtual machine interface with ip
192.168.162.162

here''s what  IP ADDR  gives:
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP qlen 1000
    link/ether 00:30:48:57:e7:42 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::230:48ff:fe57:e742/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast
state UP qlen 1000
    link/ether 00:30:48:57:e7:43 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::230:48ff:fe57:e743/64 scope link
       valid_lft forever preferred_lft forever
4: br1-vlan7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
state
UNKNOWN
    link/ether 00:30:48:57:e7:43 brd ff:ff:ff:ff:ff:ff
    inet 192.168.162.2/29 brd 192.168.162.7 scope global br1-vlan7
    inet6 fe80::230:48ff:fe57:e743/64 scope link
       valid_lft forever preferred_lft forever
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
UNKNOWN
    link/ether 00:30:48:57:e7:42 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.6/24 brd 192.168.0.255 scope global br0
    inet6 fe80::230:48ff:fe57:e742/64 scope link
       valid_lft forever preferred_lft forever
6: eth1.7@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
state UP
    link/ether 00:30:48:57:e7:43 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::230:48ff:fe57:e743/64 scope link
       valid_lft forever preferred_lft forever
7: br1-vlan23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
state UNKNOWN
    link/ether 00:30:48:57:e7:43 brd ff:ff:ff:ff:ff:ff
    inet 192.168.163.234/28 brd 192.168.163.239 scope global br1-vlan23
    inet6 fe80::230:48ff:fe57:e743/64 scope link
       valid_lft forever preferred_lft forever
8: eth1.23@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
state UP
    link/ether 00:30:48:57:e7:43 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::230:48ff:fe57:e743/64 scope link
       valid_lft forever preferred_lft forever
9: br1-vlan445: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
state UNKNOWN
    link/ether 00:30:48:57:e7:43 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::230:48ff:fe57:e743/64 scope link
       valid_lft forever preferred_lft forever
10: eth1.445@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
noqueue
state UP
    link/ether 00:30:48:57:e7:43 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::230:48ff:fe57:e743/64 scope link
       valid_lft forever preferred_lft forever
11: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state
UNKNOWN qlen 500
    link/ether fe:54:00:ed:51:ae brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:feed:51ae/64 scope link
       valid_lft forever preferred_lft forever
12: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state
UNKNOWN qlen 500
    link/ether fe:54:00:b4:07:13 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:feb4:713/64 scope link
       valid_lft forever preferred_lft forever
16: vnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state
UNKNOWN qlen 500
    link/ether fe:54:00:79:09:c2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe79:9c2/64 scope link
       valid_lft forever preferred_lft forever
17: vnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state
UNKNOWN qlen 500
    link/ether fe:54:00:c5:cb:88 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fec5:cb88/64 scope link
       valid_lft forever preferred_lft forever


I wonder if it''s possible to use shorewall in the following scenario ?
Gurus please help !!!


------------------------------------------------------------------------------
EditLive Enterprise is the world''s most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev

On 6/12/11 8:53 AM, Юрий Миронов wrote:
> 
> I wonder if it''s possible to use shorewall in the following
scenario ?
Don''t see any reason why you can''t, although I wonder why you
have all
of those one-port bridges.

If you have specific configuration questions, we can answer them.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
EditLive Enterprise is the world''s most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev

Because I need all those vms to be directly connected to the network
(bridged), share the same address space, be in the same broadcast domains.
As far as I know there is no other way to do it.

2011/6/13 Tom Eastep <teastep@shorewall.net>
> On 6/12/11 8:53 AM, Юрий Миронов wrote:
>
> >
> > I wonder if it''s possible to use shorewall in the following
scenario ?
>
> Don''t see any reason why you can''t, although I wonder why
you have all
> of those one-port bridges.
>
> If you have specific configuration questions, we can answer them.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
>
------------------------------------------------------------------------------
> EditLive Enterprise is the world''s most technically advanced
content
> authoring tool. Experience the power of Track Changes, Inline Image
> Editing and ensure content is compliant with Accessibility Checking.
> http://p.sf.net/sfu/ephox-dev2dev
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>

------------------------------------------------------------------------------
EditLive Enterprise is the world''s most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev

On Mon, 2011-06-13 at 09:17 +0400, Юрий Миронов wrote:
> Because I need all those vms to be directly connected to the network
> (bridged), share the same address space, be in the same broadcast
> domains. 
> As far as I know there is no other way to do it. 
You are going to have VMs connected to every bridge?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
EditLive Enterprise is the world''s most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev

yes.
VMs are:
1 - winxp with 2 virtual network interfaces one uses br1-vlan7, another one
uses br0
2 - ubuntuvm with 2 virtual network interfaces one uses br0, another
br1-vlan23

cat /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge,routeback
world br1-vlan7 - bridge,routeback
world br1-vlan23 - bridge,routeback
net1 br1-vlan7:vnet0
net2 br1-vlan23:vnet3
loc1 br0:vnet1
loc2 br0:vnet2

cat /etc/shorewall/zones
fw firewall
world ipv4
loc1:world bport
net1:world bport
loc2:world bport
net2:world bport

Am I right with such config ?

shorewall check shows no errors, shorewall starts with no problem but after
logining to winxp and pinging some hosts through br1-vlan7 networking of KVM
goes down. The only thing left to do is restarting of the host

2011/6/13 Tom Eastep <teastep@shorewall.net>
> On Mon, 2011-06-13 at 09:17 +0400, Юрий Миронов wrote:
> > Because I need all those vms to be directly connected to the network
> > (bridged), share the same address space, be in the same broadcast
> > domains.
> > As far as I know there is no other way to do it.
>
> You are going to have VMs connected to every bridge?
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
>
------------------------------------------------------------------------------
> EditLive Enterprise is the world''s most technically advanced
content
> authoring tool. Experience the power of Track Changes, Inline Image
> Editing and ensure content is compliant with Accessibility Checking.
> http://p.sf.net/sfu/ephox-dev2dev
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>

------------------------------------------------------------------------------
EditLive Enterprise is the world''s most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev

On 6/13/11 10:44 AM, Юрий Миронов wrote:
> 
> yes.
> VMs are:
> 1 - winxp with 2 virtual network interfaces one uses br1-vlan7, another
> one uses br0
> 2 - ubuntuvm with 2 virtual network interfaces one uses br0, another
> br1-vlan23
> 
> cat /etc/shorewall/interfaces
> #ZONEINTERFACEBROADCASTOPTIONS
> worldbr0-bridge,routeback
> worldbr1-vlan7-bridge,routeback
> worldbr1-vlan23-bridge,routeback
> net1br1-vlan7:vnet0
> net2br1-vlan23:vnet3
> loc1br0:vnet1
> loc2br0:vnet2
> 
> cat /etc/shorewall/zones
> fwfirewall
> worldipv4
> loc1:worldbport
> net1:worldbport
> loc2:worldbport
> net2:worldbport
> 
> Am I right with such config ?
We can''t possibly tell you that.
> 
> shorewall check shows no errors, shorewall starts with no problem but
> after logining to winxp and pinging some hosts through br1-vlan7
> networking of KVM goes down. The only thing left to do is restarting of
> the host
Have you tried ''shorewall clear''?

We will have to see the output of ''shorewall dump'' (as a
compressed
attachment) before we can provide any concrete guidance.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
EditLive Enterprise is the world''s most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev