I've been tearing my hair out on this one for the last couple of days. I even switched from CentOS on the physical server to Debian, just to see if it would make a difference, but it didn't.

First of all, I'll describe my setup: I have one Dell server, running Debian 6 with only one network port connected to my test LAN (eth0), and two test containers, also running Debian 6. On those containers I have installed Shorewall 4.4.11.6 from the Debian repositories and configured it as described in the attached files. The physical server doesn't have Shorewall installed. This is a clean install; the only modifications I made from the base install were installing the OpenVZ kernel and userland utilities. I have tested these same configuration files on a VMware virtual machine and it worked without any problems.

Now for the problem: Whenever I enable Shorewall (shorewall safe-start or boot), it allows SSH and MySQL from the LAN, but it's impossible to access anything from within the container to the outside world. Simply disabling Shorewall, or setting ACCEPT in the net section of /etc/shorewall/policy, resolves the problem. I have tested this by using ping and SSH to the IP addresses of other machines on the LAN, the other OpenVZ container and the physical server.

I've attached all relevant configuration files I could find and I appreciate any assistance you could give me with this.

Martin.
On Tue, 2011-06-21 at 19:37 +0100, Martin wrote:
> I've attached all relevant configuration files I could find and I
> appreciate any assistance you could give me with this.

I looked at this exact same problem with another user recently. The problem is that the OpenVZ kernel is mis-categorizing incoming packets. Look at this:

    Chain net2fw (1 references)
     pkts bytes target     prot opt in     out     source               destination
      585 45057 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
      585 45057 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
        9   790 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Not one packet has matched the 'ctstate RELATED,ESTABLISHED' rule. Incoming SSH works, but all outgoing connections fail because the response packets are dropped.

I took a quick look at the Debian Bugtrack system and didn't see any reports against the kernel package you are using, but I would have thought that the user I tried to help earlier would have filed a report, so you might want to poke around there.

Sorry for the bad news,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
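The counter pattern Tom points at above (zero packets on the RELATED,ESTABLISHED rule while later rules and the Drop chain have hits) is easy to check mechanically on any Shorewall chain. The script below is an added example by the editor of this page, not code from the thread or from Shorewall: it reads an `iptables -vnxL <chain>` dump on stdin and returns a distinct exit code for "conntrack is tracking replies", "state rule never fires", "no state rule in this chain" and "no traffic yet". The two chain dumps embedded in it are constructed samples (the first reproduces the counters quoted in Tom's message, the second is what a healthy chain looks like); the function name `ctstate_check` is the editor's choice.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or from Shorewall).
# Checks an iptables chain dump for the symptom described in the thread:
# the ctstate RELATED,ESTABLISHED rule counts zero packets while other rules
# in the chain are being hit, i.e. the kernel is not tracking connections
# for this container and every reply packet falls through to Drop.
#
# Usage (inside the container, as root):
#     iptables -vnxL net2fw | ctstate_check
# The -x flag keeps counters as exact integers instead of "45K"/"1M".

# Constructed sample reproducing the counters quoted in Tom's message.
SAMPLE_BROKEN='Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  585 45057 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  585 45057 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    9   790 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample of a healthy chain: the state rule absorbs reply traffic,
# so only new connections reach the per-port ACCEPT rules and the Drop chain.
SAMPLE_OK='Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  585 45057 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
  540 41200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   40  2400 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    5   400 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Reads one chain dump on stdin. Exit codes:
#   0  the RELATED,ESTABLISHED rule is counting packets: conntrack is alive
#   1  state rule has 0 packets while other rules have hits: suspect broken
#      conntrack (the failure mode described in the thread)
#   2  the chain has no RELATED,ESTABLISHED rule at all
#   3  every counter is zero: no traffic has traversed the chain yet
ctstate_check() {
    awk '
        # Rule lines start with an integer packet count; header lines do not.
        /RELATED,ESTABLISHED/ && $1 ~ /^[0-9]+$/ { found = 1; state_pkts += $1; next }
        $1 ~ /^[0-9]+$/                        { other_pkts += $1 }
        END {
            if (!found) {
                print "no RELATED,ESTABLISHED rule in this chain"
                exit 2
            }
            if (state_pkts == 0 && other_pkts == 0) {
                print "all counters are zero: no traffic yet, inconclusive"
                exit 3
            }
            if (state_pkts == 0) {
                print "state rule never matched while " other_pkts \
                      " packets hit other rules: conntrack is not tracking this chain"
                exit 1
            }
            print "state rule matched " state_pkts " packets: conntrack is working"
            exit 0
        }
    '
}

# Demo on the two constructed samples; each prints one diagnostic line.
printf '%s\n' "$SAMPLE_BROKEN" | ctstate_check || true
printf '%s\n' "$SAMPLE_OK"     | ctstate_check || true
```

Run it once from the container after generating some outbound traffic (a failed `ssh` or `ping` to another LAN host is enough); if it reports exit code 1 on `net2fw` while the same chain on a non-OpenVZ host reports 0, the firewall configuration is not the problem and the kernel's connection tracking is.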
On 06/21/2011 08:39 PM, Tom Eastep wrote:
> I took a quick look at the Debian Bugtrack system and didn't see any
> reports against the kernel package you are using but I would have
> thought that the user I tried to help earlier would have filed a report
> so you might want to poke around there.

Thanks for the info. I guess I'm happy that at least I didn't miss something silly, after so much trying. I've filed a bug report with Debian (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631234), but I'm wondering now if this is not an upstream issue, since I got the exact same issue with CentOS.

Anyway, I'll post an update once I have one, and thanks again.