Troy Telford
2011-Sep-05 04:57 UTC
XEN (routed Dom0) and domu - VM's can't talk to each other.
I've set up something similar to http://www.shorewall.net/XenMyWay-Routed.html

Shorewall runs on the Dom0 host, and the VM's are in my DMZ.

As far as I can tell, Shorewall is working as I'd expect, with one exception: I can't get the DomU machines to connect to each other.

I see the following in dmesg/kern.log:

    Sep 4 22:20:41 pilot kernel: [427181.381412] Shorewall:sfilter1:DROP:IN=eth3 OUT=eth4 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:7f:a0:b9:08:00 SRC=192.168.2.2 DST=192.168.2.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10893 SEQ=2

The thing that's stumping me is the "sfilter" - I don't have anything named that in my shorewall config - it's not a typical zone2zone message, nor does it seem to be coming from the rules.

I get a log message similar to the above message anytime I try to connect from one DomU to the other (within the same zone - the DMZ).

My config is below.

My Zones:

    fw    firewall
    net   ipv4        # Raw Internet (Cable Modem)
    gige  ipv4        # Gigabit Ethernet on the Home Network.
    dmz   ipv4        # DMZ

Interfaces:

    gige  eth0  detect  dhcp      # Internal network; 192.168.1.1
    net   eth1  detect  dhcp      # Raw internet.
    dmz   eth2  detect  dhcp      # DMZ; 192.168.2.1
    # eth[3,4] are mapped to Xen DomU vif's
    dmz   eth3  detect  optional  # 192.168.2.2
    dmz   eth4  detect  optional  # 192.168.2.3

Masq:

    eth1  192.168.1.0/24,\
          192.168.2.0/24

Policy (the only entries that affect the DMZ zone):

    dmz   net   ACCEPT
    all   all   DROP

Proxyarp:

    192.168.2.2  eth3  eth2  yes
    192.168.2.3  eth4  eth2  yes

Rules (again, only ones that affect the DMZ zone):

    dropNotSyn  net               dmz               tcp
    # Debian apt-cacher-ng
    ACCEPT      dmz:192.168.2.2   $FW               tcp  3142
    ACCEPT      dmz:192.168.2.3   $FW               tcp  3142
    # ZNC IRC Bouncer
    DNAT:info   net               dmz:192.168.2.3   tcp  6667
    DNAT:info   net               dmz:192.168.2.3   udp  6667
    DNAT        gige              dmz:192.168.2.3   tcp  6667
    DNAT        gige              dmz:192.168.2.3   udp  6667
    # SSH
    ACCEPT      $FW               dmz               tcp  ssh
    ACCEPT      gige              dmz               tcp  ssh

I'd appreciate knowing what I've not configured properly - as I've said - I seem to have the firewall working as I'd expect with the exception of DMZ->DMZ communication between Xen DomU's.

-- 
Troy Telford
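The log line quoted in the post has the standard Shorewall shape `Shorewall:<chain>:<disposition>:<netfilter fields>`, and the first thing to establish when one of these is puzzling is whether the chain is a `<zone>2<zone>` chain generated from your policies and rules, or some other chain Shorewall built internally, and which zones the packet actually crossed according to IN= and OUT=. As an added example (not code from the post, the Shorewall project, or the list), the Python below parses such lines, keeps the IP-header and protocol fields apart so the two `ID=` values do not collide, and maps interfaces back to zones using the interfaces table from the post. The interface-to-zone table is copied from the post; the first sample line is the quoted one, the other two are constructed for illustration; treating an empty IN= or OUT= as the firewall itself (locally generated or locally delivered traffic) is standard netfilter logging behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Interface -> zone mapping taken from the /etc/shorewall/interfaces shown in the post.
INTERFACE_ZONES: Dict[str, str] = {
    "eth0": "gige",
    "eth1": "net",
    "eth2": "dmz",
    "eth3": "dmz",   # Xen DomU vif, 192.168.2.2
    "eth4": "dmz",   # Xen DomU vif, 192.168.2.3
}

# Constructed sample input. Line 1 is the line quoted in the post; lines 2 and 3
# are made up here to show a zone-pair chain and a packet addressed to the firewall.
SAMPLE_LOG = """\
Sep 4 22:20:41 pilot kernel: [427181.381412] Shorewall:sfilter1:DROP:IN=eth3 OUT=eth4 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:7f:a0:b9:08:00 SRC=192.168.2.2 DST=192.168.2.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10893 SEQ=2
Sep 4 22:21:03 pilot kernel: [427203.112233] Shorewall:net2dmz:DROP:IN=eth1 OUT=eth4 MAC=00:16:3e:7f:a0:b9:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Sep 4 22:21:07 pilot kernel: [427207.445566] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:16:3e:7f:a0:b9:00:11:22:33:44:55:08:00 SRC=198.51.100.4 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by netfilter's key=value fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$")
# Chains built from policies/rules are named <zone>2<zone>, e.g. net2fw, dmz2net.
ZONE_PAIR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*?)2([A-Za-z][A-Za-z0-9_]*)$")


@dataclass
class LogEntry:
    chain: str
    disposition: str
    in_if: str
    out_if: str
    ip: Dict[str, str] = field(default_factory=dict)   # fields before PROTO=
    l4: Dict[str, str] = field(default_factory=dict)   # PROTO= and everything after it
    flags: Set[str] = field(default_factory=set)       # bare tokens such as DF, SYN, ACK


def parse_shorewall_log(line: str) -> Optional[LogEntry]:
    """Parse one kernel log line; return None if it is not a Shorewall log message."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    ip: Dict[str, str] = {}
    l4: Dict[str, str] = {}
    flags: Set[str] = set()
    target = ip
    for tok in m.group("rest").split():
        key, sep, value = tok.partition("=")
        if not sep:
            flags.add(key)          # flag without a value (DF, SYN, ...)
            continue
        if key == "PROTO":
            target = l4             # from here on the fields belong to the L4 header
        target[key] = value         # so the IP ID and the ICMP/TCP ID do not overwrite each other
    return LogEntry(m.group("chain"), m.group("disposition"),
                    ip.get("IN", ""), ip.get("OUT", ""), ip, l4, flags)


def chain_kind(chain: str) -> Tuple[str, Optional[Tuple[str, str]]]:
    """Classify a chain name: ('zone-pair', (src, dst)) or ('internal', None)."""
    m = ZONE_PAIR_RE.match(chain)
    if m:
        return "zone-pair", (m.group(1), m.group(2))
    return "internal", None


def traversal_zones(entry: LogEntry, iface_zones: Dict[str, str]) -> Tuple[str, str]:
    """Zones the packet crossed, derived from IN=/OUT=. Empty IN= means locally
    generated, empty OUT= means addressed to the firewall host itself."""
    src = "fw" if entry.in_if == "" else iface_zones.get(entry.in_if, "unknown")
    dst = "fw" if entry.out_if == "" else iface_zones.get(entry.out_if, "unknown")
    return src, dst


def summarize(line: str, iface_zones: Dict[str, str]) -> Optional[Dict[str, object]]:
    """One-line triage record: which chain, whether it is a policy/rules chain, and
    whether the path was intra-zone (same zone on IN= and OUT=)."""
    entry = parse_shorewall_log(line)
    if entry is None:
        return None
    kind, chain_zones = chain_kind(entry.chain)
    path = traversal_zones(entry, iface_zones)
    return {
        "chain": entry.chain,
        "disposition": entry.disposition,
        "zone_pair_chain": kind == "zone-pair",
        "chain_zones": chain_zones,
        "path_zones": path,
        "intra_zone": path[0] == path[1],
        "proto": entry.l4.get("PROTO"),
        "src": entry.ip.get("SRC"),
        "dst": entry.ip.get("DST"),
        "dpt": entry.l4.get("DPT"),
    }


def report(lines: List[str], iface_zones: Dict[str, str]) -> List[Dict[str, object]]:
    """Summaries for every Shorewall line in the input, skipping unrelated kernel messages."""
    out = []
    for line in lines:
        s = summarize(line, iface_zones)
        if s is not None:
            out.append(s)
    return out


if __name__ == "__main__":
    for rec in report(SAMPLE_LOG.splitlines(), INTERFACE_ZONES):
        print(rec)
```

Run against the quoted line, the record shows `chain="sfilter1"`, `zone_pair_chain=False` and `path_zones=("dmz", "dmz")`: the drop is intra-zone and did not come from a `<zone>2<zone>` chain, which is exactly the combination the post describes.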
Tom Eastep
2011-Sep-05 13:12 UTC
Re: XEN (routed Dom0) and domu - VM's can't talk to each other.
On Sun, 2011-09-04 at 22:57 -0600, Troy Telford wrote:
> I've set up something similar to http://www.shorewall.net/XenMyWay-Routed.html
> 
> Shorewall runs on the Dom0 host, and the VM's are in my DMZ.
> 
> As far as I can tell, Shorewall is working as I'd expect, with one
> exception: I can't get the DomU machines to connect to each other.
> 
> I see the following in dmesg/kern.log
> 
> Sep 4 22:20:41 pilot kernel: [427181.381412]
> Shorewall:sfilter1:DROP:IN=eth3 OUT=eth4
> MAC=fe:ff:ff:ff:ff:ff:00:16:3e:7f:a0:b9:08:00 SRC=192.168.2.2
> DST=192.168.2.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=10893 SEQ=2
> 
> The thing that's stumping me is the "sfilter" - I don't have anything
> named that in my shorewall config - it's not a typical zone2zone
> message, nor does it seem to be coming from the rules.
> 

This is actually a bug in the compiler's rule promotion logic. You can work around it by specifying 'routefilter' on eth3 and eth4 in /etc/shorewall/interfaces.

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________