Michael Johannes
2014-Jul-09 16:28 UTC
Using Shorewall as a gateway EC2 Instance on Ubuntu in AWS: Rule/Policy Problem
I have a question about a secure way to firewall and route traffic from an EC2 instance in AWS. The setup is different from any other Shorewall configuration I have used (OpenWRT, OpenVPN, etc.). In this case there are two subnets in one VPC:

VPC - 10.252.0.0/16
1) Public - 10.252.128.0/17
2) Private - 10.252.0.0/17

I have created an instance in the Public subnet with an elastic IP 54.x.x.100 which is NAT'ed to the eth0 interface on that server:

NAT/GW/VPN Shorewall Server: 10.252.128.200 (1 interface - ETH0)

Traffic flows in and out to the internet without issue. The IGW (internet gateway) on AWS is properly configured. The route tables are correct.

In the private subnet, there is a test Windows server with IP address 10.252.0.10. It is currently configured to use the Shorewall Server as its gateway.

When I configure the Shorewall policy file to use ALL to ALL ACCEPT (I know this is not secure - obviously...) it works. Traffic comes in and out to 10.252.0.10. With Shorewall simply passing packets with no firewalling, everything works as expected. But when I try to secure it, I end up with this error in the log no matter how many rules I try to use:

kernel: [ 5138.802818] Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0

So instead of a typical configuration with an eth1 (loc) and eth0 (net) interface, there is only one 'physical' interface, which is eth0. The masq file looks like this:

#MASQ
eth0 0.0.0.0/0    #--> allow any server to be masq'd as eth0

How can I keep the correct Shorewall policy (all all REJECT info) while using the rules file to allow traffic in/out through the same eth0 interface?
I cannot do the following like I could on a physical server (which would work):

loc net ACCEPT

Mike
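One way to get a loc/net split on a single-interface NAT instance, as an added example that is not from the original post or from the Shorewall project, is to let Shorewall assign zones by address range instead of by interface: the `-` zone entry in `interfaces` with the `routeback` option permits forwarded traffic to leave through the same eth0 it arrived on, and the `hosts` file maps the private subnet to `loc` and everything else to `net`. The addresses are the ones from the post; the SSH rule, the `nosmurfs`/`tcpflags` options, and the assumption that the EC2 source/destination check is disabled on the instance are mine.

```text
# /etc/shorewall/zones  (loc before net: the narrower zone must be listed first,
# because Shorewall generates rules in zone-file order and loc is nested in net)
#ZONE   TYPE
fw      firewall
loc     ipv4
net     ipv4

# /etc/shorewall/interfaces  ('-' = zones are assigned in the hosts file;
# routeback allows traffic to be forwarded back out eth0, the only interface)
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect      routeback,nosmurfs,tcpflags

# /etc/shorewall/hosts  (assumed layout from the post: private subnet is loc,
# everything else reachable through eth0 is net)
#ZONE   HOST(S)                 OPTIONS
loc     eth0:10.252.0.0/17
net     eth0:0.0.0.0/0

# /etc/shorewall/masq  (masquerade only the private subnet, not 0.0.0.0/0,
# so public-subnet and internet sources are never rewritten)
#INTERFACE  SOURCE
eth0        10.252.0.0/17

# /etc/shorewall/policy  (default deny; unsolicited net->loc is dropped and logged,
# anything not covered above is rejected and logged, as in the original policy)
#SOURCE DEST    POLICY  LOG_LEVEL
loc     net     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  (example only: admin SSH to the gateway itself from net)
#ACTION         SOURCE  DEST    PROTO   DPORT
SSH(ACCEPT)     net     $FW

# Assumption outside Shorewall: the EC2 "source/destination check" must be
# disabled on this instance, or AWS discards packets it forwards for 10.252.0.10.
```

With this layout a packet from 10.252.0.10 to the internet matches the loc->net policy and is masqueraded to the elastic IP, while a new connection arriving from the internet for the private subnet hits net->all DROP and is logged rather than rejected with the ambiguous IN=eth0 OUT=eth0 message.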