[Users] Re: Netfilter connection tracking not working in VE?

Frederik freggy at gmail.com
Thu Mar 6 06:43:27 EST 2008


On Thu, 06 Mar 2008 12:21:03 +0100, MailingListe wrote:

>> As you can see in the shorewall show output, no packets matched the
>> RELATED,ESTABLISHED rule in the net2fw rule, but instead packets are
>> matched by the fallback rule forwarding them to the Drop chain, and
>> they eventually seem to be dropped in the DropInvalid chain because of
>> state INVALID.
 
> The available features of iptables depend on the kernel modules loaded.
> By default it is not possible to load additional kernel modules on
> demand inside the VE. Older kernels even need to enable firewall inside
> the VE to get it work but i don't know for which version this have
> changed. So double check if the necessary modules are loaded at startup

I think shorewall checks this at start-up, and AFAIK this looks good.

>From /var/log/shorewall-init.log on VE:
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Not available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Physdev-is-bridged Support: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Not available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available
   NFQUEUE Target: Available


> and if the kernel log /proc/kmesg is available inside the VE.

It exists:
# ls -lh /proc/kmsg 
-r-------- 1 root root 0 Mar  6 12:28 /proc/kmsg

klogd is started, but I cannot find anything in the logs when nmapping 
the host.

Actually now I found out why looking at the shorewall show output after 
nampping: when the firewall is enabled, all packets which are correctly 
dropped, are not dropped (and hence logged) because of my shorewall 
policy, but because they end up matching the state INVALID rule, which 
drops without logging. So this is actually exactly the same problem as 
above.

-- 
Frederik



More information about the Users mailing list