[Users] OpenVZ & shorewall. Didn't work: acl based on ip range.
Galia Lisovskaya
mail-lists4shaggy_cat at shaggy-cat.ru
Sat Nov 1 09:32:25 EDT 2008
Hello all,
It's my first letter on this list, and my English is not very good.
Please be indulgent with me
about grammar/syntax and other errors :))
It's a cross-post (I also sent the letter to the shorewall mailing list).
I have trouble with ACLs for an IP range. But an ACL for one host (with an IP
address) works fine.
Please help me make the ACL work / find the error in the ACL.
Because I'm a new shorewall user, and not a guru in VZ technology,
I made a test configuration on a virtual machine (VirtualBox) with a bridged network.
The production OVZ server works with iptables, and I'm afraid to destroy a working
configuration.
It works, but not well. I want to simply create new subnetworks, a DMZ and others.
===========Scheme======================
Host system (simple Fedora 8 desktop with a network bridge and
VirtualBox) ---> Guest system with openvz kernel ---> some Virtual
Private Servers.
I think you may forget about VirtualBox, but you need to remember about
OpenVZ. Hardware hosts in the LAN see the virtual OpenVZ, because it uses
a bridge
with the host system, and the VPS servers are seen also. All works if shorewall
on the virtual OpenVZ is disabled.
-------------------Host-system:--------------------------
[shaggycat at desktop ~]$ cat /etc/redhat-release
Fedora release 8 (Werewolf)
[shaggycat at desktop ~]$ uname -a
Linux desktop.loc 2.6.26.5-28.fc8 #1 SMP Sat Sep 20 09:12:30 EDT 2008
x86_64 x86_64 x86_64 GNU/Linux
[shaggycat at desktop ~]$ ifconfig
br0 Link encap:Ethernet HWaddr **************
inet addr:10.0.5.2 Bcast:10.0.5.255 Mask:255.255.255.0
inet6 addr: fe80::211:d8ff:fe91:a3da/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1246145 errors:0 dropped:0 overruns:0 frame:0
TX packets:1563590 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:975442995 (930.2 MiB) TX bytes:1051074268 (1002.3 MiB)
eth0 Link encap:Ethernet HWaddr ********
inet6 addr: fe80::211:d8ff:fe91:a3da/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1246044 errors:0 dropped:0 overruns:0 frame:0
TX packets:1563463 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:998007741 (951.7 MiB) TX bytes:1057556364 (1008.5 MiB)
Interrupt:17
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1353 errors:0 dropped:0 overruns:0 frame:0
TX packets:1353 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2680004 (2.5 MiB) TX bytes:2680004 (2.5 MiB)
vbox0 Link encap:Ethernet HWaddr 00:FF:9E:34:22:E5
inet6 addr: fe80::2ff:9eff:fe34:22e5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:5161 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
vbox1 Link encap:Ethernet HWaddr 00:FF:EE:80:DA:5C
inet6 addr: fe80::2ff:eeff:fe80:da5c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:119 errors:0 dropped:0 overruns:0 frame:0
TX packets:142 errors:0 dropped:5142 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:15192 (14.8 KiB) TX bytes:12786 (12.4 KiB)
virbr0 Link encap:Ethernet HWaddr B2:12:B1:BF:97:CB
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::b012:b1ff:febf:97cb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:4855 (4.7 KiB)
-------------------end of Host-system:--------------------------
-----------------------VirtualBOX with host
system:-------------------------------------
[shaggycat at desktop ~]$ rpm -qa | grep Virtual
VirtualBox-2.0.2_36488_fedora8-1
-----------------------end of VirtualBOX with host
system:-------------------------------
------------------------------ Guest system with
ovz-kernel------------------------------
[root at localhost ~]# cat /etc/redhat-release
CentOS release 5.2 (Final)
[root at localhost ~]# uname -a
Linux localhost.localdomain 2.6.18-92.1.13.el5.028stab059.3 #1 SMP Wed
Oct 15 17:48:55 MSD 2008 i686 athlon i386 GNU/Linux
[root at localhost ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:89:FF:82
inet addr:10.0.5.4 Bcast:10.0.5.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe89:ff82/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47 errors:0 dropped:0 overruns:0 frame:0
TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5274 (5.1 KiB) TX bytes:5888 (5.7 KiB)
Interrupt:11 Base address:0xc020
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
venet0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[root at localhost shorewall]# rpm -qa | grep vz
ovzkernel-2.6.18-92.1.13.el5.028stab059.3
vzrpm44-4.4.1-22.5
vztmpl-fedora-7-1.1-1
vzquota-3.0.11-1
vzctl-3.0.22-1
vzrpm44-python-4.4.1-22.5
vzpkg-2.7.0-18
vzctl-lib-3.0.22-1
vzyum-2.4.0-11
------------------------------ end of Guest system with
ovz-kernel------------------------------
---------------------VE containers with venet network (Fedora 7
distribution)------------------
[root at localhost ~]# vzlist
VEID NPROC STATUS IP_ADDR HOSTNAME
201 5 running 10.0.2.1 test_vps1.loc
202 8 running 10.0.2.2 test_vps2.loc
203 3 running 10.0.2.3 test_vps3.loc
[root at localhost ~]#
---------------------end of VE containers with venet network (Fedora 7
distribution)------------------
===========end of Scheme======================
If the shorewall service is stopped and all iptables policies are set to ACCEPT,
all connections succeed:
VPS<-->lan
VPS<-->HN
HN<-->lan
For example, from a host computer (in the LAN):
[shaggycat at desktop ~]$ ssh root at 10.0.2.1
root at 10.0.2.1's password:
Last login: Sun Oct 26 20:13:56 2008 from 10.0.5.2
[root at test_vps1 ~]#
============Configuration files====================
root at localhost two_work_config_]# cat zones
########################zones#######################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
############ Hardware Local Network ##############
#local Network interface
loci ipv4
#local network
loc:loci
desk1:loc
################################################
############# Venet Local Network ##############
#Virtual Interface
venet ipv4
#Virtual network (see hosts file)
ven1:venet
#VPS servers
web1:ven1
serv2:ven1
dmz:ven1
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
[root at localhost two_work_config_]# cat hosts
################### hosts###################
#ZONE HOST(S) OPTIONS
web1 venet0:10.0.2.1
serv2 venet0:10.0.2.2
dmz venet0:10.0.2.3
ven1 venet0:10.0.2.1-10.0.2.255
loc eth0:10.0.5.0/24
desk1 eth0:10.0.5.2
#inet 0.0.0.0/24
[root at localhost two_work_config_]# cat interfaces
#ZONE INTERFACE BROADCAST OPTIONSnet eth0
loci eth0 detect
venet venet0 - routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
[root at localhost two_work_config_]# cat policy
################## policy
#############################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
#
$FW all ACCEPT
#Remove this string!
all $FW ACCEPT
#May be, it's not need
#loci venet ACCEPT
#venet loci ACCEPT
#loc ven1 ACCEPT
#ven1 loc ACCEPT
#Test DMZ
ven1 dmz ACCEPT
desk1 dmz ACCEPT
dmz all DROP
#Teporary acl for one vps
web1 venet ACCEPT
venet web1 ACCEPT
loc web1 ACCEPT
web1 loc ACCEPT
#ACL for venet network
ven1 venet ACCEPT
venet ven1 ACCEPT
loc ven1 ACCEPT
ven1 loc ACCEPT
#ven1 ven1 ACCEPT
#ven1 loc ACCEPT
#loc ven1 ACCEPT
#temporary for desktop
#desk1 ven1 ACCEPT
#ven1 desk1 ACCEPT
desk1 web1 ACCEPT
web1 desk1 ACCEPT
#loc web1 ACCEPT
#loc serv2 ACCEPT
#serv2 loc ACCEPT
#web1 loc ACCEPT
all all REJECT
#LAST LINE -- DO NOT REMOVE
[root at localhost two_work_config_]#
============end of Configuration files====================
For one test VPS server the connection is accepted:
[shaggycat at desktop ~]$ ping -c 1 10.0.2.1
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=1.44 ms
--- 10.0.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.440/1.440/1.440/0.000 ms
But for the other test VPS the connection is dropped:
[shaggycat at desktop ~]$ ping -c 1 10.0.2.2
PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
From 10.0.5.4 icmp_seq=1 Destination Host Unreachable
--- 10.0.2.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
The acl ven1 doesn't work.
The connection for one VPS is accepted because the policy file has these lines:
#Teporary acl for one vps
web1 venet ACCEPT
venet web1 ACCEPT
loc web1 ACCEPT
web1 loc ACCEPT
Please help me find the error.
Thank you for all answers or ideas.
--
Best regards,
Galia Lisovskaya.
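As an added example (not part of the post, and not Shorewall's own code), the script below reads zones/interfaces/hosts/policy text in the same column layout as the files quoted above and answers the two questions a reader debugging this setup wants answered: which zones a given address on a given interface resolves to (including the parent zones from the `zone:parent` nesting, and the `lo-hi` range syntax used for `ven1`), and which policy lines name any of those zone pairs. The four config strings are a constructed sample modelled on the posted files, not the originals; only IPv4 specs (single address, CIDR, `lo-hi` range) are handled; and the checker deliberately does not reproduce Shorewall's rule-ordering for nested zones, so it lists the candidate policy lines in file order rather than deciding which one the compiled ruleset applies.

```python
# Added example (not from the post): resolve which Shorewall zones an address
# belongs to, and list the policy lines that name those zones. The config text
# below is a constructed sample modelled on the posted files. IPv4 only; this
# is a simplified checker, not a reproduction of Shorewall's rule generation.
import ipaddress

ZONES = """\
fw      firewall
loci    ipv4
loc:loci
desk1:loc
venet   ipv4
ven1:venet
web1:ven1
serv2:ven1
dmz:ven1
"""
INTERFACES = """\
loci    eth0    detect
venet   venet0  -       routeback
"""
HOSTS = """\
web1    venet0:10.0.2.1
serv2   venet0:10.0.2.2
dmz     venet0:10.0.2.3
ven1    venet0:10.0.2.1-10.0.2.255
loc     eth0:10.0.5.0/24
desk1   eth0:10.0.5.2
"""
POLICY = """\
$FW     all     ACCEPT
all     $FW     ACCEPT
ven1    dmz     ACCEPT
desk1   dmz     ACCEPT
dmz     all     DROP
web1    venet   ACCEPT
venet   web1    ACCEPT
loc     web1    ACCEPT
web1    loc     ACCEPT
ven1    venet   ACCEPT
venet   ven1    ACCEPT
loc     ven1    ACCEPT
ven1    loc     ACCEPT
desk1   web1    ACCEPT
web1    desk1   ACCEPT
all     all     REJECT
"""


def _records(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_zones(text):
    """Map zone name -> parent zone (None at top level) from ZONE[:PARENT] TYPE lines."""
    parents = {}
    for f in _records(text):
        name, _, parent = f[0].partition(":")
        parents[name] = parent or None
    return parents


def parse_spec(spec):
    """Expand one HOST(S) spec (address, CIDR, or lo-hi range) into ip_network objects."""
    if "-" in spec:  # lo-hi range, as in the posted ven1 line
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]


def parse_hosts(text):
    """List of (zone, interface, [networks]) from ZONE INTERFACE:SPEC[,SPEC] lines."""
    out = []
    for f in _records(text):
        iface, _, specs = f[1].partition(":")
        out.append((f[0], iface, [n for s in specs.split(",") for n in parse_spec(s)]))
    return out


def parse_interfaces(text):
    """Map interface-level zone name -> interface name."""
    return {f[0]: f[1] for f in _records(text)}


def zones_for(ip, iface, zones, interfaces, hosts):
    """Zones containing ip on iface (hosts entries, the interface's zone, and all
    their ancestors), most deeply nested first, then alphabetical."""
    addr = ipaddress.ip_address(ip)
    found = {z for z, i, nets in hosts if i == iface and any(addr in n for n in nets)}
    found |= {z for z, i in interfaces.items() if i == iface}
    for z in list(found):  # walk up the zone:parent chain
        p = zones.get(z)
        while p:
            found.add(p)
            p = zones.get(p)

    def depth(z):
        d, p = 0, zones.get(z)
        while p:
            d, p = d + 1, zones.get(p)
        return d

    return sorted(found, key=lambda z: (-depth(z), z))


def policy_candidates(src_zones, dst_zones, policy_text):
    """Policy lines (file order) whose SOURCE and DEST name any of the given zones."""
    def matches(name, zone_list):
        return name == "all" or ("fw" if name == "$FW" else name) in zone_list
    return [" ".join(f[:3]) for f in _records(policy_text)
            if matches(f[0], src_zones) and matches(f[1], dst_zones)]


def lookup(src_ip, src_iface, dst_ip, dst_iface):
    """Resolve both endpoints to zones; return (src_zones, dst_zones, candidate lines)."""
    zones, ifaces, hosts = parse_zones(ZONES), parse_interfaces(INTERFACES), parse_hosts(HOSTS)
    s = zones_for(src_ip, src_iface, zones, ifaces, hosts)
    d = zones_for(dst_ip, dst_iface, zones, ifaces, hosts)
    return s, d, policy_candidates(s, d, POLICY)


if __name__ == "__main__":
    for dst in ("10.0.2.1", "10.0.2.2"):
        print(dst, lookup("10.0.5.2", "eth0", dst, "venet0"))
```

Running it for the desktop (10.0.5.2 on eth0) to the two VPS addresses on venet0 shows that both destinations resolve into `ven1` via the range entry, so the range spec itself parses and covers 10.0.2.2; the difference between the two is only which additional per-host zone (`web1` or `serv2`) and therefore which extra policy lines apply. That is the check to run before touching the production ruleset: if an address does not resolve into the zone you expect, the hosts spec is wrong, and if it does, the problem is in how the policy lines for the nested zones are compiled, which this simplified script does not model.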