From: Steve T. <sm...@vg...> - 2012-09-09 14:12:02
On Sat, 8 Sep 2012, Tom Eastep wrote:

> But that raises the question of what problem you are reporting -- if the
> log messages aren't relevant then what is the issue?

Here is the situation.

The shorewall system has an IP address in the 192.168.0.0/22 subnet (zone "pub") on bridge br2 (192.168.0.3 and also 192.168.0.1), and an IP address in 192.168.4.0/22 (zone "hpc") on bridge br1 (192.168.4.3 and also 192.168.4.1). The .1 addresses are the default gateways for the clients in the relevant subnet. These addresses can fail over to a second identical shorewall box, but this is not relevant here.

The KVM virtual machine on the shorewall box (also CentOS 6.3) has interface eth0 with IP address 192.168.3.254 bridged to br2, and an interface eth1 with IP address 192.168.7.254 bridged to br1. Subnet mask is 255.255.252.0 (/22).

From a client in the 192.168.0.0/22 subnet (IP address 192.168.0.172), I can issue:

    ssh 192.168.3.254

and this will successfully log on to the virtual machine, since it is on the same subnet and thus goes directly. I can issue:

    ssh 192.168.7.254

and this will eventually time out. There are NO log messages on the shorewall box; it appears that no packets are passed to the virtual machine (and a traceroute ends at the shorewall box).

From a client in the 192.168.4.0/22 subnet (IP address 192.168.5.241), I can issue:

    ssh 192.168.7.254

and this will successfully log on to the virtual machine. I can issue:

    ssh 192.168.3.254

and this will eventually time out. There are NO log messages on the shorewall box; it appears that no packets are passed to the virtual machine (and a traceroute ends at the shorewall box).

I have the following entries, amongst others, in /etc/shorewall/policy:

    pub   hpc   ACCEPT
    hpc   pub   ACCEPT
    net   all   DROP    info    <- internet zone
    all   all   REJECT  info

and in /etc/shorewall/interfaces:

    hpc   br1   -   bridge,routeback,tcpflags,nosmurfs
    pub   br2   -   bridge,routeback,tcpflags,nosmurfs

from which I have removed the maclist option.

This is the configuration from which the attached shorewall dump was taken. Removing the maclist option makes no difference to the outcome. I do not understand why packets that reach the firewall from a client on the opposing subnet do not reach the virtual machine, since the policy file would appear to allow them. Again, there are no log messages. For any other machines that are NOT virtual machines on the shorewall box, everything works OK.

Steve