From: Tom E. <te...@sh...> - 2012-09-09 14:26:17
On 09/09/2012 07:11 AM, Steve Thompson wrote:
> On Sat, 8 Sep 2012, Tom Eastep wrote:
>
>> But that raises the question of what problem you are reporting -- if the
>> log messages aren't relevant then what is the issue?
>
> Here is the situation. The shorewall system has an IP address in
> 192.168.0.0/22 subnet (zone "pub") on bridge br2 (192.168.0.3 and also
> 192.168.0.1), and an IP address in 192.168.4.0/22 (zone "hpc") on bridge
> br1 (192.168.4.3 and also 192.168.4.1). The .1 addresses are the default
> gateways for the clients in the relevant subnet. These addresses can
> fail over to a second identical shorewall box, but this is not relevant
> here.
>
> The KVM virtual machine on the shorewall box (also CentOS 6.3) has
> interface eth0 with IP address 192.168.3.254 bridged to br2, and an
> interface eth1 with IP address 192.168.7.254 bridged to br1. Subnet mask
> is 255.255.252.0 (/22).
>
> From a client in the 192.168.0.0/22 subnet (IP address 192.168.0.172), I
> can issue:
>
> ssh 192.168.3.254
>
> and this will successfully log on to the virtual machine, since it is on
> the same subnet and thus goes directly. I can issue:
>
> ssh 192.168.7.254
>
> and this will eventually time out. There are NO log messages on the
> shorewall box; it appears that no packets are passed to the virtual
> machine (and a traceroute ends at the shorewall box).
>
> From a client in the 192.168.4.0/22 subnet (IP address 192.168.5.241), I
> can issue:
>
> ssh 192.168.7.254
>
> and this will successfully log on to the virtual machine. I can issue:
>
> ssh 192.168.3.254
>
> and this will eventually time out. There are NO log messages on the
> shorewall box; it appears that no packets are passed to the virtual
> machine (and a traceroute ends at the shorewall box).
>
> I have the following entries, amongst others, in /etc/shorewall/policy:
>
> pub hpc ACCEPT
> hpc pub ACCEPT
> net all DROP info    <- internet zone
> all all REJECT info
>
> and in /etc/shorewall/interfaces:
>
> hpc br1 - bridge,routeback,tcpflags,nosmurfs
> pub br2 - bridge,routeback,tcpflags,nosmurfs
>
> from which I have removed the maclist option. This is the configuration
> from which the attached shorewall dump was taken. Removing the maclist
> option makes no difference to the outcome.
>
> I do not understand why packets that reach the firewall from a client on
> the opposing subnet do not reach the virtual machine, since the policy
> file would appear to allow them. Again, there are no log messages. For
> any other machines that are NOT virtual machines on the shorewall box,
> everything works OK.

And if you temporarily 'shorewall clear', this all works perfectly?

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
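The policy and interfaces entries quoted above can be checked offline for what Shorewall will actually do with a given zone pair. The script below is an added example, not code from this thread or from Shorewall itself: it models the first-match semantics of /etc/shorewall/policy (entries are scanned in order, "all" is a wildcard, and the first entry whose SOURCE and DEST both match decides the policy), reports whether that policy carries a LOG_LEVEL, and reads the interfaces options so the presence of routeback can be checked per zone. The sample input is the configuration from the quoted message, with the "<- internet zone" remark turned into a `#` comment; the zone names and the zone-pair queries in `main()` are assumptions chosen to mirror the ssh attempts described above.

```python
"""Resolve the effective Shorewall policy for zone pairs (added example,
not Shorewall's own code; the config text below is copied from the
quoted mail, with the inline remark rewritten as a '#' comment)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed input: SOURCE DEST POLICY LOG_LEVEL, as quoted in the thread.
POLICY_TEXT = """\
pub hpc ACCEPT
hpc pub ACCEPT
net all DROP info      # internet zone
all all REJECT info
"""

# Constructed input: ZONE INTERFACE BROADCAST OPTIONS, as quoted in the thread.
INTERFACES_TEXT = """\
hpc br1 - bridge,routeback,tcpflags,nosmurfs
pub br2 - bridge,routeback,tcpflags,nosmurfs
"""


@dataclass(frozen=True)
class Policy:
    source: str
    dest: str
    action: str
    log_level: Optional[str]  # None when the column is absent or "-"


def _strip(raw: str) -> str:
    """Drop a trailing '#' comment and surrounding whitespace."""
    return raw.split("#", 1)[0].strip()


def parse_policy(text: str) -> List[Policy]:
    entries = []
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        level = cols[3] if len(cols) > 3 and cols[3] != "-" else None
        entries.append(Policy(cols[0], cols[1], cols[2].upper(), level))
    return entries


def parse_interfaces(text: str) -> Dict[str, Dict[str, object]]:
    """Map zone -> {'interface': name, 'options': set of option names}."""
    table: Dict[str, Dict[str, object]] = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        cols = line.split()
        if len(cols) < 2:
            raise ValueError(f"malformed interfaces line: {raw!r}")
        opts: Set[str] = set(cols[3].split(",")) if len(cols) > 3 else set()
        table[cols[0]] = {"interface": cols[1], "options": opts}
    return table


def _matches(pattern: str, zone: str) -> bool:
    return pattern == "all" or pattern == zone


def resolve(entries: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """First matching entry wins; None means no entry matched at all."""
    for p in entries:
        if _matches(p.source, src) and _matches(p.dest, dst):
            return p
    return None


def has_routeback(interfaces: Dict[str, Dict[str, object]], zone: str) -> bool:
    """True if traffic may leave the zone's interface through which it arrived."""
    return "routeback" in interfaces[zone]["options"]


def explain(entries: List[Policy], src: str, dst: str) -> str:
    p = resolve(entries, src, dst)
    if p is None:
        return f"{src} -> {dst}: no matching policy"
    logging = f"logged at '{p.log_level}'" if p.log_level else "not logged"
    return f"{src} -> {dst}: {p.action} ({logging}) via '{p.source} {p.dest}'"


def main() -> None:
    entries = parse_policy(POLICY_TEXT)
    interfaces = parse_interfaces(INTERFACES_TEXT)
    # Assumed queries: the cross-subnet ssh attempts from the mail.
    for src, dst in [("hpc", "pub"), ("pub", "hpc"), ("net", "hpc"), ("pub", "net")]:
        print(explain(entries, src, dst))
    for zone in interfaces:
        print(f"{zone} on {interfaces[zone]['interface']}: routeback={has_routeback(interfaces, zone)}")


if __name__ == "__main__":
    main()
```

The useful output is the "not logged" part: both `pub hpc ACCEPT` and `hpc pub ACCEPT` carry no LOG_LEVEL, so a connection that is accepted by policy and then lost somewhere else (routing, the bridge, or the guest) leaves nothing in the log either way, whereas a packet that fell through to `all all REJECT info` would have been logged. That is what makes the `shorewall clear` test in the reply a sensible next step: it separates "the ruleset is in the path" from "the packet never makes it across the bridge".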