From: Michael J. <mic...@ya...> - 2014-07-09 16:28:40
I have a question about a secure way to firewall and route traffic from an EC2 instance in AWS. The setup is different from any other Shorewall configuration I have used (OpenWRT, OpenVPN, etc.). In this case there are two subnets in one VPC:

VPC - 10.252.0.0/16
1) Public - 10.252.128.0/17
2) Private - 10.252.0.0/17

I have created an instance in the Public subnet with an elastic IP 54.x.x.100 which is NAT'ed to the eth0 interface on that server:

NAT/GW/VPN Shorewall Server: 10.252.128.200 (1 interface - ETH0)

Traffic flows in and out to the internet without issue. The IGW (internet gateway) on AWS is properly configured. The route tables are correct.

In the private subnet, there is a test Windows server with IP address 10.252.0.10. It is currently configured to use the Shorewall server as its gateway.

When I configure the Shorewall policy file to use ALL to ALL ACCEPT (I know this is not secure - obviously...) it works. Traffic comes in and out to 10.252.0.10. With Shorewall simply passing packets with no firewalling, everything works as expected. But when I try to secure it, I end up with this error in the log no matter how many rules I try to use:

kernel: [ 5138.802818] Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0

So instead of a typical configuration with an eth1 (loc) and eth0 (net) interface, there is only one 'physical' interface, which is eth0. The masq file looks like this:

#MASQ
eth0 0.0.0.0/0 #--> allow any server to be masq'd as eth0

How can I keep the correct Shorewall policy (all all REJECT info) while using the rules file to allow traffic in/out through the same eth0 interface? I cannot do the following like I could on a physical server (which would work):

loc net ACCEPT

Mike
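The logged reject shows IN=eth0 OUT=eth0: with eth0 sitting entirely in the net zone, the forwarded packets are net-to-net and fall through to the REJECT policy. The fragments below are an added illustration, not the poster's configuration, of the usual Shorewall answer for a single-interface gateway: give eth0 no fixed zone, split it into loc and net by address in the hosts file, and set routeback so a forwarded packet may leave by the interface it arrived on. They assume the files live under /etc/shorewall, that loc listed before net in the zones file makes the more specific zone match first, and that masquerading is narrowed to the private subnet rather than 0.0.0.0/0.

```text
# /etc/shorewall/zones  -- two zones share one interface
#ZONE   TYPE
fw      firewall
loc     ipv4      # private subnet 10.252.0.0/17; listed before net (assumed to match first)
net     ipv4

# /etc/shorewall/interfaces  -- '-' means the zones come from the hosts file;
# routeback permits forwarding back out through eth0
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect      routeback

# /etc/shorewall/hosts  -- assign zones by source address on eth0
#ZONE   HOST(S)                 OPTIONS
loc     eth0:10.252.0.0/17
net     eth0:0.0.0.0/0

# /etc/shorewall/policy  -- the restrictive default stays in place
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq  -- masquerade only the private subnet as eth0's address
#INTERFACE  SOURCE
eth0        10.252.0.0/17

# /etc/shorewall/rules  -- explicit exceptions only; example: management access
#ACTION         SOURCE  DEST    PROTO   DEST PORT(S)
SSH(ACCEPT)     net     $FW
```

After "shorewall check" and "shorewall restart", a forwarded packet from 10.252.0.10 to the internet is classified loc-to-net and accepted by policy, while unsolicited traffic from the internet toward the private subnet still hits net-to-loc and is dropped.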