2008/11/1 Tom Eastep <[EMAIL PROTECTED]>:
> The reason that it doesn't work is that 10.0.2.2 is in the serv2 zone.
> And serv2 is a sub-zone of ven1. The policy for desk->serv2 is REJECT.
>
> To make these zone definitions work the way you want them to, you need
> to set IMPLICIT_CONTINUE=Yes in shorewall.conf. That way, if a
> connection doesn't match for one zone that a host is in, it will be
> compared against the rules/policies of the next zone that the host is in.
>
> -Tom
Thanks.
I set IMPLICIT_CONTINUE=Yes and got what I think is a bug of the OVZ kernel:
[EMAIL PROTECTED] shorewall]# shorewall debug start
Compiling...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Compiling /etc/shorewall/hosts...
Determining Hosts in Zones...
Preprocessing Action Files...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain Reject...
Compiling ...
Processing /usr/share/shorewall/action.Drop for chain Drop...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling iptables-restore input for chain mangle:...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
Initializing...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Traffic Control...
Preparing iptables-restore input...
Running debug_restore_input...
iptables v1.3.5: Unknown arg `--src-range'
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables -A venet0_fwd --src-range
10.0.2.1-10.0.2.255 -j ven1_frwd" Failed
IP Forwarding Enabled
/sbin/shorewall: line 435: 15022 Завершено ${VARDIR}/.start
$debugging start
[EMAIL PROTECTED] shorewall]#
The one Russian word means "end" in English.
Light googling turned up this information:
* http://lists.netfilter.org/pipermail/netfilter/2007-February.txt
=========================================
From michel at mitch-it.com Thu Feb 15 01:49:32 2007
From: michel at mitch-it.com (Michel van der Klei)
Date: Thu Feb 15 02:41:02 2007
Subject: Need help with iptables and iprange module
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
On Wed, 14 Feb 2007 19:15:13 -0500 TheNokia <[EMAIL PROTECTED]> wrote:
> Hello everybody, I installed iptables v1.3.7 (the lastest one)
> But when I try to use iprange module (-m iprange) here the error:
>
> debian:~# iptables -A INPUT -m iprange
> iptables v1.3.7: iprange match: You must specify `--src-range' or
> `--dst-range'
> Try `iptables -h' or 'iptables --help' for more information.
> debian:~# iptables -A INPUT -m iprange --src-range
> iptables v1.3.7: Unknown arg `--src-range'
> Try `iptables -h' or 'iptables --help' for more information.
> debian:~# iptables -A INPUT -m iprange --src-range
> xx.xxx.xxx.0-xx.xxx.xxx.255 -j DROP
> iptables: No chain/target/match by that name
>
> I try to install the crap-patch-o-matic, impossible to install without
> 100 years of linux knowledge.
Which kernelversion is there installed on your Debian machine. Since kernel
2.6.18 it's no longer needed to run patch-o-matic.
modprobe ipt_iprange will do that trick for you.
=======================
I loaded this module:
[EMAIL PROTECTED] shorewall]# lsmod | grep ipt_iprange
ipt_iprange 5888 0
x_tables 19204 46
ip6_tables,xt_realm,xt_comment,xt_policy,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_TCPMSS,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_hashlimit,ipt_ECN,ipt_ecn,ipt_DSCP,ipt_dscp,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_NFQUEUE,xt_multiport,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_helper,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,xt_tcpudp,xt_state,iptable_nat,ip_tables
[EMAIL PROTECTED] shorewall]#
But the error doesn't go away.
What do you think, is it an error of the OVZ kernel, and do I need to get help on
the openvz mailing list?
Thank you for your answer.
--
Best regards,
Galia Lisovskaya.