On 11/03/2012 04:24 AM, Bram Jansen wrote:
> Hi,
>
> I'm trying to configure shorewall 4.5.8.2 on a Debian squeeze box with
> the latest backport kernel together with. I'd like to filter traffic, but
> for some reason my rules get ignored.
>
> Kernel+iptables have physdev match support, and bridge-nf-call-iptables
> is set to 1, as well as ip_forward.
>
> I cannot find a way to restrict access to the vnet+ devices. The host
> (IP is on br0) and the VMs (IPs are set inside the VMs; the vnet+ devices
> on the host have no IP) are all in the same public subnet. I'm still
> able to ping and telnet to the VMs attached to the vnet+ interfaces
> with the configs I'll post below. This is done from a machine outside
> the KVM host, on the internet.
>
> My goal is to be able to filter some ports for each individual VM. But
> first I need all traffic to the VMs to be dropped, so that I can open
> the ports that I need.
>
> I hope someone can shine a light on this one for me. Thx.
>
> Bram
>
> ----
>
> This is what brctl shows:
>
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.3c4a92dbc2c0       no              eth0
>                                                         vnet0
>                                                         vnet1
>
> /etc/shorewall/interfaces:
>
> net     br0        -    bridge
> vmnet   br0:eth0
> vmkin   br0:vnet0
> vmbso   br0:vnet1
>
> /etc/shorewall/zones:
>
> fw          firewall
> net         ipv4
> vmnet:net   bport4
> vmkin:net   bport4
> vmbso:net   bport4
>
> /etc/shorewall/policy:
>
> fw      all    ACCEPT
> net     all    DROP
> vmnet   all    DROP
> all     all    REJECT
Sounds like you have IMPLICIT_CONTINUE=Yes in shorewall.conf. For a full bridge configuration like this one, you want IMPLICIT_CONTINUE=No.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
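Configuration example added by the editor to illustrate Tom's answer together with Bram's stated goal (drop everything to the VMs, then open ports per VM). It is not from either message and not a Shorewall project file. The shorewall.conf line is the setting Tom names; the rules file assumes, for illustration only, that vmkin should accept SSH and vmbso should accept HTTP/HTTPS, and that both should answer pings. Everything else stays covered by the existing "vmnet all DROP" policy, since traffic arriving from the internet enters the bridge on the eth0 port and therefore belongs to the bport zone vmnet, not to net.

```conf
# /etc/shorewall/shorewall.conf (only the line at issue; the rest of the
# file is unchanged). With IMPLICIT_CONTINUE=Yes, Shorewall adds an
# implicit CONTINUE policy for sub-zones such as vmnet:net, so the
# explicit "vmnet all DROP" line in the policy file is not what ends up
# applied to traffic between the bridge ports. Added example, not taken
# from the original post.
IMPLICIT_CONTINUE=No

# /etc/shorewall/rules (added example). Source zone is vmnet, the bport
# on br0:eth0, because that is the port internet traffic arrives on.
# Ports and the per-VM choices below are assumptions for illustration.
#ACTION         SOURCE   DEST    PROTO   DEST PORT(S)
# vmkin: management over SSH only
ACCEPT          vmnet    vmkin   tcp     22
# vmbso: public web server
ACCEPT          vmnet    vmbso   tcp     80,443
# keep the VMs reachable for ping monitoring; other ICMP stays dropped
Ping(ACCEPT)    vmnet    vmkin
Ping(ACCEPT)    vmnet    vmbso
```

After editing the files, run `shorewall check` and then `shorewall restart`. A quick way to confirm the policy is really in effect is to telnet to an unlisted port on a VM from outside, as in the original test, and watch the packet counters with `iptables -nvL FORWARD` on the host: the hit should land on a DROP rule rather than on ACCEPT.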