I have a server whose only purpose is to run a bunch of virtualized guests (libvirt/kvm). The server has 4 NICs that are all bridged. 2 are connected to the internet, 2 to the private LAN. The guests have their own firewall and get their IP either fixed or from a DHCP server elsewhere on the network; some guests have 2 NICs assigned, one to the local LAN and one with a public IP (for example NIC1 is assigned to br0 and NIC2 is assigned to br2). Only one bridge has an IP address assigned (on a local LAN) so I can SSH into the virtual host from the local LAN; the host doesn't need a connection to the internet itself.

This is the setup:
NIC     Bridge + IP     Connected to
eth0    br0 10.1.0.10   10.1.0.0/8
eth1    br1 -           192.168.178.0/24
eth2    br2 -           internet ISP1
eth3    br3 -           internet ISP2

I am not worried about traffic flowing between guests on a bridge, and the virtual host doesn't have an IPv4/IPv6 address assigned to it on any of the other interfaces, but I guess firewalling the virtual host is a good thing to do. The virtual guests have their own firewall running (which was a fairly straightforward configuration).

I thought up a setup like this:

/etc/shorewall/interfaces:
    lan1  br0 - tcpflags,nosmurfs,bridge
    lan2  br1 - tcpflags,nosmurfs,bridge
    net1  br2 - tcpflags,bridge,routefilter,nosmurfs,logmartians,blacklist,arp_filter
    net2  br3 - tcpflags,bridge,routefilter,nosmurfs,logmartians,blacklist,arp_filter
(Will I need to add 'routeback' in addition to 'bridge'?)

/etc/shorewall/zones:
    fw   firewall
    lan1 ipv4
    lan2 ipv4
    net1 ipv4
    net2 ipv4

How should I configure /etc/shorewall/policy? In principle I don't want to directly connect the local LAN to the internet; some guests do function as a gateway (but take care of that themselves). Will I need to allow traffic between the zones, i.e.:
    lan1  net1  ACCEPT
    lan1  net2  ACCEPT
    lan2  net1  ACCEPT
    lan2  net2  ACCEPT
    lan1  lan2  ACCEPT
    lan2  lan1  ACCEPT
    net   all   DROP  info
    all   all   REJECT  info
Or do I not need any rules for LANx<->NETx, since the guests do their own routing between their interfaces on either bridge?

The virtual host isn't a router/gateway and shouldn't become one.

Anything else I should beware of?

Thanks for any advice!

Remco
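The post's requirement that the virtual host bridges guest traffic but must never become a router can be checked from the host itself. The POSIX sh audit below is an added example, not part of Remco's post or of Shorewall's own tooling; it assumes br0 is the only management bridge, and the `ip -o -4 addr show` samples are constructed to mirror the setup described above.

```shell
#!/bin/sh
# Audit helpers for a bridge-only KVM host (added example). Each check takes
# its input as an argument so it can run against live command output or the
# constructed samples below.

# net.ipv4.ip_forward must be 0: the host bridges frames, it does not route.
forwarding_disabled() { [ "$1" = "0" ]; }

# Bridged IPv4 frames only traverse iptables (and so Shorewall's zone policy
# between lan1/lan2/net1/net2) when net.bridge.bridge-nf-call-iptables is 1.
# With 0, inter-zone policy never sees guest traffic; only INPUT/OUTPUT apply.
bridged_traffic_filtered() { [ "$1" = "1" ]; }

# From `ip -o -4 addr show` output, list the bridges carrying an IPv4 address.
bridges_with_ipv4() {
  printf '%s\n' "$1" | awk '$3 == "inet" && $2 ~ /^br[0-9]+$/ { print $2 }' | sort -u
}

# Pass only if exactly the management bridge ($2) is addressed.
only_mgmt_bridge_addressed() {
  [ "$(bridges_with_ipv4 "$1")" = "$2" ]
}

# Constructed samples: the intended state (only br0 addressed) and a drift
# where br2, the ISP1 bridge, has picked up an address as well.
SAMPLE_ADDR_OK='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: br0    inet 10.1.0.10/8 brd 10.255.255.255 scope global br0\       valid_lft forever preferred_lft forever'
SAMPLE_ADDR_BAD="$SAMPLE_ADDR_OK
6: br2    inet 203.0.113.7/24 brd 203.0.113.255 scope global br2\       valid_lft forever preferred_lft forever"

# Run the checks against the live host (needs sysctl and iproute2).
audit_live() {
  fwd=$(sysctl -n net.ipv4.ip_forward 2>/dev/null || echo unknown)
  bnf=$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null || echo unknown)
  addrs=$(ip -o -4 addr show 2>/dev/null)
  forwarding_disabled "$fwd" && echo "ok: ip_forward=0" || echo "WARN: ip_forward=$fwd"
  bridged_traffic_filtered "$bnf" && echo "ok: bridged traffic reaches iptables" \
    || echo "NOTE: bridge-nf-call-iptables=$bnf (inter-zone policy not applied to guests)"
  only_mgmt_bridge_addressed "$addrs" br0 && echo "ok: only br0 is addressed" \
    || echo "WARN: addressed bridges: $(bridges_with_ipv4 "$addrs" | tr '\n' ' ')"
}

case "${1:-}" in --live) audit_live ;; esac
```

Run it as `sh audit.sh --live` on the host; without the flag it only defines the functions so they can be sourced or tested against captured output.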

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users