Hi,
I've been struggling to set up filtering on a bridge interface. When I
added "routeback=0", Shorewall started blocking communication on the
bridge. I then added rules to allow certain connections, and Shorewall
processes them when building the iptables script, but it still doesn't work
(connections are blocked).
Here is my setup:
**interfaces:**

```
net eth0   dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
lxd lxdbr0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,bridge,routeback=0
```
**policy:**

```
lxd net ACCEPT
fw  net ACCEPT
fw  lxd ACCEPT
net all DROP   $LOG_LEVEL
all all REJECT $LOG_LEVEL
```
**relevant fragment from rules:**

```
# access to mysql database from containers
ACCEPT lxd lxd:$DB_IP tcp mysql
```
**some traces from Shorewall's execution:**

```
# shorewall trace restart -c 2>&1 | grep mysql
IN===> ACCEPT lxd lxd:10.0.0.11 tcp mysql
# shorewall -vv restart -c | grep lxd-lxd
Policy ACCEPT from lxd to lxd using chain lxd-lxd
Chain lxd-lxd deleted
```
**Sample log line:**

```
kernel: FORWARD REJECT IN=lxdbr0 OUT=lxdbr0 PHYSIN=veth17392b4a PHYSOUT=veth7e32a5a5 MAC=00:16:3e:24:31:30:00:16:3e:51:d6:59:08:00 SRC=10.0.0.13 DST=10.0.0.11 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30577 DF PROTO=TCP SPT=54706 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0
```
What I do not understand is the following:
- why the lxd-lxd policy is ACCEPT (I haven't defined it explicitly anywhere...)
- why the lxd-lxd chain is deleted (although I have a gut feeling it's a
consequence of the above)
When I add the iptables rule manually, it all works fine. I have no idea why
I can't get it working in Shorewall; it's a simple setup :(
If anyone has any suggestions on how to troubleshoot further, or how to
fix it, I would very much appreciate any such help.
--
Best regards,
Łukasz Czerpak
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
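As an added troubleshooting aid (editor's example, not code from the poster or from the Shorewall project): a small parser for netfilter LOG lines of the kind quoted in the mail. It splits a line into the log prefix (here "FORWARD REJECT"), the KEY=value fields and the bare flag tokens (DF, SYN, ...), and then classifies the packet by its IN/OUT interfaces. The first sample is the quoted log line re-joined onto one line; the second sample is a constructed line with a made-up prefix, added only for contrast, and the interface names and addresses in it are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the log line quoted in the mail, re-joined onto one line.
SAMPLE_LINE = (
    "kernel: FORWARD REJECT IN=lxdbr0 OUT=lxdbr0 PHYSIN=veth17392b4a "
    "PHYSOUT=veth7e32a5a5 MAC=00:16:3e:24:31:30:00:16:3e:51:d6:59:08:00 "
    "SRC=10.0.0.13 DST=10.0.0.11 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30577 DF "
    "PROTO=TCP SPT=54706 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0"
)

# Constructed contrast line (not from the mail; prefix and addresses are made up):
# the same destination, but the packet arrives on eth0 and is routed into the bridge.
ROUTED_LINE = (
    "kernel: net-lxd DROP IN=eth0 OUT=lxdbr0 PHYSOUT=veth7e32a5a5 "
    "SRC=203.0.113.5 DST=10.0.0.11 LEN=60 TTL=52 ID=1 DF PROTO=TCP "
    "SPT=40000 DPT=3306 SYN URGP=0"
)


@dataclass(frozen=True)
class NfLogEntry:
    prefix: str        # text the logging rule placed before IN= (chain/action here)
    fields: dict       # KEY=value tokens, e.g. IN, OUT, PHYSIN, SRC, DST, PROTO, DPT
    flags: frozenset   # bare tokens, e.g. DF, SYN, ACK

    @property
    def same_interface(self) -> bool:
        """Packet entered and leaves on the same interface: on a bridge this is
        intra-bridge forwarding, the traffic the routeback interface option governs."""
        inp = self.fields.get("IN", "")
        return bool(inp) and inp == self.fields.get("OUT", "")

    @property
    def is_new_tcp(self) -> bool:
        """Bare SYN: a connection attempt, not a reply or an established flow."""
        return (self.fields.get("PROTO") == "TCP"
                and "SYN" in self.flags and "ACK" not in self.flags)

    def flow(self):
        f = self.fields
        return (f.get("PROTO"), f.get("SRC"), f.get("SPT"), f.get("DST"), f.get("DPT"))


# The real IN= field sits at the start or after whitespace; this avoids matching PHYSIN=.
_IN_TOKEN = re.compile(r"(?:^|\s)IN=")


def parse_nflog(line: str) -> NfLogEntry:
    """Parse one kernel/netfilter LOG line into prefix, fields and flags."""
    m = re.search(r"kernel:\s*", line)          # drop any syslog header
    body = line[m.end():] if m else line
    body = re.sub(r"^\[\s*\d+\.\d+\]\s*", "", body)  # drop dmesg-style timestamp
    hit = _IN_TOKEN.search(body)
    if hit is None:
        raise ValueError("not a netfilter LOG line (no IN= field): %r" % line)
    prefix = body[:hit.start()].strip()
    fields, flags = {}, set()
    for tok in body[hit.start():].split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # MAC= values contain no '=' themselves
            fields[key] = value
        else:
            flags.add(tok)
    return NfLogEntry(prefix, fields, frozenset(flags))


def classify(entry: NfLogEntry) -> str:
    """Where in the stack the packet was: forwarded (routed between interfaces),
    intra-bridge (same interface in and out), to-firewall (INPUT) or from-firewall (OUTPUT)."""
    has_in = bool(entry.fields.get("IN", ""))
    has_out = bool(entry.fields.get("OUT", ""))
    if has_in and has_out:
        return "intra-bridge" if entry.same_interface else "forwarded"
    return "to-firewall" if has_in else "from-firewall"


def explain(entry: NfLogEntry) -> str:
    proto, src, spt, dst, dpt = entry.flow()
    kind = classify(entry)
    phys = ""
    if "PHYSIN" in entry.fields or "PHYSOUT" in entry.fields:
        phys = " (bridge ports %s -> %s)" % (entry.fields.get("PHYSIN", "-"),
                                            entry.fields.get("PHYSOUT", "-"))
    conn = "new connection" if entry.is_new_tcp else "packet"
    return "%s: %s %s %s:%s -> %s:%s, %s %s -> %s%s" % (
        entry.prefix, kind, conn, src, spt, dst, dpt, proto,
        entry.fields.get("IN", "-"), entry.fields.get("OUT", "-"), phys)


if __name__ == "__main__":
    for line in (SAMPLE_LINE, ROUTED_LINE):
        print(explain(parse_nflog(line)))
```

Run against the quoted line, the classifier reports an intra-bridge new connection from 10.0.0.13 to 10.0.0.11:3306 between bridge ports veth17392b4a and veth7e32a5a5, with IN and OUT both lxdbr0. That same-interface property is what distinguishes this traffic from ordinary forwarding between zones, and it is the case that the routeback option on the bridge interface controls, which matches the observation in the mail that the blocking started when routeback=0 was added.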