On 11/16/2020 12:34 PM, Łukasz Czerpak wrote:
> Hi,
>
> I've been struggling to set up filtering on a bridge interface. When I
> added "routeback=0", shorewall started blocking communication on the
> bridge. Then I added rules to allow certain connections and Shorewall
> processes them when building the iptables script, but it still doesn't work
> (connections are blocked).
>
> Here is my setup:
>
> **interfaces:**
>
> net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> lxd lxdbr0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,bridge,routeback=0
>
> **policy:**
>
> lxd net ACCEPT
> fw net ACCEPT
> fw lxd ACCEPT
> net all DROP $LOG_LEVEL
> all all REJECT $LOG_LEVEL
>
> **relevant fragment from rules:**
>
> # access to mysql database from containers
> ACCEPT lxd lxd:$DB_IP tcp mysql
>
> **some traces from Shorewall's execution:**
>
> # shorewall trace restart -c 2>&1 | grep mysql
> IN===> ACCEPT lxd lxd:10.0.0.11 tcp mysql
>
> # shorewall -vv restart -c | grep lxd-lxd
> Policy ACCEPT from lxd to lxd using chain lxd-lxd
> Chain lxd-lxd deleted
>
> **Sample log line:**
>
> kernel: FORWARD REJECT IN=lxdbr0 OUT=lxdbr0 PHYSIN=veth17392b4a
> PHYSOUT=veth7e32a5a5 MAC=00:16:3e:24:31:30:00:16:3e:51:d6:59:08:00
> SRC=10.0.0.13 DST=10.0.0.11 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30577 DF
> PROTO=TCP SPT=54706 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0
>
> What I do not understand is the following:
> - why the lxd-lxd policy is ACCEPT (I haven't defined it explicitly anywhere..)
> - why the lxd-lxd chain is deleted (although I have a gut feeling it's a
>   consequence of the above)
>
> When I add the iptables rule manually it all works fine. I have no idea why
> I can't get it working in Shorewall; it's a simple setup :(
> If anyone has any suggestion on how to troubleshoot further, or how to
> fix it, I would very much appreciate any such help.
Are you using lxd firewall capabilities (1)?:
- If yes, this is unlikely to work as Shorewall will probably modify what is created by lxd
- If no, have you looked at (2)

1) https://lxd.readthedocs.io/en/latest/networks/
2) https://shorewall.org/bridge-Shorewall-perl.html

-- 
Matt Darfeuille <[email protected]>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
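As an added example (not code from the thread, from Shorewall or from lxd), the following Python parser takes netfilter LOG lines like the one quoted in the question, separates the key=value fields from bare TCP/IP flags, and classifies a line as bridge-internal when the packet entered and left through the same bridge with PHYSIN/PHYSOUT naming the two ports, which is the traffic affected by the bridge's routeback setting. The first sample line is the one from the thread; the second is constructed.

```python
from typing import Dict, List, Union

# Sample 1: the rejected container-to-container MySQL SYN quoted in the thread.
SAMPLE_BRIDGE = (
    "kernel: FORWARD REJECT IN=lxdbr0 OUT=lxdbr0 PHYSIN=veth17392b4a "
    "PHYSOUT=veth7e32a5a5 MAC=00:16:3e:24:31:30:00:16:3e:51:d6:59:08:00 "
    "SRC=10.0.0.13 DST=10.0.0.11 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30577 DF "
    "PROTO=TCP SPT=54706 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0"
)
# Sample 2: a constructed line for a routed packet (no bridge ports involved).
SAMPLE_ROUTED = (
    "kernel: net-fw DROP IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=1 "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0"
)

def parse_netfilter_log(line: str) -> Dict[str, Union[str, List[str]]]:
    """Parse a netfilter LOG line into a dict of key=value fields.

    Everything before the first IN= token (minus the 'kernel:' tag) becomes
    PREFIX; bare tokens such as DF, SYN or ACK are collected under FLAGS.
    """
    tokens = line.split()
    starts = [i for i, t in enumerate(tokens) if t.startswith("IN=")]
    if not starts:
        raise ValueError("no IN= field: not a netfilter LOG line")
    start = starts[0]
    fields: Dict[str, Union[str, List[str]]] = {
        "PREFIX": " ".join(t for t in tokens[:start] if not t.endswith(":"))
    }
    flags: List[str] = []
    for tok in tokens[start:]:
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value          # OUT= yields an empty string, as logged
        else:
            flags.append(key)
    fields["FLAGS"] = flags
    return fields

def classify(line: str) -> str:
    """'bridge-internal' when IN and OUT are the same bridge and both physical
    ports are known; 'bridge-routed' when only one side is a bridge port;
    otherwise 'routed'."""
    f = parse_netfilter_log(line)
    if f.get("IN") == f.get("OUT") and "PHYSIN" in f and "PHYSOUT" in f:
        return "bridge-internal"
    if "PHYSIN" in f or "PHYSOUT" in f:
        return "bridge-routed"
    return "routed"
```

Running the classifier over the firewall log makes it easy to see whether the rejected flows are all bridge-internal, i.e. whether the routeback change, rather than the lxd-lxd rule itself, is what is being hit.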
