Hello everyone,

I hope someone can help me with a rather weird (from my point of view)
problem. I first give the problem in the hope someone can point me in
the right direction without reading the full detailed description. I
hope someone can help me out on this.

SUMMARY
There is a problem with packages in the FORWARD chain not being
processed properly (they are dropped even if they were (supposed to be)
part of an already established connection), while packages from/to
another host are being processed properly.

DETAILED DESCRIPTION
SITUATION
I have a (remote) VPS that I would like to connect to my local (home)
network with VPN. This VPS is a Xen dom0 system intended to run multiple
guest systems (domU's).
On the VPS I have:
 - eth0: this is the internet connection with ip address and route
information from DHCP (DHCP from VPS provider)
 - xenbr0: this is an openvswitch bridge with ip address from DHCP
(from home DNS/DHCP server)
 - tap0: openVPN tunnel end-point which connects over eth0 towards my
openVPN server at home; this is a port on xenbr0
 - multiple vifX.0: these are attached to xenbr0 as port to provide a
(virtual) ethernet link towards the guest systems

IP(v4) addresses:
 - home network: 10.0.0.0/8, with 10.0.0.1 being the DHCP/DNS server;
public ip address eee.fff.ggg.hhh
 - VPS eth0: aa.bbb.ccc.ddd (public ip address)
 - VPS xenbr0: 10.2.0.1
 - DomU (guest system): 10.2.0.12
 - desktop: 10.0.0.100 (part of home network)

What I want:
 1) from my home network connect to every "machine" (DomU's) on the VPS
 2) from the VPS and all guests (DomU's) connect to the home network
 3) from the VPS and all guests (DomU's) route internet traffic over eth0
 4) from internet do NAT/portforwarding towards DomU

what works:
 - everything (except 4) works with empty iptables (INPUT, OUTPUT and
FORWARD on ACCEPT)
 - VPS itself works fully, able to connect to internet and home
network (both ways)
 - ssh and ping to DomU from my desktop
 - ping between DomU and desktop (both ways)
 - DomU receives ip address from DHCP/DNS (at 10.0.0.1; so some sort
of traffic is coming through)

what does not work:
DomU connecting to 10.0.0.1 after a few seconds(?); IP address +
hostname is received but doing a `ping 10.0.0.1` anytime later fails,
therefore DNS fails as well (that needs the DNS from 10.0.0.1). Strangely
enough `ping 10.0.0.100` (to desktop) works. Also ssh or ping from
desktop towards domU works (in the local network, over the VPN). In
addition to this, NAT (DNAT) seems to work partly: a network package
is forwarded by VPS to DomU firewall, but no response comes back from
DomU to desktop. As the services on DomU are working properly, I
suspect that these response packages are "stuck" at VPS.

PROBLEM
On VPS I see a lot of DROP messages like:
kernel: Shorewall:sfilter:DROP:IN=xenbr0 OUT=xenbr0
MAC=00:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=10.0.0.1
DST=10.2.0.12 LEN=119 TOS=0x00 PREC=0x00 TTL=63 ID=21617 PROTO=UDP
SPT=53 DPT=46861 LEN=99
and while executing `ping 10.0.0.1` on DomU:
kernel: Shorewall:fw-home:ACCEPT:IN= OUT=xenbr0 SRC=10.2.0.1
DST=10.0.0.1 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=42340 PROTO=ICMP
TYPE=5 CODE=1 GATEWAY=10.2.0.12 [SRC=10.0.0.1 DST=10.2.0.12 LEN=84
TOS=0x00 PREC=0x00 TTL=63 ID=35699 PROTO=ICMP TYPE=0 CODE=0 ID=9134
SEQ=3 ]
kernel: Shorewall:sfilter:DROP:IN=xenbr0 OUT=xenbr0
MAC=00:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=10.0.0.1
DST=10.2.0.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=28115 PROTO=ICMP
TYPE=0 CODE=0 ID=7593 SEQ=3

The VPS drops the messages from 10.0.0.1 for 10.2.0.12. It seems that
these messages (ping and DNS) are not considered "Established", but
treated as new connections. I cannot seem to find a way to tell
Shorewall that packages from 10.0.0.1 (or 10.0.0.0/8) designated for
10.2.0.0/16 arriving and leaving xenbr0 are to be "accepted". Also the
NAT/portforwarding is not working properly. My first thought is that
there is some problem with connection tracking or something.

What I tried:
I tried various config options. Specifying routeback and routefilter
for interface xenbr0 got sfilter out of the way, but then the packages
would be dropped at the end of the FORWARD chain anyway. Changing the
last policy to "all all ACCEPT" made the setup work, but this is not
the desired solution as it will open the whole firewall.

Below is my shorewall config and the output of shorewall dump is attached.

/etc/shorewall/interfaces:
- xenbr0 detect dhcp,tcpflags,nosmurfs
- eth0 detect dhcp,tcpflags,nosmurfs

/etc/shorewall/zones:
fw firewall
home ipv4 - - -
net ipv4 - - -

/etc/shorewall/hosts:
home xenbr0:10.0.0.0/8 -
net eth0:0.0.0.0/0 -

/etc/shorewall/policy:
$FW all ACCEPT info
home $FW REJECT info
home home ACCEPT info
all all DROP info

/etc/shorewall/rules:
?SECTION NEW
ACCEPT home $FW tcp 22
Ping/ACCEPT home $FW
Ping/DROP net $FW
ACCEPT net $FW tcp 22
DNAT net home:10.2.0.12 tcp 25
DNAT net home:10.2.0.12 tcp 993

/etc/shorewall/snat:
SNAT(detect) 10.0.0.0/8 eth0

/etc/shorewall/conntrack:
?FORMAT 3
CT:notrack:PO - 127.0.0.0/8

shorewall.conf:
ACCOUNTING=No
IP_FORWARDING=Yes
MACLIST_DISPOSITION=DROP
MACLIST_TTL=
ROUTE_FILTER=No
STARTUP_ENABLED=Yes
VERBOSITY=1
LOGFILE=systemd
EXPAND_POLICIES=Yes

$ip route
default via aaa.bbb.ccc.1 dev eth0 proto dhcp
10.0.0.0/8 dev xenbr0 proto kernel scope link src 10.2.0.1
aaa.bbb.ccc.0/24 dev eth0 proto kernel scope link src aaa.bbb.ccc.ddd

Attachment: shorewall_dump.txt.gz
Description: application/gzip

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
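An added diagnostic helper, not part of the original post or of Shorewall: it parses kernel log lines in the format quoted above and picks out DROP entries whose IN and OUT interface are the same (the bridge hairpin the poster sees on xenbr0), flagging those that look like replies (ICMP echo reply, DNS answer from port 53). The sample lines and all function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines mirroring those quoted in the post (MACs shortened, some fields omitted).
SAMPLE_LOG = """\
kernel: Shorewall:sfilter:DROP:IN=xenbr0 OUT=xenbr0 MAC=00:XX SRC=10.0.0.1 DST=10.2.0.12 LEN=119 TTL=63 ID=21617 PROTO=UDP SPT=53 DPT=46861 LEN=99
kernel: Shorewall:fw-home:ACCEPT:IN= OUT=xenbr0 SRC=10.2.0.1 DST=10.0.0.1 LEN=112 TTL=64 ID=42340 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=10.2.0.12 [SRC=10.0.0.1 DST=10.2.0.12 LEN=84 TTL=63 ID=35699 PROTO=ICMP TYPE=0 CODE=0 ID=9134 SEQ=3 ]
kernel: Shorewall:sfilter:DROP:IN=xenbr0 OUT=xenbr0 MAC=00:XX SRC=10.0.0.1 DST=10.2.0.12 LEN=84 TTL=63 ID=28115 PROTO=ICMP TYPE=0 CODE=0 ID=7593 SEQ=3
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split a Shorewall kernel log line into chain, disposition and the outer header fields."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # ICMP error messages embed the triggering packet's header in [...]; keep only the outer one.
    rest = m.group("rest").split("[", 1)[0]
    fields = {}
    for key, value in KV_RE.findall(rest):
        fields.setdefault(key, value)  # first wins: IP ID before ICMP ID, outer LEN before payload LEN
    return {"chain": m.group("chain"), "disp": m.group("disp"), "fields": fields}

def looks_like_reply(fields):
    """The two reply types the post says are dropped: an ICMP echo reply or a DNS answer from port 53."""
    if fields.get("PROTO") == "ICMP":
        return fields.get("TYPE") == "0"
    if fields.get("PROTO") == "UDP":
        return fields.get("SPT") == "53"
    return False

def hairpin_drops(log_text):
    """DROP lines where IN and OUT name the same interface, i.e. a packet forwarded back out of the bridge."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        f = rec["fields"] if rec else {}
        if rec and rec["disp"] == "DROP" and f.get("IN") and f["IN"] == f.get("OUT"):
            rec["reply"] = looks_like_reply(f)
            found.append(rec)
    return found

def summarize(records):
    # Count affected flows per (chain, src, dst, proto) so the pattern stands out in a long log.
    return Counter((r["chain"], r["fields"]["SRC"], r["fields"]["DST"], r["fields"]["PROTO"])
                   for r in records)

if __name__ == "__main__":
    print(dict(summarize(hairpin_drops(SAMPLE_LOG))))
```

Feed it `journalctl -k` output instead of SAMPLE_LOG to see whether every hairpin drop is a reply from 10.0.0.1, which is the pattern the post describes.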
