Hello everyone, I hope someone can help me with a rather weird (from my point of view) problem. I first give the problem in the hope someone can point me in the right direction without reading the full detailed description. I hope someone can help me out on this.
SUMMARY

There is a problem with packets in the FORWARD chain not being processed properly: they are dropped even if they were (supposed to be) part of an already established connection, while packets from/to another host are being processed properly.

DETAILED DESCRIPTION

SITUATION

I have a (remote) VPS that I would like to connect to my local (home) network with VPN. This VPS is a Xen dom0 system intended to run multiple guest systems (domU's). On the VPS I have:

- eth0: this is the internet connection with IP address and route information from DHCP (DHCP from VPS provider)
- xenbr0: this is an openvswitch bridge with IP address from DHCP (from home DNS/DHCP server)
- tap0: openVPN tunnel end-point which connects over eth0 towards my openVPN server at home; this is a port on xenbr0
- multiple vifX.0: these are attached to xenbr0 as port to provide a (virtual) ethernet link towards the guest systems

IP(v4) addresses:

- home network: 10.0.0.0/8, with 10.0.0.1 being the DHCP/DNS server; public IP address eee.fff.ggg.hhh
- VPS eth0: aa.bbb.ccc.ddd (public IP address)
- VPS xenbr0: 10.2.0.1
- DomU (guest system): 10.2.0.12
- desktop: 10.0.0.100 (part of home network)

What I want:

1) from my home network connect to every "machine" (DomU's) on the VPS
2) from the VPS and all guests (DomU's) connect to the home network
3) from the VPS and all guests (DomU's) route internet traffic over eth0
4) from internet do NAT/portforwarding towards DomU

What works:

- everything (except 4) works with empty iptables (INPUT, OUTPUT and FORWARD on ACCEPT)
- VPS itself works fully, able to connect to internet and home network (both ways)
- ssh and ping to DomU from my desktop
- ping between DomU and desktop (both ways)
- DomU receives IP address from DHCP/DNS (at 10.0.0.1; so some sort of traffic is coming through)

What does not work:

DomU connecting to 10.0.0.1 after a few seconds(?); IP address + hostname is received, but doing a `ping 10.0.0.1` anytime later fails, therefore DNS fails as well (that needs the DNS from 10.0.0.1). Strangely enough `ping 10.0.0.100` (to desktop) works. Also ssh or ping from desktop towards domU works (in the local network, over the VPN). In addition to this, NAT (DNAT) seems to work partly: a network packet is forwarded by the VPS to the DomU firewall, but no response comes back from DomU to the desktop. As the services on DomU are working properly, I suspect that these response packets are "stuck" at the VPS.

PROBLEM

On VPS I see a lot of DROP messages like:

    kernel: Shorewall:sfilter:DROP:IN=xenbr0 OUT=xenbr0 MAC=00:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=10.0.0.1 DST=10.2.0.12 LEN=119 TOS=0x00 PREC=0x00 TTL=63 ID=21617 PROTO=UDP SPT=53 DPT=46861 LEN=99

and while executing `ping 10.0.0.1` on DomU:

    kernel: Shorewall:fw-home:ACCEPT:IN= OUT=xenbr0 SRC=10.2.0.1 DST=10.0.0.1 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=42340 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=10.2.0.12 [SRC=10.0.0.1 DST=10.2.0.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35699 PROTO=ICMP TYPE=0 CODE=0 ID=9134 SEQ=3 ]
    kernel: Shorewall:sfilter:DROP:IN=xenbr0 OUT=xenbr0 MAC=00:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=10.0.0.1 DST=10.2.0.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=28115 PROTO=ICMP TYPE=0 CODE=0 ID=7593 SEQ=3

The VPS drops the messages from 10.0.0.1 for 10.2.0.12. It seems that these messages (ping and DNS) are not considered "Established", but treated as new connections. I cannot seem to find a way to tell Shorewall that packets from 10.0.0.1 (or 10.0.0.0/8) designated for 10.2.0.0/16 arriving and leaving xenbr0 are to be "accepted". Also the NAT/portforwarding is not working properly. My first thought is that there is some problem with connection tracking or something.

What I tried:

I tried various config options. Specifying routeback and routefilter for interface xenbr0 got sfilter out of the way, but then the packets would be dropped at the end of the FORWARD chain anyway. Changing the last policy to "all all ACCEPT" made the setup work, but this is not the desired solution as it will open the whole firewall.

Below is my shorewall config; the output of shorewall dump is attached.

/etc/shorewall/interfaces:

    -    xenbr0   detect   dhcp,tcpflags,nosmurfs
    -    eth0     detect   dhcp,tcpflags,nosmurfs

/etc/shorewall/zones:

    fw    firewall
    home  ipv4   -  -  -
    net   ipv4   -  -  -

/etc/shorewall/hosts:

    home  xenbr0:10.0.0.0/8  -
    net   eth0:0.0.0.0/0     -

/etc/shorewall/policy:

    $FW   all   ACCEPT  info
    home  $FW   REJECT  info
    home  home  ACCEPT  info
    all   all   DROP    info

/etc/shorewall/rules:

    ?SECTION NEW
    ACCEPT       home  $FW             tcp  22
    Ping/ACCEPT  home  $FW
    Ping/DROP    net   $FW
    ACCEPT       net   $FW             tcp  22
    DNAT         net   home:10.2.0.12  tcp  25
    DNAT         net   home:10.2.0.12  tcp  993

/etc/shorewall/snat:

    SNAT(detect)  10.0.0.0/8  eth0

/etc/shorewall/conntrack:

    ?FORMAT 3
    CT:notrack:PO  -  127.0.0.0/8

shorewall.conf:

    ACCOUNTING=No
    IP_FORWARDING=Yes
    MACLIST_DISPOSITION=DROP
    MACLIST_TTL=
    ROUTE_FILTER=No
    STARTUP_ENABLED=Yes
    VERBOSITY=1
    LOGFILE=systemd
    EXPAND_POLICIES=Yes

$ ip route

    default via aaa.bbb.ccc.1 dev eth0 proto dhcp
    10.0.0.0/8 dev xenbr0 proto kernel scope link src 10.2.0.1
    aaa.bbb.ccc.0/24 dev eth0 proto kernel scope link src aaa.bbb.ccc.ddd
Attachment: shorewall_dump.txt.gz (application/gzip)
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
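An added illustration, not part of the original post or of Shorewall itself: a small Python parser for the Shorewall kernel log format quoted above that aggregates DROP lines and flags the ones where IN and OUT are the same interface (the IN=xenbr0 OUT=xenbr0 pattern the poster sees from the sfilter chain), so they can be told apart from ordinary drops when reading a long log. The sample lines are constructed from the post's format (MAC fields shortened, the ICMP redirect's inner packet omitted, and one made-up drop on eth0 for contrast).

```python
import re

# Constructed sample lines modelled on the Shorewall log format quoted in the post
# (MAC shortened, inner packet of the ICMP redirect omitted; these are not real captures).
SAMPLE_LOG = """\
kernel: Shorewall:sfilter:DROP:IN=xenbr0 OUT=xenbr0 MAC=00:XX:XX:XX:XX:XX SRC=10.0.0.1 DST=10.2.0.12 LEN=119 TOS=0x00 PREC=0x00 TTL=63 ID=21617 PROTO=UDP SPT=53 DPT=46861 LEN=99
kernel: Shorewall:fw-home:ACCEPT:IN= OUT=xenbr0 SRC=10.2.0.1 DST=10.0.0.1 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=42340 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=10.2.0.12
kernel: Shorewall:sfilter:DROP:IN=xenbr0 OUT=xenbr0 MAC=00:XX:XX:XX:XX:XX SRC=10.0.0.1 DST=10.2.0.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=28115 PROTO=ICMP TYPE=0 CODE=0 ID=7593 SEQ=3
kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:XX:XX:XX:XX:XX SRC=198.51.100.9 DST=10.2.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=TCP SPT=40000 DPT=23
"""

# "Shorewall:<chain>:<disposition>:" followed by KEY=value fields (netfilter LOG format).
HEADER = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)")
FIELD = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")


def parse_line(line):
    """Return {chain, disposition, KEY: value, ...} or None for non-Shorewall lines.

    Keys that repeat (LEN, ID) keep their first value, i.e. the IP header's, not the payload's.
    """
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for f in FIELD.finditer(m.group("fields")):
        rec.setdefault(f.group("key"), f.group("val"))
    return rec


def is_hairpin(rec):
    """True when the packet entered and would leave on the same interface (IN == OUT),
    the pattern of the IN=xenbr0 OUT=xenbr0 sfilter drops quoted in the post."""
    return bool(rec.get("IN")) and rec.get("IN") == rec.get("OUT")


def drop_summary(log_text):
    """Aggregate DROP lines into (chain, IN, OUT, PROTO, SRC, DST, hairpin) -> count."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["disposition"] != "DROP":
            continue
        key = (rec["chain"], rec.get("IN", ""), rec.get("OUT", ""),
               rec.get("PROTO", ""), rec.get("SRC", ""), rec.get("DST", ""), is_hairpin(rec))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(drop_summary(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        chain, inif, outif, proto, src, dst, hairpin = key
        tag = "HAIRPIN" if hairpin else "       "
        print(f"{n:3d}  {tag}  {chain:<8} {inif or '-':>7} -> {outif or '-':<7} {proto:<5} {src} -> {dst}")
```

Feed it `journalctl -k` output (the post has LOGFILE=systemd) to see whether the remaining drops are all same-interface traffic on xenbr0 or whether other chains are involved.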