On 4/25/2021 10:51 PM, Martijn Goedhart wrote:
> Hello everyone,
> 
> I hope someone can help me with a rather weird (from my point of view)
> problem. I first give the problem in the hope someone can point me in
> the right direction without reading the full detailed description. I
> hope someone can help me out on this.
> 
> SUMMARY
> There is a problem with packages in the FORWARD chain not being
> processed properly (they are dropped even if they were (supposed to be)
> part of an already established connection), while packages from/to
> another host are being processed properly.
> 
> DETAILED DESCRIPTION
> SITUATION
> I have a (remote) VPS that I would like to connect to my local (home)
> network with VPN. This VPS is a Xen dom0 system intended to run multiple
> guest systems (domU's).
> On the VPS I have:
>  - eth0: this is the internet connection with ip address and route
> information from DHCP (DHCP from VPS provider)
>  - xenbr0: this is an openvswitch bridge with ip address from DHCP
> (from home DNS/DHCP server)
>  - tap0: openVPN tunnel end-point which connects over eth0 towards my
> openVPN server at home; this is a port on xenbr0
>  - multiple vifX.0: these are attached to xenbr0 as port to provide a
> (virtual) ethernet link towards the guest systems
> 
> IP(v4) addresses:
>  - home network: 10.0.0.0/8, with 10.0.0.1 being the DHCP/DNS server;
> public ip address eee.fff.ggg.hhh
>  - VPS eth0: aa.bbb.ccc.ddd (public ip address)
>  - VPS xenbr0: 10.2.0.1
>  - DomU (guest system): 10.2.0.12
>  - desktop: 10.0.0.100 (part of home network)
> 
> What I want:
>  1) from my home network connect to every "machine" (DomU's) on the VPS
>  2) from the VPS and all guests(DomU's) connect to the home network
>  3) from the VPS and all guests(DomU's) route internet traffic over eth0
>  4) from internet do NAT/portforwarding towards DomU
> 
> what works:
>  - everything (except 4) works with empty iptables (INPUT, OUTPUT and
> FORWARD on ACCEPT)
>  - VPS itself works fully, able to connect to internet and home
> network (both ways)
>  - ssh and ping to DomU from my desktop
>  - ping between DomU and desktop (both ways)
>  - DomU receives ip address from DHCP/DNS (at 10.0.0.1; so some sort
> of traffic is coming through)
> 
> what does not work:
> DomU connecting to 10.0.0.1 after a few seconds(?); IP address +
> hostname is received but doing a `ping 10.0.0.1` anytime later fails,
> therefore DNS fails as well (that needs the DNS from 10.0.0.1). Strange
> enough `ping 10.0.0.100` (to desktop) works. Also ssh or ping from
> desktop towards domU works (in the local network, over the VPN). In
> addition to this, NAT (DNAT) seems to work partly, a network package
> is forwarded by VPS to DomU firewall, but no response comes back from
> DomU to desktop, as the services on DomU are working properly, I
> suspect that these response packages are "stuck" at VPS.
> 
> PROBLEM
> On VPS I see a lot of DROP messages like:
> kernel: Shorewall:sfilter:DROP:IN=xenbr0 OUT=xenbr0 MAC=00:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=10.0.0.1 DST=10.2.0.12 LEN=119 TOS=0x00 PREC=0x00 TTL=63 ID=21617 PROTO=UDP SPT=53 DPT=46861 LEN=99
> and while executing `ping 10.0.0.1` on DomU:
> kernel: Shorewall:fw-home:ACCEPT:IN= OUT=xenbr0 SRC=10.2.0.1 DST=10.0.0.1 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=42340 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=10.2.0.12 [SRC=10.0.0.1 DST=10.2.0.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35699 PROTO=ICMP TYPE=0 CODE=0 ID=9134 SEQ=3 ]
> kernel: Shorewall:sfilter:DROP:IN=xenbr0 OUT=xenbr0 MAC=00:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=10.0.0.1 DST=10.2.0.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=28115 PROTO=ICMP TYPE=0 CODE=0 ID=7593 SEQ=3
> 
> The VPS drops the messages from 10.0.0.1 for 10.2.0.12. It seems that
> these messages (ping and DNS) are not considered "Established", but
> treated as new connections. I can not seem to find a way to tell
> Shorewall that packages from 10.0.0.1 (or 10.0.0.0/8) designated for
> 10.2.0.0/16 arriving and leaving xenbr0 are to be "accepted". Also the
> NAT/portforwarding is not working properly. My first thought is that
> there is some problem with connection tracking or something.
> 
> What I tried:
> I tried various config options. Specifying routeback and routefilter
> for interface xenbr0 got sfilter out of the way, but then the packages
> would be dropped at the end of the FORWARD chain anyway. Changing the
> last policy to "all all ACCEPT" made the setup work, but this is not
> the desired solution as it will open the whole firewall.
> 
> Below is my shorewall config and the output of shorewall dump is attached.
> 
> /etc/shorewall/interfaces:
> - xenbr0 detect dhcp,tcpflags,nosmurfs
> - eth0 detect dhcp,tcpflags,nosmurfs
> 
> /etc/shorewall/zones:
> fw firewall
> home ipv4 - - -
> net ipv4 - - -
> 
> /etc/shorewall/hosts:
> home xenbr0:10.0.0.0/8 -
> net eth0:0.0.0.0/0 -
> 
> /etc/shorewall/policy:
> $FW all ACCEPT info
> home $FW REJECT info
> home home ACCEPT info
> all all DROP info
> 
> /etc/shorewall/rules:
> ?SECTION NEW
> ACCEPT home $FW tcp 22
> Ping/ACCEPT home $FW
> Ping/DROP net $FW
> ACCEPT net $FW tcp 22
> DNAT net home:10.2.0.12 tcp 25
> DNAT net home:10.2.0.12 tcp 993
> 
> /etc/shorewall/snat:
> SNAT(detect) 10.0.0.0/8 eth0
> 
> /etc/shorewall/conntrack:
> ?FORMAT 3
> CT:notrack:PO - 127.0.0.0/8
> 
> shorewall.conf:
> ACCOUNTING=No
> IP_FORWARDING=Yes
> MACLIST_DISPOSITION=DROP
> MACLIST_TTL=
> ROUTE_FILTER=No
> STARTUP_ENABLED=Yes
> VERBOSITY=1
> LOGFILE=systemd
> EXPAND_POLICIES=Yes
> 
> $ip route
> default via aaa.bbb.ccc.1 dev eth0 proto dhcp
> 10.0.0.0/8 dev xenbr0 proto kernel scope link src 10.2.0.1
> aaa.bbb.ccc.0/24 dev eth0 proto kernel scope link src aaa.bbb.ccc.ddd
> 

For connection issues, we would need a dump collected as described at (1).

If you cannot send the dump publicly, please do so when requested.


1)  https://shorewall.org/support.htm#Guidelines

-- 
Matt Darfeuille <m...@shorewall.org>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
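The three kernel log lines quoted in the post carry most of the diagnostic information: each one names the Shorewall chain, the disposition, the in/out interfaces and the addresses, and the ICMP line even embeds the dropped reply inside the square brackets. The following is an added example, not code from the post or from the Shorewall project: a small Python parser for that log format, run over the quoted lines (embedded below as constructed sample input), that tallies drops per chain and flags "hairpin" drops where the packet entered and was to leave on the same interface (IN=xenbr0 OUT=xenbr0), which is exactly the pattern the sfilter chain reports here. The only assumption is the log layout shown in the post; the ICMP type/code names are the standard IANA ones.

```python
import re
from collections import Counter

# Constructed sample input: the three kernel lines quoted in the mailing-list
# post, each rejoined onto a single line (MAC masked as in the post).
SAMPLE_LOG = """\
kernel: Shorewall:sfilter:DROP:IN=xenbr0 OUT=xenbr0 MAC=00:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=10.0.0.1 DST=10.2.0.12 LEN=119 TOS=0x00 PREC=0x00 TTL=63 ID=21617 PROTO=UDP SPT=53 DPT=46861 LEN=99
kernel: Shorewall:fw-home:ACCEPT:IN= OUT=xenbr0 SRC=10.2.0.1 DST=10.0.0.1 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=42340 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=10.2.0.12 [SRC=10.0.0.1 DST=10.2.0.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35699 PROTO=ICMP TYPE=0 CODE=0 ID=9134 SEQ=3 ]
kernel: Shorewall:sfilter:DROP:IN=xenbr0 OUT=xenbr0 MAC=00:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=10.0.0.1 DST=10.2.0.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=28115 PROTO=ICMP TYPE=0 CODE=0 ID=7593 SEQ=3
"""

# "Shorewall:<chain>:<disposition>:<key=value fields...>"
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")   # \S* so that "IN=" (empty) still parses

# Standard ICMP type/code names, used only to label what the log shows.
ICMP_NAMES = {("0", "0"): "Echo Reply", ("8", "0"): "Echo Request",
              ("5", "1"): "Redirect (host)", ("5", "0"): "Redirect (network)"}


def _kv(text):
    """Parse 'K=V K=V ...' into a dict; the first occurrence of a key wins,
    so the IP-header LEN precedes the UDP payload LEN on the same line."""
    fields = {}
    for key, value in KV_RE.findall(text):
        fields.setdefault(key, value)
    return fields


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one.
    An ICMP error line embeds the offending packet in [...]; that inner
    packet is parsed separately under the 'inner' key."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    inner = None
    if "[" in rest:
        rest, inner_text = rest.split("[", 1)
        inner = _kv(inner_text.rstrip(" ]"))
    rec = {"chain": m.group("chain"), "action": m.group("action"), **_kv(rest)}
    if inner is not None:
        rec["inner"] = inner
    if rec.get("PROTO") == "ICMP":
        rec["icmp"] = ICMP_NAMES.get((rec.get("TYPE"), rec.get("CODE")), "other")
    return rec


def parse_log(log_text):
    """All parseable records from a block of log text."""
    return [r for r in map(parse_line, log_text.splitlines()) if r]


def hairpin_drops(records):
    """Drops where the packet came in and was to go out on the same interface.
    With a bridge like xenbr0 this is what the sfilter chain reports when the
    interface is not declared as routing traffic back out of itself."""
    return [r for r in records
            if r["action"] == "DROP" and r.get("IN") and r["IN"] == r.get("OUT")]


def summarize(records):
    """Count (chain, disposition, SRC, DST) tuples so repeated drops stand out."""
    return Counter((r["chain"], r["action"], r["SRC"], r["DST"]) for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in summarize(recs).items():
        print(n, *key)
    for r in hairpin_drops(recs):
        print("hairpin drop:", r["chain"], r["IN"], "->", r["OUT"],
              r["SRC"], "->", r["DST"], r["PROTO"], r.get("icmp", ""))
    # With the sample above this reports 2 hairpin drops in chain sfilter.
```

Reading the parsed records side by side is what makes the picture clear: the two sfilter drops are replies (a DNS answer from port 53 and an ICMP Echo Reply) from 10.0.0.1 to 10.2.0.12 that enter and leave on xenbr0, and the accepted line is the VPS itself emitting an ICMP Redirect (type 5, code 1) to 10.0.0.1 with one of those dropped replies embedded in it. Handling traffic that goes back out the interface it arrived on is what the `routeback` interface option in Shorewall's interfaces file is for, which the poster already tried; the parser is useful either way for confirming, from a larger log, that every remaining drop is of this same hairpin shape rather than something else.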


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
