[Lxc-users] shorewall restart breaks container routing
Nelson Pascoal
nelsonp at pressercore.com
Mon Oct 8 06:48:46 UTC 2012
Just an update on my testing so far. If I specify iptable rules directly on the host it seems to work fine. So obviously some rule that Shorewall is setting up that is blocking things. Nothing seems to show up on the logs as being blocked though. Has anyone done this kind of setup before? Help? :)
----- Original Message -----
From: "Nelson Pascoal" <nelsonp at pressercore.com>
To: lxc-users at lists.sourceforge.net
Sent: Monday, October 8, 2012 6:59:29 AM
Subject: shorewall restart breaks container routing
Hi
I am experimenting with Ubuntu 12.04.1 LTS, apt installed lxc 0.7.5 and shorewall 4.5.8.1 installed from packages on the shorewall site.
Shorewall is installed on the container and the lxc host. The lxc container is also Ubuntu 12.04.1, installed using lxc-create.
Shorewall on the container works perfectly and I have no problems there. However, as soon as I start up the Shorewall firewall on the host, routing on the containers breaks. Even stopping Shorewall and running "shorewall clean" does not restore connectivity to the containers (rebooting the host works, and I haven't configured shorewall on the host to auto start yet). I am using the two interface sample files from the Shorewall installation sources.
Sample of the interfaces file:
FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc lxcbr0 routeback,bridge,tcpflags,nosmurfs,logmartians
Sample of the policy file:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
fw net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
Sample of the rules file:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# Don't allow connection pickup from the net
#
Invalid(DROP) net all tcp
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT) $FW net
DNS(ACCEPT) loc $FW
#
# Accept SSH connections from the local network for administration
#
#SSH(ACCEPT) loc $FW
SSH(ACCEPT) net $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT) loc $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP) net $FW
ACCEPT loc $FW udp 67
ACCEPT loc $FW udp 68
ACCEPT $FW loc udp 67
ACCEPT $FW loc udp 68
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
Regards
Nelson Pascoal
More information about the lxc-users
mailing list