[Lxc-users] shorewall restart breaks container routing

Nelson Pascoal nelsonp at pressercore.com
Mon Oct 8 06:48:46 UTC 2012


Just an update on my testing so far. If I specify iptables rules directly on the host, it seems to work fine. So obviously some rule that Shorewall is setting up is blocking things. Nothing seems to show up in the logs as being blocked, though. Has anyone done this kind of setup before? Help? :)

----- Original Message -----
From: "Nelson Pascoal" <nelsonp at pressercore.com>
To: lxc-users at lists.sourceforge.net
Sent: Monday, October 8, 2012 6:59:29 AM
Subject: shorewall restart breaks container routing


Hi 

I am experimenting with Ubuntu 12.04.1 LTS, apt-installed lxc 0.7.5 and shorewall 4.5.8.1 installed from packages on the shorewall site.

Shorewall is installed on the container and the lxc host. The lxc container is also Ubuntu 12.04.1, installed using lxc-create. 

Shorewall on the container works perfectly and I have no problems there. However, as soon as I start up the Shorewall firewall on the host, routing on the containers breaks. Even stopping Shorewall and running "shorewall clean" does not restore connectivity to the containers (rebooting the host works, and I haven't configured shorewall on the host to auto-start yet). I am using the two-interface sample files from the Shorewall installation sources.

Sample of the interfaces file: 
FORMAT 2 
############################################################################### 
#ZONE INTERFACE OPTIONS 
net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0 
loc lxcbr0 routeback,bridge,tcpflags,nosmurfs,logmartians 

Sample of the policy file: 
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST 

loc net ACCEPT 
fw net ACCEPT 
net all DROP info 
# THE FOLLOWING POLICY MUST BE LAST 
all all REJECT info 

Sample of the rules file: 
#ACTION     SOURCE   DEST   PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
#                                  PORT     PORT(S)  DEST      LIMIT  GROUP
#SECTION ALL 
#SECTION ESTABLISHED 
#SECTION RELATED 
SECTION NEW 

# Don't allow connection pickup from the net 
# 
Invalid(DROP) net all tcp 
# 
# Accept DNS connections from the firewall to the network 
# 
DNS(ACCEPT) $FW net 
DNS(ACCEPT) loc $FW 
# 
# Accept SSH connections from the local network for administration 
# 
#SSH(ACCEPT) loc $FW 
SSH(ACCEPT) net $FW 
# 
# Allow Ping from the local network 
# 
Ping(ACCEPT) loc $FW 

# 
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded.. 
# 

Ping(DROP) net $FW 

ACCEPT loc $FW udp 67 
ACCEPT loc $FW udp 68 
ACCEPT $FW loc udp 67 
ACCEPT $FW loc udp 68 

ACCEPT $FW loc icmp 
ACCEPT $FW net icmp 
# 

Regards 
Nelson Pascoal 
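Added example (not from Nelson's post): a small shell check that tells you whether the MASQUERADE rule lxc-net installs for lxcbr0 is still in the nat table once Shorewall has been started on the host. It assumes the Ubuntu default subnet 10.0.3.0/24 for lxcbr0, and that this rule, which Shorewall rebuilds the nat table without and the posted config does not replace, is what breaks container routing; the iptables-save dumps below are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Assumption: on Ubuntu 12.04
# the lxc-net job gives lxcbr0 the subnet 10.0.3.0/24 and installs a
# MASQUERADE rule for it in the nat table; starting (or clearing) Shorewall
# rebuilds that table from Shorewall's own files, and the posted config has
# no masq entry for lxcbr0, so the rule would be gone afterwards.

# Constructed sample: `iptables-save -t nat` on a fresh host, before Shorewall.
BEFORE_SHOREWALL='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT'

# Constructed sample: the same table after `shorewall start` with the posted
# interfaces/policy/rules files (no masq file), so the lxc-net rule is absent.
AFTER_SHOREWALL='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# has_lxc_masq DUMP SUBNET: succeed (0) when DUMP contains a POSTROUTING
# MASQUERADE rule whose source is SUBNET, fail (1) otherwise.
has_lxc_masq() {
    printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING -s $2 .*-j MASQUERADE"
}

# lxc_masq_status DUMP SUBNET: one-line verdict suitable for a health check.
lxc_masq_status() {
    if has_lxc_masq "$1" "$2"; then
        echo "MASQUERADE for $2 present: container traffic can leave the host"
    else
        echo "MASQUERADE for $2 MISSING: add it to /etc/shorewall/masq"
    fi
}

# On a live host you would pass real output instead of the samples:
#   lxc_masq_status "$(iptables-save -t nat)" 10.0.3.0/24
lxc_masq_status "$BEFORE_SHOREWALL" 10.0.3.0/24
lxc_masq_status "$AFTER_SHOREWALL"  10.0.3.0/24
```

With Shorewall 4.5 the equivalent of the lxc-net rule is a line of the form "eth0 10.0.3.0/24" in /etc/shorewall/masq (again assuming the default LXC subnet), so that Shorewall installs it itself on every start.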
