Package: linux-image-openvz-686
Version: 2.6.32+29

I have one Dell server, running Debian 6 with only one network port connected to my test LAN (eth0), and two test containers, also running Debian 6. On those containers I have installed Shorewall 4.4.11.6 from the Debian repositories and configured it as described in the attached files. The physical server doesn't have Shorewall installed. This is a clean install; the only modifications I made from the base install were installing the OpenVZ kernel and userland utilities. I have tested these same configuration files on a VMware virtual machine and it worked without any problems.

Now for the problem: whenever I enable Shorewall (shorewall safe-start or boot), it allows SSH and MySQL from the LAN, but it's impossible to access anything from within the container to the outside world. Simply disabling Shorewall, or setting ALLOW in the net section of /etc/shorewall/policy, resolves the problem. I have tested this by using PING and SSH to the IP addresses of other machines on the LAN, the other OpenVZ container and the physical server.

--

I've reported this issue on the Shorewall mailing list and received the following response from Tom Eastep:

I looked at this exact same problem with another user recently. The problem is that the OpenVZ kernel is mis-categorizing incoming packets. Look at this:

Chain net2fw (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     585    45057 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
     585    45057 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       9      790 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Not one packet has matched the 'ctstate RELATED,ESTABLISHED' rule. Incoming SSH works but all outgoing connections fail because the response packets are dropped.
I took a quick look at the Debian Bugtrack system and didn't see any reports against the kernel package you are using but I would have thought that the user I tried to help earlier would have filed a report so you might want to poke around there.
Attachment: shorewall.tar.gz (application/gzip)
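The test Tom Eastep applies by eye (a ctstate RELATED,ESTABLISHED rule with zero matches while the rest of the chain is seeing traffic) can be scripted so it is repeatable on a container. The following POSIX shell/awk script is an added example and is not part of the bug report, of the OpenVZ kernel package, or of Shorewall. It reads an `iptables -vnxL <chain>` listing on stdin and prints a verdict; the function names are my own, the first sample listing is the one quoted in the report, and the "healthy" listing is constructed with made-up counters to show the contrast.

```shell
#!/bin/sh
# Added diagnostic, not part of the bug report or Shorewall.
# conntrack_verdict: read an `iptables -vnxL <chain>` listing on stdin and print
#   OK       the ctstate RELATED,ESTABLISHED rule has matched packets
#   BROKEN   the chain saw traffic but the conntrack rule never matched, which
#            is the symptom described above: replies to outbound connections
#            fall through to the final DROP
#   NO-RULE  the chain contains no ctstate RELATED,ESTABLISHED rule
# Use -x on the live box so counters are exact integers, not "12K"/"3M".
conntrack_verdict() {
    awk '
        /^Chain / || $1 == "pkts" { next }   # skip chain header and column header
        NF < 9 { next }                       # skip blank or truncated lines
        { total += $1 }                       # any packet counted by any rule
        /ctstate RELATED,ESTABLISHED/ { found = 1; ct += $1 }
        END {
            if (!found)                    print "NO-RULE"
            else if (ct == 0 && total > 0) print "BROKEN"
            else                           print "OK"
        }'
}

# Listing as quoted from the OpenVZ container in the report above.
broken_listing() {
cat <<'EOF'
Chain net2fw (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     585    45057 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
     585    45057 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       9      790 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Constructed listing (made-up counters) of a host where conntrack works:
# the RELATED,ESTABLISHED rule is the one absorbing most of the traffic.
healthy_listing() {
cat <<'EOF'
Chain net2fw (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     612    47210 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
     430    39880 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
     182     7330 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       3      200 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Live use inside the container (as root):  iptables -vnxL net2fw | conntrack_verdict
echo "reported container: $(broken_listing | conntrack_verdict)"
echo "healthy host:       $(healthy_listing | conntrack_verdict)"
```

Run it against the net2fw chain right after making an outbound connection attempt from the container: a BROKEN verdict means the kernel's connection tracking is not recognising reply packets, so loosening the net policy only masks the fault rather than fixing it.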