
Bug#631234: OpenVZ firewall issue



Package: linux-image-openvz-686
Version: 2.6.32+29

I have one Dell server, running Debian 6 with only one network port
connected to my test LAN (eth0), and two test containers, also running
Debian 6. On those containers I have installed Shorewall 4.4.11.6 from
the Debian repositories and configured it as described in the attached
files. The physical server doesn't have Shorewall installed. This is a
clean install; the only modifications I made from the base install were
installing the OpenVZ kernel and userland utilities. I have tested these
same configuration files on a VMware virtual machine and it worked
without any problems.

Now for the problem:

Whenever I enable shorewall (shorewall safe-start or boot), it allows
SSH and MySQL from the LAN, but it's impossible to access anything from
within the container to the outside world. Simply disabling shorewall,
or setting ALLOW in the net section of /etc/shorewall/policy resolves
the problem. I have tested this by using PING and SSH to the IP
addresses of other machines on the LAN, the other OpenVZ container and
the physical server.

--

I've reported this issue on the Shorewall mailing list and received the
following response from Tom Eastep:

I looked at this exact same problem with another user recently. The
problem is that the OpenVZ kernel is mis-categorizing incoming
packets.

Look at this:

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  585 45057 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
  585 45057 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    9   790 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Not one packet has matched the 'ctstate RELATED,ESTABLISHED' rule.
Incoming SSH works, but all outgoing connections fail because the
response packets are dropped.

I took a quick look at the Debian Bugtrack system and didn't see any
reports against the kernel package you are using but I would have
thought that the user I tried to help earlier would have filed a report
so you might want to poke around there.

Attachment: shorewall.tar.gz
Description: application/gzip
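The diagnostic Tom Eastep applied above (reading the packet counters on the net2fw chain and noticing that the RELATED,ESTABLISHED rule never matches) can be scripted so that a container's conntrack behaviour is checked in one step. The script below is an added example written for this page; it is not part of the bug report, of Shorewall, or of the OpenVZ kernel. It reads `iptables -vnL <chain>` output on stdin, extracts the packet counter of the first rule carrying a `ctstate RELATED,ESTABLISHED` match, and reports whether reply traffic is being tracked. The first embedded sample is the net2fw listing quoted in the report; the second is a constructed "healthy" listing whose counters are invented for illustration. The chain name net2fw and the live-usage command sequence in the comment are assumptions about the reporter's setup.

```shell
#!/bin/sh
# Added example (not from the bug report, Shorewall or OpenVZ): detect a
# conntrack failure by checking whether the ctstate RELATED,ESTABLISHED
# rule of a Shorewall chain has matched any packets.

# Print the packet counter (column 1 of `iptables -vnL` output) of the
# first rule with a ctstate RELATED,ESTABLISHED match; "-1" if none exists.
ctstate_pkts() {
    awk '/ctstate RELATED,ESTABLISHED/ { print $1; found = 1; exit }
         END { if (!found) print "-1" }'
}

# Read a chain listing on stdin and classify the conntrack state:
#   exit 0 -> reply packets are being tracked (counter > 0)
#   exit 1 -> counter is 0: the symptom described in this report
#   exit 2 -> no ctstate RELATED,ESTABLISHED rule in the listing
check_conntrack() {
    pkts=$(ctstate_pkts)
    case "$pkts" in
        -1) echo "no ctstate RELATED,ESTABLISHED rule found"; return 2 ;;
        0)  echo "ctstate rule matched 0 packets: conntrack is not tracking reply traffic"; return 1 ;;
        *)  echo "ctstate rule matched $pkts packets: conntrack is working"; return 0 ;;
    esac
}

# Constructed sample 1: the net2fw listing quoted in the report above.
SAMPLE_BROKEN='Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  585 45057 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
  585 45057 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    9   790 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample 2: a healthy chain; the counters are invented.
SAMPLE_OK='Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
  118  8800 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
    2   200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22'

# Live use inside the container (as root, chain name assumed to be net2fw):
#   iptables -Z net2fw; ping -c 3 <lan-host>; iptables -vnL net2fw | check_conntrack
if [ "${1:-}" = "--self-test" ]; then
    printf '%s\n' "$SAMPLE_BROKEN" | check_conntrack
    printf '%s\n' "$SAMPLE_OK" | check_conntrack
fi
```

Run it with `--self-test` to see both classifications; on a live container, zero the counters first (`iptables -Z`) and generate a single outbound connection, so that a non-zero counter can only come from reply packets of that connection rather than from earlier inbound SSH traffic.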
