Bug#631234: OpenVZ firewall issue
forwarded 631234 http://bugzilla.openvz.org/show_bug.cgi?id=1939
thanks
Hi Martin
Thanks a lot for the report. I have now forwarded this upstream
as you can see in http://bugzilla.openvz.org/show_bug.cgi?id=1939.
However, I have a question for you about the HW configuration so we
know more about when this happens. You write that this is a Dell server
but that could be a lot of things. I would like to know more about
the CPU used. i386, amd64 or something else.
Best regards,
// Ola
On Tue, Jun 21, 2011 at 09:08:49PM +0100, Martin wrote:
> Package: linux-image-openvz-686
> Version: 2.6.32+29
>
> I have one Dell server, running Debian 6 with only one network port
> connected to my test LAN (eth0), and two test containers, also running
> Debian 6. On those containers I have installed Shorewall 4.4.11.6 from
> the Debian repositories and configured it as described in the attached
> files. The physical server doesn't have Shorewall installed. This is a
> clean install, the only modifications I made from the base install was
> installing the OpenVZ kernel and userland utilities. I have tested these
> same configuration files on a VMware virtual machine and it worked
> without any problems.
>
> Now for the problem:
>
> Whenever I enable shorewall (shorewall safe-start or boot), it allows
> SSH and MySQL from the LAN, but it's impossible to access anything from
> within the container to the outside world. Simply disabling shorewall,
> or setting ALLOW in the net section of /etc/shorewall/policy resolves
> the problem. I have tested this by using PING and SSH to the IP
> addresses of other machines on the LAN, the other OpenVZ container and
> the physical server.
>
> --
>
> I've reported this issue on the Shorewall mailing list and received the
> following response from Tom Eastep
>
> I looked at this exact same problem with another user recently. The
> problem is that the OpenVZ kernel is mis-categorizing incoming
> packets.
>
> Look at this:
>
> Chain net2fw (1 references)
> pkts bytes target prot opt in out source destination
> 585 45057 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> 585 45057 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
> 9 790 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Not one packet has matched the 'ctstate RELATED,ESTABLISHED' rule.
> Incoming SSH works but all outgoing connections fail because the
> response packets are dropped.
>
> I took a quick look at the Debian Bugtrack system and didn't see any
> reports against the kernel package you are using but I would have
> thought that the user I tried to help earlier would have filed a report
> so you might want to poke around there.
>
--
--------------------- Ola Lundqvist ---------------------------
/ opal@debian.org Annebergsslingan 37 \
| ola@inguza.com 654 65 KARLSTAD |
| http://inguza.com/ +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
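The diagnosis above rests on one observation: the RELATED,ESTABLISHED rule in net2fw has a zero packet counter while neighbouring rules in the same chain have seen traffic, which means connection tracking is not classifying the return packets. The following shell function turns that observation into a repeatable check. It is an added example and not part of the bug report, Shorewall, or the OpenVZ kernel package; it assumes the `iptables -v -n -x -L CHAIN` listing format (pkts and bytes in the first two columns, as in the quoted output), and the sample text it parses is constructed here from the counters Tom Eastep quoted.

```shell
#!/bin/sh
# Constructed sample (not captured live): the net2fw counters quoted in the report.
# The conntrack rule has 0 packets while dpt:22 and the Drop rule have traffic.
SUSPECT_CHAIN='Chain net2fw (1 references)
 pkts bytes target prot opt in out source destination
  585 45057 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
  585 45057 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    9   790 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0'

# Constructed sample of a healthy host: reply packets are matched by conntrack.
HEALTHY_CHAIN='Chain net2fw (1 references)
 pkts bytes target prot opt in out source destination
 1204 98011 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
   17  1020 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    3   180 Drop all -- * * 0.0.0.0/0 0.0.0.0/0'

# conntrack_rule_hits CHAIN_LISTING
# Classifies a chain listing by its RELATED,ESTABLISHED packet counters:
#   ok      - at least one packet matched a RELATED,ESTABLISHED rule
#   suspect - such rules exist with zero hits while other rules saw traffic
#             (the symptom described in the report: conntrack not classifying)
#   idle    - such rules exist but the whole chain has seen no traffic yet
#   none    - the chain has no RELATED,ESTABLISHED rule at all
conntrack_rule_hits() {
    printf '%s\n' "$1" | awk '
        /RELATED,ESTABLISHED/ { found = 1; ct += $1; next }
        $1 ~ /^[0-9]+$/       { other += $1 }   # skip "Chain ..." and header lines
        END {
            if (!found)        print "none"
            else if (ct > 0)   print "ok"
            else if (other > 0) print "suspect"
            else               print "idle"
        }'
}

# check_live_chain CHAIN
# Runs the same classification against the running firewall (needs root).
# -x prints exact counters so awk never sees K/M suffixes.
check_live_chain() {
    conntrack_rule_hits "$(iptables -v -n -x -L "$1")"
}

# Stand-alone demonstration on the two constructed samples.
printf 'report sample: %s\n' "$(conntrack_rule_hits "$SUSPECT_CHAIN")"   # suspect
printf 'healthy sample: %s\n' "$(conntrack_rule_hits "$HEALTHY_CHAIN")"  # ok
```

Inside a container that shows "suspect" for its input chain after some outbound traffic has been generated, the firewall rules themselves are fine; the thing to investigate is whether the kernel's connection tracking is operating for that container, which is the conclusion the Shorewall maintainer reached in the quoted reply.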