Old 06-21-2011, 08:08 PM
Martin
 
Bug#631234: OpenVZ firewall issue

Package: linux-image-openvz-686
Version: 2.6.32+29

I have one Dell server, running Debian 6 with only one network port
connected to my test LAN (eth0), and two test containers, also running
Debian 6. On those containers I have installed Shorewall 4.4.11.6 from
the Debian repositories and configured it as described in the attached
files. The physical server doesn't have Shorewall installed. This is a
clean install; the only modifications I made from the base install were
installing the OpenVZ kernel and userland utilities. I have tested these
same configuration files on a VMware virtual machine and it worked
without any problems.

Now for the problem:

Whenever I enable shorewall (shorewall safe-start or boot), it allows
SSH and MySQL from the LAN, but it's impossible to access anything from
within the container to the outside world. Simply disabling shorewall,
or setting ALLOW in the net section of /etc/shorewall/policy resolves
the problem. I have tested this by using PING and SSH to the IP
addresses of other machines on the LAN, the other OpenVZ container and
the physical server.

--

I've reported this issue on the Shorewall mailing list and received the
following response from Tom Eastep:

I looked at this exact same problem with another user recently. The
problem is that the OpenVZ kernel is mis-categorizing incoming
packets.

Look at this:

Chain net2fw (1 references)
 pkts bytes target   prot opt in  out source    destination
  585 45057 tcpflags tcp  --  *   *   0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT   all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctstate RELATED,ESTABLISHED
  585 45057 ACCEPT   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp dpt:22
    0     0 ACCEPT   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp dpt:80
    9   790 Drop     all  --  *   *   0.0.0.0/0 0.0.0.0/0
    0     0 DROP     all  --  *   *   0.0.0.0/0 0.0.0.0/0

Not one packet has matched the 'ctstate RELATED,ESTABLISHED' rule.
Incoming SSH works, but all outgoing connections fail because the
response packets are dropped.

I took a quick look at the Debian Bugtrack system and didn't see any
reports against the kernel package you are using but I would have
thought that the user I tried to help earlier would have filed a report
so you might want to poke around there.
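The diagnosis above rests on one observation: the ACCEPT rule for new inbound SSH connections has a packet count, while the ctstate RELATED,ESTABLISHED rule that should catch the replies to the container's own outbound connections has never matched. The following POSIX shell check reproduces that reading of the counters. It is an added example and is not part of the bug report, of Shorewall or of OpenVZ; the function names conntrack_check and report, the extra "inconclusive" status and the counters in the healthy sample are assumptions made for the illustration. The broken sample is the net2fw listing quoted above, in the column layout printed by "iptables -L <chain> -v -n -x".

```shell
#!/bin/sh
# Added example: detect a Shorewall zone chain whose
# "ctstate RELATED,ESTABLISHED" rule never matches although rules for new
# inbound connections do (the symptom described in Bug#631234).

# Constructed sample: the net2fw counters quoted in the report.
BROKEN_NET2FW='Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
585 45057 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
585 45057 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
9 790 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0'

# Constructed sample of a healthy chain; the counters are invented for contrast.
HEALTHY_NET2FW='Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
12 960 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
4310 3895120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
12 960 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0'

# conntrack_check LISTING
# LISTING is the output of "iptables -L <chain> -v -n -x" for a Shorewall
# zone chain such as net2fw.  Exit status (status 3 is this example's own
# addition, not anything Shorewall reports):
#   0  the RELATED,ESTABLISHED rule has matched packets: conntrack is working
#   1  it has matched nothing while "dpt:" ACCEPT rules have: the bug's symptom
#   2  the listing contains no RELATED,ESTABLISHED rule
#   3  neither rule has seen traffic yet, so the counters prove nothing
conntrack_check() {
    printf '%s\n' "$1" | awk '
        /ctstate RELATED,ESTABLISHED/ { established += $1; seen = 1 }
        $3 == "ACCEPT" && /dpt:/      { new_inbound += $1 }
        END {
            if (!seen)                                exit 2
            if (established == 0 && new_inbound > 0)  exit 1
            if (established == 0 && new_inbound == 0) exit 3
            exit 0
        }'
}

# report LISTING: print a one-line verdict and return the status of conntrack_check.
report() {
    rc=0
    conntrack_check "$1" || rc=$?
    case $rc in
        0) echo "ok: RELATED,ESTABLISHED rule is matching reply packets" ;;
        1) echo "BROKEN: new inbound connections are accepted, but no packet has ever matched RELATED,ESTABLISHED" ;;
        2) echo "no RELATED,ESTABLISHED rule in this chain" ;;
        *) echo "inconclusive: no traffic has hit this chain since its counters were last zeroed" ;;
    esac
    return $rc
}

for listing in "$BROKEN_NET2FW" "$HEALTHY_NET2FW"; do
    report "$listing" || :    # a non-zero status is the finding, not an error
done
```

To run it against a live container, zero the chain's counters first with "iptables -Z net2fw", open one outbound connection from inside the container (the ping or ssh from the report will do), and then call report "$(iptables -L net2fw -v -n -x)". The counters are cumulative since the last restart or zeroing, which is why the check refuses to pass a chain that has seen no traffic at all.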
 
Old 07-30-2011, 08:57 PM
Ola Lundqvist
 
Bug#631234: OpenVZ firewall issue

forwarded 631234 http://bugzilla.openvz.org/show_bug.cgi?id=1939
thanks

Hi Martin

Thanks a lot for the report. I have now forwarded this upstream
as you can see in http://bugzilla.openvz.org/show_bug.cgi?id=1939.

However, I have a question for you about the HW configuration, so we
know more about when this happens. You write that this is a Dell server,
but that could be a lot of things. I would like to know more about
the CPU used: i386, amd64 or something else.

Best regards,

// Ola

--
--------------------- Ola Lundqvist ---------------------------
/ opal@debian.org Annebergsslingan 37
| ola@inguza.com 654 65 KARLSTAD |
| http://inguza.com/ +46 (0)70-332 1551 |
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------



Archive: http://lists.debian.org/20110730205745.GA24730@inguza.net