3

I have this scenario and everything is working OK, but I want to configure my Shorewall and I can't do it.

My interfaces are:

br0 (bridge of eth0)
tun0 (OpenVPN)
vnet* (each one a bridged interface with a public IP)

Public Main IP: 188.165.X.Y
OpenVPN IPs: 172.28.0.x
Bridge: public IPs

So, I have the following configuration for Shorewall:

/etc/shorewall/zones

#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
inet    ipv4
road    ipv4

/etc/shorewall/interfaces

#ZONE   INTERFACE   BROADCAST       OPTIONS
inet    br0         detect          routeback
road    tun+        detect          routeback

/etc/shorewall/policy

#SOURCE DEST    POLICY      LOG LIMIT:      CONNLIMIT:
#               LEVEL   BURST       MASK
$FW  all     ACCEPT
inet    $FW  DROP       info
road    all     DROP
inet    road    DROP

/etc/shorewall/tunnels

#TYPE           ZONE        GATEWAY     GATEWAY
#                                       ZONE
openvpnserver:1194          inet      0.0.0.0/0

The problem is that even with Shorewall running I am able to ping or connect to the virtual machines behind the bridge.

blacksoul

1 Answer

4

You shouldn't be firewalling interfaces which are members of a bridge, only the bridge interface itself. A bridge is a layer 2 domain, whereas iptables is a layer 3 firewall, so it only works when the host is routing packets at layer 3.

In your case Shorewall should only know about br0 and tun+, since eth0 and vnet+ are members of br0. If you want to police traffic between the VMs and the Internet then you must change your configuration to not bridge the VMs onto the LAN (i.e. take eth0 out of br0).

mgorven
    So your proposal is to remove `eth0` and `vnet+` from interfaces and set `br0` to `inet` zone? – blacksoul Jun 28 '12 at 23:15
  • @JavierMartinez Correct. – mgorven Jun 28 '12 at 23:24
  • Ok, I did it and now I have access to the Internet from OpenVPN and from the virtual machines on the bridge. The point is that, with my policy rules, I shouldn't be able to ping or connect to the bridge's public IPs, and yet I can – blacksoul Jun 29 '12 at 08:06
  • I have just updated the question with your configuration changes and the problem now – blacksoul Jun 29 '12 at 10:47
  • @JavierMartinez As I said in my answer, if you want to control the traffic between the LAN and the VMs you need to not bridge them onto the LAN and route the traffic instead. – mgorven Jun 29 '12 at 16:27
  • So I could not `DROP` all the traffic `INET -> VM's net (bridge vnet+)` with the current configuration? I thought that I could do that with my configuration. I only want to allow some traffic to certain ports and interfaces. I thought that I only needed to do that with the `masq` file – blacksoul Jun 29 '12 at 16:37
  • @JavierMartinez iptables needs to be in the routing path in order to enforce your rules. Packets going across a bridge are not in the routing path, it's a layer 2 hop. – mgorven Jun 29 '12 at 16:41
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/3930/discussion-between-javier-martinez-and-mgorven) – blacksoul Jun 29 '12 at 16:46
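The answer's point, and the first comment's fix (take `eth0` and `vnet+` out of `/etc/shorewall/interfaces` and list only `br0` and `tun+`), can be turned into a sanity check. The script below is an added example and is not code from the question, the answer or the Shorewall project. It reads a Shorewall `interfaces` file, expands the trailing `+` prefix wildcard against the interfaces present on the host, and reports every entry that is actually a member port of a bridge rather than the bridge itself. It assumes the Linux sysfs layout `/sys/class/net/<port>/brport/bridge` (a symlink to the enslaving bridge); the `make_fixture` function builds a constructed tree that mirrors the host in the question (br0 with ports eth0, vnet0, vnet1; tun0 unbridged) together with a pre-fix interfaces file reconstructed from the comments (the zone assignments there are assumed) and the corrected one.

```shell
#!/bin/sh
# Added example, not from the Server Fault post: flag entries in a Shorewall
# interfaces file that name a bridge member port instead of the bridge.
# SYSNET normally points at the kernel's sysfs; the demo below points it at a
# constructed tree so the script runs without touching the live host.

SYSNET="${SYSNET:-/sys/class/net}"

# bridge_of PORT: print the bridge PORT is enslaved to, or nothing if it is
# not a bridge port (sysfs exposes this as <port>/brport/bridge -> ../../br0).
bridge_of() {
    if [ -L "$SYSNET/$1/brport/bridge" ]; then
        basename "$(readlink "$SYSNET/$1/brport/bridge")"
    fi
}

# expand_iface NAME: a trailing '+' in Shorewall is a prefix wildcard
# (tun+ matches tun0, tun1, ...); expand it against the interfaces present.
expand_iface() {
    case "$1" in
        *+) for d in "$SYSNET"/"${1%+}"*; do
                if [ -e "$d" ]; then basename "$d"; fi
            done ;;
        *)  echo "$1" ;;
    esac
}

# check_interfaces FILE: print one line per entry that names a bridge port;
# return 1 if any were found, 0 if the file only lists non-bridged interfaces
# and bridges themselves.
check_interfaces() {
    hits=$(sed 's/#.*//' "$1" | while read -r zone iface rest; do
        [ -n "$iface" ] || continue
        for real in $(expand_iface "$iface"); do
            br=$(bridge_of "$real")
            if [ -n "$br" ]; then
                printf '%s: %s is a port of bridge %s; list %s instead\n' \
                    "$zone" "$real" "$br" "$br"
            fi
        done
    done)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_fixture DIR: constructed sysfs tree and interfaces files for the demo.
# Zones on the pre-fix file are assumed; the question only shows the fixed one.
make_fixture() {
    for p in eth0 vnet0 vnet1; do
        mkdir -p "$1/sys/$p/brport"
        ln -s ../../br0 "$1/sys/$p/brport/bridge"
    done
    mkdir -p "$1/sys/br0" "$1/sys/tun0"
    cat >"$1/interfaces.orig" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
inet    eth0        detect      routeback
road    tun+        detect      routeback
inet    vnet+       detect
EOF
    cat >"$1/interfaces.fixed" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
inet    br0         detect      routeback
road    tun+        detect      routeback
EOF
}

# Demo against the constructed tree (constructed data, not a real host).
FIX=$(mktemp -d)
make_fixture "$FIX"
SYSNET="$FIX/sys"
echo "== pre-fix interfaces file =="
check_interfaces "$FIX/interfaces.orig" || echo "-> these rules never see bridged traffic"
echo "== corrected interfaces file =="
check_interfaces "$FIX/interfaces.fixed" && echo "-> only br0 and tun+ listed: OK"
rm -rf "$FIX"
```

To run the check against a real host, source the file and call `SYSNET=/sys/class/net check_interfaces /etc/shorewall/interfaces`. A non-zero exit means a listed interface is a bridge port, which is exactly the situation the answer describes: frames between that port and the rest of the bridge are switched at layer 2 and never reach the rules Shorewall generates for it.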