OpenVZ Forum: Support » [solved] openvz and shorewall

Home » General » Support » [solved] openvz and shorewall

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

[solved] openvz and shorewall [message #36349]

Fri, 12 June 2009 06:04

novazur
Messages: 11
Registered: June 2009

Junior Member

Hi,

First, sorry for my bad english.
On my VN, I have shorewall running with :

policy
fw              net             ACCEPT
fw              vps             ACCEPT
vps             fw              ACCEPT
vps             net             ACCEPT
net             all             REJECT          info
all             all             REJECT          info

interfaces
net     eth0            detect          norfc1918,routefilter,tcpflags,blacklist
vps     venet0          -               routeback

masq
eth0                    venet0

zones
fw      firewall
net     ipv4
vps     ipv4

(if needed, I can post shorewall.conf)
My VN has a public IP, and all VEs privates ips.

Each time I create a new VE, so a new private ip, I can :
- ping VN from new VE
- ping new VE from VN
- ping others VE from new VE
- ping new VE from others VE
but I can't ping out (internet) from the new VE.
I spent a lot of time on that, and I found that I needed to restart shorewall to make it working.

Do you think it's possible to find something to change in shorewall config to not having to restart it ?

Thanks for your help (and for this fabulous tool).

PS: this post follows http://forum.openvz.org/index.php?t=msg&goto=36345&# msg_36345

[Updated on: Fri, 12 June 2009 17:05] by Moderator

Report message to a moderator

Re: openvz and shorewall [message #36354 is a reply to message #36349]

Fri, 12 June 2009 10:25

khorenko
Messages: 533
Registered: January 2006
Location: Moscow, Russia

Senior Member

Hi,

first of all i think you need to understand the reason why shorewall restart helps.

i think you can get it by the following:
1) your system is up and running
2) you create a new CT with new IP
3) check that you cannot ping the internet and save the iptables configuration (iptables-save should be enough?)
4) restart shorewall
5) check that you can ping the internet now and save the iptables configuration once more
6) compare the iptables configurations.

Hope this helps.

--
Konstantin

If your problem is solved - please, report it!
It's even more important than reporting the problem itself...

Report message to a moderator