OpenVZ Forum
*SOLVED* How to provide access between Virtual servers [message #4669] Fri, 21 July 2006 09:23
laurent
Hello All,

I have a Host H with 3 virtual servers.
I can access the Internet from a VPS, and with a NAT rule (via Shorewall) I can access the 3 VPS from the Internet.
I want all 3 VPS to be able to communicate with each other.
I can't make a TCP connection from one VPS to another; in my Shorewall log on the Host, I have this error:
kernel: Shorewall:FORWARD:REJECT:IN=venet0 OUT=venet0 SRC=192.168.7.185 DST=192.168.7.152 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48986 DF PROTO=TCP SPT=47559 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

Does somebody here have the solution?

Thanks in advance


Re: How to provide access between Virtual servers [message #4670 is a reply to message #4669] Fri, 21 July 2006 09:33
Vasily Tarasov
As I understand it, you have just set a REJECT rule for IP forwarding from one VE to another... To be sure, please run this command on the host:

# iptables -L -nv

If so, just remove this rule.


Re: How to provide access between Virtual servers [message #4674 is a reply to message #4670] Fri, 21 July 2006 11:19
laurent
Thanks for your answer.
I'm using a Shorewall firewall.
I have this in my default policy; my Host is fw:

net all DROP info
fw all ACCEPT
loc all ACCEPT
loc venet ACCEPT #
venet all ACCEPT
all all REJECT info

And it doesn't work.

But if I replace the last line with
all all ACCEPT
it works, but this rule is very permissive.

I tried many combinations... no good result!

Perhaps the problem is that venet0 isn't a real Ethernet interface, so we can't do this simply...

Thanks.


Re: How to provide access between Virtual servers [message #4676 is a reply to message #4674] Fri, 21 July 2006 11:42
Vasily Tarasov
Please try changing
loc venet ACCEPT

to
all venet ACCEPT

HTH! =)
Re: How to provide access between Virtual servers [message #4679 is a reply to message #4676] Fri, 21 July 2006 13:19
laurent
Same error!
Re: How to provide access between Virtual servers [message #4680 is a reply to message #4679] Fri, 21 July 2006 13:26
Vasily Tarasov
Is it possible for you to post the output of
# iptables -L -nv

here?
Shorewall is based on iptables and I want to see the exact iptables rules that Shorewall has set.

Thanks!


Re: How to provide access between Virtual servers [message #4681 is a reply to message #4680] Fri, 21 July 2006 13:45
laurent
Attached: iptables.txt
Re: How to provide access between Virtual servers [message #4682 is a reply to message #4681] Fri, 21 July 2006 14:15
Vasily Tarasov
This is a quick analysis.

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3595  331K eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 4006 2992K venet0_fwd  all  --  venet0 *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0


You can see the string "Shorewall:FORWARD:REJECT" - that is what is in your error message, thus packets are dropped here. Therefore the packet isn't caught by the rule "venet0_fwd". Look at it:

Chain venet0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  199 15876 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
 4006 2992K venet2all  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 venet2all  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0


Really! out equals eth0 and eth1, but in our case, when two VEs speak, out must equal venet0 too.
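The diagnosis above (a forwarded packet with IN and OUT both venet0 falling through to the FORWARD reject rule) can be checked against the host's log. The following is an added example, not code from the thread or from Shorewall: it parses Shorewall log lines in the format quoted in the first post and reports blocked same-interface forwards per interface; the log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the Shorewall log entry quoted in this thread
# (not captured from the poster's host): two venet0->venet0 forwards, one unrelated
# INPUT-side drop from eth0, and one venet0->eth0 forward.
SAMPLE_LOG = """\
Jul 21 09:20:01 host kernel: Shorewall:FORWARD:REJECT:IN=venet0 OUT=venet0 SRC=192.168.7.185 DST=192.168.7.152 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48986 DF PROTO=TCP SPT=47559 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 21 09:20:02 host kernel: Shorewall:FORWARD:REJECT:IN=venet0 OUT=venet0 SRC=192.168.7.152 DST=192.168.7.185 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48987 DF PROTO=TCP SPT=40211 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 21 09:20:03 host kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=TCP SPT=4321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 21 09:20:04 host kernel: Shorewall:FORWARD:REJECT:IN=venet0 OUT=eth0 SRC=192.168.7.185 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48988 DF PROTO=TCP SPT=50100 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Shorewall log prefix "Shorewall:<chain>:<disposition>:" followed by netfilter key=value fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<fields>.*)$")


def parse_line(line):
    """Return the chain, disposition and netfilter fields of one Shorewall log line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty OUT, as netfilter logs it
            rec[key] = value
        else:
            rec["flags"].append(tok)          # bare tokens such as DF or SYN
    return rec


def hairpin_rejects(log_text):
    """FORWARD-chain log records whose IN and OUT interface are the same device.

    Such a packet enters and leaves on one interface, which is what two VEs behind
    venet0 produce; Shorewall only forwards it when the interface has `routeback`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["chain"] != "FORWARD":
            continue
        if rec.get("IN") and rec.get("IN") == rec.get("OUT"):
            hits.append(rec)
    return hits


def hairpin_summary(log_text):
    """Number of blocked same-interface forwards per interface, e.g. {'venet0': 2}."""
    return Counter(r["IN"] for r in hairpin_rejects(log_text))


if __name__ == "__main__":
    for iface, n in hairpin_summary(SAMPLE_LOG).items():
        print(f"{iface}: {n} blocked same-interface forward(s); check the routeback option on {iface}")
```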
Re: How to provide access between Virtual servers [message #4683 is a reply to message #4682] Fri, 21 July 2006 14:24
laurent
Perhaps because venet0 isn't a real network interface; it's a virtual one.
So I must do other things...
Re: How to provide access between Virtual servers [message #4684 is a reply to message #4683] Fri, 21 July 2006 14:44
laurent
OK, I found it.
In /etc/shorewall/interfaces I must add routeback, like:
venet venet0 detect routeback

Thanks
Re: *SOLVED* How to provide access between Virtual servers [message #8970 is a reply to message #4669] Tue, 12 December 2006 11:44
zenny
I have also tried to do the same and added the venet line in /etc/shorewall/interfaces as well, but Shorewall just terminates with an error message that reads:

ERROR: Invalid zone (venet) in record "venet venet0 detect routeback"

Where did I go wrong? This is basically based on the 3-interface setup of Shorewall. Find below the output of iptables -L -nv:



Re: *SOLVED* How to provide access between Virtual servers [message #8984 is a reply to message #8970] Tue, 12 December 2006 14:10
jbond007
The best way is to use the easy GUI from Webmin!
Firewall is very easy!

Then check the file: cat /etc/sysconfig/iptables
Re: *SOLVED* How to provide access between Virtual servers [message #9002 is a reply to message #8984] Wed, 13 December 2006 05:57
zenny
Let me clarify my situation to explain why Webmin is not the way to go. I tried yum install webmin on the host node, but it reported that there is no such match.

I am using a 3-interface home network with eth0 (Internet), eth1 (local) and eth2 (dmz). The host node of the machine serves as firewall and also as a gateway to the local and dmz networks (connected to a VoIP server by a crossover cable). Now the problem: whatever I change in the Shorewall configuration as stated above, and other changes, my VoIP server connected to eth2 cannot access the termination server, and the VEs are not accessible either.

Does anyone have any clue with the existing stuff?