
SuSEfirewall2 and libvirt/kvm


SuSEfirewall2 and libvirt/kvm

Christian
Hi,

I have a problem and hope someone can help ...
All IPs are just examples

I have a server (host) (IP: 1.2.3.4/24, GW 1.2.3.254) on which I use KVM
in combination with libvirt. So far everything is working ...
The physical interface 'eth0' is bound to 'br0'.
Now I have a VM which also has an 'official IP' (e.g. 5.6.7.8/32, GW:
1.2.3.254). The VM has an 'allowed' MAC for use in 'bridged' mode ...

So far everything works from outside: I am able to ping the VM (5.6.7.8)
from outside.
SuSEfirewall2 is active on the host, not yet on the VM ...
Still, I am not able to ping the outside from the VM.

If the firewall on the host is OFF and I start pinging from the VM to the
outside, the ping works ... Even if I start the firewall on the host, the
ping continues. But if I stop the ping and start it again, it does not
work anymore.

Sadly there are no DROPs in the log. It also does not matter whether
FW_FORWARD_ALLOW_BRIDGING is ON or OFF ...

I tried to experiment a bit (added new vars ... functions)

FW_FORWARD_EXT_TO_BRIDGED_VM="yes"
FW_DEV_EXT_PHYS="eth0"
FW_DEV_VM_PHYS="fw0"

# Accept bridged frames between the physical uplink port and the VM's
# bridge port in both directions. The physdev match only sees bridged
# frames if br_netfilter hands them to iptables at all.
allow_ext_to_bridge()
{
    local iptables
    case "${FW_FORWARD_EXT_TO_BRIDGED_VM}" in
        yes) ;;
        *)   return ;;   # unset, "no" or anything else: add nothing
    esac
    for iptables in "$IPTABLES" "$IP6TABLES"; do
        $iptables -A FORWARD -m physdev --physdev-in "${FW_DEV_EXT_PHYS}" --physdev-out "${FW_DEV_VM_PHYS}" -j ACCEPT
        $iptables -A FORWARD -m physdev --physdev-in "${FW_DEV_VM_PHYS}" --physdev-out "${FW_DEV_EXT_PHYS}" -j ACCEPT
    done
}

An iptables-save will show my stuff like the following
---snip---
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m physdev --physdev-in eth0 --physdev-out fw0 -j ACCEPT
-A FORWARD -m physdev --physdev-in fw0 --physdev-out eth0 -j ACCEPT
-A FORWARD -i br0 -j forward_ext
---snip---

Hopefully someone can push me in the right direction ...
Thank you

--

Christian
----------------------------------------------------
   - Please do not 'CC' me on list mails.
          Just reply to the list :)
----------------------------------------------------
The ultimate shop for sportswear and accessories

http://www.sc24.de
----------------------------------------------------
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]
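The following is an added example, not code from Christian's post or from SuSEfirewall2. It replays the FORWARD rules from the iptables-save snippet above against a constructed ICMP echo request from the VM, using iptables' first-match semantics, to show where such a packet ends up and why a drop can leave nothing in the log. Three things are assumptions: the contents of the forward_ext chain (not shown on the page; the stand-in below accepts ESTABLISHED/RELATED flows and then drops without a preceding LOG rule), the name vnet0 as the VM's bridge port (libvirt names tap devices vnetN unless configured otherwise, so the fw0 in the rules may not be the port the VM actually sits on; `bridge link` or `brctl show` on the host shows the real port names), and the FORWARD chain policy. With br_netfilter loaded and net.bridge.bridge-nf-call-iptables=1, bridged frames enter FORWARD with -i br0/-o br0 and only the physdev match can tell the ports apart; `iptables -vnL FORWARD` shows per-rule packet counters and is the quickest way to see which rule really fires.

```python
"""Added example: first-match walk of the FORWARD rules from the post."""
import shlex
from dataclasses import dataclass, field

# Rules 1-4 are the FORWARD lines from the iptables-save snippet in the post.
# The forward_ext chain is not on the page: the last two lines are a
# CONSTRUCTED stand-in (stateful accept, then a DROP with no LOG before it).
RULESET = """\
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m physdev --physdev-in eth0 --physdev-out fw0 -j ACCEPT
-A FORWARD -m physdev --physdev-in fw0 --physdev-out eth0 -j ACCEPT
-A FORWARD -i br0 -j forward_ext
-A forward_ext -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A forward_ext -j DROP
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
NON_TERMINATING = {"LOG", "TCPMSS"}        # packet continues with the next rule
PKT_KEY = {"-i": "in", "-o": "out", "-p": "proto",
           "--physdev-in": "physin", "--physdev-out": "physout"}


@dataclass
class Rule:
    chain: str = ""
    target: str = ""
    conds: dict = field(default_factory=dict)
    text: str = ""


def parse_ruleset(text):
    """Parse iptables-save '-A' lines into {chain: [Rule, ...]}, order kept."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#:*" or line == "COMMIT":
            continue
        toks, i, rule = shlex.split(line), 0, Rule(text=line)
        while i < len(toks):
            opt = toks[i]
            if opt == "-A":
                rule.chain = toks[i + 1]; i += 2
            elif opt in PKT_KEY:
                rule.conds[opt] = toks[i + 1]; i += 2
            elif opt == "--ctstate":
                rule.conds[opt] = set(toks[i + 1].split(",")); i += 2
            elif opt == "--tcp-flags":                # mask, then flags that must be set
                rule.conds[opt] = (set(toks[i + 1].split(",")),
                                   set(toks[i + 2].split(","))); i += 3
            elif opt == "-j":
                rule.target = toks[i + 1]; i += 2
            elif opt in ("-m", "--log-prefix"):       # module loader / target option
                i += 2
            elif opt == "--clamp-mss-to-pmtu":
                i += 1
            else:                                     # never guess what an option matches
                raise ValueError(f"unsupported option {opt!r}: {line}")
        chains.setdefault(rule.chain, []).append(rule)
    return chains


def matches(rule, pkt):
    for opt, want in rule.conds.items():
        if opt in PKT_KEY and pkt.get(PKT_KEY[opt]) != want:
            return False
        if opt == "--ctstate" and pkt.get("ctstate") not in want:
            return False
        if opt == "--tcp-flags" and (pkt.get("tcpflags", set()) & want[0]) != want[1]:
            return False
    return True


def walk(chains, chain, pkt, trace):
    """Terminating verdict, or None if the chain fell through / returned."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        trace.append(rule.text)
        if rule.target in TERMINATING:
            return rule.target
        if rule.target in NON_TERMINATING:
            continue
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, trace)   # jump into a user chain
        if verdict is not None:
            return verdict
    return None


def evaluate(chains, pkt, chain="FORWARD", policy="DROP"):
    """(verdict, logged, trace). The policy is an assumption: the snippet in
    the post does not show the ':FORWARD' line; check your own iptables-save."""
    trace = []
    verdict = walk(chains, chain, pkt, trace)
    if verdict is None:
        trace.append(f"chain policy {policy}")
        verdict = policy
    return verdict, any(" -j LOG" in t for t in trace), trace


def echo_request(vm_port, ctstate="NEW"):
    """Constructed ICMP echo request from the VM, bridged out through eth0.
    Bridged frames reach FORWARD with the bridge as -i/-o; only physdev sees ports."""
    return {"in": "br0", "out": "br0", "physin": vm_port, "physout": "eth0",
            "proto": "icmp", "ctstate": ctstate}


if __name__ == "__main__":
    chains = parse_ruleset(RULESET)
    for label, pkt in [("VM port is fw0, new ping", echo_request("fw0")),
                       ("VM port is vnet0, new ping", echo_request("vnet0")),
                       ("VM port is vnet0, ping started before the reload",
                        echo_request("vnet0", "ESTABLISHED"))]:
        verdict, logged, trace = evaluate(chains, pkt)
        print(f"{label}: {verdict} (logged={logged})")
        for step in trace:
            print("    " + step)
```

Running it prints the matched rules per case. The second case ends in the forward_ext DROP with nothing logged, which is what "no DROPs in the log" looks like when the last rule before the drop is not a LOG rule. The third case reproduces the "ping keeps working after the firewall starts" observation: a flow that conntrack already knows matches the ESTABLISHED rule even though none of the physdev rules does.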


Re: SuSEfirewall2 and libvirt/kvm

Alexander Bergmann
Hi Christian,

I didn't fully understand your setup, so let me repeat what it looks
like to me right now.

VM:       5.6.7.8/32 (fw0) \
                            + (br0) <--> GW: 1.2.3.254 <--> Internet?
KVM-Host: 1.2.3.4/24 (eth0)/

Your gateway knows that 5.6.7.8 is reachable inside the internal network
and forwards all traffic to it. So if someone from the Internet sends a
ping to 5.6.7.8 it gets accepted from your gateway and routed.

On the other hand a ping from 5.6.7.8 to the internet is not working,
right? So obviously something gets blocked in your iptables setup.

The reason why your ping to the outside world is working when you turn
off and on the firewall of the KVM host is simple. The connection
tracking is still in place and allows the forwarding of the ICMP packets
after the firewall has started.

From my experience the best way to find out which rule is missing to
accept the outgoing packages is by modifying the iptables rules
manually. Just save the iptables-save output and edit it.

#> iptables-save > firewall.tmp

#> iptables-restore < firewall.tmp

Usually the OUTPUT policy is set to ACCEPT. So I'm a bit confused why
the outgoing connection has problems.

A simple way to analyse this issue is by adding some LOG rules to the
end of your iptables setup.

-A OUTPUT -s 5.6.7.8/32 -p icmp -j LOG --log-prefix "TROUBLESHOOTING: "

After you identified which rule is missing you can do some
SuSEfirewall2 modifications to add that rule.

Ciao,
Alex~

On Mon, Jun 13, 2016 at 01:45:23PM +0200, Christian wrote:

--
Alexander Bergmann <[hidden email]>, Security Engineer, GPG:9FFA4886
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
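An added example for reading what a LOG rule like the one suggested above produces; it is not code from the post and not part of SuSEfirewall2. One caveat first: frames coming from a bridged VM never traverse the host's OUTPUT chain, which only sees packets the host itself generates. With br_netfilter active they pass through FORWARD, so a troubleshooting rule for the VM's traffic goes at the top of FORWARD, for example `iptables -I FORWARD 1 -s 5.6.7.8 -j LOG --log-prefix "TROUBLESHOOTING: "` (removed again with `-D` once done). The line the LOG target writes to the kernel log then carries PHYSIN/PHYSOUT next to IN/OUT, which directly answers which bridge port the VM really sits on, and whether the physdev ACCEPT rules from the first post name that port. The log lines below are constructed to show the format; the tap name vnet0 and the peer address 192.0.2.1 are assumptions.

```python
"""Added example: parse kernel LOG-target lines and compare the bridge ports
they show with the physdev ACCEPT rules from the first post."""

# CONSTRUCTED sample, not real log output. IN/OUT are the bridge device,
# PHYSIN/PHYSOUT the bridge ports. 'vnet0' and 192.0.2.1 are assumptions;
# the last line carries a different prefix and must be ignored.
SAMPLE_LOG = """\
Jun 15 12:13:01 host kernel: [  880.125] TROUBLESHOOTING: IN=br0 OUT=br0 PHYSIN=vnet0 PHYSOUT=eth0 MAC=00:11:22:33:44:55:52:54:00:aa:bb:cc:08:00 SRC=5.6.7.8 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=17 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jun 15 12:13:01 host kernel: [  880.140] TROUBLESHOOTING: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=vnet0 MAC=52:54:00:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=5.6.7.8 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=3011 PROTO=ICMP TYPE=0 CODE=0 ID=4242 SEQ=1
Jun 15 12:13:05 host kernel: [  884.002] TROUBLESHOOTING: IN=br0 OUT=br0 PHYSIN=vnet0 PHYSOUT=eth0 MAC=00:11:22:33:44:55:52:54:00:aa:bb:cc:08:00 SRC=5.6.7.8 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 15 12:13:06 host kernel: [  885.330] OTHER-PREFIX: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:00:5e:00:53:01:08:00 SRC=198.51.100.9 DST=1.2.3.4 LEN=40 PROTO=TCP SPT=51000 DPT=23 SYN
"""

# The two physdev ACCEPT rules from the first post as (physdev-in, physdev-out).
POSTED_ALLOW = {("eth0", "fw0"), ("fw0", "eth0")}


def parse_nflog_line(line, prefix="TROUBLESHOOTING: "):
    """Return {'l3': {...}, 'l4': {...}, 'flags': set()} or None when the line
    does not carry the prefix. Everything after PROTO= is the transport
    header, which keeps the ICMP ID= apart from the IP header's ID=."""
    pos = line.find(prefix)
    if pos < 0:
        return None
    rec = {"l3": {}, "l4": {}, "flags": set()}
    section = "l3"
    for tok in line[pos + len(prefix):].split():
        key, sep, val = tok.partition("=")
        if not sep:
            rec["flags"].add(tok)          # bare words: DF, SYN, ACK, ...
            continue
        if key == "PROTO":
            section = "l4"
        rec[section][key] = val
    return rec


def parse_log(text, prefix="TROUBLESHOOTING: "):
    recs = (parse_nflog_line(line, prefix) for line in text.splitlines())
    return [r for r in recs if r is not None]


def vm_paths(records, vm_ip):
    """(PHYSIN, PHYSOUT) pairs seen for frames from or to the VM address."""
    paths = set()
    for r in records:
        l3 = r["l3"]
        if vm_ip in (l3.get("SRC"), l3.get("DST")):
            paths.add((l3.get("PHYSIN"), l3.get("PHYSOUT")))
    return paths


def uncovered_paths(records, vm_ip, allowed=POSTED_ALLOW):
    """Paths the VM's traffic really took that no physdev ACCEPT rule covers."""
    return sorted(p for p in vm_paths(records, vm_ip) if p not in allowed)


def describe(r):
    l3, l4 = r["l3"], r["l4"]
    if l4.get("PROTO") == "ICMP":
        detail = f"type={l4.get('TYPE')} id={l4.get('ID')}"
    else:
        tcp_flags = sorted(r["flags"] & {"SYN", "ACK", "FIN", "RST"})
        detail = f"{l4.get('SPT')}->{l4.get('DPT')} {' '.join(tcp_flags)}"
    return (f"{l3['SRC']} -> {l3['DST']} {l4.get('PROTO')} {detail} "
            f"via {l3.get('PHYSIN')} -> {l3.get('PHYSOUT')}")


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print(describe(r))
    missing = uncovered_paths(records, "5.6.7.8")
    if missing:
        print("VM traffic on bridge ports the posted ACCEPT rules do not cover:", missing)
```

With the constructed lines the VM's frames travel vnet0 <-> eth0, so both pairs are reported as uncovered by rules written for fw0; on a real host, feed it the output of `journalctl -k` or /var/log/messages after the LOG rule has been in place for a ping. A LOG rule at the top of FORWARD logs every matching packet, so add `-m limit --limit 5/min` to it if the VM is busy.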


Re: SuSEfirewall2 and libvirt/kvm

Christian
Hi Alexander,

On 15.06.2016 at 12:13, Alexander Bergmann wrote:

> Hi Christian,
>
> I didn't fully understand your setup, so let me repeat what it looks
> like to me right now.
>
> VM:       5.6.7.8/32 (fw0) \
>                             + (br0) <--> GW: 1.2.3.254 <--> Internet?
> KVM-Host: 1.2.3.4/24 (eth0)/
>
> Your gateway knows that 5.6.7.8 is reachable inside the internal network
> and forwards all traffic to it. So if someone from the Internet sends a
> ping to 5.6.7.8 it gets accepted from your gateway and routed.
Yes ... incoming traffic is no problem.


>
> On the other hand a ping from 5.6.7.8 to the internet is not working,
> right? So obviously something gets blocked in your iptables setup.
Yes ... but what? The usual log of SuSEfirewall2 does not show the drops :(

>
> The reason why your ping to the outside world is working when you turn
> off and on the firewall of the KVM host is simple. The connection
> tracking is still in place and allows the forwarding of the ICMP packets
> after the firewall has started.
Ahh ... ok. Is this what is called 'stateful'?

>
> From my experience the best way to find out which rule is missing to
> accept the outgoing packages is by modifying the iptables rules
> manually. Just save the iptables-save output and edit it.
>
> #> iptables-save > firewall.tmp
>
> #> iptables-restore < firewall.tmp
Ahhh ... this I didn't know. Good idea to try :)


>
> Usually the OUTPUT policy is set to ACCEPT. So I'm a bit confused why
> the outgoing connection has problems.
>
> A simple way to analyse this issue is by adding some LOG rules to the
> end of your iptables setup.
>
> -A OUTPUT -s 5.6.7.8/32 -p icmp -j LOG --log-prefix "TROUBLESHOOTING: "
OK ... will give it a try and see what it will show up ...

>
> After you identified which rule is missing you can do some
> SuSEfirewall2 modifications to add that rule.
Usually the 'physical' interfaces don't need to be mentioned in
/etc/sysconfig/SuSEfirewall2. Do you agree?


--

Christian
