jmpoby n00b
Joined: 06 Feb 2008 Posts: 2 Location: Lyon
Posted: Fri Feb 29, 2008 8:40 am Post subject: vserver+shorewall+loopback
Hello everybody, and first of all, sorry, my English is not so good.
I installed a Gentoo host (64-bit) with Gentoo vservers on it, and Shorewall to set up iptables.
I see that the vservers and the host communicate over the loopback, and I want to make a zone
in Shorewall to control that by subnetting the loopback. How can I subnet the host's loopback interface in Gentoo, like 127.0.0.0/16? In the init script net.lo?
I also see strange results with Shorewall and DNAT.
My Shorewall config:
shorewall.conf:
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
zones:
fw firewall
net ipv4
dmz ipv4
interfaces:
net eth1 123.456.789.255 dhcp,routefilter,logmartians,tcpflags
dmz dummy0 192.168.1.255 routefilter,routeback,tcpflags,logmartians
masq:
eth1 192.168.1.0/24
policy:
$FW net ACCEPT info
dmz net ACCEPT info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
And for DNAT to work, I put this in rules:
DNAT:info net fw:192.168.1.xxx tcp 80
DNAT:info net fw:192.168.1.xxx tcp 443
I don't understand why, if I put dmz:192.168.1.xxx in the DNAT rules, it won't work.
Thank you for your answer.
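The following is an added example, not part of the original post and not Shorewall's own generated rules: it writes out, as plain iptables commands, what a Shorewall DNAT rule like the two in the post amounts to, so that the difference between a "fw:" and a "dmz:" target becomes visible. It assumes the post's external interface eth1 (the "net" zone), a constructed placeholder guest address 192.168.1.10 standing in for the post's 192.168.1.xxx, and that the Linux-VServer guest address is configured as an alias on the host itself (on dummy0), so that packets to it are delivered through the host's INPUT chain rather than FORWARD. It runs in dry-run mode (printing the commands) unless RUN is set to empty by root.

```shell
#!/bin/sh
# Added example: hand-written iptables equivalent of a Shorewall DNAT rule.
# Assumptions (not from the post): external interface eth1, guest address
# 192.168.1.10 (constructed placeholder for the post's 192.168.1.xxx), and the
# guest address being a local alias on the host (dummy0), which is how
# Linux-VServer guests normally get their addresses.

# Dry run by default: print the iptables commands instead of executing them.
# Run as root with RUN="" to actually apply them.
RUN=${RUN:-echo}

# dnat_rule EXT_IF TARGET_ZONE TARGET_IP PROTO PORT
# Emits the nat PREROUTING DNAT rule plus the filter rule that lets the
# rewritten packet through. Which filter chain the packet traverses depends on
# who owns TARGET_IP after the rewrite:
#   fw  -> address is local to the host (e.g. a vserver alias on dummy0) -> INPUT
#   dmz -> address belongs to a separate machine reached via dummy0     -> FORWARD
dnat_rule() {
    ext_if=$1 zone=$2 ip=$3 proto=$4 port=$5
    $RUN iptables -t nat -A PREROUTING -i "$ext_if" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$ip"
    case $zone in
        fw)  $RUN iptables -A INPUT   -i "$ext_if" -d "$ip" -p "$proto" --dport "$port" -j ACCEPT ;;
        dmz) $RUN iptables -A FORWARD -i "$ext_if" -d "$ip" -p "$proto" --dport "$port" -j ACCEPT ;;
        *)   echo "dnat_rule: unknown target zone '$zone'" >&2; return 1 ;;
    esac
}

# The post's two rules, with the guest address treated as local to the host ("fw"),
# so the accompanying filter rule lands in INPUT:
dnat_rule eth1 fw 192.168.1.10 tcp 80
dnat_rule eth1 fw 192.168.1.10 tcp 443

# The same target written as a "dmz" host would place the filter rule in
# FORWARD, which a locally delivered packet never traverses:
dnat_rule eth1 dmz 192.168.1.10 tcp 80
```

With RUN left at its default the script only prints the commands, so it can be compared line by line against what `shorewall show nat` and `shorewall show` report on the real host before anything is changed.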