
[opensuse-security] SuSEfirewall2 and libvirt/kvm



Hi,

I have a problem and hope someone can help ...
All IPs are just examples.

I have a server (host) (IP: 1.2.3.4/24, GW 1.2.3.254) on which I use KVM
in conjunction with libvirt. So far everything is working ...
The physical interface 'eth0' is bound to 'br0'.
Now I have a VM, which also has an 'official IP' (e.g. 5.6.7.8/32, GW:
1.2.3.254). The VM has an 'allowed' MAC for use in 'bridged' mode ...

So far everything works from outside: I am able to ping the VM (5.6.7.8)
from outside.
SuSEfirewall2 is active on the host, not yet on the VM ...
But I am not able to ping from the VM to the outside.

If the firewall on the host is OFF and I start pinging from the VM to the
outside, the ping works ... Even if I start the firewall on the host, the
ping continues. But if I stop the ping and start it again, it does not work
anymore.

Sadly there are no DROPs in the log. It also does not matter whether
FW_FORWARD_ALLOW_BRIDGING is ON or OFF ...

I tried to experiment a bit (added new variables and functions):

FW_FORWARD_EXT_TO_BRIDGED_VM="yes"
FW_DEV_EXT_PHYS="eth0"
FW_DEV_VM_PHYS="fw0"

# Accept bridged traffic in both directions between the physical uplink
# and the VM's tap device, matched on the bridge ports with the physdev module.
allow_ext_to_bridge()
{
    local iptables
    case "${FW_FORWARD_EXT_TO_BRIDGED_VM}" in
        yes)   ;;
        no|*)  return ;;   # "no" or unset: add no rules
    esac
    for iptables in "$IPTABLES" "$IP6TABLES"; do
        $iptables -A FORWARD -m physdev \
            --physdev-in "${FW_DEV_EXT_PHYS}" --physdev-out "${FW_DEV_VM_PHYS}" -j ACCEPT
        $iptables -A FORWARD -m physdev \
            --physdev-in "${FW_DEV_VM_PHYS}" --physdev-out "${FW_DEV_EXT_PHYS}" -j ACCEPT
    done
}

iptables-save shows my rules like the following:
---snip---
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m physdev --physdev-in eth0 --physdev-out fw0 -j ACCEPT
-A FORWARD -m physdev --physdev-in fw0 --physdev-out eth0 -j ACCEPT
-A FORWARD -i br0 -j forward_ext
---snip---

Hopefully someone can push me in the right direction ...
Thank you

-- 

Christian
----------------------------------------------------
   - Please do not 'CC' me on list mails.
          Just reply to the list :)
----------------------------------------------------
The ultimate shop for sportswear and accessories

http://www.sc24.de
----------------------------------------------------
-- 
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx
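The rules in the post can only match if the bridged frames actually enter the iptables FORWARD chain and if the tap device is really called what the rules say. The script below is an added diagnostic for that question; it is not SuSEfirewall2 code and not from the mail above. It assumes the bridge is br0 and the uplink is eth0 (as in the post) but does not assume the tap name ("fw0" is the poster's own guess): it reads the bridge's port list, prints the bridge-netfilter sysctls, and sums the FORWARD packet counters of rules that mention a given device from `iptables -vnxL FORWARD` output, so that a ping from the VM can be checked against moving counters rather than against a log that stays empty.

```sh
#!/bin/sh
# Added diagnostic for the bridged-VM forwarding problem described above.
# Not SuSEfirewall2 code and not from the original mail. Assumptions: the
# bridge is br0 and the uplink is eth0; the VM's tap device name is NOT
# assumed ("fw0" in the post is the poster's guess) but read from the bridge.

BRIDGE=${BRIDGE:-br0}
UPLINK=${UPLINK:-eth0}

# List the ports of a bridge other than the uplink, i.e. the candidate VM
# tap devices. $1 is the brif directory (/sys/class/net/<bridge>/brif holds
# one entry per port), $2 is the uplink name to skip.
bridge_vm_ports() {
    brif=$1
    [ -d "$brif" ] || return 1
    for port in "$brif"/*; do
        [ -e "$port" ] || continue
        port=${port##*/}
        if [ "$port" != "$2" ]; then
            printf '%s\n' "$port"
        fi
    done
}

# Print the bridge-netfilter sysctls found under $1 (normally
# /proc/sys/net/bridge). When bridge-nf-call-iptables is 0, frames bridged
# between br0's ports never enter the iptables FORWARD chain, so neither
# the physdev rules nor "-A FORWARD -i br0 -j forward_ext" can match or log.
bridge_nf_state() {
    for f in "$1"/bridge-nf-call-iptables "$1"/bridge-nf-call-ip6tables; do
        if [ -r "$f" ]; then
            printf '%s=%s\n' "${f##*/}" "$(cat "$f")"
        fi
    done
}

# Sum the packet counters of every FORWARD rule whose text mentions the
# device given in $1. Input on stdin is the output of
# "iptables -t filter -vnxL FORWARD": first column packets, second bytes,
# then the rule's interfaces and match text. Header lines have no numeric
# first column and are skipped.
forward_hits() {
    awk -v dev="$1" '
        $1 ~ /^[0-9]+$/ && index($0, dev) { sum += $1 }
        END { print sum + 0 }'
}

# Live run (needs root). Run it once, ping from the VM to the outside, run
# it again: if the counters of the eth0/physdev rules do not move, the VM's
# traffic is not passing through those rules, and the bridge-nf sysctls or
# the assumed tap name are the first things to revisit.
live_check() {
    echo "bridge-netfilter sysctls:"
    bridge_nf_state /proc/sys/net/bridge
    echo "ports on $BRIDGE other than $UPLINK (candidate VM taps):"
    bridge_vm_ports "/sys/class/net/$BRIDGE/brif" "$UPLINK"
    echo "FORWARD packets counted by rules mentioning $UPLINK:"
    iptables -t filter -vnxL FORWARD | forward_hits "$UPLINK"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Usage: `sh bridge-check.sh --live` on the host as root, before and after a ping from the VM; the parsing functions also take constructed input, which is how they can be exercised without a bridge at hand.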