Couldn't the be done more simply using ebtables. Sorry if the has already been discussed.<div><a href="http://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges">http://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges</a> <br>
<div><br></div><div>This would provide port based isolation on each existing bridge. This would provide true isolation not just ipv4.</div><div><br></div><div>I will see if I can get something setup and passed along.</div>
<div><br></div><div><br><div class="gmail_quote">On Wed, Aug 1, 2012 at 4:31 PM, Loiseleur Michel <span dir="ltr"><<a href="mailto:michel@loiseleur.com" target="_blank">michel@loiseleur.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
I finally manage to have something which seems to be a working setup with Shorewall. I am able to filter within, with or without on a simple bridged ipv4 network. Here are the necessary steps:<br>
<br>
0) Preliminary steps<br>
a) apt-get install shorewall.<br>
b) set IP_FORWARDING=On in /etc/shorewall/shorewall.conf<br>
c) set sysctl parameter allowing netfilter for bridge (in /etc/sysctl.d/pve.conf or with sysctl cli)<br>
net.bridge.bridge-nf-call-<u></u>iptables = 1<br>
<br>
1) You need to define your /etc/shorewall/interfaces. With one bridge on one interface, it will look like:<br>
#ZONE INTERFACE BROADCAST OPTIONS<br>
world vmbr0 detect bridge<br>
net eth0<br>
dmz vmbr0:tap+<br>
<br>
2) You need to define more precisely the range of your vms. It can be done in /etc/shorewall/hosts:<br>
#ZONE HOST(S) OPTIONS<br>
dmz vmbr0:<a href="http://172.16.0.0/24" target="_blank">172.16.0.0/24</a><br>
<br>
3) and help shorewall understand your bridge in /etc/shorewall/zones:<br>
#ZONE TYPE OPTIONS IN OPT OUT OPT<br>
fw firewall<br>
world ipv4<br>
net ipv4<br>
dmz:world bport<br>
<br>
4) You can then start to define your global policy, in /etc/shorewall/policy ("info" loglevel is quite handy when trying to understand what's going and can be removed later)<br>
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>
# Internet Connections<br>
dmz net ACCEPT<br>
# Allow FW to use internet<br>
$FW world ACCEPT<br>
net all DROP info<br>
# THE FOLLOWING POLICY MUST BE LAST<br>
all all REJECT info<br>
<br>
5) And a simple rules file, in /etc/shorewall/rules, allowing dns, ssh, proxmox and ping between vms but not outside:<br>
#ACTION SOURCE DEST PROTO DEST PORT ...<br>
<br>
# Accept DNS connections from the firewall to the network<br>
DNS(ACCEPT) dmz $FW udp 67<br>
<br>
# Accept SSH connections<br>
SSH(ACCEPT) net $FW<br>
SSH(ACCEPT) dmz $FW<br>
SSH(ACCEPT) world $FW<br>
<br>
# Permit access to Proxmox Manager and Console<br>
ACCEPT dmz $FW tcp 5900:5999<br>
HTTPS(ACCEPT) dmz $FW tcp 443,8006<br>
HTTP(ACCEPT) dmz $FW<br>
<br>
# Allow Ping only within the local vm network<br>
Ping(ACCEPT) dmz dmz<br>
<br>
<br>
There are two key points in this setup. First is to specify the link between your interfaces (vmbr0:tap+) and your zones (dmz:world). Second one is to define more precisely internal range of the bridge, in hosts file. If you do not, shorewall won't be able to distinguish your vm network from the internet.<br>
<br>
Now that I hope to have gained my "you're not anymore a complete noob in shorewall networking" medal, maybe I would be able to see what can I do about multiple bridges. It seems there's a start of answer here:<br>
<a href="http://www1.shorewall.net/bridge-Shorewall-perl.html#Multiple" target="_blank">http://www1.shorewall.net/<u></u>bridge-Shorewall-perl.html#<u></u>Multiple</a><br>
<br>
According to this page, one should be able to use a logical name in order to workaround uniqueness on port name.<span class="HOEnZb"><font color="#888888"><br>
<br>
-- <br>
Michel Loiseleur<br>
______________________________<u></u>_________________<br>
pve-devel mailing list<br>
<a href="mailto:pve-devel@pve.proxmox.com" target="_blank">pve-devel@pve.proxmox.com</a><br>
<a href="http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel" target="_blank">http://pve.proxmox.com/cgi-<u></u>bin/mailman/listinfo/pve-devel</a><br>
</font></span></blockquote></div><br></div></div>