Hello, Proxmox is a great solution and, with Shorewall, an excellent combination, but my ideal configuration is a little complicated and I am not sure where I have a mistake. Is there anybody who can help me, please? The current working installation is with eth0 and vmbr0 and without bonding (old server). After migration to new hardware and some changes (e.g. vmbr2, because vmbr0 is for the cluster and vmbr1 for VMs, bonding, etc.), it is not working: I am not able to connect from the internet (net) to the Proxmox server (fw), DNAT is not working, and I can't save vmbr2 as eth0 in the virtual machine hosted on the second node (venet and lo in proc, no eth0 device = network problem with DNAT and masq).
1. web server (HTTP) with DNAT for a specific VM (but HTTPS is hosted on each VM)
2. access to the Proxmox web admin
3. VMs in the DMZ with a bonded line - bond0 (eth0, eth1) and venet0
4. vmbr0 for cluster communication (eth2)
/etc/network/interfaces
Code:
# network interface settings
auto lo
iface lo inet loopback

iface eth0 inet manual

iface eth1 inet manual

iface eth2 inet manual

auto bond0
iface bond0 inet manual
    slaves eth0 eth1
    bond_miimon 100
    bond_mode active-backup
    post-up echo 1 > /proc/sys/net/ipv4/conf/bond0/proxy_arp

auto vmbr0
iface vmbr0 inet static
    # 10.213.38.1 is the Proxmox master
    address 10.213.38.2
    netmask 255.255.255.0
    gateway 10.213.38.2
    bridge_ports eth2
    bridge_stp off
    bridge_fd 0

auto vmbr1
iface vmbr1 inet static
    address PUBLIC_IP
    netmask PUBLIC_MASK
    gateway PUBLIC_GW
    bridge_ports bond0
    bridge_stp off
    bridge_fd 0

auto vmbr2
iface vmbr2 inet static
    address 10.213.31.2
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
/etc/shorewall/interfaces
Code:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     bond0       detect      blacklist,tcpflags,routefilter,nosmurfs,logmartians
dmz     venet0      detect      routeback
dmz     vmbr1       detect      routeback,bridge
dmz     vmbr2       detect      routeback,bridge
loc     vmbr0       detect      routeback
/etc/shorewall/proxyarp
Code:
#ADDRESS        INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
xx.xx.xx.xxx    venet0      bond0      no          yes
xx.xx.xx.xxx    vmbr1       bond0      no          yes
10.213.31.3     vmbr2       bond0      no          yes
/etc/shorewall/rules
Code:
#ACTION         SOURCE   DEST               PROTO   DEST        SOURCE    ORIGINAL
#                                                   PORT        PORT(S)   DEST
# Accept SSH connections for administration
#
SSH/ACCEPT      net      $FW
# Permit access to Proxmox Manager and Console
#
ACCEPT          net      $FW                tcp     5900:5999
HTTPS/ACCEPT    net      $FW
# Permit web access to VMs
#
HTTPS/ACCEPT    net      dmz
HTTP/ACCEPT     net      dmz
# Shared (hidden in private net) HTTP web server for a specific VM
# (x.x.x.x is the VM's public IP)
DNAT            net      dmz:10.213.31.3    tcp     80          -         x.x.x.x
/etc/shorewall/policy
Code:
###############################################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
# From Firewall Policy
$FW       $FW    ACCEPT
$FW       net    ACCEPT
$FW       dmz    ACCEPT
$FW       loc    ACCEPT
# From DMZ Policy
dmz       dmz    ACCEPT
dmz       net    ACCEPT
dmz       $FW    DROP     info        1/sec:2
dmz       loc    REJECT   info
# From Net Policy
net       net    DROP
net       $FW    DROP     info        1/sec:2
net       dmz    DROP     info        8/sec:30
net       loc    REJECT   info
# From Loc Policy
loc       loc    ACCEPT
loc       $FW    ACCEPT
loc       dmz    REJECT   info
loc       net    REJECT   info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
/etc/shorewall/zones
Code:
#ZONE   TYPE       OPTIONS   IN   OUT
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4
/etc/shorewall/masq
Code:
#INTERFACE   SOURCE           ADDRESS   PROTO   PORT(S)   IPSEC   MARK
bond0        10.213.31.1/24
Regards,
Zdenek
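One thing worth checking in a layout like this is whether a Shorewall zone is bound to an interface that ifupdown enslaves to a bridge (for example bond0, which is a bridge_ports member of vmbr1), because netfilter sees bridged traffic arriving on the bridge device, not on its port. The script below is an added example, not part of the post; it assumes the ifupdown stanza syntax and the old ZONE/INTERFACE/BROADCAST/OPTIONS column layout shown above, and runs on constructed sample files modelled on them.

```shell
#!/bin/sh
# Added example (not from the original post). Cross-checks an ifupdown
# /etc/network/interfaces file against Shorewall's interfaces file and
# reports zones bound to an interface that is enslaved via bridge_ports.
# Rationale: traffic through a Linux bridge is seen by netfilter on the
# bridge device (e.g. vmbr1), not on its member port (e.g. bond0).

# Usage: check_shorewall_interfaces <ifupdown-file> <shorewall-interfaces-file>
# Prints "<zone> <port> -> <bridge>" per suspect entry; nothing if consistent.
check_shorewall_interfaces() {
    awk '
        FILENAME == ARGV[1] {               # first file: ifupdown config
            if ($1 == "iface") cur = $2
            else if ($1 == "bridge_ports")
                for (i = 2; i <= NF; i++) if ($i != "none") bridge[$i] = cur
            next
        }
        /^[ \t]*(#|$)/ { next }             # second file: skip comments/blanks
        ($2 in bridge) { print $1, $2, "->", bridge[$2] }
    ' "$1" "$2"
}

# Self-contained demo on constructed sample files (not the real ones).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/interfaces" <<'EOF'
auto bond0
iface bond0 inet manual
    slaves eth0 eth1
auto vmbr0
iface vmbr0 inet static
    bridge_ports eth2
auto vmbr1
iface vmbr1 inet static
    bridge_ports bond0
auto vmbr2
iface vmbr2 inet static
    bridge_ports none
EOF
    cat > "$d/shorewall-interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     bond0       detect      tcpflags,routefilter
dmz     vmbr1       detect      routeback,bridge
dmz     vmbr2       detect      routeback,bridge
loc     vmbr0       detect      routeback
EOF
    check_shorewall_interfaces "$d/interfaces" "$d/shorewall-interfaces"
    rm -rf "$d"
}
```

Run `demo` to see the report for the sample files, or call `check_shorewall_interfaces` on the real paths.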