Shorewall not routing to VM

[Gerhard]

Hello all,

I am using my host as a firewall (using Shorewall) in a 3 interface configuration with net (eth0), loc (eth1) and dmz (vmbr0/eth2) zones. I have installed a web server and mail server in two separate KVM virtual machines in the dmz and I have another physical web server running in the loc zone. My problem is that traffic from the internet is not reaching the two servers in the dmz but it is reaching the web server in the loc zone. I have confirmed (with tcpdump) that packets hit eth0 on the host but not the vm's. I am suspecting that the network bridge on eth2 is the problem. My interfaces file looks like this (i.t.o. eth2):

iface eth2 inet manual​

auto vmbr0
iface vmbr0 inet static
address 192.168.2.254
netmask 255.255.255.0
bridge_ports eth2
bridge_stp off
bridge_fd 0​

Am I on the right track suspecting the bridge or is there something else I am missing?

Thanks.

 

[JustaGuy]

It's kindof difficult to make any determination based on the information provided.
It would help if you were to post your /etc/network/interfaces or explain how the Shorewall is configured.

So you have Proxmox at 192.168.2.254 & shorewall's installed to the same Operating environment as Proxmox, not a VM inside?
What do you mean when you say (i.t.o. eth2)?

Seems Shorewall isn't distributing the eth0 to the right places somehow.

I'm not at all an expert with Shorewall, so I can't help much but there's a tutorial for how that can be configured with Proxmox- there's a special repo to install from and something about only one bridge being supported, so I don't use it but some people say these articles work.
http://montanalinux.org/proxmox-ve-with-shorewall.html
http://www.montanalinux.org/proxmox-ve-with-shorewall-part2.html

 

[Gerhard]

Thank you for the reply. There is was a problem higher up in my rules file!

FWIW, It seems that there are no specific tricks required to get network bridges to work with Shorewall - they work like any other interface in my experience.