Discussion:
[Shorewall-users] Blacklisting on bridge possible?
Christian Aust
2016-08-15 10:40:48 UTC
Hello,

I’m running Shorewall 4.6.4.3 on Debian Linux 8.5. Debug data can be found here:

https://gist.github.com/datenimperator/997547efff3fcc2b9270ec870d60021c

I’m using LXC containers w/ external addresses, connected to a bridge. I’m trying to blacklist IPs from accessing the LXC containers.

The IPs which should be blacklisted show up in the output of `shorewall dump` but those clients are still able to access port 80 on an apache server running inside one of the containers. I can’t say why.

Any help is appreciated. Kind regards

Christian Aust
Tom Eastep
2016-08-15 15:28:25 UTC
Post by Christian Aust
Hello,
I’m running Shorewall 4.6.4.3 on Debian Linux 8.5. Debug data can be found here:
https://gist.github.com/datenimperator/997547efff3fcc2b9270ec870d60021c
I’m using LXC containers w/ external addresses, connected to a
bridge. I’m trying to blacklist IPs from accessing the LXC
containers.
The IPs which should be blacklisted show up in the output of
`shorewall dump` but those clients are still able to access port 80
on an apache server running inside one of the containers. I can’t
say why.
Any help is appreciated. Kind regards
The problem here is that your Shorewall configuration doesn't match
your IP configuration. You have defined 'net' as an ipv4 zone
associated with eth0, but eth0 is a port on a bridge. While you could
define 'net' as bport zone, Netfilter imposes restrictions which make
that approach less than optimal. With 'net' as a bport zone, you would
not be able to define priv->net rules or policies.

So a better approach is to remove eth0 from vmbr0 and give it a public
IP address. Assuming that 149.202.201.254 is the only external host in
149.202.201.0/24 that your system (including VMs) needs to access:

a) Configure the address as a /32 rather than a /24 (you can actually
use 149.202.201.227 for both vmbr0 and eth0).
b) Define a host route out of eth0 to 149.202.201.254 out of eth0.
c) Redefine your default gateway to be out of eth0.
d) Set the 'proxyarp' option in the eth0 entry in
/etc/shorewall/interfaces.

Regards,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Christian Aust
2016-08-15 15:52:51 UTC
Thanks Tom,
Post by Tom Eastep
b) Define a host route out of eth0 to 149.202.201.254 out of eth0.
I do not understand. Typo? Regards

Christian
Tom Eastep
2016-08-15 20:05:35 UTC
Post by Christian Aust
Thanks Tom,
On 15.08.2016 at 17:28, Tom Eastep wrote:
b) Define a host route out of eth0 to 149.202.201.254 out of
eth0.
I do not understand. Typo? Regards
Typo -- should be "Define a host route out of eth0 to 149.202.201.254"

In /etc/network/interfaces:

auto eth0
iface eth0 inet static
    address 149.202.201.227
    # /32: no on-link subnet on eth0, so the gateway needs the host route below
    broadcast 0.0.0.0
    netmask 255.255.255.255
    post-up /sbin/ip route add 149.202.201.254/32 dev eth0

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
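The layout Tom lays out in steps a) to d) above, together with the eth0 stanza from his second message, as one added example (this is not code from the thread or from the Shorewall project). It stages the Debian networking and Shorewall files under a review directory rather than writing to /, and it includes the check a practitioner would want afterwards: a function that reads the output of `ip route show` and confirms the default route and the gateway host route leave via eth0 while the containers' /24 stays on vmbr0. The addresses, the interface names and the zone names 'net' and 'priv' come from the thread; the staging directory, the vmbr0 stanza (bridge_ports none, since eth0 is no longer a port), the extra interface options and the blacklisted address 192.0.2.10 (a TEST-NET-1 placeholder) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Shorewall project. It stages
# the layout Tom describes (eth0 removed from vmbr0, a /32 on eth0, a host route to
# the gateway, default route out of eth0, proxyarp on eth0) under a staging
# directory for review, and checks a routing table against it. Addresses,
# interface names and the zone names 'net' and 'priv' come from the thread; the
# staging directory, the vmbr0 stanza and the blrules address are assumptions.
set -eu

HOST_IP=149.202.201.227        # host address, used on both eth0 (/32) and vmbr0 (/24)
GATEWAY=149.202.201.254        # upstream router, reached by a host route on eth0
LAN_NET=149.202.201.0/24       # the containers' subnet, connected on vmbr0
DESTDIR=${DESTDIR:-./staging}  # assumption: stage here instead of writing to /

# /etc/network/interfaces: eth0 is no longer a bridge port. The /32 means no
# on-link subnet on eth0, so the gateway needs an explicit host route before the
# default route can point at it (steps a, b and c).
stage_network_interfaces() {
    mkdir -p "$DESTDIR/etc/network"
    cat > "$DESTDIR/etc/network/interfaces" <<EOF
auto eth0
iface eth0 inet static
    address $HOST_IP
    netmask 255.255.255.255
    broadcast 0.0.0.0
    post-up /sbin/ip route add $GATEWAY/32 dev eth0
    post-up /sbin/ip route replace default via $GATEWAY dev eth0

# assumption: the bridge keeps the /24 (the containers' subnet) but no longer has
# eth0 as a port; LXC adds the container veths when the containers start
auto vmbr0
iface vmbr0 inet static
    address $HOST_IP
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
EOF
}

# /etc/shorewall/{zones,interfaces,blrules}: 'net' stays an ordinary ipv4 zone on
# eth0 (not a bport zone), so priv->net rules and policies remain possible.
# proxyarp (step d) makes the host answer ARP on eth0 for the container addresses
# it routes over vmbr0. The blacklisted address is a placeholder (TEST-NET-1).
stage_shorewall() {
    mkdir -p "$DESTDIR/etc/shorewall"
    cat > "$DESTDIR/etc/shorewall/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
priv    ipv4
EOF
    cat > "$DESTDIR/etc/shorewall/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           proxyarp,tcpflags,nosmurfs
priv    vmbr0       -
EOF
    cat > "$DESTDIR/etc/shorewall/blrules" <<'EOF'
#ACTION SOURCE          DEST
DROP    net:192.0.2.10  all
EOF
}

# Check the output of `ip route show` (read from stdin) against the intended
# layout: default route and gateway host route leave via eth0, and the /24 stays
# on vmbr0. Prints the first mismatch and returns 1.
check_routes() {
    table=$(cat)
    echo "$table" | grep -q "^default via $GATEWAY dev eth0" ||
        { echo "default route is not out of eth0"; return 1; }
    echo "$table" | grep -q "^$GATEWAY dev eth0" ||
        { echo "no host route to $GATEWAY out of eth0"; return 1; }
    echo "$table" | grep -q "^$LAN_NET dev vmbr0" ||
        { echo "$LAN_NET is not on vmbr0"; return 1; }
    return 0
}

# Constructed sample routing tables: the intended layout, and the original one in
# which eth0 was a bridge port and everything left via vmbr0.
GOOD_ROUTES='default via 149.202.201.254 dev eth0
149.202.201.0/24 dev vmbr0 proto kernel scope link src 149.202.201.227
149.202.201.254 dev eth0 scope link'
BAD_ROUTES='default via 149.202.201.254 dev vmbr0
149.202.201.0/24 dev vmbr0 proto kernel scope link src 149.202.201.227'

if [ "${1:-}" = stage ]; then
    stage_network_interfaces
    stage_shorewall
    echo "staged under $DESTDIR; compare the live table with: ip route show | sh $0 check"
fi
if [ "${1:-}" = check ]; then
    check_routes && echo "routing table matches the intended layout"
fi
```

Run it as `sh example.sh stage`, diff the staged files against the live ones, copy them in, bring the interfaces up, then `shorewall check && shorewall restart` and pipe `ip route show` through `sh example.sh check`. The host route to 149.202.201.254 is the more specific match, so it wins over the /24 connected to vmbr0; any other host in 149.202.201.0/24 that is outside the bridge would still be routed to vmbr0, which is why Tom's advice assumes the gateway is the only such host (each additional one would need its own host route out of eth0).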