[Firehol-support] firehol and openvz

Grigory Fateyev greg at anastasia.ru
Wed May 14 15:15:51 BST 2008 

Hello!

I use firehol like firewall on server with OpenVZ. VE's have
172.16.1.0/24 ips, all is working ok, but telnet from inside VE to
remote smtp couldn't be connect. Where was I wong?

Thanks!

server_ips=""
ovz_net="172.16.1.0/24"

#snat to "${server_ips}" outface eth0 src "${ovz_net}"

dnat to 172.16.1.101:80 inface eth0 dst "${server_ips}" proto tcp dport
80 
dnat to 172.16.1.101:21 inface eth0 dst "${server_ips}" proto tcp dport
21 
dnat to 172.16.1.101:443 inface eth0 dst "${server_ips}" proto tcp
dport 443

dnat to 172.16.1.102:80 dst "${server_ips}" proto tcp dport 80
dnat to 172.16.1.102:21 proto tcp dport 10221
dnat to 172.16.1.103:53 dst "${server_ips}" proto tcp dport 53
dnat to 172.16.1.103:53 dst "${server_ips}" proto udp dport 53
dnat to 172.16.1.103:53 dst "${server_ips}" proto tcp dport 53
dnat to 172.16.1.103:53 dst "${server_ips}" proto udp dport 53

#c mail
dnat to 172.16.1.103:25 proto tcp dport 25
dnat to 172.16.1.103:465 proto tcp dport 465
dnat to 172.16.1.103:110 proto tcp dport 110
dnat to 172.16.1.103:143 proto tcp dport 143
dnat to 172.16.1.103:993 proto tcp dport 993
dnat to 172.16.1.103:995 proto tcp dport 995

interface "eth0" main_net #dst ${server_ips}
        protection strong 200/sec 400
        server ident reject with tcp-reset
	server ssh      accept #src "${trust_ips}"
	server icmp     accept limit 3/m 5
	server webmin	accept

	client "smtp smtps icmp dns ftp http ssh ntp irc"       accept

# Venet interfeces describe
interface "venet0" openvz src "${ovz_net}"
        server all      accept
        client all	accept

# Routing venet ifaces to internet
router openvz2local inface "venet0" outface "eth0"
        masquerade
        route all accept

# Routing between VE
router "ve2ve" inface "venet0" outface "venet0"
	route all accept

# Routing DNAT ports
router "ext2int" inface "eth0" outface "venet0"
	route "http https ftp dns smtp smtps pop3 pop3s imap imaps"
accept dst "${ovz_net}"

-- 
Всего наилучшего! Григорий
greg [at] anastasia [dot] ru
Письмо отправлено: 2008/05/14 17:59

More information about the Firehol-support mailing list