forwarded 631234 http://bugzilla.openvz.org/show_bug.cgi?id=1939 thanks
Hi Martin

Thanks a lot for the report. I have now forwarded this upstream, as you can see at http://bugzilla.openvz.org/show_bug.cgi?id=1939.

However, I have a question for you about the HW configuration, so we know more about when this happens. You write that this is a Dell server, but that could be a lot of things. I would like to know more about the CPU used: i386, amd64 or something else.

Best regards,

// Ola

On Tue, Jun 21, 2011 at 09:08:49PM +0100, Martin wrote:
> Package: linux-image-openvz-686
> Version: 2.6.32+29
>
> I have one Dell server, running Debian 6 with only one network port
> connected to my test LAN (eth0), and two test containers, also running
> Debian 6. On those containers I have installed Shorewall 4.4.11.6 from
> the Debian repositories and configured it as described in the attached
> files. The physical server doesn't have Shorewall installed. This is a
> clean install; the only modifications I made from the base install were
> installing the OpenVZ kernel and userland utilities. I have tested these
> same configuration files on a VMware virtual machine and it worked
> without any problems.
>
> Now for the problem:
>
> Whenever I enable shorewall (shorewall safe-start or boot), it allows
> SSH and MySQL from the LAN, but it's impossible to access anything from
> within the container to the outside world. Simply disabling shorewall,
> or setting ALLOW in the net section of /etc/shorewall/policy, resolves
> the problem. I have tested this by using PING and SSH to the IP
> addresses of other machines on the LAN, the other OpenVZ container and
> the physical server.
>
> --
>
> I've reported this issue on the Shorewall mailing list and received the
> following response from Tom Eastep:
>
> I looked at this exact same problem with another user recently. The
> problem is that the OpenVZ kernel is mis-categorizing incoming
> packets.
>
> Look at this:
>
> Chain net2fw (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   585 45057 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>   585 45057 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
>     9   790 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Not one packet has matched the 'ctstate RELATED,ESTABLISHED' rule.
> Incoming SSH works but all outgoing connections fail because the
> response packets are dropped.
>
> I took a quick look at the Debian Bugtrack system and didn't see any
> reports against the kernel package you are using, but I would have
> thought that the user I tried to help earlier would have filed a report,
> so you might want to poke around there.

-- 
 --------------------- Ola Lundqvist ---------------------------
/  o...@debian.org                     Annebergsslingan 37      \
|  o...@inguza.com                     654 65 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Archive: http://lists.debian.org/20110730205745.ga24...@inguza.net
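As an added diagnostic for the symptom Tom Eastep describes (this is not from the bug report, from Shorewall or from the kernel package): a shell function that reads `iptables -nvxL <chain>` output and flags a chain whose conntrack RELATED,ESTABLISHED rule has matched nothing while its drop rules are counting packets. The function name is mine, and the two chain dumps are constructed samples, the first mirroring the counters quoted above.

```shell
#!/bin/sh
# Added diagnostic, not part of the bug report: feed it the output of
# `iptables -nvxL net2fw` (-x gives exact counters instead of 45K-style
# abbreviations) and it reports whether the conntrack rule is dead while
# the drop rules are busy, which is the pattern in Tom Eastep's dump.
# Exit status: 0 healthy, 1 suspect, 2 no conntrack rule in the chain.
check_ctstate_chain() {
    awk '
        # counters of the RELATED,ESTABLISHED rule (field 1 = pkts)
        /ctstate RELATED,ESTABLISHED/ { ct_seen = 1; ct_pkts = $1 }
        # Shorewall "Drop" action chain or a plain DROP target
        $3 == "Drop" || $3 == "DROP"  { drop_pkts += $1 }
        END {
            if (!ct_seen) { print "no ctstate RELATED,ESTABLISHED rule in chain"; exit 2 }
            if (ct_pkts == 0 && drop_pkts > 0) {
                print "SUSPECT: conntrack rule matched 0 packets, drop rules matched " drop_pkts
                exit 1
            }
            print "ok: conntrack rule matched " ct_pkts " packets"
            exit 0
        }'
}

# Constructed sample: the counters from the report, one rule per line
# as iptables -nvL actually prints them (the mail had wrapped them).
BROKEN_CHAIN='Chain net2fw (1 references)
 pkts bytes target     prot opt in  out  source      destination
  585 45057 tcpflags   tcp  --  *   *    0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT     all  --  *   *    0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED
  585 45057 ACCEPT     tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   tcp dpt:22
    0     0 ACCEPT     tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   tcp dpt:80
    9   790 Drop       all  --  *   *    0.0.0.0/0   0.0.0.0/0
    0     0 DROP       all  --  *   *    0.0.0.0/0   0.0.0.0/0'

# Constructed sample of a working container: replies are being matched.
HEALTHY_CHAIN='Chain net2fw (1 references)
 pkts bytes target     prot opt in  out  source      destination
  312 41900 ACCEPT     all  --  *   *    0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED
  585 45057 ACCEPT     tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   tcp dpt:22
    2   120 Drop       all  --  *   *    0.0.0.0/0   0.0.0.0/0'

printf '%s\n' "$BROKEN_CHAIN"  | check_ctstate_chain || echo "exit status $?"
printf '%s\n' "$HEALTHY_CHAIN" | check_ctstate_chain || echo "exit status $?"
```

Run it against a live chain with `iptables -nvxL net2fw | check_ctstate_chain`; a zero-hit conntrack rule next to busy drop rules is the signature to look for before blaming the Shorewall configuration.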