Re: bridges, NAT, virtual machines, brain hurt :-).

OK, I have a few comments and suggestions.  Worth every cent you paid
for them.

On 12/28/2011 10:35 AM, Tom Horsley wrote:
> echo 1 > /proc/sys/net/ipv4/ip_forward

You'll want to make this persistent by setting net.ipv4.ip_forward = 1
in /etc/sysctl.conf.

> iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE

This rule is catching everything going out br0, including local traffic.
I would do something like:

  iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o br0 -j MASQUERADE

> iptables -A FORWARD -i br0 -o bifrost -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i bifrost -o br0 -j ACCEPT

These two rules allow your "DMZ" machine to make connections to pretty
much anything.  I would suggest the following.

First, allow the DMZ machine to make connections to hosts that are not
on your local network:

  iptables -A FORWARD -i bifrost ! -d 192.168.100.0/24 -j ACCEPT

Then allow traffic on *all* established connections.

  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

This combination will restrict the DMZ guest from initiating connections
to machines on your local network, but you'll still be able to make
inbound connections the other way, if you wish.

One very important note is that you also need to add appropriate rules
to the INPUT chain on your host.  The rules in the FORWARD chain don't
affect traffic destined for the local host.

Personally, I find bifrost to be an extremely weird name for a network
interface.  I would recommend using something that is more obviously an
interface; it makes reading the iptables stuff much easier.

HTH

-- 
========================================================================
Ian Pilcher                                         arequipeno@xxxxxxxxx
"If you're going to shift my paradigm ... at least buy me dinner first."
========================================================================

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
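The rule set suggested in the reply above, collected into one script as an added example (it is not part of the thread and not Ian's or Tom's own configuration). It renders the rules in iptables-save format so they can be loaded atomically with iptables-restore and kept in a file rather than typed one at a time, and it makes the ip_forward sysctl persistent without duplicating the line. The interface names (br0, bifrost) and subnets (192.168.100.0/24 for the LAN, 10.10.10.0/24 for the guest) come from the thread; the DROP policies on INPUT and FORWARD, the minimal INPUT rules (loopback, established traffic, SSH from the LAN) and the file layout are this example's own assumptions. Without a DROP policy or an explicit DROP rule, the ACCEPT rules in the reply only permit traffic and restrict nothing, which is why the policy is set here.

```shell
#!/bin/sh
# Added example, not from the original thread: render the NAT/DMZ rule set
# as an iptables-save file and persist IP forwarding.
# Interface and subnet names are from the thread; everything else (policies,
# INPUT rules, file paths) is assumed for illustration and may need adjusting.

LAN_IF=${LAN_IF:-br0}                       # bridge to the LAN
DMZ_IF=${DMZ_IF:-bifrost}                   # interface to the DMZ guest
LAN_NET=${LAN_NET:-192.168.100.0/24}        # local network
DMZ_NET=${DMZ_NET:-10.10.10.0/24}           # guest subnet behind the NAT

# Print the complete rule set in iptables-save format on stdout.
# Lines starting with '#' are ignored by iptables-restore.
render_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT only the guest subnet, not the host's own traffic leaving $LAN_IF
-A POSTROUTING -s $DMZ_NET -o $LAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Host-bound traffic is decided here, not in FORWARD (assumed minimal set;
# add a rule per service the host actually offers)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Guest may open connections anywhere except the LAN
-A FORWARD -i $DMZ_IF ! -d $LAN_NET -j ACCEPT
# Replies on established connections, in either direction
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Make forwarding persistent: replace or add net.ipv4.ip_forward in the given
# sysctl file (default /etc/sysctl.conf) so repeated runs leave exactly one line.
persist_ip_forward() {
    f=${1:-/etc/sysctl.conf}
    [ -f "$f" ] || : > "$f"
    { grep -v '^net\.ipv4\.ip_forward' "$f" || :; } > "$f.tmp"
    echo 'net.ipv4.ip_forward = 1' >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# Parse-check the rendered rules, then load them atomically (needs root).
apply_rules() {
    render_rules | iptables-restore --test && render_rules | iptables-restore
}

case "${1:-}" in
    render)  render_rules ;;
    apply)   apply_rules ;;
    persist) persist_ip_forward "${2:-}" ;;
esac
```

Run it as `sh dmz-rules.sh render` to review the output, `render > /etc/sysconfig/iptables` to store it where the Fedora iptables service of that era loads it from, and `apply` to load it live; `persist` writes the sysctl line, after which `sysctl -p` applies it. The `--test` pass in `apply_rules` catches syntax slips such as the stray comma in `RELATED,ESTABLISHED,` before anything is committed to the kernel.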

