Re: Howto make Firewalld allow remote SSH into a Virtual Machine?

On 25.07.2013 22:17, Bill Davidsen wrote:
> Reindl Harald wrote:
>>> On the workstation IPv4 forwarding is on:
>>> $ cat /proc/sys/net/ipv4/ip_forward
>>> 1
>>>
>>> So how do I make firewalld allow pings and ssh from remote hosts?
>>
>> no idea about firewalld, with iptables.service it is easy
>> however you need iptables-forwarding and masquerade for NAT
>>
>> * vmnet8           -> virtual interface the VMs are running on
>> * eth0             -> LAN interface of the host
>> * 10.0.0.0/24      -> LAN network (host and other machines)
>> * 192.168.197.0/24 -> network with the VMs
>>
>> iptables -A FORWARD -i eth0 -o vmnet8 -s 10.0.0.0/24 -d 192.168.197.0/24 -j ACCEPT
>> iptables -A FORWARD -i vmnet8 -o eth0 -s 192.168.197.0/24 -d 10.0.0.0/24 -j ACCEPT
>> iptables -A POSTROUTING -o vmnet8 -t nat -s 10.0.0.0/24 -j MASQUERADE
>>
> Several thoughts on this. First, this should come after the rule Fedora provides to ACCEPT packets ESTABLISHED or
> RELATED. That means that once the connection is set up, the first rule will accept the packets, and reduce CPU
> usage as well as latency.

that's a different thing and if i come up here with my 548 line iptables-script
resulting in 1318 lines i would hardly have helped someone :-)

[root@srv-rhsoft:~]$ cat /scripts/iptables.sh | wc -l
548

[root@srv-rhsoft:~]$ /usr/sbin/iptables --list --numeric --verbose | grep -v LOG | wc -l
1318

> The other is less obvious: these rules should be qualified with tests for NEW connections, so some tricks involving
> sending in a packet as if it were part of an existing connection won't work.
> So if you add:
>   -m state --state NEW
> to those rules before -j, you will cheaply protect machines beyond the firewall. Yes, there are some obscure
> protocols which fail to be set ESTABLISHED, hopefully these are uncommon enough that if you use them you can put
> other qualifiers on the connect

uhm no - the intention of my example was to make the machines behind the virtual NAT
accessible the same way as they would be physical machines on the same network

that you can add source / target / port / multiport-specific rules is a different
topic, my intention was to show how forwarding/masquerading between different NATs
works and assuming that the VM network is inside a LAN the above would be OK

if you need to access the guests from the internet you need to specify ports
and single addresses to be on the safe side anyways

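The two positions in the thread can be combined into one small script. The following is an added example, not code from either poster: it generates Reindl's LAN/VM forwarding rules with the ordering Bill describes (tracked traffic accepted first, then only NEW connections allowed to cross), and adds the narrower "only SSH and ping to one guest" variant that the last paragraph calls for when guests must be reachable from outside. It uses `-m conntrack --ctstate`, the current spelling of Bill's `-m state --state`, and sets the FORWARD policy to DROP, since the NEW qualifier protects nothing if the chain otherwise falls through to ACCEPT. Interface and network names are taken from Reindl's layout; `VM_HOST` is a constructed placeholder address. By default it only prints the commands; it touches the kernel only when run as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example, not part of the thread. Generates the host's FORWARD / NAT
# rules for a VM network, tracked flows first and NEW-only openings after.
# Names below are assumptions taken from the thread; VM_HOST is a placeholder.
LAN_IF="${LAN_IF:-eth0}"                  # LAN side of the host
VM_IF="${VM_IF:-vmnet8}"                  # virtual interface the guests sit on
LAN_NET="${LAN_NET:-10.0.0.0/24}"         # LAN network
VM_NET="${VM_NET:-192.168.197.0/24}"      # guest network (mask included)
VM_HOST="${VM_HOST:-192.168.197.10}"      # one guest to expose (constructed)
IPT="${IPT:-iptables}"
CT="-m conntrack --ctstate"               # current form of "-m state --state"

# Full LAN <-> VM reachability, as in Reindl's example, with the conntrack
# ordering Bill describes. The DROP policy is what gives the NEW test meaning.
vm_forward_rules() {
    echo "$IPT -P FORWARD DROP"
    # 1. Packets of already-tracked flows are accepted by one cheap rule.
    echo "$IPT -A FORWARD $CT ESTABLISHED,RELATED -j ACCEPT"
    # 2. Only a NEW connection may cross the boundary, in either direction;
    #    a stray packet claiming to belong to a flow never matches here.
    echo "$IPT -A FORWARD -i $LAN_IF -o $VM_IF -s $LAN_NET -d $VM_NET $CT NEW -j ACCEPT"
    echo "$IPT -A FORWARD -i $VM_IF -o $LAN_IF -s $VM_NET -d $LAN_NET $CT NEW -j ACCEPT"
    # 3. LAN sources are masqueraded towards the guests, so guests answer to
    #    the host's vmnet8 address and need no route back to the LAN.
    echo "$IPT -t nat -A POSTROUTING -o $VM_IF -s $LAN_NET -j MASQUERADE"
}

# Narrow variant for the "reachable from outside" case: only SSH and ping to
# a single guest are allowed in; nothing new may leave the guest network.
vm_ssh_only_rules() {
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -A FORWARD $CT ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A FORWARD -i $LAN_IF -o $VM_IF -d $VM_HOST -p tcp --dport 22 $CT NEW -j ACCEPT"
    echo "$IPT -A FORWARD -i $LAN_IF -o $VM_IF -d $VM_HOST -p icmp --icmp-type echo-request $CT NEW -j ACCEPT"
    echo "$IPT -t nat -A POSTROUTING -o $VM_IF -s $LAN_NET -j MASQUERADE"
}

# Number of commands a generator emits (handy for checking a ruleset).
rule_count() { "$1" | grep -c ''; }

# Print the generator's commands (default) or execute them (DRY_RUN=0, root).
apply() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        "$1"
    else
        "$1" | while IFS= read -r cmd; do eval "$cmd"; done
    fi
}

apply vm_forward_rules
```

Run it as `sh vmfw.sh` to review the rules, then `DRY_RUN=0 sh vmfw.sh` as root to load them; swap `vm_forward_rules` for `vm_ssh_only_rules` in the last line for the restricted set. The generator form keeps the ordering argument visible in one place: every ruleset starts with the policy and the ESTABLISHED,RELATED accept, and every opening after that is NEW-only.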
