bridges, NAT, virtual machines, brain hurt :-).
Ian Pilcher
arequipeno at gmail.com
Thu Dec 29 16:44:05 UTC 2011
OK, I have a few comments and suggestions. Worth every cent you paid
for them.
On 12/28/2011 10:35 AM, Tom Horsley wrote:
> echo 1 > /proc/sys/net/ipv4/ip_forward
You'll want to make this persistent by setting net.ipv4.ip_forward = 1
in /etc/sysctl.conf.
> iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
This rule is catching everything going out br0, including local traffic.
I would do something like:
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o br0 -j MASQUERADE
> iptables -A FORWARD -i br0 -o bifrost -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i bifrost -o br0 -j ACCEPT
These two rules allow your "DMZ" machine to make connections to pretty
much anything. I would suggest the following.
First, allow the DMZ machine to make connections to hosts that are not
on your local network:
iptables -A FORWARD -i bifrost ! -d 192.168.100.0/24 -j ACCEPT
Then allow traffic on *all* established connections.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
This combination will restrict the DMZ guest from initiating connections
to machines on your local network, but you'll still be able to make
inbound connections the other way, if you wish.
One very important note is that you also need to add appropriate rules
to the INPUT chain on your host. The rules in the FORWARD chain don't
affect traffic destined for the local host.
Personally, I find bifrost to be an extremely weird name for a network
interface. I would recommend using something that is more obviously an
interface; it makes reading the iptables stuff much easier.
HTH
--
========================================================================
Ian Pilcher arequipeno at gmail.com
"If you're going to shift my paradigm ... at least buy me dinner first."
========================================================================
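The rule set sketched above, assembled into one script as an added example (not code from the thread). Interface and network names are the ones used in the thread; the explicit final DROP rules and the INPUT policy are assumptions (adjust them if the host is meant to serve the guest), and setting DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: the ruleset described for a
# bridged DMZ guest, in one script. Names come from the thread; the final
# DROP rules and the INPUT policy are assumptions (adjust if the host serves
# the guest). Set DRY_RUN=1 to print the commands instead of applying them.

LAN_IF="${LAN_IF:-br0}"                      # bridge facing the local network
DMZ_IF="${DMZ_IF:-bifrost}"                  # interface facing the DMZ guest
LAN_NET="${LAN_NET:-192.168.100.0/24}"       # local network the guest must not reach
DMZ_NET="${DMZ_NET:-10.10.10.0/24}"          # guest network that gets masqueraded

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

dmz_rules() {
    # Enable forwarding now; net.ipv4.ip_forward = 1 in /etc/sysctl.conf keeps it across reboots.
    run sysctl -w net.ipv4.ip_forward=1

    # Masquerade only traffic that originates in the guest network, not everything leaving br0.
    run iptables -t nat -A POSTROUTING -s "$DMZ_NET" -o "$LAN_IF" -j MASQUERADE

    # Guest may open new connections only to destinations outside the local network.
    run iptables -A FORWARD -i "$DMZ_IF" ! -d "$LAN_NET" -j ACCEPT
    # Replies on established connections are accepted in both directions,
    # so inbound connections from the LAN to the guest still work.
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Anything else the guest tries to forward (new connections into the LAN) is dropped
    # explicitly, so the result does not depend on the chain's default policy (assumption).
    run iptables -A FORWARD -i "$DMZ_IF" -j DROP

    # FORWARD does not cover packets addressed to the host itself; INPUT needs its own rules.
    # Assumed policy: the host answers the guest on existing connections only.
    run iptables -A INPUT -i "$DMZ_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -i "$DMZ_IF" -j DROP
}

# Usage: ./dmz-rules.sh apply          (as root)
#        DRY_RUN=1 ./dmz-rules.sh apply (just print the rules)
if [ "${1:-}" = "apply" ]; then
    dmz_rules
fi
```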