bridges, NAT, virtual machines, brain hurt :-).

Ian Pilcher arequipeno at gmail.com
Thu Dec 29 16:44:05 UTC 2011


OK, I have a few comments and suggestions.  Worth every cent you paid
for them.

On 12/28/2011 10:35 AM, Tom Horsley wrote:
> echo 1 > /proc/sys/net/ipv4/ip_forward

You'll want to make this persistent by setting net.ipv4.ip_forward = 1
in /etc/sysctl.conf.

> iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE

This rule is catching everything going out br0, including local traffic.
I would do something like:

  iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o br0 -j MASQUERADE

> iptables -A FORWARD -i br0 -o bifrost -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i bifrost -o br0 -j ACCEPT

These two rules allow your "DMZ" machine to make connections to pretty
much anything.  I would suggest the following.

First, allow the DMZ machine to make connections to hosts that are not
on your local network:

  iptables -A FORWARD -i bifrost ! -d 192.168.100.0/24 -j ACCEPT

Then allow traffic on *all* established connections.

  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

This combination will restrict the DMZ guest from initiating connections
to machines on your local network, but you'll still be able to make
inbound connections the other way, if you wish.

One very important note is that you also need to add appropriate rules
to the INPUT chain on your host.  The rules in the FORWARD chain don't
affect traffic destined for the local host.

Personally, I find bifrost to be an extremely weird name for a network
interface.  I would recommend using something that is more obviously an
interface; it makes reading the iptables stuff much easier.

HTH

-- 
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
"If you're going to shift my paradigm ... at least buy me dinner first."
========================================================================
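The advice above, collected into one script. This is an added example, not a script from Ian or from the original poster, and it makes a few assumptions taken from the thread: br0 is the host's bridge onto the LAN (192.168.100.0/24), bifrost is the host side of the VM link, the DMZ guest lives on 10.10.10.0/24 behind NAT, and the FORWARD chain's default policy is DROP (without that policy the ACCEPT rules restrict nothing). The INPUT rules for the guest (replies, DHCP, DNS, drop the rest) are the editor's assumption about what a host on such a setup usually needs; the mail only says that INPUT rules are required.

```shell
#!/bin/sh
# Added example: a complete host ruleset for the bridge + NAT + DMZ-guest
# setup discussed in the thread. Not the original poster's script.
# Assumed names, from the thread: br0 = host bridge to the LAN
# (192.168.100.0/24), bifrost = host side of the VM link, DMZ guest on
# 10.10.10.0/24 behind MASQUERADE. Adjust to your own interfaces/subnets.

LAN_IF="${LAN_IF:-br0}"
DMZ_IF="${DMZ_IF:-bifrost}"
LAN_NET="${LAN_NET:-192.168.100.0/24}"
DMZ_NET="${DMZ_NET:-10.10.10.0/24}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# Every rule passes through this wrapper so the script can be previewed
# without root and without touching the live tables.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Step 1: turn on forwarding now and make it persistent in /etc/sysctl.conf.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'sysctl -w net.ipv4.ip_forward=1\n'
    else
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        grep -qs '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf ||
            printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
    fi
}

# Step 2: masquerade only the DMZ subnet, not everything that leaves br0.
# The nat table sees only the first packet of a connection, so no
# ESTABLISHED rule is needed here.
nat_rules() {
    ipt -t nat -A POSTROUTING -s "$DMZ_NET" -o "$LAN_IF" -j MASQUERADE
}

# Step 3: FORWARD chain. The guest may open connections anywhere except
# the LAN; reply traffic on any established connection passes, which is
# what lets LAN hosts reach the guest if you add rules for that later.
# Assumption: policy DROP, otherwise the two ACCEPTs restrict nothing.
forward_rules() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -i "$DMZ_IF" ! -d "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Step 4: INPUT chain. FORWARD never sees packets addressed to the host
# itself, so the guest's access to the host is decided here.
# Assumption: the guest gets replies plus DHCP and DNS from the host
# (typical for a NAT-ed VM network); everything else from it is dropped.
input_rules() {
    ipt -A INPUT -i "$DMZ_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i "$DMZ_IF" -p udp --dport 67 -j ACCEPT   # DHCP from guest
    ipt -A INPUT -i "$DMZ_IF" -p udp --dport 53 -j ACCEPT   # DNS, if host resolves
    ipt -A INPUT -i "$DMZ_IF" -j DROP
}

apply_all() {
    enable_forwarding
    nat_rules
    forward_rules
    input_rules
}

if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Preview what would be run with `DRY_RUN=1 sh dmz-rules.sh apply`; run it for real as root with `sh dmz-rules.sh apply`. The script appends rules, so run it once on a clean chain (or flush first) rather than on every boot on top of the previous run.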