On 11/13/2017 08:02 AM, Colony.three via Shorewall-users wrote:
> 
>> Typical setup.  All systems running CentOS7.4 on KVM.  Shorewall
>> 5.0.14.1.  Communication with DMZ by a virtual private bridge built in
>> virt-manager, and communication between LAN machines is by SRIOT
>> ethernet hardware.
>>
>> The router is a VM with 3 interfaces -- fiberoptic, LAN, DMZ -- and I
>> followed the doc for 3 interfaces, setting the SNAT file:
>> MASQUERADE      10.1.111.30/32,192.168.1.0/24   eth1
>> (DMZ: 10.  LAN: 192.)
>>
>> LAN masquerades through the router fine.  From the router I can ping
>> the dmz and ssh to it just fine.
>>
>> Problem is the dmz machine can't ping out;  can't even get
>> nameservice.  And dmesg in both the dmz and router show -nothing- in
>> dmesg.
>>
>> Also I can't ssh from the lan to the dmz machine.  I can ping it from
>> the router, and ssh in, but not from the LAN.
>>
> 
> Here's the routing table on the router:
> 
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         50-105-82-1.hll 0.0.0.0         UG    0      0        0 eth1
> 10.1.111.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 50.105.82.0     0.0.0.0         255.255.240.0   U     0      0        0 eth1
> link-local      0.0.0.0         255.255.0.0     U     1002   0        0 ens10
> link-local      0.0.0.0         255.255.0.0     U     1003   0        0 eth1
> link-local      0.0.0.0         255.255.0.0     U     1004   0        0 eth0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens10
> 
> I can see why the LAN and DMZ should masquerade through the router to
> the world (although the DMZ does not).  But how would I wire it so I can
> ssh from the LAN to the DMZ?  Seems like SSH should go from the LAN into
> the router, and then out the DMZ because that's where its destination
> address is.  So no masquerading should be necessary?  Unfortunately it
> is not, and there's nothing in the logs.
> 

We need to see the output of 'shorewall dump'. Please forward it as a
compressed attachment; you can send it to me privately if you like.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
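For readers following the thread: below is an added example of a minimal Shorewall 5 three-interface layout (not the poster's actual files, which the thread never shows, and not Tom's reply). Interface names are taken from the routing table quoted above (eth1 = Internet, ens10 = LAN, eth0 = DMZ); the zone names, policies and rules follow the shape of the standard three-interface sample and are assumptions. The point it illustrates is that LAN-to-DMZ SSH and DMZ-to-Internet name service are explicit rules, the catch-all policy stays REJECT and is logged, and the snat entry the poster quotes covers both inside networks.

```conf
# /etc/shorewall/zones      (added example, assumed zone names)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces  (names from the quoted routing table)
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth1        tcpflags,nosmurfs,routefilter,logmartians
loc     ens10       tcpflags,nosmurfs,routefilter,logmartians
dmz     eth0        tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy
# Only loc->net is allowed by policy. loc->dmz and dmz->net fall through to
# the final "all all REJECT info" unless a rule below permits them, and
# each such rejection is logged at level info, so a silent drop points at
# something other than policy (routing, the VM bridge, or a host firewall).
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION         SOURCE  DEST    PROTO   DPORT
# LAN administration of the DMZ host: SSH only, not a blanket ACCEPT.
SSH(ACCEPT)     loc     dmz
# DMZ hosts may resolve names and fetch updates, nothing else outbound.
DNS(ACCEPT)     dmz     net
Web(ACCEPT)     dmz     net
# Router itself: ICMP echo from anywhere, SSH from the LAN only.
Ping(ACCEPT)    all     $FW
SSH(ACCEPT)     loc     $FW

# /etc/shorewall/snat   (Shorewall 5.0.14 format; same entry the poster uses)
# SNAT is only needed for traffic leaving on eth1; loc->dmz is plain
# routed forwarding and needs no NAT, only the rule above.
#ACTION         SOURCE                          DEST
MASQUERADE      10.1.111.30/32,192.168.1.0/24   eth1
```

After editing, `shorewall check` validates the files and `shorewall dump` (as Tom asks for) shows the generated chains and the routing, which is what confirms whether a given path is being rejected by policy or never reaching the router at all.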

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
