> I've given up on trying to set up a Private Virtual Network in virt-manager 
> (KVM), as it does not work.  (CentOS 7.4 all 'round)
>
> So I've now assigned a hardware ethernet port to the DMZ VM and one to the 
> router VM, just like all the other VMs.  The DMZ and router have their own IP 
> class C's (different from the LAN).  I'm uneasy with this, as if an interface 
> could be put in promiscuous...
>
> But what else am I going to do?  Using a bridge isn't very secure as it 
> depends on a software driver, and if a flaw is found/exists in that?  It is 
> hard to get bolt-sure isolation from some VMs, with communication in others.
>
> With hardware interfaces and SNAT MASQUERADE defined for the LAN IP and DMZ 
> IP, the LAN can get out to the WAN -- but not the DMZ machine.  Nothing in 
> the logs, as usual.

Presuming that my LAN has to be NATted to the DMZ in the router to SSH into it, 
I added in snat:
SNAT(10.1.111.3) 192.168.1.2                   10.1.111.2        ssh

Not understanding what to put in () (and it doesn't work without something), I 
put in an IP that's in the same class C as the DMZ, which otherwise isn't being 
used.  192.168.1.2 is the source IP in the LAN and 10.1.111.2 is the DMZ 
interface in the router, which is supposed to point to the DMZ machine at 
10.1.111.30.

But now Shorewall won't start because it does not recognize the service ssh!  
WTH?  I knew it was good, but just to be sure I checked /etc/services, and yep, 
port 22.

Even if this worked, another problem with this is that if I snat all SSH 
traffic to the DMZ, I can no longer SSH out to The Internets.  Everything gets 
turned around to the DMZ.

I can't believe there isn't a writeup on this anywhere.
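The following is an added worked example, not configuration from the original post or from the Shorewall project. It shows the Shorewall 5 file layout for the three-zone router described above (LAN 192.168.1.0/24, DMZ 10.1.111.0/24, router's DMZ address 10.1.111.2, DMZ host 10.1.111.30, all taken from the thread). The zone names lan/dmz/net and the interface names eth0/eth1/eth2 are assumptions. The security-relevant points it makes: the snat file's columns are ACTION SOURCE DEST PROTO PORT, so a service name such as "ssh" has to go in PORT (as 22 or ssh) with tcp in PROTO, and DEST is the outgoing interface, not a host address; LAN-to-DMZ SSH needs only routing plus an ACCEPT rule, no NAT at all; and because an snat entry is scoped to one interface, an SNAT rule on the DMZ interface cannot capture SSH leaving the WAN interface.

```conf
# /etc/shorewall/zones   (added example; zone names are assumptions)
#ZONE   TYPE
fw      firewall
net     ipv4
lan     ipv4
dmz     ipv4

# /etc/shorewall/interfaces   (interface names are assumptions)
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,nosmurfs,routefilter,tcpflags
lan     eth1        nosmurfs,tcpflags
dmz     eth2        nosmurfs,tcpflags

# /etc/shorewall/policy   (default deny between zones, and log every drop
# so that a blocked connection shows up in the log instead of vanishing)
#SOURCE   DEST   POLICY   LOGLEVEL
lan       net    ACCEPT
dmz       net    ACCEPT
lan       dmz    DROP     info
dmz       lan    DROP     info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules   (this is what lets the LAN host SSH into the DMZ
# host: the router forwards between the two subnets, no NAT involved)
#ACTION   SOURCE            DEST              PROTO   DPORT
ACCEPT    lan:192.168.1.2   dmz:10.1.111.30   tcp     22

# /etc/shorewall/snat   (columns: ACTION SOURCE DEST PROTO PORT)
#ACTION             SOURCE            DEST    PROTO   PORT
# Hide LAN and DMZ behind the WAN interface's address when going to the Internet.
MASQUERADE          192.168.1.0/24    eth0
MASQUERADE          10.1.111.0/24     eth0
# Only if the DMZ host must see LAN SSH clients as the router's DMZ address.
# DEST is the interface the packet leaves on, so this touches packets going
# out eth2 only; SSH leaving eth0 to the Internet keeps its MASQUERADE above.
# The address in SNAT() must be one the router actually answers for on eth2
# (10.1.111.2 is its own DMZ address); an unused address like 10.1.111.3 would
# send replies to nobody unless ADD_SNAT_ALIASES=Yes in shorewall.conf.
SNAT(10.1.111.2)    192.168.1.0/24    eth2    tcp     22
```

Run `shorewall check` before `shorewall restart`; it compiles the files without loading them, so a misplaced column (for example a port name in PROTO) is reported up front rather than leaving the router with no firewall. If the DMZ host still cannot reach the Internet after this, the dmz-to-net ACCEPT policy above and the second MASQUERADE line are the two entries to verify, and the `info` log levels make the drop visible in the kernel log.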
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users