On 11/13/2017 03:25 PM, Colony.three via Shorewall-users wrote:
>
>> I've given up on trying to set up a Private Virtual Network in
>> virt-manager (KVM), as it does not work. (CentOS7.4 all 'round)
>>
>> So I've now assigned a hardware ethernet port to the DMZ VM and one to
>> the router VM, just like all the other VMs. The DMZ and router have
>> their own IP class C's (different from the LAN). I'm uneasy with
>> this, as if an interface could be put in promiscuous...
>>
>> But what else am I going to do? Using a bridge isn't very secure as
>> it depends on a software driver, and if a flaw is found/exists in
>> that? It is hard to get bolt-sure isolation from some VMs, with
>> communication in others.
>>
>> With hardware interfaces and SNAT MASQUERADE defined for the LAN IP
>> and DMZ IP, the LAN can get out to the WAN -- but not the DMZ
>> machine. Nothing in the logs, as usual.
>
> Presuming that my LAN has to be NATted to the DMZ in the router to SSH
> into it, I added in snat:
Your LAN does NOT have to be NATted to your DMZ.

> SNAT(10.1.111.3) 192.168.1.2 10.1.111.2 ssh
>
> Not understanding what to put in () (and it doesn't work without
> something) I put in an IP that's in the same class C as the DMZ, which
> otherwise isn't being used. 192.168.1.2 is the source IP in the LAN and
> 10.1.111.2 is the DMZ interface in the router which is supposed to point
> to the DMZ machine at 10.1.111.30.
>
> But now Shorewall won't start because it does not recognize the service
> ssh! WTH? I knew it's good but just to be sure I checked
> /etc/services, and yep, port 22.

You are missing the protocol column. Also, the syntax of the destination
column requires an interface name.

>
> Even if this worked, another problem with this is that if I snat all SSH
> traffic to the DMZ, I can no longer SSH out to The Internets.
> Everything gets turned around to the DMZ.
>
> I can't believe there isn't a writeup on this anywhere.
>

What is different about your configuration and the one shown in the Three
Interface Howto (http://www.shorewall.org/three-interface.htm)?

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
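The column errors Tom points out, and the no-NAT-between-LAN-and-DMZ layout he recommends, shown as an added illustration that is not part of this email thread or of Shorewall's own documentation. The interface names eth0 (WAN), eth1 (LAN) and eth2 (DMZ), the two /24 networks, and the zone names loc and dmz are assumed; only the addresses 192.168.1.2, 10.1.111.2 and 10.1.111.3 come from the thread.

```text
# /etc/shorewall/snat   (Shorewall 5 column layout; interface names assumed)
#ACTION            SOURCE           DEST    PROTO   PORT(S)
#
# The entry from the thread fails on two counts: the PROTO column is
# empty (the service name "ssh" lands in the wrong column), and DEST
# holds a host address where Shorewall requires an interface name.
#SNAT(10.1.111.3)  192.168.1.2      10.1.111.2      ssh
#
# The same intent written so that it parses: PROTO is tcp, the port is
# numeric, and DEST is the DMZ-facing interface (assumed eth2).
#SNAT(10.1.111.3)  192.168.1.2      eth2    tcp     22
#
# What the three-interface layout actually needs: masquerade both
# internal networks (assumed /24s) out of the WAN interface only.
# Traffic between LAN and DMZ is routed and filtered, not NATted.
MASQUERADE         192.168.1.0/24   eth0
MASQUERADE         10.1.111.0/24    eth0

# /etc/shorewall/rules   (zone names loc and dmz assumed)
#ACTION   SOURCE   DEST   PROTO   DPORT
# Allow SSH from the LAN zone into the DMZ zone; SSH from the LAN to
# the Internet is unaffected because nothing redirects port 22.
ACCEPT    loc      dmz    tcp     22
```

With NAT confined to the WAN interface, a LAN host connects to the DMZ machine by its real address 10.1.111.30, and the DMZ's own logs record the true LAN source rather than a translated one.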
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users