> Typical setup. All systems running CentOS7.4 on KVM. Shorewall 5.0.14.1.
> Communication with DMZ by a virtual private bridge built in virt-manager, and
> communication between LAN machines is by SRIOT ethernet hardware.
>
> The router is a VM with 3 interfaces -- fiberoptic, LAN, DMZ. -- and I
> followed the doc for 3 interface, setting the SNAT file:
> .MASQUERADE 10.1.111.30/32,192.168.1.0/24 eth1
> (DMZ: 10. LAN: 192.)
>
> LAN masquerades through the router fine. From the router I can ping the dmz
> and ssh to it just fine.
>
> Problem is the dmz machine can't ping out; can't even get nameservice. And
> dmesg in both the dmz and router show -nothing- in dmesg.
>
> Also I can't ssh from the lan to the dmz machine. I can ping it from the
> router, and ssh in, but not from the LAN.
Here's the routing table on the router:
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 50-105-82-1.hll 0.0.0.0 UG 0 0 0 eth1
10.1.111.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
50.105.82.0 0.0.0.0 255.255.240.0 U 0 0 0 eth1
link-local 0.0.0.0 255.255.0.0 U 1002 0 0 ens10
link-local 0.0.0.0 255.255.0.0 U 1003 0 0 eth1
link-local 0.0.0.0 255.255.0.0 U 1004 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens10
I can see why the LAN and DMZ should masquerade through the router to the world
(although the DMZ does not). But how would I wire it so I can ssh from the LAN
to the DMZ? Seems like SSH should go from the LAN into the router, and then
out the DMZ because that's where its destination address is. So no
masquerading should be necessary? Unfortunately it is not, and there's nothing
in the logs.
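To reason about the two symptoms above (DMZ host cannot reach out, LAN cannot reach DMZ) it helps to separate what the routing table decides (egress interface) from what the snat entry decides (whether the source gets masqueraded on that interface). The following is an added example, not code from the post or from Shorewall: it parses the routing table exactly as pasted above and the `MASQUERADE 10.1.111.30/32,192.168.1.0/24 eth1` line, does a longest-prefix lookup, and reports whether the snat entry would apply to a given source/destination pair. The `default` and `link-local` names are resolved the way `route` substitutes them from /etc/networks; the sample hosts 10.1.111.5, 10.1.111.31 and 192.168.1.10 are constructed for illustration. It models routing and snat coverage only; whether Shorewall's policy and rules permit the forwarded packet at all is a separate question it does not answer.

```python
import ipaddress

# Routing table as pasted in the post (output of `route`, symbolic names kept).
ROUTE_OUTPUT = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
default 50-105-82-1.hll 0.0.0.0 UG 0 0 0 eth1
10.1.111.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
50.105.82.0 0.0.0.0 255.255.240.0 U 0 0 0 eth1
link-local 0.0.0.0 255.255.0.0 U 1002 0 0 ens10
link-local 0.0.0.0 255.255.0.0 U 1003 0 0 eth1
link-local 0.0.0.0 255.255.0.0 U 1004 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens10
"""

# The snat entry from the post: ACTION SOURCE(S) DEST-INTERFACE.
SNAT_LINE = "MASQUERADE 10.1.111.30/32,192.168.1.0/24 eth1"

# Names that `route` (without -n) substitutes from /etc/networks.
NETWORK_ALIASES = {"default": "0.0.0.0", "link-local": "169.254.0.0"}


def parse_routes(text):
    """Turn `route` output into a list of {net, iface, metric} entries."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        dest, _gw, mask, _flags, metric, _ref, _use, iface = line.split()
        dest = NETWORK_ALIASES.get(dest, dest)
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "iface": iface, "metric": int(metric)})
    return routes


def lookup(routes, addr):
    """Longest-prefix match (lowest metric on ties); returns the egress interface."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r["net"]]
    if not candidates:
        raise LookupError(f"no route to {addr}")
    best = max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["iface"]


def parse_snat(line):
    """Split a snat entry into (action, [source networks], destination interface)."""
    action, sources, dest_iface = line.split()
    return action, [ipaddress.ip_network(s) for s in sources.split(",")], dest_iface


def snat_applies(snat_sources, snat_iface, src, egress_iface):
    """True only if the packet leaves via the snat interface AND src is listed."""
    if egress_iface != snat_iface:
        return False
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in snat_sources)


def trace(routes, snat_line, src, dst):
    """Summarise how the router would handle a forwarded packet src -> dst."""
    action, sources, snat_iface = parse_snat(snat_line)
    egress = lookup(routes, dst)
    return {
        "src": src,
        "dst": dst,
        "egress": egress,
        "snat": action if snat_applies(sources, snat_iface, src, egress) else None,
    }


if __name__ == "__main__":
    routes = parse_routes(ROUTE_OUTPUT)
    # Constructed sample flows: LAN host to the world, DMZ hosts to the world,
    # and LAN host to a DMZ host (the ssh case from the post).
    for src, dst in [("192.168.1.10", "8.8.8.8"),
                     ("10.1.111.30", "8.8.8.8"),
                     ("10.1.111.31", "8.8.8.8"),
                     ("192.168.1.10", "10.1.111.5")]:
        print(trace(routes, SNAT_LINE, src, dst))
```

Running it shows the routing-side picture the post describes: anything not on a connected subnet leaves via eth1, a LAN-to-DMZ packet leaves via eth0 (so the snat entry, which is tied to eth1, is not involved for it), and of the DMZ only the single /32 listed in the snat entry is masqueraded when it leaves eth1.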
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users