OK, I have a few comments and suggestions.  Worth every cent you paid
for them.

On 12/28/2011 10:35 AM, Tom Horsley wrote:
> echo 1 > /proc/sys/net/ipv4/ip_forward

You'll want to make this persistent by setting net.ipv4.ip_forward = 1
in /etc/sysctl.conf.

> iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE

This rule is catching everything going out br0, including local traffic.
I would do something like:

  iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o br0 -j MASQUERADE

> iptables -A FORWARD -i br0 -o bifrost -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i bifrost -o br0 -j ACCEPT

These two rules allow your "DMZ" machine to make connections to pretty
much anything.  I would suggest the following.

First, allow the DMZ machine to make connections to hosts that are not
on your local network:

  iptables -A FORWARD -i bifrost ! -d 192.168.100.0/24 -j ACCEPT

Then allow traffic on *all* established connections.

  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

This combination will restrict the DMZ guest from initiating connections
to machines on your local network, but you'll still be able to make
inbound connections the other way, if you wish.

One very important note is that you also need to add appropriate rules
to the INPUT chain on your host.  The rules in the FORWARD chain don't
affect traffic destined for the local host.

Personally, I find bifrost to be an extremely weird name for a network
interface.  I would recommend using something that is more obviously an
interface; it makes reading the iptables stuff much easier.

HTH

-- 
========================================================================
Ian Pilcher                                         arequip...@gmail.com
"If you're going to shift my paradigm ... at least buy me dinner first."
========================================================================
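As an added illustration (not part of Ian's reply or Tom's original mail), here is a small Python model of the two FORWARD rule sets and the two MASQUERADE variants discussed above, evaluated packet by packet in chain order. It assumes things the thread does not state: that the FORWARD chain policy is DROP, that the guest sits in 10.10.10.0/24 behind bifrost, that the LAN is 192.168.100.0/24 on br0, and that conntrack has already un-NATed reply packets before they reach FORWARD. The sample packets are constructed, and the INPUT chain is deliberately left out.

```python
"""Added example: model the FORWARD and POSTROUTING rules from the thread.
Assumptions (not from the thread): FORWARD policy is DROP, the DMZ guest is
10.10.10.0/24 on 'bifrost', the LAN is 192.168.100.0/24 on 'br0', and reply
packets have been un-NATed by conntrack before FORWARD sees them."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.100.0/24")   # LAN subnet used in the reply
DMZ_NET = ip_network("10.10.10.0/24")      # DMZ subnet used in the reply
LAN_IF, DMZ_IF = "br0", "bifrost"
CONN_OK = ("RELATED", "ESTABLISHED")       # conntrack states the state rule passes
POLICY = "DROP"                            # assumed FORWARD chain policy


@dataclass
class Packet:
    in_if: str    # interface the packet arrived on
    out_if: str   # interface it would leave on
    src: str
    dst: str
    state: str    # conntrack state: NEW, ESTABLISHED or RELATED


# Tom's original FORWARD rules, as (iptables text, match function).
ORIGINAL_FORWARD = [
    ("-i br0 -o bifrost -m state --state RELATED,ESTABLISHED -j ACCEPT",
     lambda p: p.in_if == LAN_IF and p.out_if == DMZ_IF and p.state in CONN_OK),
    ("-i bifrost -o br0 -j ACCEPT",
     lambda p: p.in_if == DMZ_IF and p.out_if == LAN_IF),
]

# Ian's suggested rules: the DMZ may only open connections to non-LAN
# destinations; after that, established/related traffic passes both ways.
SUGGESTED_FORWARD = [
    ("-i bifrost ! -d 192.168.100.0/24 -j ACCEPT",
     lambda p: p.in_if == DMZ_IF and ip_address(p.dst) not in LAN_NET),
    ("-m state --state RELATED,ESTABLISHED -j ACCEPT",
     lambda p: p.state in CONN_OK),
]


def forward_verdict(packet, chain, policy=POLICY):
    """Walk the chain in order; first match wins, else the chain policy."""
    for text, matches in chain:
        if matches(packet):
            return "ACCEPT", text
    return policy, "chain policy"


def masquerade(packet, restrict_source=True):
    """POSTROUTING: True if the packet's source address would be rewritten.
    restrict_source=False models the original '-o br0 -j MASQUERADE';
    True models the suggested '-s 10.10.10.0/24 -o br0 -j MASQUERADE'."""
    if packet.out_if != LAN_IF:
        return False
    return ip_address(packet.src) in DMZ_NET if restrict_source else True


# Constructed sample traffic that traverses FORWARD.
SAMPLES = {
    "dmz -> internet, new":   Packet(DMZ_IF, LAN_IF, "10.10.10.5", "203.0.113.7", "NEW"),
    "internet -> dmz, reply": Packet(LAN_IF, DMZ_IF, "203.0.113.7", "10.10.10.5", "ESTABLISHED"),
    "dmz -> lan host, new":   Packet(DMZ_IF, LAN_IF, "10.10.10.5", "192.168.100.10", "NEW"),
    "lan -> dmz, new":        Packet(LAN_IF, DMZ_IF, "192.168.100.10", "10.10.10.5", "NEW"),
    "dmz -> lan, reply":      Packet(DMZ_IF, LAN_IF, "10.10.10.5", "192.168.100.10", "ESTABLISHED"),
}
# Locally generated by the host itself: goes through OUTPUT, not FORWARD, but
# still hits POSTROUTING, which is why the unrestricted MASQUERADE catches it.
HOST_LOCAL = Packet("", LAN_IF, "192.168.100.1", "203.0.113.7", "NEW")


def compare(samples=SAMPLES):
    """Return {name: (original verdict, suggested verdict)} per packet."""
    return {name: (forward_verdict(p, ORIGINAL_FORWARD)[0],
                   forward_verdict(p, SUGGESTED_FORWARD)[0])
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (orig, new) in compare().items():
        print(f"{name:24} original={orig:6} suggested={new}")
    for name, p in list(SAMPLES.items()) + [("host-local out br0", HOST_LOCAL)]:
        print(f"{name:24} masq(any)={masquerade(p, False)!s:5} "
              f"masq(dmz only)={masquerade(p)}")
```

The case worth watching is "dmz -> lan host, new": the original rules accept it, the suggested rules fall through to the DROP policy, while DMZ-to-internet and all reply traffic still pass. "lan -> dmz, new" drops under both sets, so an inbound connection from the LAN to the guest needs its own explicit FORWARD rule, as the reply says.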
