On 25.07.2013 22:17, Bill Davidsen wrote:
Reindl Harald wrote:
>> On the workstation IPv4 forwarding is on:
>> $ cat /proc/sys/net/ipv4/ip_forward
>> 1
>>
>> So how do I make firewalld allow pings and ssh from remote hosts?
>
> no idea about firewalld, with iptables.service it is easy
> however you need iptables-forwarding and masquerade for NAT
>
> * vmnet8 -> virtual interface the VM's are running on
> * eth0 -> LAN interface of the host
> * 10.0.0.0/24 -> LAN network (host and other machines)
> * 192.168.197.0/24 -> Network with the VMs
>
> iptables -A FORWARD -i eth0 -o vmnet8 -s 10.0.0.0/24 -d 192.168.197.0/24 -j ACCEPT
> iptables -A FORWARD -i vmnet8 -o eth0 -s 192.168.197.0/24 -d 10.0.0.0/24 -j ACCEPT
> iptables -A POSTROUTING -o vmnet8 -t nat -s 10.0.0.0/24 -j MASQUERADE
>
> Several thoughts on this. First, this should come after the rule Fedora provides to
> ACCEPT packets that are ESTABLISHED or RELATED. That means that once the connection is
> set up, the first rule will accept the packets, and reduce CPU usage as well as latency.
That's a different thing, and if I came up here with my 548-line iptables script
resulting in 1318 lines I would hardly have helped someone :-)
[root@srv-rhsoft:~]$ cat /scripts/iptables.sh | wc -l
548
[root@srv-rhsoft:~]$ /usr/sbin/iptables --list --numeric --verbose | grep -v LOG | wc -l
1318
> The other is less obvious: these rules should be qualified with tests for NEW
> connections, so some tricks involving sending in a packet as if it were part of an
> existing connection won't work. So if you add:
> -m state --state NEW
> to those rules before -j, you will cheaply protect machines beyond the firewall. Yes,
> there are some obscure protocols which fail to be set ESTABLISHED; hopefully these are
> uncommon enough that if you use them you can put other qualifiers on the connect
Uhm, no: the intention of my example was to make the machines behind the virtual NAT
accessible the same way as they would be as physical machines on the same network.
That you can add source-, target-, port- or multiport-specific rules is a different
topic; my intention was to show how forwarding/masquerading between different NATs
works, and assuming that the VM network is inside a LAN, the above would be OK.
If you need to access the guests from the internet you need to specify ports
and single addresses to be on the safe side anyway.
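The two positions in the thread fit together; the following script is an added example and is not code posted by either participant. It prints an iptables-restore ruleset that keeps Reindl's LAN <-> vmnet8 FORWARD rules and MASQUERADE, puts the ESTABLISHED,RELATED shortcut Bill mentions in front of them, qualifies every path-opening ACCEPT with NEW, and in "wan" mode adds the "single port, single address" case for internet access. Interface names and the 10.0.0.0/24 and 192.168.197.0 networks come from the thread; the /24 mask on the VM network, the WAN interface `ppp0`, the guest address 192.168.197.10 and the public port 2222 are assumptions made for this example, as are the helper names `gen_rules`, `established_first` and `count_new`.

```shell
#!/bin/sh
# Added example for this thread, not code posted by either participant.
# Prints an iptables-restore ruleset for a host that NATs between its LAN
# interface and the VM network on vmnet8.  Interface names and networks are
# the thread's; the /24 on the VM network, the WAN interface and the exposed
# guest/port are assumptions for illustration.

LAN_IF=eth0
VM_IF=vmnet8
LAN_NET=10.0.0.0/24
VM_NET=192.168.197.0/24        # assumed mask; the thread gives only the network address
WAN_IF=ppp0                    # hypothetical internet-facing interface
SSH_GUEST=192.168.197.10       # hypothetical guest to expose
SSH_PUBLIC_PORT=2222           # hypothetical public port forwarded to the guest's 22

# gen_rules MODE: print an iptables-restore file.
#   lan - guests reachable from the LAN like physical neighbours (Reindl's intent)
#   wan - additionally exactly one port of exactly one guest reachable from the internet
gen_rules() {
    mode=${1:-lan}
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Shortcut first: packets of an already tracked connection are accepted here,
# so the per-direction rules below are only evaluated for the opening packet.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only connection-opening packets reach these rules; a packet crafted to look
# like part of an existing flow matches nothing and falls through to the DROP policy.
-A FORWARD -i $LAN_IF -o $VM_IF -s $LAN_NET -d $VM_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $VM_IF -o $LAN_IF -s $VM_NET -d $LAN_NET -m state --state NEW -j ACCEPT
EOF
    if [ "$mode" = wan ]; then
        # Internet side: single address, single port, still NEW only.
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $VM_IF -d $SSH_GUEST -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    fi
    printf '%s\n' "COMMIT" "*nat" ":PREROUTING ACCEPT [0:0]" ":POSTROUTING ACCEPT [0:0]"
    if [ "$mode" = wan ]; then
        # Port forward from the public port to the guest's sshd.
        printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp --dport $SSH_PUBLIC_PORT -j DNAT --to-destination $SSH_GUEST:22"
    fi
    # LAN hosts appear to the guests with the host's vmnet8 address, as in the thread.
    printf '%s\n' "-A POSTROUTING -o $VM_IF -s $LAN_NET -j MASQUERADE" "COMMIT"
}

# established_first MODE: succeed only when the ESTABLISHED,RELATED rule
# precedes every NEW-qualified rule in the generated ruleset.
established_first() {
    rules=$(gen_rules "$1")
    est=$(printf '%s\n' "$rules" | grep -n -- '--state ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1)
    new=$(printf '%s\n' "$rules" | grep -n -- '--state NEW' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

# count_new MODE: number of NEW-qualified ACCEPT rules in the generated ruleset.
count_new() {
    gen_rules "$1" | grep -c -- '--state NEW'
}

if [ $# -gt 0 ]; then
    gen_rules "$1"
fi
```

Usage on the host (as root, with `net.ipv4.ip_forward=1` as in the original question): `sh rules.sh lan > /etc/sysconfig/iptables-vm && iptables-restore < /etc/sysconfig/iptables-vm`, or `sh rules.sh wan` for the port-forwarded variant. `-m state` is kept because that is what the thread uses; current iptables spells the same match `-m conntrack --ctstate`. The FORWARD policy is DROP, so a protocol whose packets never become ESTABLISHED (Bill's caveat) needs its own explicit rule rather than an unqualified ACCEPT.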