Shorewall config, allow dmz to access internet

Posted on 2010-01-04
Last Modified: 2013-11-16
I have Shorewall on a Xen DomU, which will firewall virtual machines in the DMZ and the internal network. I successfully got it to NAT httpd connections to a machine in the DMZ, so the key functionality is in place.

Somehow I managed to break the ability of the machine in the DMZ to access the internet (which it needs to do in order to use yum, amongst other things).

Can anyone spot where I have messed up? Relevant settings below:

# /etc/shorewall/interfaces
net     eth0      tcpflags,nosmurfs,routefilter
dmz     eth1      tcpflags,nosmurfs,routefilter

# /etc/shorewall/masq  (INTERFACE  SOURCE): masquerade eth1 traffic leaving via eth0
eth0                    eth1

# /etc/shorewall/policy  (SOURCE  DEST  POLICY  LOG LEVEL)
net             all             DROP            info
all             all             REJECT          info

# /etc/shorewall/rules  (ACTION  SOURCE  DEST  PROTO  DEST PORT)
DNAT            net             dmz:            tcp     www
HTTP(ACCEPT)    dmz             net
HTTP(ACCEPT)    $FW             dmz
HTTP(ACCEPT)    $FW             net

DNS(ACCEPT)     dmz             net
DNS(ACCEPT)     $FW             net

From firewall I can access httpd page on dmz and can ping both ways (other rules). Can also access the nat'd dmz server from the 'external' network (machine is on a local 192.168.0 network for building).

Question by:richp10
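The rules and policy fragments above can be checked mechanically before looking elsewhere. The following is an added example, not Shorewall's own code and not from the thread: a toy evaluator that applies the posted rows to the flows a DMZ host needs for yum (DNS lookups and HTTP fetches) and to inbound web traffic. It assumes a simplified Shorewall semantic (rules are matched in order before policies, the first matching rule decides, otherwise the first matching policy row applies with `all` as a wildcard, and a plain DNAT rule also accepts the translated traffic); the HTTP/DNS macro expansions and the DMZ address `10.0.1.10` are assumed or constructed.

```python
"""Toy evaluator for the Shorewall fragments posted in the question.

Added example, not Shorewall's own code. It models only what is needed
here, and these are assumptions about Shorewall semantics: rules are
matched in order before policies, the first matching rule decides, and
otherwise the first matching policy row (with 'all' as a wildcard)
applies; a plain DNAT rule also accepts the translated traffic.
"""

# Ports that the HTTP and DNS macros expand to (assumed expansions).
MACROS = {
    "HTTP": [("tcp", 80)],
    "DNS": [("udp", 53), ("tcp", 53)],
}
SERVICE_PORTS = {"www": 80}

# Policy rows from the question: (SOURCE, DEST, POLICY).
POLICY = [
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]

# Rule rows from the question. The DMZ address is not given in the
# thread, so 10.0.1.10 is a constructed placeholder.
RULES_TEXT = """
DNAT            net     dmz:10.0.1.10   tcp     www
HTTP(ACCEPT)    dmz     net
HTTP(ACCEPT)    $FW     dmz
HTTP(ACCEPT)    $FW     net
DNS(ACCEPT)     dmz     net
DNS(ACCEPT)     $FW     net
"""


def parse_rule(line):
    """Expand one rules line into (action, src, dst_zone, proto, port) tuples."""
    fields = line.split()
    action_field, src, dst = fields[0], fields[1], fields[2]
    if "(" in action_field:  # macro form such as HTTP(ACCEPT)
        macro, action = action_field.rstrip(")").split("(")
        protos = MACROS[macro]
    else:  # explicit PROTO and DEST PORT columns
        action = action_field
        port = fields[4]
        protos = [(fields[3], SERVICE_PORTS.get(port, port))]
    dst_zone = dst.split(":")[0]  # "dmz:10.0.1.10" -> zone "dmz"
    return [(action, src, dst_zone, proto, int(port)) for proto, port in protos]


RULES = [
    rule
    for line in RULES_TEXT.strip().splitlines()
    if line.strip()
    for rule in parse_rule(line)
]


def evaluate(src, dst, proto, port, rules=RULES, policy=POLICY):
    """Return the verdict for a new connection from zone src to zone dst."""
    for action, rsrc, rdst, rproto, rport in rules:
        if (rsrc, rdst, rproto, rport) == (src, dst, proto, port):
            return "ACCEPT" if action == "DNAT" else action
    for psrc, pdst, verdict in policy:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return verdict
    return "REJECT"  # not reached while an all/all policy row exists


def dmz_to_net_flows():
    """The flows a DMZ host needs for yum: DNS lookups and HTTP(S) fetches."""
    return {
        "dns": evaluate("dmz", "net", "udp", 53),
        "http": evaluate("dmz", "net", "tcp", 80),
        "https": evaluate("dmz", "net", "tcp", 443),
    }


if __name__ == "__main__":
    for name, verdict in dmz_to_net_flows().items():
        print(f"dmz -> net {name}: {verdict}")
    print("net -> dmz tcp/80:", evaluate("net", "dmz", "tcp", 80))
    print("net -> dmz tcp/22:", evaluate("net", "dmz", "tcp", 22))
```

Under this model the posted rows already allow dmz to net on udp/53 and tcp/80, so the firewall rules are not what blocks yum; only tcp/443 from the DMZ falls through to the REJECT policy, which matters if a mirror redirects to HTTPS. That points the search at routing rather than filtering, which is where the accepted answer goes.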

    Expert Comment

    Where do you have the internet connected? You only list two interfaces - internal network and DMZ.

    Author Comment

    net is the internet.

    Dom0 is bridged to firewall DomU - so eth0 on the firewall is a public ip address - so is an external public ip address (choice of ip is just for internal setup and configuration, this will be changed in production).

    From rest of the network, I can browse to and see the Apache welcome page served from domU, which is just what I wanted.

    Problem now is that it cannot reach the internet itself - so yum install does not work there..

    Annoyingly, it was working but I lost track of changes I made and broke it..

    Regards R

    Accepted Solution

    What is the default gateway on the machine? What is the default gateway on
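The two gateways the answer asks about can be verified from `ip route` output on each end. This is an added example, not from the thread: it parses constructed routing tables for the firewall DomU and the DMZ guest (addresses and interface names are assumed) and reports the same kind of gap the author found. Since the thread does not say what was added to ifcfg-eth0, the check covers both ends: the firewall needs a default route out of its net interface, and the DMZ host needs the firewall's DMZ-side address as its default gateway.

```python
"""Routing sanity check for the gateways the accepted answer asks about.

Added example, not from the thread. It parses `ip route` output captured
from the firewall DomU and from the DMZ guest; the samples below are
constructed, and the addresses and interface names are assumed.
"""
import ipaddress

FW_ROUTES_TEXT = """
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.50
10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.1
"""

# A DMZ guest with no default route at all (constructed failure case).
DMZ_ROUTES_BROKEN = """
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.10
"""

# The same guest once its default gateway points at the firewall's eth1.
DMZ_ROUTES_OK = DMZ_ROUTES_BROKEN + "default via 10.0.1.1 dev eth0\n"


def parse_routes(text):
    """Turn `ip route` lines into dicts with dst plus via/dev/src keywords."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        entry = {"dst": fields[0]}
        for i, tok in enumerate(fields):
            if tok in ("via", "dev", "src"):
                entry[tok] = fields[i + 1]
        routes.append(entry)
    return routes


def default_route(routes):
    return next((r for r in routes if r["dst"] == "default"), None)


def interface_addr(routes, dev):
    """Source address of the connected route on dev, i.e. that interface's IP."""
    for r in routes:
        if r["dst"] != "default" and r.get("dev") == dev and "src" in r:
            return r["src"]
    return None


def gateway_on_link(routes, gateway):
    """A gateway is only usable if some connected route covers it."""
    gw = ipaddress.ip_address(gateway)
    return any(
        r["dst"] != "default" and gw in ipaddress.ip_network(r["dst"], strict=False)
        for r in routes
    )


def check_dmz_path(fw_routes, dmz_routes, fw_net_if="eth0", fw_dmz_if="eth1"):
    """Return a list of problems; an empty list means both gateways look right."""
    problems = []
    fw_default = default_route(fw_routes)
    if fw_default is None:
        problems.append("firewall has no default route")
    elif fw_default.get("dev") != fw_net_if:
        problems.append(f"firewall default route uses {fw_default.get('dev')}, not {fw_net_if}")

    fw_dmz_addr = interface_addr(fw_routes, fw_dmz_if)
    dmz_default = default_route(dmz_routes)
    if dmz_default is None:
        problems.append("DMZ host has no default route")
    else:
        gateway = dmz_default.get("via")
        if gateway != fw_dmz_addr:
            problems.append(f"DMZ host gateway {gateway} is not the firewall's {fw_dmz_if} address {fw_dmz_addr}")
        if gateway and not gateway_on_link(dmz_routes, gateway):
            problems.append(f"DMZ host gateway {gateway} is not on any connected subnet")
    return problems


if __name__ == "__main__":
    fw = parse_routes(FW_ROUTES_TEXT)
    print("broken:", check_dmz_path(fw, parse_routes(DMZ_ROUTES_BROKEN)))
    print("fixed: ", check_dmz_path(fw, parse_routes(DMZ_ROUTES_OK)))
```

Run it against real output by piping `ip route` from each host into `parse_routes`. A DMZ host that can be reached from outside through DNAT but has no usable default route shows exactly the symptom in the question: inbound connections work because the firewall already knows the DMZ subnet, while the guest's own outbound packets have nowhere to go.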

    Author Comment

    You pointed me in the right direction...

    Added this to the firewall DomU ifcfg-eth0

    And now all is happy in xen domu world..

    Many thanks for your assistance..

    Author Closing Comment

    More a 'direction' rather than solution, but was spot on the right place to look..
