I have shorewall on xen DomU, which will firewall virtual machines in dmz and internal network. Successfully got it to nat httpd connections to machine in DMZ, so key functionality is in place.
Somehow I managed to break the ability of the machine in DMZ to access the internet (which it needs to do in order to use yum, amongst other things).
Can anyone spot where I have messed up? Relevant settings below:
```
net eth0 192.168.0.99 tcpflags,nosmurfs,routefilter
dmz eth1 10.10.10.1 tcpflags,nosmurfs,routefilter

net all DROP info
all all REJECT info

DNAT net dmz:10.10.10.2 tcp www
HTTP(ACCEPT) dmz net
HTTP(ACCEPT) $FW dmz
HTTP(ACCEPT) $FW net
DNS(ACCEPT) dmz net
DNS(ACCEPT) $FW net
```
From firewall I can access httpd page on dmz and can ping both ways (other rules). Can also access the nat'd dmz server from the 'external' network (machine is on a local 192.168.0 network for building).
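A small audit helper, added here as an example and not part of the question above: given a Shorewall `policy` and `rules` table, it prints which rules accept traffic for a zone pair and which policy line catches everything the rules do not mention. The tables embedded in the script are constructed copies of the lines in the question, and the helper assumes the standard column order (SOURCE DEST ACTION for `policy`, ACTION SOURCE DEST for `rules`) and Shorewall's first-match semantics for `policy`. It does not replace `shorewall check` or `shorewall show`; it only makes it easy to compare what a zone pair is allowed to do with what a host in that zone actually needs.

```shell
#!/bin/sh
# Constructed sample tables (copied from the question, not read from /etc/shorewall).
POLICY='net all DROP info
all all REJECT info'

RULES='DNAT net dmz:10.10.10.2 tcp www
HTTP(ACCEPT) dmz net
HTTP(ACCEPT) $FW dmz
HTTP(ACCEPT) $FW net
DNS(ACCEPT) dmz net
DNS(ACCEPT) $FW net'

# policy_for SRC DST
# Prints the ACTION of the first policy line matching the zone pair;
# "all" matches any zone, and Shorewall applies the first match.
policy_for() {
  printf '%s\n' "$POLICY" | awk -v s="$1" -v d="$2" \
    '($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }'
}

# accepted_rules SRC DST
# Prints the ACTION column of every rules line that accepts SRC -> DST,
# matching a DEST written as "zone" or "zone:address".
accepted_rules() {
  printf '%s\n' "$RULES" | awk -v s="$1" -v d="$2" \
    '$1 ~ /ACCEPT/ && $2 == s && ($3 == d || index($3, d ":") == 1) { print $1 }'
}

# count_accepted SRC DST: number of accepting rules for the pair (awk avoids wc padding).
count_accepted() {
  accepted_rules "$1" "$2" | awk 'END { print NR }'
}

# report SRC DST: human-readable summary for one zone pair.
report() {
  echo "$1 -> $2:"
  echo "  accepted by rules : $(accepted_rules "$1" "$2" | tr '\n' ' ')"
  echo "  everything else   : $(policy_for "$1" "$2")"
}

report dmz net
report net dmz
```

Running it shows that for `dmz -> net` only the `HTTP(ACCEPT)` and `DNS(ACCEPT)` macros match, and anything not covered by those macros falls through to the `all all REJECT` policy; for `net -> dmz` nothing in `rules` accepts by zone (the `DNAT` line is handled separately) and the `net all DROP` policy applies.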