Shorewall config, allow dmz to access internet

I have shorewall on xen DomU, which will firewall virtual machines in dmz and internal network.  Successfully got it to nat httpd connections to machine in DMZ, so key functionality is in place.

Somehow I managed to break the ability of the machine in DMZ to access the internet (which it needs to do in order to use yum, amongst other things).  

Can anyone spot where I have messed up? Relevant settings below:

net     eth0    tcpflags,nosmurfs,routefilter
dmz     eth1    tcpflags,nosmurfs,routefilter

eth0                    eth1

net             all             DROP            info
all             all             REJECT          info

DNAT                   net              dmz:  tcp     www
HTTP(ACCEPT)    dmz            net
HTTP(ACCEPT)    $FW            dmz
HTTP(ACCEPT)    $FW            net

DNS(ACCEPT)     dmz             net
DNS(ACCEPT)     $FW            net

From firewall I can access httpd page on dmz and can ping both ways (other rules). Can also access the nat'd dmz server from the 'external' network (machine is on a local 192.168.0 network for building).

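As an added illustration (not code from the question or from Shorewall itself), the small evaluator below replays the decision order Shorewall compiles from the policy and rules excerpts above: the first matching line in rules wins, otherwise the first matching policy line. The macro expansions are assumed to be the relevant parts of Shorewall's HTTP and DNS macros (tcp/80; udp/53 and tcp/53). Run against the posted excerpt it shows that the DMZ is allowed HTTP and DNS towards net, and that anything else from dmz to net falls through to the all/all REJECT policy.

```python
"""Toy replay of a Shorewall policy/rules decision (added example)."""

# Constructed from the question's /etc/shorewall/policy and rules excerpts.
POLICY = """
net     all     DROP    info
all     all     REJECT  info
"""

RULES = """
HTTP(ACCEPT)    dmz     net
HTTP(ACCEPT)    $FW     dmz
HTTP(ACCEPT)    $FW     net
DNS(ACCEPT)     dmz     net
DNS(ACCEPT)     $FW     net
"""

# Assumed subset of Shorewall's macro files: HTTP -> tcp/80, DNS -> udp+tcp/53.
MACROS = {"HTTP": [("tcp", 80)], "DNS": [("udp", 53), ("tcp", 53)]}


def parse_rules(text):
    """Expand ACTION(MACRO) lines into (src, dst, proto, port, action) tuples."""
    expanded = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        action_field, src, dst = fields[:3]
        if "(" in action_field:                      # e.g. HTTP(ACCEPT)
            macro, action = action_field.rstrip(")").split("(")
            for proto, port in MACROS[macro]:
                expanded.append((src, dst, proto, port, action))
        else:                                        # ACTION src dst [proto] [port]
            proto = fields[3] if len(fields) > 3 else "all"
            port = int(fields[4]) if len(fields) > 4 else None
            expanded.append((src, dst, proto, port, action_field))
    return expanded


def parse_policy(text):
    """Keep only SOURCE, DEST and POLICY columns, in file order."""
    return [tuple(l.split()[:3]) for l in text.splitlines() if l.split()]


def verdict(src, dst, proto, port, rules=RULES, policy=POLICY):
    """First matching rule wins; otherwise the first matching policy line."""
    for r_src, r_dst, r_proto, r_port, action in parse_rules(rules):
        if (r_src, r_dst) == (src, dst) and r_proto in (proto, "all") \
                and r_port in (port, None):
            return action
    for p_src, p_dst, action in parse_policy(policy):
        if p_src in (src, "all") and p_dst in (dst, "all"):
            return action
    return "DROP"  # unreachable here: the all/all policy line is a catch-all
```

Because the rule set already permits the DMZ's HTTP and DNS traffic to net, a failure to reach the internet points at routing or masquerading rather than at these lines, which is the direction the accepted answer takes.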
1 Solution
Where do you have the internet connected? You only list two interfaces - internal network and DMZ.
richp10Author Commented:
net is the internet.

Dom0 is bridged to firewall DomU - so eth0 on the firewall is a public ip address - so is an external public ip address (choice of ip is just for internal setup and configuration, this will be changed in production).

From rest of the network, I can browse to and see the Apache welcome page served from domU, which is just what I wanted.

Problem now is that it cannot reach the internet itself - so yum install does not work there.

Annoyingly, it was working but I lost track of changes I made and broke it.

Regards R
What is the default gateway on the machine? What is the default gateway on
richp10Author Commented:
You pointed me in the right direction...

Added this to firewall Domu ifcfg-eth0

And now all is happy in xen domu world.

Many thanks for your assistance.
richp10Author Commented:
More a 'direction' rather than solution, but was spot on the right place to look.
