Put a firewall on Xen dom0

Topology:
               +------------------------+
               | physical machine, dom0 |
               |   +---------------+    |
-- Internet -------+ Firewall domU +--------- Intranet
               |   +------+--------+    |
               |          |             |
               |          |   DMZ       |
               |    +-----+-+-------+   |
               |    |       |       |   |
               | +--+--+ +--+--+ +--+--+|
               | |domU1| |domU2| |domU3||
               | +-----+ +-----+ +-----+|
               +------------------------+

gateway     192.168.1.1
dom0 eth0   192.168.1.199
dom0 virbr0 192.168.122.1

Filter rules on dom0: reject all access to dom0 except from the local network on eth0.

# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT DROP
# iptables -A INPUT -i eth0 -j ACCEPT    # accept all access arriving on eth0 (the local network)
# iptables -A INPUT -j REJECT            # reject everything else (loopback and virbr0 included)

Two caveats before using these rules as they stand. The OUTPUT policy DROP, with no OUTPUT rules at all, keeps dom0 from sending any packet of its own, including the replies to the connections that the eth0 rule accepts; either set OUTPUT to ACCEPT or add matching OUTPUT rules. Traffic routed for the domUs is not affected, because it passes through FORWARD rather than OUTPUT, so the NAT below still works. The catch-all REJECT also matches the loopback interface and virbr0, so libvirt's dnsmasq on 192.168.122.1 can no longer answer DHCP or DNS requests from the domUs; accept -i lo and, if the domUs depend on dnsmasq, DHCP and DNS on virbr0 before the REJECT rule. Note too that -i eth0 alone accepts whatever the gateway 192.168.1.1 forwards from the Internet onto eth0; add the local source prefix (-s) if "local network" is meant literally.
Next, SNAT the packets from the domU subnet: rewrite the source address of tcp and udp traffic (and, with the third rule, everything else) from 192.168.122.0/24 whose destination lies outside that subnet to eth0's address, 192.168.1.199.

# iptables -t nat -A POSTROUTING -p tcp -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j SNAT --to-source 192.168.1.199
# iptables -t nat -A POSTROUTING -p udp -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j SNAT --to-source 192.168.1.199
# iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j SNAT --to-source 192.168.1.199   # icmp and anything else

POSTROUTING lives in the nat table, so -t nat is required; without it iptables reports that the chain does not exist. The negation goes in front of the option (! -d ...); the older "-d ! ..." form is deprecated. The third rule already matches tcp and udp too, so the first two only matter if protocol-specific options (a port range, for instance) are added later; this three-rule layout is the one libvirt installs for its default virbr0 network, with MASQUERADE in place of SNAT. With a fixed eth0 address SNAT is the better choice, since MASQUERADE drops its connection tracking entries whenever the interface goes down. Forwarding must also be enabled (net.ipv4.ip_forward=1), otherwise packets from the domUs never reach FORWARD or POSTROUTING at all.
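
The whole procedure as a single script, added here as an example; it is not the page's own code. It keeps the page's addresses (eth0 192.168.1.199, virbr0 on 192.168.122.0/24) and assumes two things the page does not state: that the local network is 192.168.1.0/24 and that the domUs get DHCP and DNS from libvirt's dnsmasq on virbr0. It departs from the rules above where those would lock dom0 out: OUTPUT is ACCEPT, loopback and established traffic are accepted, and FORWARD passes only domU traffic out through eth0 plus the replies. With DRY_RUN=1 it prints the rules instead of applying them, which is how to review the ruleset before running it as root on dom0.

```shell
#!/bin/sh
# dom0-firewall.sh: added example (not the page's own script).
# Assumed addresses: LAN 192.168.1.0/24 on eth0, dom0 at 192.168.1.199,
# domU bridge virbr0 on 192.168.122.0/24 with libvirt's dnsmasq on dom0.
set -u

LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DOM0_IP=${DOM0_IP:-192.168.1.199}
DMZ_IF=${DMZ_IF:-virbr0}
DMZ_NET=${DMZ_NET:-192.168.122.0/24}
DRY_RUN=${DRY_RUN:-0}

# ipt: apply one iptables command, or with DRY_RUN=1 just print it so the
# ruleset can be reviewed (or tested) without root and without netfilter.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

dom0_firewall() {
    # Without forwarding, domU packets never reach FORWARD or nat/POSTROUTING.
    [ "$DRY_RUN" = 1 ] || sysctl -q -w net.ipv4.ip_forward=1

    # Flush first so re-running the script does not append duplicate rules
    # (this also removes the rules libvirt added for virbr0; we replace them).
    ipt -F
    ipt -t nat -F
    ipt -X

    # Policies: INPUT/FORWARD closed while the rules below are being loaded;
    # OUTPUT stays open so dom0 can answer the connections INPUT accepts.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # INPUT (traffic addressed to dom0 itself)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # "local network" taken literally: interface AND source prefix, so packets
    # the gateway forwards from the Internet onto eth0 do not match.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # DHCP and DNS from the DMZ domUs to libvirt's dnsmasq on virbr0.
    ipt -A INPUT -i "$DMZ_IF" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$DMZ_IF" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$DMZ_IF" -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -j REJECT

    # FORWARD (traffic routed between the domUs and the LAN/Internet):
    # domUs may initiate outward through eth0; only replies come back in.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$DMZ_NET" -j ACCEPT
    ipt -A FORWARD -j REJECT

    # SNAT everything leaving the domU subnet through eth0 to dom0's address;
    # one rule covers tcp, udp and icmp, -o limits the rewrite to eth0.
    ipt -t nat -A POSTROUTING -s "$DMZ_NET" ! -d "$DMZ_NET" -o "$LAN_IF" \
        -j SNAT --to-source "$DOM0_IP"
}

# Usage:  sh dom0-firewall.sh show     (print the ruleset, no root needed)
#         sh dom0-firewall.sh apply    (as root on dom0)
case "${1:-}" in
    show)  DRY_RUN=1; dom0_firewall ;;
    apply) dom0_firewall ;;
esac
```

The ESTABLISHED,RELATED rules are what make the restrictive INPUT and FORWARD policies workable: dom0's own outbound connections and the domUs' outbound connections get their replies back without a separate rule per service. Run "show" first and compare the printed lines with "iptables-save" after "apply" to confirm nothing libvirt re-adds on network restart has crept back in front of the REJECT rules.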
