Topology:

               +------------------------+
               | physical machine, dom0 |
               |    +---------------+   |
-- Internet ---+----+ Firewall domU +---+------ Intranet
               |    +-------+-------+   |
               |            |           |
               |            |  DMZ      |
               |    +-------+-------+   |
               |    |       |       |   |
               | +--+--+ +--+--+ +--+--+|
               | |domU1| |domU2| |domU3||
               | +-----+ +-----+ +-----+|
               +------------------------+
gateway 192.168.1.1
dom0 eth0 192.168.1.199
dom0 virbr0 192.168.122.1
On dom0, the firewall:

Reject all access to dom0 except from the local network.

# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT DROP
# iptables -A INPUT -i eth0 -j ACCEPT
# iptables -A INPUT -j REJECT

The first INPUT rule accepts everything that arrives on eth0 (the local network); the final rule rejects everything that did not. Two caveats. The catch-all REJECT also matches packets on lo and on virbr0, so loopback traffic and the DHCP/DNS requests the domUs send to libvirt's dnsmasq on 192.168.122.1 are rejected unless ACCEPT rules for those interfaces are placed ahead of it. And an OUTPUT policy of DROP with no OUTPUT rules stops dom0 from sending anything at all, including the replies to connections the INPUT chain just accepted; forwarded domU traffic is unaffected because it never traverses OUTPUT. Note also that "local network" here only means "arrived on eth0": anything the gateway 192.168.1.1 forwards in from the Internet arrives on eth0 as well, so add -s 192.168.1.0/24 to the rule if the gateway does not filter on its own.
Next, SNAT packets from the domU subnet: traffic from 192.168.122.0/24 to any destination outside that subnet is rewritten so it leaves with dom0's eth0 address, 192.168.1.199. SNAT rules live in the nat table, so the POSTROUTING chain must be selected with -t nat (the filter table has no POSTROUTING chain and the command fails without it), and the negated destination is written ! -d; the older -d ! form is deprecated.

# iptables -t nat -A POSTROUTING -p tcp -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j SNAT --to 192.168.1.199
# iptables -t nat -A POSTROUTING -p udp -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j SNAT --to 192.168.1.199
# iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j SNAT --to 192.168.1.199

The third rule has no protocol match, so it already covers TCP and UDP and would suffice on its own. Forwarding also requires net.ipv4.ip_forward=1 in the kernel, and libvirt's default NAT network installs equivalent MASQUERADE rules for 192.168.122.0/24 when it starts, so these manual rules only matter when that network is not doing its own NAT.
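The complete dom0 rule set for this topology, as an added example that is not part of the original post: a script that prints the rules as a list of iptables commands so they can be reviewed, and applies them only when asked. It keeps the post's interfaces and addresses (eth0, virbr0, 192.168.1.199, 192.168.122.0/24) but departs from the post's policies: OUTPUT is ACCEPT so dom0 can answer the connections it accepts, FORWARD is DROP with explicit rules for the domU subnet only, the local-network accept is restricted to 192.168.1.0/24, lo and the DHCP/DNS ports on virbr0 get their own ACCEPT rules ahead of the catch-all REJECT, and the SNAT rule sits in the nat table with -t nat and -o eth0. The function names gen_rules, apply_rules and rule_count are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate the dom0 rule set
# for the topology above as a list of iptables commands, then optionally
# apply it. Interfaces and addresses are the post's; the function and
# variable names are assumptions of this example.
set -u

LAN_IF=eth0                 # dom0's interface on the local network
LAN_NET=192.168.1.0/24      # local network behind gateway 192.168.1.1
DOM0_LAN_IP=192.168.1.199   # SNAT source address for the domUs
VIRBR_IF=virbr0             # libvirt bridge; dom0 side is 192.168.122.1
DOMU_NET=192.168.122.0/24   # domU subnet

# Print the rules, one command per line. Default policy is DROP on INPUT
# and FORWARD, so anything not listed here is dropped rather than accepted.
# The DHCP rule deliberately has no -s match: DHCP DISCOVER arrives from
# source 0.0.0.0, which is outside the domU subnet.
gen_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $VIRBR_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $VIRBR_IF -s $DOMU_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $VIRBR_IF -s $DOMU_NET -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -j REJECT
iptables -A FORWARD -i $VIRBR_IF -o $LAN_IF -s $DOMU_NET ! -d $DOMU_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VIRBR_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $LAN_IF -s $DOMU_NET ! -d $DOMU_NET -j SNAT --to-source $DOM0_LAN_IP
EOF
}

# Execute the generated rules (needs root); sh -e stops at the first
# command that fails, so a typo does not leave a half-applied rule set.
apply_rules() {
    gen_rules | sh -e
}

# Number of commands that would be executed, for a quick sanity check.
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = apply ]; then
    apply_rules
else
    gen_rules
fi
```

Run it without arguments to review the commands, and with apply as root to install them; the single SNAT rule without a protocol match replaces the post's three, since it covers TCP, UDP and everything else in one line.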