[CentOS-virt] routing problem with domU bridged to two networks

Wed Mar 7 20:13:26 UTC 2012
Ed Heron <Ed at Heron-ent.com>

On Wed, 2012-03-07 at 20:41 +0200, Peter Peltonen wrote:
> As I received no response on the general CentOS list, I'll repost it
> here as the question is about Xen virtual machine routing.
> 
> 
> This is my network setup:
> http://pastebin.com/kyWpTQYU
> 
> 
> Let's assume my dom0's eth2 public ip is 1.2.3.33 and my dmz network
> 11.22.33.96/255.255.255.224. I have created NAT from my LAN with
> iptables. You can see my /etc/sysconfig/iptables here:
> http://pastebin.com/1FqSTvPH
> 
> 
> And this is my dom0 routing table:
> http://pastebin.com/gNjTFHp5
> 
> 
> My goal:
> 
> To access NFS shares on a (non-virtualized) file server in the LAN
> network from the domU web server in the DMZ network.
> 
> 
> What I tried:
> 
> I attached the domU to both bridges using this Xen config:
> 
> vif = [ "mac=00:0c:29:de:3a:fe,bridge=xenbr0","mac=00:0C:29:76:19:85,bridge=xenbr1" ]
> 
> and then created two eth interfaces inside the domU mapping to the MAC
> addresses above, giving eth1 an IP from the DMZ (11.22.33.111) and
> giving eth2 an IP from the LAN (192.168.0.12). After this I mounted
> the NFS share from the file server (192.168.0.2).
> 
> 
> My problem:
> 
> If my domU web server is connected to both LAN and DMZ using the two
> bridges xenbr0 and xenbr1, I can access the NFS share from the domU
> web server and everything else works as expected, except for one thing
> -- my workstations in the LAN can no longer access the web server:
> web pages do not open anymore and from the workstations I cannot ping
> the domU. If the web server domU is only connected to DMZ via xenbr0,
> the workstations can access it ok.
> 
> 
> Any advice on what I am doing wrong and how I could fix my setup?

  The postrouting command uses -o eth2.  To NAT LAN requests to your DMZ
web server, shouldn't you be using xenbr0?

  Though, I would bridge eth2, as well, and create a virtual firewall
with eth0 (DMZ?), eth1 (LAN) and eth2 (PUB).  I wouldn't want the Dom0
to be directly compromised if my firewall was compromised.

> Regards,
> Peter
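Ed's point concerns the NAT rule; a separate thing worth checking on a dual-homed domU like Peter's is that replies to LAN clients leave by the interface the request arrived on, since a guest with both a DMZ and a LAN address will otherwise answer LAN sources directly over its LAN interface. The script below is an added example, not from the thread: it generates per-interface policy-routing commands for a guest with Peter's DMZ address (11.22.33.111/27) and LAN address (192.168.0.12/24). The interface names, the routing table ids and the gateway addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Emits "ip route"/"ip rule" commands
# that give each interface of a dual-homed guest its own routing table, so
# traffic from an address is routed back out through that address's interface.
set -eu

# network_of ADDR PREFIX -> network address, e.g. 11.22.33.111 27 -> 11.22.33.96
network_of() {
    ip="$1"; prefix="$2"
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( n & mask ))
    printf '%d.%d.%d.%d' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 ))
}

# policy_rules IFACE ADDR PREFIX GATEWAY TABLE
# Prints the commands for one interface; pipe the output into sh as root
# on the domU to apply them (they are only printed here).
policy_rules() {
    iface="$1"; addr="$2"; prefix="$3"; gw="$4"; table="$5"
    net=$(network_of "$addr" "$prefix")
    # connected network and default route live in a per-interface table ...
    printf 'ip route add %s/%s dev %s src %s table %s\n' "$net" "$prefix" "$iface" "$addr" "$table"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    # ... and a rule selects that table whenever the guest answers from ADDR
    printf 'ip rule add from %s table %s\n' "$addr" "$table"
}

# Assumed values: eth1 is the DMZ leg, eth2 the LAN leg, and the gateways are
# the dom0 addresses on each bridge (placeholders, not from the thread).
DMZ_GW=11.22.33.97
LAN_GW=192.168.0.1
policy_rules eth1 11.22.33.111 27 "$DMZ_GW" 10
policy_rules eth2 192.168.0.12  24 "$LAN_GW" 20
```

After applying the rules, `ip route get 192.168.0.2 from 11.22.33.111` on the guest shows which interface a reply from the DMZ address would take.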