[CentOS] routing and virtual machines: how to access dmz if bridged to two networks

Mon Mar 5 15:37:52 UTC 2012
Peter Peltonen <peter.peltonen at gmail.com>

I am not quite sure if this issue relates to iptables, routing or Xen
virtual machines. Too many variables for my simple mind, so I'm asking for
some advice :)


This is my network setup:


Internet --- eth2 + CentOS dom0 / firewall / router + eth1 (xenbr1)
--- LAN with private IPs --- separate file server and workstations
                            +
                           eth0 (xenbr0)
                             |
                           DMZ network with public IPs --- CentOS6 domU web server


Let's assume my dom0's eth2 public IP is 1.2.3.33 and my DMZ network is
11.22.33.96/255.255.255.224. I have created NAT from my LAN with
iptables. You can see my /etc/sysconfig/iptables here:
http://pastebin.com/1FqSTvPH

And this is my routing table:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1.2.3.32        0.0.0.0         255.255.255.252 U     0      0        0 eth2
11.22.33.96     0.0.0.0         255.255.255.224 U     0      0        0 xenbr0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 xenbr1
169.254.0.0     0.0.0.0         255.255.0.0     U     1004   0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     1005   0        0 xenbr0
169.254.0.0     0.0.0.0         255.255.0.0     U     1006   0        0 xenbr1
0.0.0.0         1.2.3.34        0.0.0.0         UG    0      0        0 eth2


My goal:

To access NFS shares on a (non-virtualized) file server in the LAN
network from the domU web server in the DMZ network.


What I tried:

I attached the domU to both bridges using this Xen config:

vif = [ "mac=00:0c:29:de:3a:fe,bridge=xenbr0", "mac=00:0C:29:76:19:85,bridge=xenbr1" ]

and then created two eth interfaces inside the domU mapped to the MAC
addresses above, giving eth1 an IP from the DMZ (11.22.33.111) and
giving eth2 an IP from the LAN (192.168.0.12). After this I mounted
the NFS share from the file server (192.168.0.2).


My problem:

If my domU web server is connected to both LAN and DMZ using the two
bridges xenbr0 and xenbr1, I can access the NFS share from the domU
web server and everything else works as expected, except for one thing:
my workstations in the LAN can no longer access the web server.
Web pages no longer open, and from the workstations I cannot ping
the domU. If the web server domU is only connected to the DMZ via xenbr0,
the workstations can access it fine.


Any advice on what I am doing wrong and how I could fix my setup?


Regards,
Peter
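One thing worth checking in a setup like the one described above is whether the paths in and out of the dual-homed domU are still symmetric. The following is an added example (not part of the original message or any reply to it): it runs a longest-prefix-match lookup over the dom0 routing table quoted in the post and over a reconstructed domU table, and compares the interface a packet from a LAN workstation arrives on with the interface the domU would use to reply. The domU table itself is an assumption built from the two addresses given in the post; the domU's default gateway (11.22.33.97), the workstation address (192.168.0.50) and the Internet client address (198.51.100.7) are constructed for illustration, as is the assumption that the workstations use dom0 as their default gateway.

```python
import ipaddress

# dom0 (firewall/router) routing table as quoted in the post; the 169.254/16
# link-local rows are omitted because they never win a lookup in these cases.
DOM0_ROUTES = [
    ("1.2.3.32/30",    None,       "eth2"),
    ("11.22.33.96/27", None,       "xenbr0"),
    ("192.168.0.0/24", None,       "xenbr1"),
    ("0.0.0.0/0",      "1.2.3.34", "eth2"),
]

# Which domU interface sits on each dom0 bridge, per the vif= line in the post.
BRIDGE_TO_DOMU_IFACE = {"xenbr0": "eth1", "xenbr1": "eth2"}

# Assumed domU table with both bridges attached. The post gives the two
# addresses but not the domU's gateway; 11.22.33.97 is an assumption.
DOMU_ROUTES_DUAL = [
    ("11.22.33.96/27", None,          "eth1"),
    ("192.168.0.0/24", None,          "eth2"),
    ("0.0.0.0/0",      "11.22.33.97", "eth1"),
]

# Assumed domU table when only xenbr0 is attached (the setup the post says works).
DOMU_ROUTES_DMZ_ONLY = [
    ("11.22.33.96/27", None,          "eth1"),
    ("0.0.0.0/0",      "11.22.33.97", "eth1"),
]


def lookup(routes, dst):
    """Longest-prefix-match route lookup; returns (iface, gateway)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[1]


def analyse(client, target, domu_routes):
    """Trace a client -> target packet through dom0 into the domU and compare
    the interface it arrives on with the interface the domU replies from."""
    dom0_out, _ = lookup(DOM0_ROUTES, target)      # dom0 forwards out of this bridge
    ingress = BRIDGE_TO_DOMU_IFACE[dom0_out]        # ...so the domU sees it here
    reply_iface, _ = lookup(domu_routes, client)    # ...and would answer from here
    return {
        "dom0_out": dom0_out,
        "domu_ingress": ingress,
        "domu_reply_iface": reply_iface,
        # Strict reverse-path filtering (rp_filter=1) accepts a packet only if
        # the route back to its source leaves by the interface it arrived on.
        "passes_strict_rp_filter": reply_iface == ingress,
    }


if __name__ == "__main__":
    cases = [
        ("192.168.0.50", "11.22.33.111", DOMU_ROUTES_DUAL,     "LAN workstation, domU on both bridges"),
        ("192.168.0.50", "11.22.33.111", DOMU_ROUTES_DMZ_ONLY, "LAN workstation, domU on xenbr0 only"),
        ("198.51.100.7", "11.22.33.111", DOMU_ROUTES_DUAL,     "Internet client, domU on both bridges"),
    ]
    for client, target, routes, label in cases:
        r = analyse(client, target, routes)
        print(f"{label}: in via {r['domu_ingress']}, reply via {r['domu_reply_iface']}, "
              f"symmetric={r['passes_strict_rp_filter']}")
```

With both bridges attached, a packet from 192.168.0.50 to 11.22.33.111 enters the domU on eth1 but the domU's best route back to 192.168.0.0/24 is the directly connected eth2, so the two directions use different interfaces; the Internet client and the single-bridge configuration both stay symmetric. On a Linux host with strict reverse-path filtering enabled (net.ipv4.conf.<iface>.rp_filter = 1) such a packet is dropped silently, and even without rp_filter a stateful firewall on the path only sees one direction of the conversation. Checking rp_filter on the domU and whether LAN clients should reach the web server by its LAN or its DMZ address are the practical follow-ups this model suggests.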