According to the Network Info, create the following KVM networks; their definitions, as dumped with `virsh net-dumpxml`, are:
virsh # net-dumpxml iptables-public
<network>
<name>iptables-public</name>
<uuid>3637b3c4-29fa-49dd-8f0e-f8c9b2d8f8a8</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr6' stp='on' delay='0'/>
<mac address='52:54:00:b3:79:f2'/>
<domain name='ab.lab'/>
<ip address='10.0.0.1' netmask='255.255.255.0'>
</ip>
</network>
virsh # net-dumpxml iptables-dmz1
<network>
<name>iptables-dmz1</name>
<uuid>2a777b89-a347-48ab-bff6-5d010eca04a0</uuid>
<bridge name='virbr7' stp='on' delay='0'/>
<mac address='52:54:00:42:76:64'/>
<domain name='ab.lab'/>
<ip address='172.16.11.1' netmask='255.255.255.0'>
</ip>
</network>
virsh # net-dumpxml iptables-dmz2
<network>
<name>iptables-dmz2</name>
<uuid>df1d7b5d-e8c2-4b2c-9177-c572508f5cdb</uuid>
<bridge name='virbr8' stp='on' delay='0'/>
<mac address='52:54:00:c1:2c:2f'/>
<domain name='ab.lab'/>
<ip address='192.168.20.1' netmask='255.255.255.0'>
</ip>
</network>
virsh # net-dumpxml iptables-interna
<network>
<name>iptables-interna</name>
<uuid>729552eb-a768-48b6-88b0-119f6a5f86e5</uuid>
<bridge name='virbr10' stp='on' delay='0'/>
<mac address='52:54:00:fb:a7:7d'/>
<domain name='ab.lab'/>
<ip address='192.168.21.1' netmask='255.255.255.0'>
</ip>
</network>
Change the routes for the Web Tier (Tier 1), Middleware Tier (Tier 2) and Application Tier (Tier 3) so that their traffic is sent through the public tier (note that routes added with `route add` are not persistent across a reboot):
[root@base iptables-lab]# hostname
base.lab
[root@base iptables-lab]# route -n | grep -e Gateway -e 10.0.0.0 -e 172.16.11.0 -e 192.168.20.0 -e 192.168.21.0
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr6
172.16.11.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr7
192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr8
192.168.21.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr10
[root@base iptables-lab]# route add -net 172.16.11.0 netmask 255.255.255.0 gw 10.0.0.254
[root@base iptables-lab]# route add -net 192.168.20.0 netmask 255.255.255.0 gw 10.0.0.254
[root@base iptables-lab]# route add -net 192.168.21.0 netmask 255.255.255.0 gw 10.0.0.254
[root@base iptables-lab]# route -n | grep -e Gateway -e 10.0.0.0 -e 172.16.11.0 -e 192.168.20.0 -e 192.168.21.0
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr6
172.16.11.0 10.0.0.254 255.255.255.0 UG 0 0 0 virbr6
172.16.11.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr7
192.168.20.0 10.0.0.254 255.255.255.0 UG 0 0 0 virbr6
192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr8
192.168.21.0 10.0.0.254 255.255.255.0 UG 0 0 0 virbr6
192.168.21.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr10