Hi all,
I've got a RHEVM 3.0 machine running RHEL6. I have it set up with two interfaces, em1 (facing the rhev network) and em2 (facing our company's network, or for all intents and purposes, the outside world).
The interfaces are configured as follows:
Code:
DEVICE=em1
BOOTPROTO=none
IPADDR=192.168.10.100
NETMASK=255.255.255.0
NETWORK=192.168.10.0
HWADDR=00:21:9b:a7:40:4c
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
UUID="1331ac7b-3faa-4dcc-a3ba-61c0f75fce60"
DHCP_HOSTNAME=rhevm-01.MMC.DOMAIN
DNS2=192.168.1.150
GATEWAY=192.168.1.16
DNS1=192.168.1.39
IPV6INIT=no
USERCTL=no
Code:
DEVICE=em2
BOOTPROTO=none
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
UUID="3b68f8f2-88b5-40e4-a62f-cf778232eef3"
HWADDR=00:21:9b:a7:40:4e
IPADDR=192.168.1.16
PREFIX=24
GATEWAY=192.168.1.244
DNS1=192.168.1.39
DNS2=192.168.1.150
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System em2"
NETMASK=255.255.255.0
USERCTL=no
As far as routing internet traffic, all nodes on the 192.168.10.0/24 network are able to access google, facebook, etc.
I am also able to VNC into the RHEVM machine from the 192.168.1.0/24 network. I am able to access the RHEVM web interface from both networks, but when I access it from 192.168.1.0/24, I am unable to run the VM consoles. All I have to do is switch which subnet I'm on and I am immediately able to access this feature. I am assuming it is a firewall issue, but I am pretty inexperienced with iptables commands. My current iptables config is as follows:
Code:
#Custom Firewall
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o em2 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
#IP Forwarding
-A FORWARD -i em2 -o em1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i em1 -o em2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT
Is there a quick and dirty way to make this machine allow any any to and from both networks? Or can I just add a line to allow spice?
Thanks!
-Ryan
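Added example, not part of Ryan's post: a small Python check over the posted *filter table (copied inline as constructed input). It reads the iptables-save rules in order and shows that the first INPUT rule already ACCEPTs every NEW connection with no interface, port or address match, so the icmp, lo and port-22 rules after it are never reached, and the INPUT chain policy is ACCEPT anyway. Any tightening of this firewall would therefore have to reorder the INPUT chain rather than append a rule.

```python
# Constructed copy of the poster's *filter table; rule order matters to iptables.
FILTER_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -i em2 -o em1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i em1 -o em2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT
"""

def chain_policy(text, chain):
    """Default verdict for packets no rule matches (":INPUT ACCEPT [0:0]")."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == ":" + chain:
            return tokens[1]
    return None

def parse_rules(text, chain):
    """Ordered list of the chain's -A rules, each as a token list."""
    return [line.split()[2:] for line in text.splitlines()
            if line.startswith("-A %s " % chain)]

def is_catch_all_accept(tokens):
    """True if the rule ACCEPTs NEW connections without restricting interface,
    protocol, port or address, so no later rule in the chain can be reached."""
    if "-j" not in tokens or tokens[tokens.index("-j") + 1] != "ACCEPT":
        return False
    if {"-i", "-s", "-d", "-p", "--dport", "--sport"} & set(tokens):
        return False
    for flag in ("--state", "--ctstate"):
        if flag in tokens:
            return "NEW" in tokens[tokens.index(flag) + 1].split(",")
    return True  # no connection-state match at all: matches every packet

def shadowed_rules(text, chain="INPUT"):
    """(index of the first catch-all ACCEPT, rules after it that are dead)."""
    rules = parse_rules(text, chain)
    for i, rule in enumerate(rules):
        if is_catch_all_accept(rule):
            return i, [" ".join(r) for r in rules[i + 1:]]
    return None, []

if __name__ == "__main__":
    idx, dead = shadowed_rules(FILTER_RULES)
    print("INPUT policy %s; catch-all at rule %s shadows %d later rules"
          % (chain_policy(FILTER_RULES, "INPUT"), idx, len(dead)))
```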