Isolating VMWare Appliance in Linux
I'm running a Mandriva 2010.2 system. Inside of that, I'm runnng a VMWare virtual Mandriva 2010.2 Linux system. My plan was to run a mail server (Postfix) in the virtual environment, protecting the host system should the mail server become compromised. Everything is working, but I am unable to isolate the virtual system from accessing the host system.
Host system has 2 NIC cards, one to the internet (NET), the other to my internal LAN (192.168.0.0 - LOC). The system acts as a firewall for my internal network (using Shorewall).
The virtual system is connected via NAT (VMNET8: 192.168.100.1), virtual system set up with 192.168.100.2 (DMZ).
The virtual system can access the internet with no problems. IPTables is setup for DNAT to pass packets on port 25 to x.x.x.1 (which forwards to x.x.x.2) in the DMZ. The virtual system is able to collect and send mail. Systems on the LAN are able to connect to the virtual system and download mail, as well as remote connect to the virtual system to perform various maintenance items.
My intention was to set up the virtual box to accept connections:
DMZ to NET works fine.
FW and LOC to DMZ works fine.
But I am unable to block connections from DMZ to LOC or FW (I am able to ping from 192.168.100.2 to FW or any IP in LOC).
I have been unable to determine what route pings take to get from 192.168.100.2 to any address in 192.168.0.0. I tried blocking addresses from the DMZ to LOC in a number of different ways, but have been unable to block traffic originating from DMZ to any address in LOC.
I originally tried a Host-Only configuration with the virtual system, but while I was able to segregate the networks, I could not get the VM to access the internet. Changing to NAT solved that problem, but did not isolate the virtual network from the LAN.
Thanks in advance for any advice.