http://www.cyberciti.biz/faq/linux-demilitarized-zone-howto/
(Fig 01: A typical Linux based DMZ setup [ Image modified from Wikipedia article] )
10/10/2012 15:02
incoming mail traffic from the internet (arriving at 202.54.1.1) can be sent to the DMZ mail server (192.168.2.2) with the following iptables PREROUTING rule (assuming a default DROP-all firewall policy):
### end init firewall .. Start DMZ stuff ####
# forward traffic between DMZ and LAN
iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward traffic between DMZ and WAN servers SMTP, Mail etc
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Route incoming SMTP (port 25 ) traffic to DMZ server 192.168.2.2
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2
# Route incoming HTTP (port 80 ) traffic to DMZ server load balancer IP 192.168.2.3
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3
# Route incoming HTTPS (port 443 ) traffic to DMZ server reverse load balancer IP 192.168.2.4
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4
### End DMZ .. Add other rules ###
Where:
-i eth1 : WAN network interface
-d 202.54.1.1 : WAN public IP address
--dport 25 : SMTP traffic
-j DNAT : the DNAT target, which rewrites the destination address of the packet to the address given with --to-destination
--to-destination 192.168.2.2 : mail server IP address (private IP)
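The DMZ ruleset above, restated as a parameterised shell script. This is an added example, not the article's own script. The interface names, the public IP and the DMZ server addresses are assumptions taken from the article's layout; IPT defaults to "echo iptables" so the rules can be reviewed without root (set IPT=iptables to load them). As a design choice of this example, the WAN-to-DMZ FORWARD rule is narrowed to the three DNATed services instead of accepting any NEW connection, and check_dmz_isolation verifies the property a DMZ exists for: nothing in the DMZ may open a new connection into the LAN.

```shell
#!/bin/sh
# Added example (not the article's script): parameterised DMZ ruleset.
# Interface names and addresses below are assumptions matching the article's
# diagram; adjust them for your own network.
WAN_IF="${WAN_IF:-eth1}"            # public side
LAN_IF="${LAN_IF:-eth0}"            # internal LAN
DMZ_IF="${DMZ_IF:-eth2}"            # DMZ segment
WAN_IP="${WAN_IP:-202.54.1.1}"      # public address on the firewall
MAIL_IP="${MAIL_IP:-192.168.2.2}"   # DMZ mail server
HTTP_IP="${HTTP_IP:-192.168.2.3}"   # DMZ HTTP load balancer
HTTPS_IP="${HTTPS_IP:-192.168.2.4}" # DMZ HTTPS reverse proxy
# Dry-run by default: prints the commands instead of applying them.
IPT="${IPT:-echo iptables}"

# Emit (or apply) the DMZ rules. Only the three published services may open
# NEW connections from the WAN into the DMZ; everything else is dropped.
dmz_rules() {
    $IPT -P FORWARD DROP
    # LAN may open connections into the DMZ; the DMZ only answers the LAN
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DMZ servers reply to internet clients
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNAT in PREROUTING, then allow only the rewritten destination in FORWARD
    for svc in "25 $MAIL_IP" "80 $HTTP_IP" "443 $HTTPS_IP"; do
        set -- $svc   # $1 = port, $2 = DMZ address
        $IPT -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$WAN_IP" --dport "$1" -j DNAT --to-destination "$2"
        $IPT -A FORWARD -p tcp -i "$WAN_IF" -o "$DMZ_IF" -d "$2" --dport "$1" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
}

# Check the core DMZ property on the rule text produced in dry-run mode:
# no FORWARD rule may accept NEW connections from the DMZ towards the LAN.
# Returns 0 when the isolation holds, 1 when a rule breaks it.
check_dmz_isolation() {
    rules="$1"
    if printf '%s\n' "$rules" | grep -- "-i $DMZ_IF -o $LAN_IF" | grep -q "NEW"; then
        return 1
    fi
    return 0
}

# Number of DNAT rules in the generated rule text (one per published service).
count_dnat_rules() {
    printf '%s\n' "$1" | grep -c -- "-j DNAT"
}

# Usage: review the rules, then confirm the DMZ cannot initiate into the LAN.
RULES=$(dmz_rules)
printf '%s\n' "$RULES"
check_dmz_isolation "$RULES" && echo "DMZ isolation check: OK"
```

Running the script without IPT set prints the rules it would load; the FORWARD rules for DNATed traffic match on the private destination address because FORWARD sees the packet after PREROUTING has rewritten it.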
Pitfalls
The above design has a few pitfalls:
1. Single point of failure - The firewall becomes a single point of failure for the network.
2. Hardware - The firewall host must be able to handle all of the traffic going to the DMZ as well as to the internal network.
Further readings:
Wes Sonnenreich. Building Linux And Openbsd Firewalls. - A step-by-step guide to building a commercial-grade firewall with open source software.
Eric Maiwald. Network Security: A Beginner's Guide. Second Edition. - It gives a brief overview of most of the security related topics, perhaps one
of the best books to start with.
Michael Rash. Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort [ILLUSTRATED] - Linux Firewalls discusses the
technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong
filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools. You'll
learn how to deploy iptables as an IDS with psad and fwsnort and how to build a strong, passive authentication layer around iptables with fwknop.
Updated for accuracy.
to-destination 192.168.2.2. The problem is coming from -i eth2; the correct way is -i eth1 because we want packets coming from the internet to be redirected to the DMZ.
vivek January 2, 2008 at 4:21 pm
George,
Thanks for the heads up.
Sathish August 1, 2008 at 8:35 am
Hi,
I have configured the DMZ mentioned in the above article. The routing concept is working fine, whereas if I access my LAN/other networks through the web page [e.g. www.xyz.com or http://xyz.com], it shows the Apache test page, whereas the domain-related page is not working. What may be the problem?
Please help me out.
Thanks,
Sathish
vivek August 1, 2008 at 9:09 am
You need to configure Apache properly.
mirza August 5, 2008 at 2:38 am
After George's correction, is the script already updated?
vivek August 5, 2008 at 5:41 am
mirza,
Yes, it was updated after George's correction.
umesh October 7, 2008 at 6:09 pm
Hi,
I have 8 public IPs and want to configure FreeBSD as a router and firewall, and also want to use all 8 public IPs for my servers, so please can you suggest how to do this? I am very confused.
Please help.
Gerald Sagoonick January 19, 2009 at 8:54 pm
Nice one
satya February 27, 2009 at 7:32 am
I tried with 2 network cards to set it up as a gateway server on Ubuntu 8.10 LTS; it's not working. Are there any tips to troubleshoot?
Vivek Gite February 27, 2009 at 7:51 am
A DMZ needs 3 network cards.
Nepguy February 27, 2009 at 9:00 am
Hey,
Great Stuff !
But I have a little different case and am wondering if you could help me.
I want to put a server (mail and proxy) on the same machine and, instead of assigning a private IP to the server in the DMZ, I want to assign a public IP.
So can you please help me out with the iptables and routing on the Linux server having 3 NICs.
Thanks in advance.
Vivek Gite February 27, 2009 at 11:09 am
The rules remain the same; replace the private IP with the public one.
Nepguy March 2, 2009 at 9:48 am
Isn't any NATing required here?
satya March 19, 2009 at 6:32 am
I have 3 network cards with
1. public IP
2. 192.168.0.0 - servers
3. 192.168.1.0 - LAN
I tried setting it up as a router to allow internet access on the LAN; it didn't work. Can you help me out?
V.Balaviswanathan April 29, 2009 at 2:32 pm
How to use iptables on Debian or Ubuntu systems? You use the ufw utility as a firewall, so how can one use that to forward or deny IP packets?
Please help me
yshri June 4, 2009 at 8:34 am
Hey, great article. Very informative and helped me a lot. But in my case, I found it risky and don't want to use 3 interfaces on the same machine. Instead, I want to configure two firewall machines: one sits in front of the DMZ and the other sits in front of the local LAN. Could you please explore in a little more depth the configuration and setup required for this? If you could give a diagram of it, it would be of great help to me. Thanks a lot.
PG June 16, 2009 at 10:32 am
Do these iptables rules share the internet with the local LAN users?
I want to implement it like this:
INTERNET(pub ip)LINUX ROUTER(pvt ip) PROXY/MAIL SVR
|
LAN
How will the iptables rules change if I want to direct the LAN internet access through the proxy server?
Thanks in advance.
Prakash
What will be the rules if i need to direct
PG June 16, 2009 at 10:41 am
hey,
In the earlier post, the LAN actually connects to another NIC of the Linux router.
Sachin March 13, 2010 at 7:29 pm
My network setup: I have 3 network cards in a CentOS firewall machine connected to an ADSL router
1) Public IP > 59.181.x.x which is NATed on the router to 192.168.1.1
2) eth0 (external interface) which has IP ADDR 192.168.1.5 and gateway 192.168.1.1
In ifcfg-eth0 I have the entry GATEWAY=192.168.1.1
3) eth1 (LAN network) which has IP ADDR 192.168.2.1 and is connected to switch1
In ifcfg-eth1 I have not mentioned any GATEWAY
4) eth2 (DMZ) which has IP ADDR 192.168.0.50 and is connected to switch2
2006-2012 nixCraft. All rights reserved. Cannot be reproduced without written permission.