LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   DMZ help... (https://www.linuxquestions.org/questions/linux-networking-3/dmz-help-72985/)

phishman3579 07-15-2003 01:51 PM

DMZ help...
 
Can someone help me? I would like to set up a DMZ in my iptables script. Is there a howto out there? I've been searching the forum and have found no good examples or howtos.

I basically want to let all traffic through to my 192.168.0.252 DHCP client.

jstu 07-15-2003 04:32 PM

Why don't you post your network setup? I think a DMZ may be more than you're asking for.

hakcenter 07-15-2003 05:24 PM

I don't see the purpose either...

As I was aware, a DMZ just routes all new traffic to the DMZ, then to virtuals, then it is dropped if nothing matches.

phishman3579 07-15-2003 06:39 PM

Quote:

Originally posted by hakcenter
I don't see the purpose either...

As I was aware, a DMZ just routes all new traffic to the DMZ, then to virtuals, then it is dropped if nothing matches.

Basically, I can't get my PS2 to work through my current firewall. It gets online but can't get past that. I am assuming that it is getting firewalled, because when I hook it up to the modem (without firewall intervention), it works fine.

I basically want everything in and out of 192.168.0.252 to be untouched, but I can't seem to find the way. If you all have a better suggestion, I'm all ears, but the best advice I heard was a DMZ.

phishman3579 07-15-2003 06:42 PM

Basically my net setup is...
eth0 is internet
eth1 is LAN

I have about 4 computers on the net, 192.168.0.254..192.168.0.251.

My PS2 is 192.168.0.252. I would like all info to be passed without any kind of firewall intervention in and out of that IP. Right now the PS2 can get online, but some of the ports are closed (it's different for each game), so I want to open all ports to the PS2, incoming and outgoing.

jstu 07-15-2003 08:49 PM

I think you're looking for something like this

$IPTABLES -t nat -A PREROUTING -p TCP -i $INTERNAL_IFACE --dport $whateverports -j DNAT --to-destination $PS2_IP

This will redirect TCP $whateverports traffic to the PS2 IP.

phishman3579 07-15-2003 09:37 PM

Quote:

Originally posted by jstu
I think you're looking for something like this

$IPTABLES -t nat -A PREROUTING -p TCP -i $INTERNAL_IFACE --dport $whateverports -j DNAT --to-destination $PS2_IP

This will redirect TCP $whateverports traffic to the PS2 IP.

would 0:65000 forward every port?

jstu 07-15-2003 11:27 PM

I don't see why not. I've never tried it though.

phishman3579 07-15-2003 11:38 PM

I still can't get online with this gosh darn PS2... This makes no sense...

german 07-17-2003 10:15 AM

Um, this post is useless... I have to read a little more carefully next time ;)

Sorry guys...


It sounds like you're trying to set up a DMZ with 2 boxen. From my experience you need at least 3: one for routing (3 NICs), one for "the trenches", and one for the DMZ. The idea is that your servers are on a different subnet than your workstation(s), and even this isn't exactly killer security. Any DMZ I set up would be a gateway firewall on the front lines, then my servers, alongside an "invisible slut" bridge* (no IPs, promiscuous mode) which leads to my workstations and silently drops virtually all inbound traffic without a record in the state table. This setup makes it extremely difficult to attack the DMZ workstations, as you have to get past the initial routing firewall, then the slut bridge, which has no IP address to attack. It may be a good idea to put 3 NICs in the DMZ bridge so that you can retrieve log files etc. and administer remotely; just make sure the one with an IP is on the workstation side so it utilizes the security of the other two.

HTH

B.

german 07-17-2003 10:19 AM

Quote:

Originally posted by phishman3579
would 0:65000 forward every port?
0:65535 would, in theory...

B.

phishman3579 07-17-2003 03:32 PM

Quote:

Originally posted by german
Um, this post is useless... I have to read a little more carefully next time ;)

Sorry guys...


It sounds like you're trying to set up a DMZ with 2 boxen. From my experience you need at least 3: one for routing (3 NICs), one for "the trenches", and one for the DMZ. The idea is that your servers are on a different subnet than your workstation(s), and even this isn't exactly killer security. Any DMZ I set up would be a gateway firewall on the front lines, then my servers, alongside an "invisible slut" bridge* (no IPs, promiscuous mode) which leads to my workstations and silently drops virtually all inbound traffic without a record in the state table. This setup makes it extremely difficult to attack the DMZ workstations, as you have to get past the initial routing firewall, then the slut bridge, which has no IP address to attack. It may be a good idea to put 3 NICs in the DMZ bridge so that you can retrieve log files etc. and administer remotely; just make sure the one with an IP is on the workstation side so it utilizes the security of the other two.

HTH

B.

The only thing I have in my DMZ would be the PS2, and from my limited knowledge, you can't do jack squat to a PS2 box that's firewall-less.

I can get through my Windows firewall with the PS2, so there HAS to be a way for it to work with Linux. I just have no freakin' idea what is holding it up. It can get online but can't connect to any game servers.

hakcenter 07-17-2003 03:48 PM

# DNAT every TCP/UDP port arriving from outside the LAN to the PS2 (192.168.0.252 in this thread).
# Note the missing -A, the colon port-range syntax, and no port after --to, so the original destination port is kept.
iptables -t nat -A PREROUTING -p tcp ! -s 192.168.0.0/255.255.255.0 --dport 0:65535 -j DNAT --to 192.168.0.252
iptables -t nat -A PREROUTING -p udp ! -s 192.168.0.0/255.255.255.0 --dport 0:65535 -j DNAT --to 192.168.0.252
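A worked "DMZ host" rule set for the setup described in this thread (eth0 internet, eth1 LAN, PS2 at 192.168.0.252), as an added example that is not code from any poster. It covers both jstu's DNAT one-liner and hakcenter's catch-all rules: DNAT without --dport already forwards every port (no 0:65535 range needed), the router's own services on the WAN side (assumed here: ssh on TCP 22) are kept out of the catch-all, and every new inbound connection to the PS2 is logged so the rule can later be narrowed to the ports the games actually use. The variable names and WAN_SELF_PORTS are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits (and optionally applies) an
# iptables "DMZ host" rule set: all new TCP/UDP connections arriving from the
# internet on eth0 are DNATed to the PS2; the rest of the LAN stays unexposed.
WAN_IF=${WAN_IF:-eth0}                 # internet side (thread: eth0)
LAN_IF=${LAN_IF:-eth1}                 # LAN side (thread: eth1)
LAN_NET=${LAN_NET:-192.168.0.0/24}
DMZ_HOST=${DMZ_HOST:-192.168.0.252}    # the PS2 (thread)
WAN_SELF_PORTS=${WAN_SELF_PORTS:-22}   # assumed: TCP ports the router itself serves on eth0

# Print the rule set rather than applying it, so it can be reviewed first.
# Order matters: the RETURN for the router's own ports must precede the
# catch-all DNAT (RETURN in a built-in nat chain means "no DNAT"), and DNAT
# without a port after --to-destination preserves the original dport.
dmz_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -m multiport --dports $WAN_SELF_PORTS -j RETURN
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -j DNAT --to-destination $DMZ_HOST
iptables -t nat -A PREROUTING -i $WAN_IF -p udp -j DNAT --to-destination $DMZ_HOST
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $DMZ_HOST -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ-NEW: "
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $DMZ_HOST -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -j DROP
EOF
}

# Number of iptables rules the set would add (sanity check before applying).
dmz_rule_count() { dmz_rules | grep -c '^iptables'; }

if [ "${1:-}" = "--apply" ]; then
    dmz_rules | sh -e        # must run as root
else
    dmz_rules                # dry run: show what would be applied
fi
```

Watch the kernel log for "DMZ-NEW:" lines while the PS2 joins a game; the ports seen there are the ones to keep when you replace the catch-all with a narrower --dport list.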

jstu 07-17-2003 05:20 PM

Why don't you just post your firewall script? Those PREROUTING rules are worthless if you're just running client services behind your firewall.

hakcenter 07-17-2003 06:25 PM

I put them up for sheer testing
