how to create a simle DMZ?
 

hello
i need to learn how to create a simple dmz with iptable.

my senario:
a company have a internal web server and wants to become available for internet users.for it they decide to create a dmz to service to internal and external users.
we use only these ports 80,8080
please help us

thanks alot

I suggest you grab an old PC from the cupboard and install IPCop on it. Use that to segregate your DMZ from your internal network. It's easy to install and very reliable.

Cheers,

"simple dmz with iptable" is a bit of an oxymoron.

Use IPCop or SmoothWall Express or one of the other specialty firewall distros. I know that both IPCop & SmoothWall Express have a DMZ built in. They both call it the "Orange" interface.

Links:
http://freshmeat.net/projects/ipcop/
http://freshmeat.net/projects/smoothwall/
http://en.wikipedia.org/wiki/IPCop
http://en.wikipedia.org/wiki/SmoothWall

Having a DMZ is a good idea and one that isn't too hard to implement. It is my standard when I set up commercial networks. What it basically takes is two routers. One, the first one, will be your router to the world and will have your public IP address(s). On the other side of that router will exist your DMZ. This is where you would put your web servers, mail servers, file servers (if needed to access from the outside), etc. On the other side of this subnet, you would place another router. This router will provide the DMZ on one side and your private LAN on the other. This way your private LAN is two subnets deep and can be firewalled by two different firewalls.

These two routers can be linux boxes or what ever you desire. I would stay away from the Big Box store type of routers. If you want you can use full blown desktops, but that is such a waste of good hardware to do something really simple. I would take a look at http://www.routerboard.com

These routers are all built on a Linux kernel and use linux commands. They are inexpensive but provide a whole bunch of functionality. Anyway, hope this helps you in your endeavors.

Assumptions: You've got a GNU/Linux box with three network interfaces: LAN, DMZ, and WAN.
- Your LAN is: 192.168.1.0/24
- Your DMZ is: 192.168.2.0/24 (The IP of the server in your DMZ is: 192.168.2.101)

Simple example:

I did, & they are interesting.

I ran a Google Linux search on their RouterOS: http://www.google.com/linux?q=RouterOS
& read the linux.com article it found: http://www.linux.com/feature/54302
I tracked down the OS pricing page on their Wiki: http://wiki.mikrotik.com/wiki/Software_levels

From the few example commands I saw, it's not obviously Linux; yet the article calls it "Linux-based".

Do you have any idea how to prove this?

Isn't this a violation of the GPL?

I would have to say that I guess I don't other than the fact that all of the commands that I use from the command line in my distro's work from their command line. While it isn't pure linux (they obviously have built their on OS), it is based on it and that is good enough for me. I'm not a lawyer, so I couldn't comment on whether or not it's a violation of the GPL.

All I can tell you is that their stuff works well, is inexpensive, and does what I need it to. It seems to be based on the Linux kernel and works great from the command line.

ScooterB wrote:If you use up to date machines for this then I would agree entirely, but one of the joys of using IPCop or Smoothwall is that you can use fairly low-spec equipment. Recycled desktops are fine as IPCop and Smoothwall Firewalls.

There are also lots of add-ons you can install to extend the firewall functionality - e.g. VPN connectivity, anti-virus, anti-spam, http and ftp filters, intrusion detection, URL filters - the list goes on.

Why lock in to a hardware vendor and spend money, when you can get all these features for free from IPCop/Smoothwall and run it all on recycle iron?

Cheers,

Ian