LinuxQuestions.org

Linux - Networking: how to create a simple DMZ? (http://www.linuxquestions.org/questions/linux-networking-3/how-to-create-a-simle-dmz-701808/)

8211534635 02-02-2009 11:38 PM

how to create a simple DMZ?
 
hello
i need to learn how to create a simple DMZ with iptables.

my scenario:
a company has an internal web server and wants it to become available to internet users. for this they decide to create a DMZ to serve internal and external users.
we use only these ports: 80, 8080
please help us

thanks a lot

blacky_5251 02-03-2009 01:58 AM

I suggest you grab an old PC from the cupboard and install IPCop on it. Use that to segregate your DMZ from your internal network. It's easy to install and very reliable.

Cheers,

archtoad6 02-03-2009 05:13 AM

"simple dmz with iptable" is a bit of an oxymoron.

Use IPCop or SmoothWall Express or one of the other specialty firewall distros. I know that both IPCop & SmoothWall Express have a DMZ built in. They both call it the "Orange" interface.

Links:
http://freshmeat.net/projects/ipcop/
http://freshmeat.net/projects/smoothwall/
http://en.wikipedia.org/wiki/IPCop
http://en.wikipedia.org/wiki/SmoothWall

ScooterB 02-04-2009 10:48 AM

Having a DMZ is a good idea and one that isn't too hard to implement. It is my standard when I set up commercial networks. What it basically takes is two routers. One, the first one, will be your router to the world and will have your public IP address(es). On the other side of that router will exist your DMZ. This is where you would put your web servers, mail servers, file servers (if needed to access from the outside), etc. On the other side of this subnet, you would place another router. This router will provide the DMZ on one side and your private LAN on the other. This way your private LAN is two subnets deep and can be firewalled by two different firewalls.

These two routers can be linux boxes or whatever you desire. I would stay away from the Big Box store type of routers. If you want you can use full blown desktops, but that is such a waste of good hardware to do something really simple. I would take a look at http://www.routerboard.com

These routers are all built on a Linux kernel and use linux commands. They are inexpensive but provide a whole bunch of functionality. Anyway, hope this helps you in your endeavors.

win32sux 02-04-2009 11:43 AM

Quote:

Originally Posted by 8211534635 (Post 3429867)
hello
i need to learn how to create a simple DMZ with iptables.

my scenario:
a company has an internal web server and wants it to become available to internet users. for this they decide to create a DMZ to serve internal and external users.
we use only these ports: 80, 8080
please help us

thanks a lot

Assumptions: You've got a GNU/Linux box with three network interfaces: LAN, DMZ, and WAN.
- Your LAN is: 192.168.1.0/24
- Your DMZ is: 192.168.2.0/24 (The IP of the server in your DMZ is: 192.168.2.101)

Simple example:
Code:

# Interface names below are placeholders; set them to your box's LAN, DMZ and WAN devices.
LAN_IFACE=eth0
DMZ_IFACE=eth1
WAN_IFACE=eth2

# The kernel must be allowed to forward packets before the FORWARD chain sees any traffic.
sysctl -w net.ipv4.ip_forward=1

# Default deny for everything routed between the three interfaces.
iptables -P FORWARD DROP

# Replies belonging to connections accepted by the rules below.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# LAN hosts may open connections to the Internet.
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.0/24 \
-m state --state NEW -j ACCEPT

# The Internet may open connections to the DMZ web server on 80 and 8080 only.
iptables -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE -m multiport \
--dports 80,8080 -d 192.168.2.101 -m state --state NEW -j ACCEPT

# Redirect inbound 80/8080 arriving on the WAN interface to the web server.
iptables -t nat -A PREROUTING -p tcp -i $WAN_IFACE -m multiport \
--dports 80,8080 -j DNAT --to-destination 192.168.2.101

# Hide the private LAN and DMZ addresses behind the WAN address on the way out.
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE


archtoad6 02-05-2009 06:30 AM

Quote:

Originally Posted by ScooterB (Post 3432023)
I would take a look at http://www.routerboard.com

These routers are all built on a Linux kernel and use linux commands. They are inexpensive but provide a whole bunch of functionality. Anyway, hope this helps you in your endeavors.

I did, & they are interesting.

I ran a Google Linux search on their RouterOS: http://www.google.com/linux?q=RouterOS
& read the linux.com article it found: http://www.linux.com/feature/54302
I tracked down the OS pricing page on their Wiki: http://wiki.mikrotik.com/wiki/Software_levels

From the few example commands I saw, it's not obviously Linux; yet the article calls it "Linux-based".

Do you have any idea how to prove this?

Isn't this a violation of the GPL?

ScooterB 02-05-2009 08:31 AM

Quote:

Do you have any idea how to prove this?
I would have to say that I guess I don't, other than the fact that all of the commands that I use from the command line in my distros work from their command line. While it isn't pure linux (they obviously have built their own OS), it is based on it and that is good enough for me. I'm not a lawyer, so I couldn't comment on whether or not it's a violation of the GPL.

All I can tell you is that their stuff works well, is inexpensive, and does what I need it to. It seems to be based on the Linux kernel and works great from the command line.

blacky_5251 02-06-2009 03:06 PM

ScooterB wrote:
Quote:

If you want you can use full blown desktops, but that is such a waste of good hardware to do something really simple.
If you use up-to-date machines for this then I would agree entirely, but one of the joys of using IPCop or Smoothwall is that you can use fairly low-spec equipment. Recycled desktops are fine as IPCop and Smoothwall firewalls.

There are also lots of add-ons you can install to extend the firewall functionality - e.g. VPN connectivity, anti-virus, anti-spam, http and ftp filters, intrusion detection, URL filters - the list goes on.

Why lock in to a hardware vendor and spend money, when you can get all these features for free from IPCop/Smoothwall and run it all on recycled iron?

Cheers,

Ian
