how to create a simple DMZ?
hello
I need to learn how to create a simple DMZ with iptables. My scenario: a company has an internal web server and wants it to be available to internet users. For this they decide to create a DMZ to serve internal and external users. We use only these ports: 80, 8080. Please help us. Thanks a lot |
I suggest you grab an old PC from the cupboard and install IPCop on it. Use that to segregate your DMZ from your internal network. It's easy to install and very reliable.
Cheers, |
"simple dmz with iptable" is a bit of an oxymoron.
Use IPCop or SmoothWall Express or one of the other specialty firewall distros. I know that both IPCop & SmoothWall Express have a DMZ built in. They both call it the "Orange" interface. Links: http://freshmeat.net/projects/ipcop/ http://freshmeat.net/projects/smoothwall/ http://en.wikipedia.org/wiki/IPCop http://en.wikipedia.org/wiki/SmoothWall |
Having a DMZ is a good idea and one that isn't too hard to implement. It is my standard when I set up commercial networks. What it basically takes is two routers. One, the first one, will be your router to the world and will have your public IP address(es). On the other side of that router will exist your DMZ. This is where you would put your web servers, mail servers, file servers (if needed to access from the outside), etc. On the other side of this subnet, you would place another router. This router will provide the DMZ on one side and your private LAN on the other. This way your private LAN is two subnets deep and can be firewalled by two different firewalls.
These two routers can be Linux boxes or whatever you desire. I would stay away from the Big Box store type of routers. If you want you can use full blown desktops, but that is such a waste of good hardware to do something really simple. I would take a look at http://www.routerboard.com These routers are all built on a Linux kernel and use Linux commands. They are inexpensive but provide a whole bunch of functionality. Anyway, hope this helps you in your endeavors. |
Quote:
- Your LAN is: 192.168.1.0/24
- Your DMZ is: 192.168.2.0/24 (the IP of the server in your DMZ is: 192.168.2.101)
Simple example:
Code:
iptables -P FORWARD DROP |
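Filling in the ruleset that post only sketches, as an added example (not code from the thread): a three-interface Linux router with a default-deny FORWARD policy that publishes the DMZ web server on TCP 80 and 8080 and lets the LAN reach it, while the DMZ is never allowed to open connections into the LAN. The interface names eth0/eth1/eth2 and the `IPT` dry-run variable are assumptions; the addresses follow the post above.

```shell
#!/bin/sh
# Assumed layout (addresses taken from the post above, interface names assumed):
#   eth0 = Internet (public IP), eth1 = LAN 192.168.1.0/24, eth2 = DMZ 192.168.2.0/24
#   DMZ web server 192.168.2.101, reachable only on TCP 80 and 8080.
# IPT defaults to printing the commands so the ruleset can be reviewed first;
# run with IPT=iptables as root to actually load it.
WAN=eth0; LAN=eth1; DMZ=eth2
LAN_NET=192.168.1.0/24; DMZ_NET=192.168.2.0/24; WEB=192.168.2.101
IPT="${IPT:-echo iptables}"

dmz_rules() {
  # Default-deny everything that crosses the router, then open only what is needed.
  $IPT -P FORWARD DROP
  $IPT -F FORWARD
  $IPT -t nat -F PREROUTING
  $IPT -t nat -F POSTROUTING
  # Replies to connections that were already allowed may flow in either direction.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for p in 80 8080; do
    # Publish the web server: rewrite the destination of inbound 80/8080 to the
    # DMZ host, then allow exactly those two ports from the Internet to reach it.
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport $p -j DNAT --to-destination $WEB:$p
    $IPT -A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT
    # Internal users reach the same server directly on the same two ports.
    $IPT -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $WEB -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT
  done
  # LAN may browse the Internet behind the router's public address.
  $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
  $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
  # The DMZ must never initiate connections into the LAN: a compromised web
  # server then cannot pivot inward. Explicit here even though the policy drops it.
  $IPT -A FORWARD -i $DMZ -o $LAN -s $DMZ_NET -j DROP
  # Anything else (DMZ->Internet, Internet->LAN, other ports) hits the DROP policy.
}

dmz_rules
```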
Quote:
I ran a Google Linux search on their RouterOS: http://www.google.com/linux?q=RouterOS & read the linux.com article it found: http://www.linux.com/feature/54302 I tracked down the OS pricing page on their Wiki: http://wiki.mikrotik.com/wiki/Software_levels From the few example commands I saw, it's not obviously Linux; yet the article calls it "Linux-based". Do you have any idea how to prove this? Isn't this a violation of the GPL? |
Quote:
All I can tell you is that their stuff works well, is inexpensive, and does what I need it to. It seems to be based on the Linux kernel and works great from the command line. |
ScooterB wrote:
Quote:
There are also lots of add-ons you can install to extend the firewall functionality - e.g. VPN connectivity, anti-virus, anti-spam, http and ftp filters, intrusion detection, URL filters - the list goes on. Why lock in to a hardware vendor and spend money, when you can get all these features for free from IPCop/Smoothwall and run it all on recycle iron? Cheers, Ian |