LinuxQuestions.org
Old 02-03-2009, 12:38 AM   #1
8211534635
LQ Newbie
 
Registered: Feb 2009
Posts: 1

Rep: Reputation: 0
how to create a simple DMZ?


Hello,
I need to learn how to create a simple DMZ with iptables.

My scenario:
A company has an internal web server and wants it to be available to internet users. For that they decided to create a DMZ to serve internal and external users.
We use only these ports: 80, 8080.
Please help us.

Thanks a lot.
 
Old 02-03-2009, 02:58 AM   #2
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 4&5, Fedora 10, CentOS 5.4, IPCop
Posts: 569

Rep: Reputation: 55
I suggest you grab an old PC from the cupboard and install IPCop on it. Use that to segregate your DMZ from your internal network. It's easy to install and very reliable.

Cheers,
 
Old 02-03-2009, 06:13 AM   #3
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 231
"simple dmz with iptable" is a bit of an oxymoron.

Use IPCop or SmoothWall Express or one of the other specialty firewall distros. I know that both IPCop & SmoothWall Express have a DMZ built in. They both call it the "Orange" interface.

Links:
http://freshmeat.net/projects/ipcop/
http://freshmeat.net/projects/smoothwall/
http://en.wikipedia.org/wiki/IPCop
http://en.wikipedia.org/wiki/SmoothWall
 
Old 02-04-2009, 11:48 AM   #4
ScooterB
Member
 
Registered: Sep 2003
Location: NW Arkansas
Distribution: Linux Redhat 9.0, Fedora Core 2,Debian 3.0, Win 2K, Win95, Win98, WinXp Pro
Posts: 344

Rep: Reputation: 31
Having a DMZ is a good idea and one that isn't too hard to implement. It is my standard when I set up commercial networks. What it basically takes is two routers. One, the first one, will be your router to the world and will have your public IP address(es). On the other side of that router will exist your DMZ. This is where you would put your web servers, mail servers, file servers (if needed to access from the outside), etc. On the other side of this subnet, you would place another router. This router will provide the DMZ on one side and your private LAN on the other. This way your private LAN is two subnets deep and can be firewalled by two different firewalls.

These two routers can be Linux boxes or whatever you desire. I would stay away from the Big Box store type of routers. If you want you can use full-blown desktops, but that is such a waste of good hardware to do something really simple. I would take a look at http://www.routerboard.com

These routers are all built on a Linux kernel and use linux commands. They are inexpensive but provide a whole bunch of functionality. Anyway, hope this helps you in your endeavors.
 
Old 02-04-2009, 12:43 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by 8211534635
Hello,
I need to learn how to create a simple DMZ with iptables.

My scenario:
A company has an internal web server and wants it to be available to internet users. For that they decided to create a DMZ to serve internal and external users.
We use only these ports: 80, 8080.
Please help us.

Thanks a lot.
Assumptions: You've got a GNU/Linux box with three network interfaces: LAN, DMZ, and WAN.
- Your LAN is: 192.168.1.0/24
- Your DMZ is: 192.168.2.0/24 (The IP of the server in your DMZ is: 192.168.2.101)

Simple example:
Code:
# Interface names (assumed here; adjust them to match your box)
LAN_IFACE=eth0
DMZ_IFACE=eth1
WAN_IFACE=eth2
# Routing between the interfaces has to be switched on for FORWARD to see anything
echo 1 > /proc/sys/net/ipv4/ip_forward

# Nothing is forwarded between interfaces unless a rule below allows it
iptables -P FORWARD DROP

# Replies and related packets for connections already accepted may pass
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# LAN hosts may open new connections to the internet
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.0/24 \
-m state --state NEW -j ACCEPT

# The internet may open new connections to the DMZ web server on 80 and 8080 only
iptables -A FORWARD -p TCP -i $WAN_IFACE -o $DMZ_IFACE -m multiport \
--dports 80,8080 -d 192.168.2.101 -m state --state NEW -j ACCEPT

# Rewrite inbound 80/8080 arriving on the WAN interface to the DMZ web server
iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE -m multiport \
--dports 80,8080 -j DNAT --to-destination 192.168.2.101

# Hide LAN and DMZ addresses behind the WAN address for outbound traffic
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

Last edited by win32sux; 02-04-2009 at 01:05 PM.
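To see what the ruleset above actually forwards, here is an added example (not code from the thread) that models win32sux's DNAT rule and FORWARD chain in Python; the interface names, the public address 198.51.100.1 and the sample packets are constructed. It shows that a host in the DMZ cannot open new connections into the LAN, and that LAN clients talking to the DMZ server directly would need a rule of their own.

```python
# Added example (not code from the thread): a small model of win32sux's
# ruleset, used to check what this DMZ design forwards and what it drops.
# Interface names, the public address and the sample packets are constructed.
from dataclasses import dataclass, replace

LAN_IFACE, DMZ_IFACE, WAN_IFACE = "eth0", "eth1", "eth2"  # assumed names
LAN_NET, DMZ_NET = "192.168.1.", "192.168.2."
DMZ_SERVER = "192.168.2.101"
PUBLIC_IP = "198.51.100.1"        # constructed address on the WAN interface
WEB_PORTS = {80, 8080}

@dataclass
class Pkt:
    in_if: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    state: str = "NEW"

def prerouting(p: Pkt) -> Pkt:
    """nat PREROUTING: TCP 80/8080 arriving on WAN is DNATed to the DMZ server."""
    if p.in_if == WAN_IFACE and p.proto == "tcp" and p.dport in WEB_PORTS:
        return replace(p, dst=DMZ_SERVER)
    return p

def route(dst: str) -> str:
    """Routing decision taken after PREROUTING: choose the output interface."""
    if dst.startswith(LAN_NET):
        return LAN_IFACE
    if dst.startswith(DMZ_NET):
        return DMZ_IFACE
    return WAN_IFACE

def forward(p: Pkt, out_if: str) -> str:
    """FORWARD chain with the rules in the posted order; chain policy is DROP."""
    if p.state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if (p.in_if == LAN_IFACE and out_if == WAN_IFACE
            and p.src.startswith(LAN_NET) and p.state == "NEW"):
        return "ACCEPT"
    if (p.proto == "tcp" and p.in_if == WAN_IFACE and out_if == DMZ_IFACE
            and p.dport in WEB_PORTS and p.dst == DMZ_SERVER and p.state == "NEW"):
        return "ACCEPT"
    return "DROP"

def verdict(p: Pkt) -> str:
    """Path of a forwarded packet: DNAT, then routing, then the FORWARD chain."""
    p = prerouting(p)
    return forward(p, route(p.dst))
```

Running verdict() over a DMZ-to-LAN packet returns DROP, which is the property the DMZ exists for; a LAN-to-DMZ packet on port 80 is also dropped by this ruleset.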
 
Old 02-05-2009, 07:30 AM   #6
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 231
Quote:
Originally Posted by ScooterB
I would take a look at http://www.routerboard.com

These routers are all built on a Linux kernel and use linux commands. They are inexpensive but provide a whole bunch of functionality. Anyway, hope this helps you in your endeavors.
I did, & they are interesting.

I ran a Google Linux search on their RouterOS: http://www.google.com/linux?q=RouterOS
& read the linux.com article it found: http://www.linux.com/feature/54302
I tracked down the OS pricing page on their Wiki: http://wiki.mikrotik.com/wiki/Software_levels

From the few example commands I saw, it's not obviously Linux; yet the article calls it "Linux-based".

Do you have any idea how to prove this?

Isn't this a violation of the GPL?
 
Old 02-05-2009, 09:31 AM   #7
ScooterB
Member
 
Registered: Sep 2003
Location: NW Arkansas
Distribution: Linux Redhat 9.0, Fedora Core 2,Debian 3.0, Win 2K, Win95, Win98, WinXp Pro
Posts: 344

Rep: Reputation: 31
Quote:
Do you have any idea how to prove this?
I would have to say that I guess I don't, other than the fact that all of the commands that I use from the command line in my distros work from their command line. While it isn't pure Linux (they obviously have built their own OS), it is based on it and that is good enough for me. I'm not a lawyer, so I couldn't comment on whether or not it's a violation of the GPL.

All I can tell you is that their stuff works well, is inexpensive, and does what I need it to. It seems to be based on the Linux kernel and works great from the command line.
 
Old 02-06-2009, 04:06 PM   #8
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 4&5, Fedora 10, CentOS 5.4, IPCop
Posts: 569

Rep: Reputation: 55
ScooterB wrote:
Quote:
If you want you can use full blown desktops, but that is such a waste of good hardware to do something really simple.
If you use up-to-date machines for this then I would agree entirely, but one of the joys of using IPCop or Smoothwall is that you can use fairly low-spec equipment. Recycled desktops are fine as IPCop and Smoothwall firewalls.

There are also lots of add-ons you can install to extend the firewall functionality - e.g. VPN connectivity, anti-virus, anti-spam, http and ftp filters, intrusion detection, URL filters - the list goes on.

Why lock in to a hardware vendor and spend money, when you can get all these features for free from IPCop/Smoothwall and run it all on recycled iron?

Cheers,

Ian

Last edited by blacky_5251; 02-06-2009 at 04:11 PM.
 