How to setup dmz

satish · 06-28-2006, 08:43 AM

i have following setup
Redhat 9.0 linux proxy server

eth0 192.168.1.2 internal
eth1 59.144.124.58 external

i want to configure dmz on eth2.so how i do this.my isp is giving me only one static ip.we want to access our application server(192.168.1.249:8500)from internet.i heard about dmz all do that stuff.so please give me full deatils on dmz as iam newbie to linux.

saavik · 06-28-2006, 09:02 AM

Actually DMZ is not any service, it just means an area which is like the lobby of a hotel.

It is the area where you should place the servers which you want to access from the internet like SMTP / Web or Application Servers like you want it.

I looks like this

DMZ
Internet <---> Router <----> Server 1 / Server2 <----> Router <----> Intranet

Some more infos you will find using Google (which you know yourself, I think).

So DMZ just means an potential unsecure area which is connected to the internet but not directy to your ethernet.

What you can do to access you Applicationserver from the Internet is to use IPTables to make a Portforwarding from your Router or Proxy (which is connected to the Internet) to your Applicationserver.

satish · 06-29-2006, 09:20 AM

i had searched in google but not found any article on how to start with dmz.please send me the link.also give me iptables commands for port forwarding because i am new to iptables.

saavik · 06-30-2006, 01:08 AM

1) unfortunattely GERMAN http://www.chkorn.de/tutorials-und-co/firewall-theorie/
2) http://www.tldp.org/HOWTO/IPCHAINS-HOWTO-7.html
3) http://publib.boulder.ibm.com/infoce.../07010307.html
4) http://www.mikrotik.com/docs/ros/2.8/appex/dmz

Checking for iptables command........please wait

Concerning iptables

prerouting <---> Forward <--> Postrouting
........................|..............|
........................|..............|
........................I..............O
........................N..............U
........................P..............T
........................U..............P
........................T..............U
.......................................T

For Portforwarding you need to make a DNAT (Destination Network Adress Translation) before
the routing desission is made.

So the exact command would be like

iptables -t nat -A PREROUTING -p tcp --dport 80 -i ppp0 -j DNAT --to XXX.XX.XX.XX:80

This meens that you forward anything that is comming on port 80 to the server with the IP xxx.xx.xx.xx. So you just need to find out which service you want to forward an there you go!