Old 10-08-2006, 12:18 AM   #1
XaViaR
Member
 
Registered: Dec 2004
Distribution: RHEL, CentOS, SuSE
Posts: 170

Rep: Reputation: 30
IPTables + DMZ Host


hello,

I am trying to set up a DMZ Host on my LAN network. I've used a Linksys router in the past (2 years ago); since then I built my router using Linux and 4 NICs (I have three internal private subnets, i.e. trusted, wireless and web subnet).

My Linksys router has the following option:

DMZ Host

The DMZ Host setting can allow one local PC to be exposed to the Internet. If a local user wishes to use some special-purpose service such as an Internet game or video-conferencing, enable DMZ, fill in the IP address, and click the Save Settings button. Selecting Disable for DMZ deactivates this feature. When enabling this setting, the Router firewall protection of the local DMZ host will be disabled.

Is it possible to replicate the "DMZ Host" using iptables? If so, how? I would like to set up my internal webserver as a DMZ Host as described above. Currently, I am using IP forwarding (forwarding ports 80 and 443).

Thanks for your time and help!
 
Old 10-08-2006, 01:57 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by XaViaR
Is it possible to replicate the "DMZ Host" using iptables? If so, how? I would like to set up my internal webserver as a DMZ Host as described above. Currently, I am using IP forwarding (forwarding ports 80 and 443).
if you are forwarding ports to a LAN, then by definition you already have a DMZ...
 
Old 10-08-2006, 10:05 AM   #3
XaViaR
Member
 
Registered: Dec 2004
Distribution: RHEL, CentOS, SuSE
Posts: 170

Original Poster
Rep: Reputation: 30
If I check the box "DMZ Host" on the Linksys router for computer A, then I don't have to do any type of port forwarding on the Linksys router to point port(s) to computer A. And computer A is made publicly available with ALL ports opened to the world, given that the local firewall on computer A is wide open.

Is this possible using iptables?
 
Old 10-08-2006, 12:38 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by XaViaR
If I check the box "DMZ Host" on the Linksys router for computer A, then I don't have to do any type of port forwarding on the Linksys router to point port(s) to computer A. And computer A is made publicly available with ALL ports opened to the world, given that the local firewall on computer A is wide open.

Is this possible using iptables?
sure, although i would recommend avoiding this kinda setup if possible... it's always best to allow *only* the ports you need... that said, to get the whole port range forwarded it's just like regular port-forwarding rules, except that you don't specify any ports (which makes the rule work for all of them)... for example:
Code:
# default: drop anything routed through the box that is not explicitly allowed
iptables -P FORWARD DROP

# no port given: every packet arriving on the WAN interface is rewritten to the DMZ host
iptables -t nat -A PREROUTING -i $WAN_IFACE -j DNAT \
--to-destination $DMZ_HOST_IP

# replies and related traffic of connections already tracked by conntrack
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# new connections only from the WAN interface to the DMZ host on the DMZ interface
iptables -A FORWARD -i $WAN_IFACE -o $DMZ_IFACE -d $DMZ_HOST_IP \
-m state --state NEW -j ACCEPT

# source NAT for everything leaving through the WAN interface
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
keep in mind that this basically kills your ability to accept incoming connections on the firewall box itself (WAN side)... so if you need to have that ability then you'll need to make an exception for a port/range...

the above example would allow clients on the WAN to establish pretty much any connection with the box on the DMZ (by attempting to connect to the WAN IP), which is what you are asking for... the box on the DMZ, however, will still need rules if it is to be allowed to establish connections on its own... typically, one does *NOT* want hosts on a DMZ to be able to start connections of their own, so the rules as they are should suffice...

but in case you do need to allow the DMZ host to establish connections with the outside (for whatever reason), it would look like this:
Code:
iptables -P FORWARD DROP

iptables -t nat -A PREROUTING -i $WAN_IFACE -j DNAT \
--to-destination $DMZ_HOST_IP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $WAN_IFACE -o $DMZ_IFACE -d $DMZ_HOST_IP \
-m state --state NEW -j ACCEPT

# added: let the DMZ host start new connections, but only towards the WAN interface
iptables -A FORWARD -i $DMZ_IFACE -o $WAN_IFACE -s $DMZ_HOST_IP \
-m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
notice how we are specifying the DMZ and WAN interfaces here also... this way when the box on your DMZ gets owned/rooted, the firewall will still at least prevent the attacker from connecting to your LAN...

optimally you'd wanna make the rules more specific, though... like, let's say that the only type of connection you need the DMZ box to be able to start is (for example) SSH ones... then:
Code:
iptables -P FORWARD DROP

iptables -t nat -A PREROUTING -i $WAN_IFACE -j DNAT \
--to-destination $DMZ_HOST_IP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $WAN_IFACE -o $DMZ_IFACE -d $DMZ_HOST_IP \
-m state --state NEW -j ACCEPT

# restricted: the DMZ host may only start new TCP connections to port 22 on the WAN side
iptables -A FORWARD -p TCP -i $DMZ_IFACE -o $WAN_IFACE \
-s $DMZ_HOST_IP --dport 22 -m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

Last edited by win32sux; 10-08-2006 at 01:03 PM.
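The ruleset above as a reusable script, with the "exception for a port/range" win32sux mentions worked out: here the firewall box keeps TCP port 22 on its WAN side for itself, and everything else arriving on the WAN goes to the DMZ host. This is an added example, not code from the thread; interface names, the host address and the port are placeholders passed as arguments, and the IPT variable lets you dry-run it with IPT=echo before applying it as root.

```shell
#!/bin/sh
# Added example (not from the thread): "DMZ host" ruleset as a function, plus
# one port kept for the firewall itself. Dry-run: IPT=echo sh dmz.sh eth0 eth1 192.168.2.10 22
IPT=${IPT:-iptables}

dmz_host_rules() {
    wan=$1; dmz=$2; host=$3; fw_port=$4   # fw_port: TCP port the firewall keeps on the WAN side

    # routed traffic is denied unless a rule below allows it
    $IPT -P FORWARD DROP

    # The exception must precede the catch-all DNAT. ACCEPT in the nat table means
    # "do not NAT this packet", so it stays addressed to the firewall and reaches INPUT.
    $IPT -t nat -A PREROUTING -i "$wan" -p tcp --dport "$fw_port" -j ACCEPT
    # INPUT rule for that port (only matters if your INPUT policy is DROP)
    $IPT -A INPUT -i "$wan" -p tcp --dport "$fw_port" -m state --state NEW -j ACCEPT

    # catch-all: every other packet arriving on the WAN is rewritten to the DMZ host
    $IPT -t nat -A PREROUTING -i "$wan" -j DNAT --to-destination "$host"

    # tracked connections may continue; new ones only from WAN to the DMZ host
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$wan" -o "$dmz" -d "$host" -m state --state NEW -j ACCEPT
    # no DMZ -> LAN and no DMZ-initiated rule: FORWARD DROP still blocks those

    $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

if [ $# -eq 4 ]; then
    dmz_host_rules "$@"
fi
```

Check the dry-run output: the `--dport` exception line must print before the `-j DNAT` line, and no rule with `-i <dmz> -o <wan>` should appear, otherwise the DMZ host could open connections on its own.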