I need to setup a server farm behind a firewall using dmz concept. Currently I’m working on setting up a web server using windows server 2003.

there are three NICs in the proxy server which are

201.139.100.90 = eth0 = ExternelAddress
192.168.1.251 = eth1 = InternalAddress
201.139.31.250 = eth2 = DMZ (which I get a block of static ip from our ISP-for the server farm
purpose)

all this network informations, I wrote it like this :

EXTERNALIF="eth0"
EXTERNALADDR="201.139.100.90"
EXTERNALBCAST="201.139.100.255"

INTERNALIF= " eth1 \ eth2"
INTERNALADDR= "192.168.1.251 \ 201.139.31.250"
INTERNALNET= "192.168.1.0/24 \ 201.139.31.0/24"
INTERNALBCAST= "192.168.1.255 \ 201.139.31.255"

# And for the port forwarding option, I put this code to open the port 80 to HTTP service behind the firewall

$IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 80
$IPTABLES -t nat -A PREROUTING -i $EXTERNALIF -p tcp --dport 80 -j DNAT --to 201.139.31.2:80

but unfortunately, the web service do not succesfull, unless accessed from the same Vlan.

What should I do more? What i need to do with the default policies??Di I need to enable the -t nat -P Prerouting,postrouting and output?

As I’m very poor in linux, can anyone help me with this..

thanks in advanced

You need to do the following

Read the information of the site refered by MAXUP

add an alias to the eth0 with the adress 201.139.31.250
add ip adress 10.0.0.1 to your DMZ eth2
give the ms webserver adress 10.0.0.2

Start building the script at that site

and this would be the result

#!/bin/sh

# iptables script generator: V0.1-2002
# Comes with no warranty!
# e-mail: michael@1go.dk

# Diable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

LAN_IP_NET='10.0.0.1/8'
LAN_NIC='eth1'
WAN_IP='201.139.100.90'
WAN_NIC='eth0'
FORWARD_IP='10.0.0.2'

# load some modules (if needed)

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# enable Masquerade and forwarding
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open ports to server on LAN
iptables -A FORWARD -j ACCEPT -p tcp --dport 80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.2:80

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

HEY my nick is maxut, NOT MAXUP

but i don think i can easily change the ip configurations, because it was given by the network administrator from the central.

They gave me the 201.139.31.250 for the DMZ_ip (eth2) and i gave the ms web server address as 201.139.31.2.

eth0 = Wan_ip = 201.139.100.90
eth1 = Lan_ip = 192.168.1.251
eth2 = DMZ_ip = 201.139.31.250 (our department received a block of ip 201.139.31.0 to 255 from our ISP - which will be used for our server farm, for example, web server = 201.139.31.1, DNS Server = 201.139.31.2, Mail Server = 201.139.31.3 )

I don think that i can change the DMZ ip to be added as an alias to the eth0. What the difference that i can see is...my DMZ_ip and Lan_ip is not in the same network segment as many example of iptables rules including the ip configuration that arno suggested.

-----errmm...what am i afraid of is i can't explain my problem clearly, but i do hope it will-------

thanks

u better visit www.netfilter.org and read the howtos and docs of iptables. so u will understand how u can do that.

I have adapted a standard script.
You wil see that your xxx.xxx.31 adres range wil be available to the internet but internally you will have to use the 192.168.31

PS never publish your ip adres on the net
does your ISP route the xxx.xxx.31.x range to xxx.xxx.100.90 ?

#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#

###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.

#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# STATIC_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you don't have a static
# IP, I suggest not using this option at all for now but it's stil
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)

INET_IP="xxx.xxx.100.90"
INET_IFACE="eth0"


LAN_IP="192.168.1.251"
LAN_BCAST_ADRESS="192.168.1.255"
LAN_IFACE="eth1"


NAT_HTTP_IP="xxx.xxx.31.1"
NAT_DNS_IP="xxx.xxx.31.2"
NAT_SMTP_IP="xxx.xxx.31.3"
NAT_IP="xxx.xxx.31.251"
DMZ_HTTP_IP="192.168.31.1"
DMZ_DNS_IP="192.168.31.2"
DMZ_SMTP_IP="192.168.31.3"
DMZ_IP="192.168.31.251"
DMZ_IFACE="eth2"

LO_IP="127.0.0.1"
LO_IFACE="lo"

# "General SNAT" Example
MAP_FROM=192.168.31.0/255.255.255.0
MAP_TO= xxx.xxx.31.0-xxx.xxx.31.255

IPTABLES="/usr/local/sbin/iptables"

###########################################
#
# Load all required IPTables modules
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#

/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE

#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc


#CRITICAL: Enable IP forwarding since it is disabled by default.
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################
#
# Chain Policies gets set up before any bad packets gets through
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# the allowed chain for TCP connections, utilized in the FORWARD chain
#

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules, utilized in the FORWARD chain
#


$IPTABLES -N icmp_packets

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#

$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# Do some checks for obviously spoofed IP's
#

$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
###########################################
# POSTROUTING chain in the nat table
#
# Enable IP SNAT for all internal networks trying to get out on the Internet
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

$iptables -t nat -A POSTROUTING -s $DMZ_HTTP_IP -j SNAT --to-destination $NAT_HTTP_IP
$iptables -t nat -A POSTROUTING -s $DMZ_DNS_IP -j SNAT --to-destination $NAT_DNS_IP
$iptables -t nat -A POSTROUTING -s $DMZ_SMTP_IP -j SNAT --to-destination $NAT_SMTP_IP
$iptables -t nat -A POSTROUTING -s $DMZ_IP -j SNAT --to-destination $NAT_IP

###########################################
# PREROUTING chain in the nat table
#
# Enable IP Destination NAT for DMZ zone
#

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $NAT_HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $NAT_DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $NAT_DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $NAT_SMTP_IP --dport 25 \
-j DNAT --to-destination $DMZ_SMTP_IP

###########################################
#
# FORWARD chain
#
#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


#
# DMZ section
#
# General rules
#

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT

#
# HTTP server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets

#
# DNS server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets

#
# LAN section
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# LOG all packets reaching here
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "


###########################################################
#
# Firewall rules
# Rules applying to the firewall box
#
#
# INPUT chain
#
# Bad TCP packets we don't want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

# From DMZ Interface to DMZ firewall IP
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

# From LAN Interface to LAN firewall IP
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

# From Localhost interface to Localhost IP
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

# All established and related packets incoming from the internet to the
# firewall
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# Logging rule
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

###########################################################
#
# OUTPUT chain
#
#
# Bad TCP packets we don't want
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Allow ourself to send packets not spoofed everywhere
#

$IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT

#
# Logging rule
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

sorry all the $iptables should be $IPTABLES