Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Hello,
I need to learn how to create a simple DMZ with iptables.
My scenario:
A company has an internal web server and wants it to be available to internet users. For this they decide to create a DMZ to serve internal and external users.
We use only these ports: 80, 8080.
Please help us.
I suggest you grab an old PC from the cupboard and install IPCop on it. Use that to segregate your DMZ from your internal network. It's easy to install and very reliable.
"simple dmz with iptable" is a bit of an oxymoron.
Use IPCop or SmoothWall Express or one of the other specialty firewall distros. I know that both IPCop & SmoothWall Express have a DMZ built in. They both call it the "Orange" interface.
Having a DMZ is a good idea and one that isn't too hard to implement. It is my standard when I set up commercial networks. What it basically takes is two routers. One, the first one, will be your router to the world and will have your public IP address(es). On the other side of that router will exist your DMZ. This is where you would put your web servers, mail servers, file servers (if they need to be accessed from the outside), etc. On the other side of this subnet, you would place another router. This router will provide the DMZ on one side and your private LAN on the other. This way your private LAN is two subnets deep and can be firewalled by two different firewalls.
These two routers can be Linux boxes or whatever you desire. I would stay away from the big-box-store type of routers. If you want you can use full-blown desktops, but that is such a waste of good hardware to do something really simple. I would take a look at http://www.routerboard.com
These routers are all built on a Linux kernel and use Linux commands. They are inexpensive but provide a whole bunch of functionality. Anyway, hope this helps you in your endeavors.
Assumptions: You've got a GNU/Linux box with three network interfaces: LAN, DMZ, and WAN.
- Your LAN is: 192.168.1.0/24
- Your DMZ is: 192.168.2.0/24 (The IP of the server in your DMZ is: 192.168.2.101)
Simple example:
Code:
# Interface names are placeholders; set them to match your hardware.
LAN_IFACE=eth0
DMZ_IFACE=eth1
WAN_IFACE=eth2
# The box must be allowed to route between its interfaces.
sysctl -w net.ipv4.ip_forward=1
# Default deny for forwarded traffic; only the rules below open anything.
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# LAN hosts may open connections to the internet.
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.0/24 \
-m state --state NEW -j ACCEPT
# Internet clients may reach the DMZ web server on the published ports only.
iptables -A FORWARD -p TCP -i $WAN_IFACE -o $DMZ_IFACE -m multiport \
--dports 80,8080 -d 192.168.2.101 -m state --state NEW -j ACCEPT
# Publish the server on the WAN address; hide internal addresses going out.
iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE -m multiport \
--dports 80,8080 -j DNAT --to-destination 192.168.2.101
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
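The example above covers internet clients but not the "internal users" in the original scenario, and it relies on the FORWARD policy alone to keep DMZ hosts out of the LAN. The script below is an added example, not code from the post, that completes the ruleset for the same three-interface layout (LAN 192.168.1.0/24, DMZ server 192.168.2.101, ports 80 and 8080). The interface names, the SSH management rule and the public address 203.0.113.10 are assumptions; it prints the rules as a dry run unless APPLY=1 is set, so the ruleset can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the original post): full DMZ ruleset for one
# Linux box with LAN, DMZ and WAN interfaces. Interface names, the SSH
# rule and PUBLIC_IP are assumptions; override them via the environment.
# Dry run by default: prints the commands. Set APPLY=1 to execute them.
set -eu

LAN_IFACE="${LAN_IFACE:-eth0}"          # assumed: LAN side
DMZ_IFACE="${DMZ_IFACE:-eth1}"          # assumed: DMZ side
WAN_IFACE="${WAN_IFACE:-eth2}"          # assumed: internet side
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"  # placeholder (documentation range)
LAN_NET="192.168.1.0/24"
WEB_SERVER="192.168.2.101"
WEB_PORTS="80,8080"

# Wrapper: print the command in dry-run mode, execute it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

enable_forwarding() {
    if [ "${APPLY:-0}" = "1" ]; then
        sysctl -w net.ipv4.ip_forward=1
    else
        echo "sysctl -w net.ipv4.ip_forward=1"
    fi
}

build_dmz_rules() {
    # Clean slate, then default-deny everything not explicitly allowed.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Traffic to the firewall itself: loopback, replies, and SSH from the
    # LAN only, so the box stays manageable once INPUT is DROP (assumed).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

    # Forwarded traffic: replies to anything already allowed.
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # LAN may open connections to the internet.
    ipt -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    # Internal users reach the web server on the published ports only.
    ipt -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" -s "$LAN_NET" \
        -d "$WEB_SERVER" -p tcp -m multiport --dports "$WEB_PORTS" \
        -m state --state NEW -j ACCEPT
    # Internet users reach the web server on the published ports only
    # (the destination was already rewritten by the DNAT rule below).
    ipt -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -d "$WEB_SERVER" \
        -p tcp -m multiport --dports "$WEB_PORTS" \
        -m state --state NEW -j ACCEPT
    # The point of the DMZ: a compromised DMZ host must not open connections
    # into the LAN. The policy already drops this; a rate-limited LOG gives
    # the admin a signal that something in the DMZ is probing inward.
    ipt -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -m limit --limit 5/min \
        -j LOG --log-prefix "DMZ->LAN blocked: "
    ipt -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -j DROP

    # NAT: publish the server on the WAN interface.
    ipt -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp -m multiport \
        --dports "$WEB_PORTS" -j DNAT --to-destination "$WEB_SERVER"
    # Hairpin NAT so LAN users can use the public address/name as well;
    # masquerading on the DMZ side makes the server's replies come back
    # through the firewall instead of going straight to the LAN client.
    ipt -t nat -A PREROUTING -i "$LAN_IFACE" -d "$PUBLIC_IP" -p tcp \
        -m multiport --dports "$WEB_PORTS" -j DNAT --to-destination "$WEB_SERVER"
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$WEB_SERVER" -o "$DMZ_IFACE" \
        -p tcp -m multiport --dports "$WEB_PORTS" -j MASQUERADE
    ipt -t nat -A POSTROUTING -o "$WAN_IFACE" -j MASQUERADE
}

enable_forwarding
build_dmz_rules
```

Run it once without APPLY to read the generated rules, then with APPLY=1 as root on the firewall. The explicit DMZ-to-LAN DROP is redundant with the FORWARD policy but is deliberate: it keeps the DMZ boundary visible in the ruleset and gives the LOG rule something to report, which is the detection signal you want if the web server is ever compromised.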
Quote:
Do you have any idea how to prove this?
I would have to say that I guess I don't, other than the fact that all of the commands that I use from the command line in my distros work from their command line. While it isn't pure Linux (they obviously have built their own OS), it is based on it and that is good enough for me. I'm not a lawyer, so I couldn't comment on whether or not it's a violation of the GPL.
All I can tell you is that their stuff works well, is inexpensive, and does what I need it to. It seems to be based on the Linux kernel and works great from the command line.
Quote:
If you want you can use full blown desktops, but that is such a waste of good hardware to do something really simple.
If you use up to date machines for this then I would agree entirely, but one of the joys of using IPCop or Smoothwall is that you can use fairly low-spec equipment. Recycled desktops are fine as IPCop and Smoothwall Firewalls.
There are also lots of add-ons you can install to extend the firewall functionality - e.g. VPN connectivity, anti-virus, anti-spam, http and ftp filters, intrusion detection, URL filters - the list goes on.
Why lock in to a hardware vendor and spend money, when you can get all these features for free from IPCop/Smoothwall and run it all on recycled iron?
Cheers,
Ian
Last edited by blacky_5251; 02-06-2009 at 03:11 PM.