[PLUG] iptables, dmz, public addys
Charles Sliger
chaz at bctonline.com
Wed Mar 15 04:40:53 UTC 2006
Carla,
Yes, you only need FORWARD rules to let traffic get to the DMZ servers.
For greater security you can create multiple rules that are server-specific
so that traffic is restricted to the server/ports that are legitimate.
Regards,
Chaz
Charles L. Sliger, Information Systems Engineer, chaz at bctonline.com
"No matter where you go, there you are..."
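The server-specific FORWARD rules Chaz recommends, as an added example that is not from the thread: a small POSIX sh script that emits one NEW-connection rule per public DMZ address and port, plus the conntrack rule that lets reply traffic back out. Interface names, the 1.2.3.x server inventory and the service list are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the PLUG thread. Generates server-specific FORWARD
# rules for a tri-homed gateway whose DMZ hosts use real public IPs (no NAT).
# Interface names and the server inventory below are constructed/assumed.
WAN_IFACE=eth0
DMZ_IFACE=eth2

# One line per server: "<public-ip> <proto>/<port>[,<proto>/<port>...]"
# Constructed sample inventory; 1.2.3.44/80 matches the web server in the post.
DMZ_SERVERS='1.2.3.44 tcp/80,tcp/443
1.2.3.45 tcp/25
1.2.3.46 udp/53,tcp/53'

# Emit the iptables commands as text so they can be reviewed before applying.
dmz_forward_rules() {
    echo "iptables -P FORWARD DROP"
    # Replies for connections already accepted must be allowed in both directions,
    # otherwise the DROP policy silently eats the DMZ servers' answers.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$DMZ_SERVERS" | while read -r ip services; do
        [ -n "$ip" ] || continue
        # Split the comma-separated service list into proto/port pairs.
        for svc in $(echo "$services" | tr ',' ' '); do
            proto=${svc%/*}
            port=${svc#*/}
            # Only NEW connections from the WAN to this exact host and port.
            echo "iptables -A FORWARD -i $WAN_IFACE -o $DMZ_IFACE -p $proto -d $ip --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # Everything else bound for the DMZ falls through to the DROP policy;
    # rate-limited logging gives visibility into what is being rejected.
    echo "iptables -A FORWARD -i $WAN_IFACE -o $DMZ_IFACE -m limit --limit 5/min -j LOG --log-prefix \"DMZ-DROP: \""
}

# Review the output, then apply as root with:  dmz_forward_rules | sh
dmz_forward_rules
```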
-----Original Message-----
From: plug-bounces at lists.pdxlinux.org
[mailto:plug-bounces at lists.pdxlinux.org] On Behalf Of Carla Schroder
Sent: Monday, March 13, 2006 2:03 PM
To: plug at lists.pdxlinux.org
Subject: [PLUG] iptables, dmz, public addys
hey all,
Here's the scenario:
Suppose I have a nice tri-homed Linux iptables firewall/gateway. Default filter table policies are:
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
My three network segments are
wan 1.2.3.4
lan 192.168.1.1
dmz 192.168.2.1
On the dmz are a few public servers, the usual web, mail, ftp, wotever. These have public routable IPs. To correctly route incoming traffic to them, do I need only FORWARD rules? Like this:
$ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE -d 1.2.3.44 --dport 80 -j ACCEPT
I don't want any DNAT or SNAT on the server IPs, I want to use their real IPs.
The idea is to forward only traffic that belongs to the servers, and drop all the other junk at the gateway. (all them charming ssh attacks and ms sql worms etc. ad nauseam, thank you very much microtwits)
I'll have a limited bit of time for testing later this week, so I want to get it right the first time.
thanks!
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carla Schroder
check out my "Linux Cookbook", the ultimate Linux user's
and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_______________________________________________
PLUG mailing list
PLUG at lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug