[PLUG] DMZ and iptables

Michael Rasmussen mikeraz at patch.com
Thu Apr 5 01:39:01 UTC 2007


Carla Schroder wrote:
> WAN - 22.33.44.55
> LAN - 192.168.1.0/24
> DMZ - 192.168.2.0/24
> 
> I want tight controls on traffic between the LAN and DMZ. So I need two 
> FORWARD rules, then INPUT rules for specific services, correct? Like this 
> example for a Web server in the DMZ. What I want to do is allow LAN clients to 
> access the HTTP server in the DMZ, and nothing else:
> 
> $ipt -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

This allows any type of traffic. You want to allow ssh, telnet, ftp, ... to
the Web server?

> $ipt -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

Yes, that fits your verbal description.

> $ipt -A INPUT -p tcp -i $DMZ_IFACE -s 192.168.1.0/24 --dport 80 -j ACCEPT

So you can get at the web server from the firewall?


-- 
      Michael Rasmussen, Portland Oregon  
    Be appropriate && Follow your curiosity
          http://www.patch.com/words/ 
  The fortune cookie says:
Too much of a good thing is WONDERFUL.
		-- Mae West
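The point raised above (the LAN-to-DMZ FORWARD rule has no protocol or port match, so it forwards far more than HTTP) as an added example, not code from either poster: the broad rule beside a tightened rule set that lets only tcp/80 open new connections into the DMZ, plus a check that flags any NEW-accepting rule lacking a port. Interface names, the web server address and the `IPT` dry-run default are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. IPT defaults to "echo iptables"
# so the rule set prints for review instead of being loaded; set IPT=iptables
# to apply it. Interface names and the DMZ web server address are assumed.
IPT="${IPT:-echo iptables}"
LAN_IFACE="${LAN_IFACE:-eth1}"
DMZ_IFACE="${DMZ_IFACE:-eth2}"
LAN_NET="192.168.1.0/24"
DMZ_WEB="192.168.2.10"        # assumed address of the DMZ web server

# The rule from the question, kept only for comparison: with no -p/--dport
# it forwards ssh, telnet, ftp, anything at all from the LAN into the DMZ.
broad_rule() {
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Tightened version: replies flow both ways by state, NEW connections from
# the LAN are accepted only for HTTP to the web server, and the rest is
# logged and dropped. INPUT rules are not needed for this: they only govern
# packets addressed to the firewall host itself, not forwarded traffic.
tight_rules() {
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -p tcp -i "$LAN_IFACE" -o "$DMZ_IFACE" \
        -s "$LAN_NET" -d "$DMZ_WEB" --dport 80 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" \
        -j LOG --log-prefix "LAN2DMZ-DROP "
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" -j DROP
    # New connections from the DMZ toward the LAN are never opened.
    $IPT -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -j DROP
}

# Review check on a generated rule set: any FORWARD rule that accepts NEW
# connections must name a destination port. Returns 0 when none is open.
check_no_open_new() {
    "$@" | grep -- '--state NEW' | grep -v -- '--dport' | grep -q . && return 1
    return 0
}
```

Run it as `sh rules.sh` (assumed filename) to print the rules, or `IPT=iptables sh rules.sh` as root to load them.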