[PLUG] DMZ and iptables
Michael Rasmussen
mikeraz at patch.com
Thu Apr 5 01:39:01 UTC 2007
Carla Schroder wrote:
> WAN - 22.33.44.55
> LAN - 192.168.1.0/24
> DMZ - 192.168.2.0/24
>
> I want tight controls on traffic between the LAN and DMZ. So I need two
> FORWARD rules, then INPUT rules for specific services, correct? Like this
> example for a Web server in the DMZ. What I want to do is allow LAN clients to
> access the HTTP server in the DMZ, and nothing else:
>
> $ipt -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
This allows any type of traffic. You want to allow ssh, telnet, ftp, ... to
the Web server?
> $ipt -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
Yes, that fits your verbal description.
> $ipt -A INPUT -p tcp -i $DMZ_IFACE -s 192.168.1.0/24 --dport 80 -j ACCEPT
So you can get at the web server from the firewall?
--
Michael Rasmussen, Portland Oregon
Be appropriate && Follow your curiosity
http://www.patch.com/words/
The fortune cookie says:
Too much of a good thing is WONDERFUL.
-- Mae West
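As an added example (not Carla's or Michael's rules), here is a rule set that does what the verbal description asks for: LAN clients may open HTTP connections to one web server in the DMZ and nothing else, the DMZ may only answer connections the LAN opened, and INPUT is reserved for traffic addressed to the firewall itself. The interface names eth1/eth2 and the web server address 192.168.2.10 are assumptions; the two network ranges come from the thread. IPT defaults to a dry run that prints each command, so the script can be reviewed before being applied with IPT=iptables.

```shell
#!/bin/sh
# Added example: tightened LAN<->DMZ FORWARD rules for the setup in the thread.
# IPT defaults to a dry run that only prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
LAN_IFACE="${LAN_IFACE:-eth1}"      # assumed interface names
DMZ_IFACE="${DMZ_IFACE:-eth2}"
LAN_NET="192.168.1.0/24"            # LAN range from the thread
DMZ_WEB="${DMZ_WEB:-192.168.2.10}"  # hypothetical web server address in the DMZ

dmz_rules() {
    # Default deny for forwarded traffic, so only the explicit rules below pass.
    $IPT -P FORWARD DROP

    # LAN -> DMZ: only TCP to the web server's port 80. Matching on -p/-d/--dport
    # is what keeps ssh, telnet, ftp and everything else from riding on this rule.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" -s "$LAN_NET" -d "$DMZ_WEB" \
        -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # DMZ -> LAN: only packets belonging to connections the LAN side opened.
    # No NEW here, so a compromised DMZ host cannot initiate anything toward the LAN.
    $IPT -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log what the policy is about to drop in each direction, so denied
    # attempts show up in the kernel log instead of disappearing silently.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" -j LOG --log-prefix "LAN>DMZ denied: "
    $IPT -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -j LOG --log-prefix "DMZ>LAN denied: "

    # INPUT governs only traffic addressed to the firewall itself. A packet that
    # arrives on the DMZ interface claiming a LAN source address is spoofed;
    # drop it rather than accept it for any service.
    $IPT -A INPUT -i "$DMZ_IFACE" -s "$LAN_NET" -j DROP
}

dmz_rules
```

The order matters: the two ACCEPT rules come first, the LOG rules catch whatever they did not match, and the DROP policy finishes the job. The last rule replaces the quoted INPUT rule, which would only have mattered if the firewall itself ran a web server and, as written, accepted LAN-sourced packets arriving on the wrong interface.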