From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: newbie question - what is the iptables equivalent of a Linksys "DMZ" ?
Date: Sun, 14 Nov 2004 11:44:16 -0500
Message-ID: <41978B60.80802@817west.com>
In-Reply-To: <1100392955.4894.25.camel@localhost.localdomain>

David Williamson wrote:
> I'm brand new at this but have managed to get my Ubuntu Debian box
> routing for my home LAN.  The point for me was to replace my little blue
> Linksys router, and it's working fine so far.  About all I had to do was
> apt-get install ipmasq and dnsmasq.  
> 
> There's a feature on the Linksys box, however, that I can't figure out
> how to implement, because I don't know how it worked on the Linksys box,
> and that is the DMZ function.  When a machine behind the router was
> going to serve as a, for example, game server (like Unreal Tournament
> 2004), the only way I could get it to work was to put that particular IP
> on the DMZ, which, I gather, meant that it looked like it was right on
> the net, unprotected, unrouted, unmasqed, et cetera.  
> 
> Since I'm trying to understand what the Linksys box did and give the new
> router box the same abilities, it would help if I knew what the heck
> that feature was really called, and/or how to implement that in
> iptables. 

NOTE:  what you are about to read is a terrible, awful, ridiculous, 
horrendous idea and i condone absolutely no part of it.

what your linksys "DMZ" function performs is something along the lines of:

   # every packet arriving on the external interface for the public address,
   # any protocol and any port, gets its destination rewritten to the DMZ host
   iptables -t nat -A PREROUTING -i $EXTERNAL_IF -d $EXTERNAL_IP \
     -j DNAT --to-destination $DMZ_PC_PRIV_IP

   # FORWARD sees the packet after DNAT, so it matches on the private address;
   # again no protocol or port restriction
   iptables -A FORWARD -i $EXTERNAL_IF -d $DMZ_PC_PRIV_IP -j ACCEPT

<rant>
using the "DMZ" function of the linksys or doing the above with 
netfilter is the ultimate act of laziness that does nothing but 
contribute to the never-ending security problems on the Internet.  if 
you desire to "step up" to a real firewall system, i would plead with 
you to do a little bit of homework and try to figure out what ports 
actually need to be opened for the application in question to work.

searching the web for "unreal tournament firewall ports" turns up tons 
of information on how to do this.  you'd get much better responses on 
this list to a question like, "i found this list of ports i need to open 
for unreal tournament, but i'm not really sure how to write the rules" 
than "how do i set up a firewall to do absolutely no firewalling?"
</rant>

the answer to the question i wish you had asked (ports list taken from: 
  http://www.portforward.com/cports.htm):

   # rewrite only the listed ports/protocols to the DMZ host
   iptables -t nat -A PREROUTING -p udp -i $EXTERNAL_IF -d $EXTERNAL_IP \
     --dport 7777:7778 -j DNAT --to-destination $DMZ_PC_PRIV_IP

   iptables -t nat -A PREROUTING -p udp -i $EXTERNAL_IF -d $EXTERNAL_IP \
     --dport 7787 -j DNAT --to-destination $DMZ_PC_PRIV_IP

   iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL_IF -d $EXTERNAL_IP \
     --dport 28902 -j DNAT --to-destination $DMZ_PC_PRIV_IP

   # and let only those same ports through FORWARD (post-NAT, so match on
   # the private address)
   iptables -A FORWARD -p udp -i $EXTERNAL_IF -d $DMZ_PC_PRIV_IP \
     --dport 7777:7778 -j ACCEPT

   iptables -A FORWARD -p udp -i $EXTERNAL_IF -d $DMZ_PC_PRIV_IP \
     --dport 7787 -j ACCEPT

   iptables -A FORWARD -p tcp -i $EXTERNAL_IF -d $DMZ_PC_PRIV_IP \
     --dport 28902 -j ACCEPT

-j

--
Jason Opperisano <opie@817west.com>

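As an added example, not part of Jason's mail or of any project's code, the following POSIX shell script builds both rule sets from the thread so they can be compared side by side: the blanket "DMZ" forward and the port-specific UT2004 forward. It also adds the stateful ESTABLISHED,RELATED rule that a FORWARD chain with a DROP policy needs so that replies to forwarded connections get back through. The interface name, the addresses, the MODE variable and the dry-run default (IPT set to "echo iptables", so rules are printed rather than loaded) are assumptions for the example; the UT2004 ports are the ones quoted in the reply above.

```shell
#!/bin/sh
# Added example (not from the original mail).  Emits the two rule sets
# discussed in the thread so they can be compared, and applies them only
# if IPT is pointed at a real iptables binary.
# Assumptions for the example: interface eth0, a public address from the
# TEST-NET-3 documentation range, LAN host 192.168.1.50.  All can be
# overridden from the environment.

EXTERNAL_IF=${EXTERNAL_IF:-eth0}
EXTERNAL_IP=${EXTERNAL_IP:-203.0.113.10}
DMZ_PC_PRIV_IP=${DMZ_PC_PRIV_IP:-192.168.1.50}
# Dry run by default: the rules are printed, not loaded.  Run as root with
# IPT=iptables to actually install them.
IPT=${IPT:-"echo iptables"}

# Linksys-style "DMZ": every packet that arrives on the external interface
# for the public address, any protocol and any port, is rewritten to the
# LAN host and accepted.  Nothing is filtered.
dmz_rules() {
  $IPT -t nat -A PREROUTING -i "$EXTERNAL_IF" -d "$EXTERNAL_IP" \
    -j DNAT --to-destination "$DMZ_PC_PRIV_IP"
  $IPT -A FORWARD -i "$EXTERNAL_IF" -d "$DMZ_PC_PRIV_IP" -j ACCEPT
}

# One protocol/port forward.  PREROUTING rewrites the destination; FORWARD
# runs after NAT, so its -d matches the private address.  --ctstate NEW
# limits the ACCEPT to connection openers; replies are handled by the
# state rule in ut2004_rules.
forward_port() {
  proto=$1
  ports=$2
  $IPT -t nat -A PREROUTING -p "$proto" -i "$EXTERNAL_IF" -d "$EXTERNAL_IP" \
    --dport "$ports" -j DNAT --to-destination "$DMZ_PC_PRIV_IP"
  $IPT -A FORWARD -p "$proto" -i "$EXTERNAL_IF" -d "$DMZ_PC_PRIV_IP" \
    --dport "$ports" -m conntrack --ctstate NEW -j ACCEPT
}

# Port-specific forward for UT2004, using the port list quoted in the reply.
# The state rule goes first so that replies to forwarded connections (and to
# the LAN's own outbound traffic) are accepted without a per-port rule.
ut2004_rules() {
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  forward_port udp 7777:7778
  forward_port udp 7787
  forward_port tcp 28902
}

# MODE=dmz prints/loads the blanket forward, anything else the port list.
case "${MODE:-ports}" in
  dmz) dmz_rules ;;
  *)   ut2004_rules ;;
esac
```

Running it with MODE=dmz shows why the rant stands: the DMZ variant is two rules with no -p and no --dport, so every protocol and every port reaching the public address lands on the LAN host. The port variant is longer but only the three listed services are reachable from outside; everything else hits whatever the FORWARD policy is.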


Thread overview:
2004-11-14  0:42 newbie question - what is the iptables equivalent of a Linksys "DMZ" ? David Williamson
2004-11-14  0:57 ` Chris Brenton
2004-11-14  2:18 ` Question; what is this netfilter logfile entry ? Bo Jacobsen
2004-11-14  7:42   ` Marc Haber
2004-11-14 10:51   ` Chris Brenton
2004-11-14 21:41     ` Bo Jacobsen
2004-11-14 17:02   ` Jason Opperisano
2004-11-14 13:35 ` newbie question - what is the iptables equivalent of a Linksys "DMZ" ? Tobias DiPasquale
2004-11-14 16:44 ` Jason Opperisano [this message]
2004-11-14 21:05   ` David Williamson
