From: Thomas Simmons <twsnnva@cox.net>
To: netfilter@lists.netfilter.org
Subject: Advice setting up DMZ
Date: Tue, 04 Jan 2005 20:28:46 -0500
Message-ID: <41DB42CE.1000401@cox.net>
I will soon be setting up a Linux firewall at work and I would like to
get some advice on the best way to implement it. Currently the question
regards routing to the DMZ. We currently have ~30 websites being hosted
on an IIS server that's directly connected to the internet. The server
has multiple IP addresses assigned to the public interface, one for each
site, and a default IP. This server also hosts an FTP site for each
website, which uses the same IP as its website counterpart. Let's just
say the public IPs assigned to this server are
111.111.111.1-111.111.111.32. My first thought was to add 30+ aliases to
the firewall's public interface and use DNAT rules to forward traffic on
the needed ports to the webserver, which would have a private IP. I would add
something like this to my script.
IFCCMD="/sbin/ifconfig"
IPTCMD="/sbin/iptables"
PUBIF="eth2"
DMZIF="eth1"
PUBMSK="255.255.255.128"
# alias this site's public IP onto the firewall's public interface
$IFCCMD $PUBIF:1 111.111.111.1 netmask $PUBMSK
# HTTP: rewrite the destination to the DMZ host, then allow both directions
$IPTCMD -A PREROUTING -t nat -p tcp -d 111.111.111.1 --dport 80 -j DNAT \
    --to-destination 192.168.11.1:80
$IPTCMD -A FORWARD -i $PUBIF -o $DMZIF -p tcp --dport 80 -d 192.168.11.1 \
    -j ACCEPT
$IPTCMD -A FORWARD -i $DMZIF -o $PUBIF -p tcp --sport 80 -s 192.168.11.1 \
    -j ACCEPT
# HTTPS
$IPTCMD -A PREROUTING -t nat -p tcp -d 111.111.111.1 --dport 443 -j DNAT \
    --to-destination 192.168.11.1:443
$IPTCMD -A FORWARD -i $PUBIF -o $DMZIF -p tcp --dport 443 -d 192.168.11.1 \
    -j ACCEPT
$IPTCMD -A FORWARD -i $DMZIF -o $PUBIF -p tcp --sport 443 -s 192.168.11.1 \
    -j ACCEPT
# FTP control channel
$IPTCMD -A PREROUTING -t nat -p tcp -d 111.111.111.1 --dport 21 -j DNAT \
    --to-destination 192.168.11.1:21
$IPTCMD -A FORWARD -i $PUBIF -o $DMZIF -p tcp --dport 21 -d 192.168.11.1 \
    -j ACCEPT
$IPTCMD -A FORWARD -i $DMZIF -o $PUBIF -p tcp --sport 21 -s 192.168.11.1 \
    -j ACCEPT
# outbound traffic from the DMZ host leaves with its own public IP
$IPTCMD -t nat -A POSTROUTING -s 192.168.11.1 -o $PUBIF -j SNAT \
    --to-source 111.111.111.1
I would have to do this for each website, so basically I would be doing
that 30 more times in the script, with only IP changes. I have tested it
(not with 30 IPs, only 3) and it seems to work great. Is there a better
way to do what I need? Is this what is called 1-to-1 NAT? The system
that we are using as the firewall is a 1GHz Celeron w/ 256MB RAM. The OS
is basically a Debian base install w/ a 2.4.27-custom kernel. The public
and DMZ interfaces have GbE cards installed, so this system shouldn't
have any speed problems with this configuration. Is that a fair
assumption? Thanks in advance for any suggestions.
Regards,
Thomas
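The per-site block above pasted 30 times is the same rule set with only the addresses changed, so it can be generated from a loop. The script below is an added example, not code from the thread; it assumes the eth2/eth1 names and address ranges from the question, a 1:1 mapping of 111.111.111.N to 192.168.11.N, TCP ports 80, 443 and 21, and the 2.4-era ip_conntrack_ftp/ip_nat_ftp helper modules. It also replaces the --sport return rules with connection-state matching, so a DMZ host cannot open arbitrary outbound connections just by picking source port 80.

```shell
#!/bin/sh
# Added example (not from the thread): generate one set of DNAT/SNAT/FORWARD
# rules per public IP from a loop instead of pasting the block 30 times.
# Assumptions: eth2/eth1 and the addresses from the question, 1:1 mapping
# 111.111.111.N -> 192.168.11.N, ports 80/443/21. DRYRUN=1 (default) prints.
IPT="/sbin/iptables"
IFC="/sbin/ifconfig"
PUBIF="eth2"
DMZIF="eth1"
PUBMSK="255.255.255.128"
DRYRUN="${DRYRUN:-1}"

run() { if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# map_host INDEX PUBLIC_IP PRIVATE_IP "PORTS": alias plus the rules for one site.
map_host() {
    idx="$1"; pub="$2"; priv="$3"; ports="$4"
    run "$IFC" "$PUBIF:$idx" "$pub" netmask "$PUBMSK"
    for p in $ports; do
        # only rewrite packets that arrive on the public side for this public IP
        run "$IPT" -t nat -A PREROUTING -i "$PUBIF" -p tcp -d "$pub" --dport "$p" \
            -j DNAT --to-destination "$priv:$p"
        run "$IPT" -A FORWARD -i "$PUBIF" -o "$DMZIF" -p tcp -d "$priv" --dport "$p" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    # replies (and FTP data connections, via the ftp helper) match on connection
    # state rather than --sport, so the DMZ host cannot originate new flows
    run "$IPT" -A FORWARD -i "$DMZIF" -o "$PUBIF" -s "$priv" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -t nat -A POSTROUTING -o "$PUBIF" -s "$priv" -j SNAT --to-source "$pub"
}

# number of commands map_host emits for one host (1 alias + 2 per port + 2)
rule_count() { map_host "$@" | wc -l | tr -d ' '; }

# whole table: 32 public IPs, each mapped 1:1 to a DMZ address (assumption)
apply_all() {
    # FTP control is on 21; the conntrack/NAT helpers let RELATED match the
    # data connections, so they need no DNAT rules of their own
    run /sbin/modprobe ip_conntrack_ftp
    run /sbin/modprobe ip_nat_ftp
    i=1
    while [ "$i" -le 32 ]; do
        map_host "$i" "111.111.111.$i" "192.168.11.$i" "80 443 21"
        i=$((i + 1))
    done
}

apply_all
```

Run it once with the default DRYRUN=1 to review the generated rules, then with DRYRUN=0 to apply them.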