Wednesday, January 09, 2008

Setting DMZ with iptables


DMZ (Demilitarised Zone)
What is a DMZ: we segment the network so that users coming in from the public network (the internet) can reach our web, mail and DNS servers without endangering the internal network. In other words, the resources are divided into two zones, one highly secured (internal) and one semi-secured (DMZ). We also want that, if the DMZ is somehow compromised, nobody can reach the internal network from the DMZ, while at the same time the internal network can still reach the DMZ servers.

Lab setup:
Take a system with 3 LAN cards and configure it as a router:
eth0 (192.168.10.1/24) connected to the internal network
eth1 (200.0.0.1/24, assumed) connected to the internet (public network)
eth2 (192.168.20.1/24) connected to the DMZ network (web server 192.168.20.2/24, mail server 192.168.20.3/24, DNS server 192.168.20.4/24)

# set the default policy to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# to configure the system as a router, enable ip forwarding by
sysctl -w net.ipv4.ip_forward=1

# allow traffic from internal (eth0) to DMZ (eth2)
iptables -t filter -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow traffic from internet (eth1) to DMZ (eth2)
iptables -t filter -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# redirect incoming web requests at eth1 (200.0.0.1) of FIREWALL to web server at 192.168.20.2
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 200.0.0.1 --dport 80 -j DNAT --to-dest 192.168.20.2
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 200.0.0.1 --dport 443 -j DNAT --to-dest 192.168.20.2

# redirect incoming mail (SMTP) requests at eth1 (200.0.0.1) of FIREWALL to mail server at 192.168.20.3
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 200.0.0.1 --dport 25 -j DNAT --to-dest 192.168.20.3

# redirect incoming DNS requests at eth1 (200.0.0.1) of FIREWALL to DNS server at 192.168.20.4
iptables -t nat -A PREROUTING -p udp -i eth1 -d 200.0.0.1 --dport 53 -j DNAT --to-dest 192.168.20.4
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 200.0.0.1 --dport 53 -j DNAT --to-dest 192.168.20.4
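The same three-interface lab as an added, tightened script (this is not the post's own script): the internet-to-DMZ FORWARD rule is narrowed to the five published services instead of any DMZ host and port, the internal LAN gets source NAT for internet access (which the rules above leave out), and the firewall host keeps loopback and reply traffic despite the DROP policies. Interface names and addresses are the post's lab values; the `ipt` wrapper and `DRY_RUN` switch are this example's own additions so the ruleset can be printed and reviewed without root.

```shell
#!/bin/sh
# Added example, not the original post's script: a DMZ ruleset that only
# exposes the published services, gives the internal LAN internet access,
# and keeps the firewall host itself usable. Lab values from the post.
INT_IF=eth0; INT_NET=192.168.10.0/24
EXT_IF=eth1; EXT_IP=200.0.0.1
DMZ_IF=eth2; WEB=192.168.20.2; MAIL=192.168.20.3; DNS=192.168.20.4

# With DRY_RUN=1 the rules are printed instead of applied, so the ruleset
# can be reviewed (or tested) without root or a real iptables binary.
ipt() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

dmz_rules() {
  ipt -P INPUT DROP; ipt -P OUTPUT DROP; ipt -P FORWARD DROP
  # the firewall host: loopback, plus replies to anything it initiated
  ipt -A INPUT  -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
  ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  # replies for every forwarded flow, in one rule, whichever direction
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # internal -> DMZ and internal -> internet may open new connections
  ipt -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -m conntrack --ctstate NEW -j ACCEPT
  ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m conntrack --ctstate NEW -j ACCEPT
  # internet -> DMZ only to the published services; FORWARD sees the
  # post-DNAT destination, so the filter rule names the real server
  for svc in "tcp $WEB 80" "tcp $WEB 443" "tcp $MAIL 25" "udp $DNS 53" "tcp $DNS 53"; do
    set -- $svc
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p "$1" -d "$2" --dport "$3" -m conntrack --ctstate NEW -j ACCEPT
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p "$1" --dport "$3" -j DNAT --to-destination "$2"
  done
  # DMZ -> internal gets no NEW rule at all, so a compromised DMZ host
  # cannot open connections inward; internal -> internet needs source NAT
  ipt -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
}

# "apply" installs the rules (needs root); "show" prints them for review.
case "${1:-}" in
  apply) sysctl -w net.ipv4.ip_forward=1; dmz_rules ;;
  show)  DRY_RUN=1; dmz_rules ;;
esac
```

Run `sh dmz.sh show` to print the 21 rules and check them before `sh dmz.sh apply`.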

5 comments:

Max said...

Hello, very nice blog and article.
I have a question. With those rules, is it possible to go to the internet from the internal LAN? And how can the clients from the internal LAN reach the DMZ? Isn't a NAT rule required? Thank you very much.

Zdenek said...

It is possible to visit the DMZ computers by default; the routing tunable is enough, because there is no additional gateway except the "firewall" computer and because that computer has the relevant addresses from the two networks assigned. (In weird setups, like when the routers have non-public ranges and public addresses are routed, great care must be taken when specifying gateways.)
The rules shown do not facilitate any internet access. Look into the SNAT target:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 200.100.200.100
Replace with your internal range, outgoing network interface and its public IP respectively.

Unknown said...

I have one router and firewall with 3 switches, and the DMZ connects to the web server. Will the following code work?
