[Techtalk] iptables, dmz, public addys
Carla Schroder
carla at bratgrrl.com
Tue Mar 14 08:03:16 EST 2006
hey all,
My poor little tiny ISP can only give me a single static public IP, so I can't
test this my own self. :(
Here's the scenario:
Suppose I have a nice tri-homed Linux iptables firewall/gateway. Default
filter table policies are:
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
My three network segments are
wan 1.2.3.4
lan 192.168.1.1
dmz 192.168.2.1
On the dmz are a few public servers, the usual web, mail, ftp, whatever. These
have public routable IPs. To correctly route incoming traffic to them, do I
need only FORWARD rules? Like this:
$ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE -d 1.2.3.44 --dport 80 -j ACCEPT
I don't want any DNAT or SNAT on the server IPs, I want to use their real IPs.
I want to forward only traffic that belongs to the servers, and drop all the
other junk at the gateway.
thanks!
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carla Schroder
check out my "Linux Cookbook", the ultimate Linux user's
and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
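The scenario in the post above, worked through as an added example; this is not the poster's own rule set and not code from the Techtalk thread. It assumes interface names (eth0 WAN, eth1 LAN, eth2 DMZ), a hypothetical public block 1.2.3.32/28 for the DMZ that the ISP routes to 1.2.3.4, and made-up server addresses 1.2.3.44 to 1.2.3.46. Three things the single FORWARD rule in the post leaves out are included here: net.ipv4.ip_forward must be on, the reply packets from the servers need an ESTABLISHED,RELATED rule because the FORWARD policy is DROP, and packets arriving on the WAN with a DMZ or LAN source address should be dropped as spoofed. No nat table rules appear anywhere, since the servers use their real addresses. DRY_RUN=1 prints the iptables commands instead of running them, so the script can be inspected without root.

```shell
#!/bin/sh
# Added example for a tri-homed iptables gateway with a routed (not NATed)
# public DMZ. Interface names, the DMZ block and the server addresses below
# are assumptions for illustration; adjust them to the real network.
WAN_IFACE=${WAN_IFACE:-eth0}   # 1.2.3.4
LAN_IFACE=${LAN_IFACE:-eth1}   # 192.168.1.1
DMZ_IFACE=${DMZ_IFACE:-eth2}   # gateway side of the public DMZ block
LAN_NET=192.168.1.0/24
DMZ_NET=1.2.3.32/28            # hypothetical public block routed to 1.2.3.4

# Wrapper: with DRY_RUN=1 just print the command, otherwise run iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# Open one service on one DMZ host for new connections from the WAN.
# Usage: allow_dmz_service <server-ip> <proto> <port>
allow_dmz_service() {
    ipt -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -p "$2" -d "$1" --dport "$3" \
        -m conntrack --ctstate NEW -j ACCEPT
}

build_rules() {
    # The DMZ addresses are routed, so the kernel must forward at all.
    if [ "${DRY_RUN:-0}" != 1 ]; then sysctl -q -w net.ipv4.ip_forward=1; fi

    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F FORWARD

    # Anti-spoofing: nothing on the WAN may claim a DMZ or LAN source address.
    ipt -A FORWARD -i "$WAN_IFACE" -s "$DMZ_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IFACE" -s "$LAN_NET" -j DROP

    # Replies and related traffic for every accepted connection. Without this
    # the DROP policy eats the servers' SYN-ACKs and no service answers.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Per-server, per-port holes: only what each server actually offers.
    allow_dmz_service 1.2.3.44 tcp 80
    allow_dmz_service 1.2.3.44 tcp 443
    allow_dmz_service 1.2.3.45 tcp 25
    # FTP data channels arrive as RELATED; nf_conntrack_ftp must be loaded.
    allow_dmz_service 1.2.3.46 tcp 21

    # LAN hosts may open connections into the DMZ; the DMZ may not open
    # connections into the LAN, so a compromised server cannot pivot inward.
    ipt -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -j DROP
}

# "sh script.sh show" prints the rule set; "sh script.sh apply" loads it.
case "${1:-}" in
    show)  DRY_RUN=1; build_rules ;;
    apply) build_rules ;;
esac
```

Two checks before trusting this on a live box: confirm with `ip route get 1.2.3.44` from outside (or ask the ISP) that the DMZ block really is routed to 1.2.3.4, because if the public addresses are instead carved out of the WAN's own subnet the gateway must answer ARP for them (proxy ARP) and routing alone will not deliver the packets; and run `show` first and read the output, since a rule set with a DROP policy and a typo in an interface name fails closed. LAN access to the internet is a separate matter (that traffic does need MASQUERADE or SNAT on the WAN side) and is deliberately left out, as the post is about the server addresses only.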