[Techtalk] iptables, dmz, public addys

Carla Schroder carla at bratgrrl.com
Tue Mar 14 08:03:16 EST 2006


hey all,

My poor little tiny ISP can only give me a single static public IP, so I can't 
test this my own self. :(

Here's the scenario:

Suppose I have a nice tri-homed Linux iptables firewall/gateway. Default 
filter table policies are:

$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT

My three network segments are 

wan 1.2.3.4
lan 192.168.1.1
dmz 192.168.2.1

On the dmz are a few public servers, the usual web, mail, ftp, wotever. These 
have public routable IPs. To correctly route incoming traffic to them, do I 
need only FORWARD rules? Like this:

$ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE -d 1.2.3.44 --dport 80 -j ACCEPT

I don't want any DNAT or SNAT on the server IPs, I want to use their real IPs. 
I want to forward only traffic that belongs to the servers, and drop all the 
other junk at the gateway.

thanks!

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Carla Schroder
 check out my "Linux Cookbook", the ultimate Linux user's
 and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
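An added example (not from the original post or its author) of the FORWARD ruleset the scenario above calls for. With the FORWARD policy set to DROP, a rule that only matches the inbound connection to the server is not enough: the server's replies also cross the FORWARD chain and are dropped unless connection tracking lets ESTABLISHED,RELATED traffic back out. Interface names (eth0, eth2) and the list of exposed services are assumptions; the 1.2.3.44 address and the $ipt variable come from the post. By default the script only prints the commands (ipt defaults to "echo iptables") so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: stateful FORWARD rules for a tri-homed gateway whose DMZ hosts
# carry public routable addresses (no NAT). Set ipt=iptables in the
# environment to apply the rules; the default only prints them for review.
ipt="${ipt:-echo iptables}"
WAN_IFACE="${WAN_IFACE:-eth0}"   # assumed interface name
DMZ_IFACE="${DMZ_IFACE:-eth2}"   # assumed interface name

# Constructed service list, one "address/proto/port" entry per published
# service. 1.2.3.44 is the post's example address; the rest are made up.
DMZ_SERVICES="1.2.3.44/tcp/80 1.2.3.44/tcp/443 1.2.3.45/tcp/25"

dmz_forward_rules() {
    # Replies and related traffic (ICMP errors, FTP data) for connections we
    # already accepted; without this the DROP policy kills every answer.
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections from the WAN are only forwarded to a listed server
    # address, protocol and port; everything else falls through.
    for svc in $DMZ_SERVICES; do
        ip=${svc%%/*}
        rest=${svc#*/}
        proto=${rest%%/*}
        port=${rest#*/}
        $ipt -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -p "$proto" \
             -d "$ip" --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Log what the DROP policy is about to discard, so probes against
    # unpublished ports on the DMZ show up in the gateway's logs.
    $ipt -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

dmz_forward_rules
```

The DROP policy itself provides the final deny, so no explicit DROP rule is appended. The gateway forwards these packets only if the server addresses are actually routed to it (the ISP routes that range to the WAN address, or the gateway answers ARP for them), which the rules above do not configure.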