[Techtalk] iptables, dmz, public addys
Melissa Meyer
melissa at ginormus.com
Tue Mar 14 08:19:56 EST 2006
Sounds like what you want to do is have the firewall NAT traffic for the
LAN and set up a transparent bridge for traffic to the DMZ.
When using the Linux bridge, servers on your DMZ are set up with the
public IPs.
I believe you can set up something like below, which I think is port
address translation, but it may not be necessary to add the extra route
for your DMZ.
On Mon, Mar 13, 2006 at 01:03:16PM -0800, Carla Schroder wrote:
> hey all,
>
> My poor little tiny ISP can only give me a single static public IP, so I can't
> test this my own self. :(
>
> Here's the scenario:
>
> Suppose I have a nice tri-homed Linux iptables firewall/gateway. Default
> filter table policies are:
>
> $ipt -P INPUT DROP
> $ipt -P FORWARD DROP
> $ipt -P OUTPUT ACCEPT
>
> My three network segments are
>
> wan 1.2.3.4
> lan 192.168.1.1
> dmz 192.168.2.1
>
> On the dmz are a few public servers, the usual web, mail, ftp, wotever. These
> have public routable IPs. To correctly route incoming traffic to them, do I
> need only FORWARD rules? Like this:
>
> $ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE -d 1.2.3.44 --dport 80 -j ACCEPT
>
> I don't want any DNAT or SNAT on the server IPs, I want to use their real IPs.
> I want to forward only traffic that belongs to the servers, and drop all the
> other junk at the gateway.
>
> thanks!
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Carla Schroder
> check out my "Linux Cookbook", the ultimate Linux user's
> and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://linuxchix.org/cgi-bin/mailman/listinfo/techtalk
>
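The routed setup the question describes, written out as an added example that is not part of the thread: a tri-homed gateway that masquerades the LAN, forwards only the listed TCP services to the DMZ servers' real public addresses with no DNAT or SNAT on them, and drops everything else. The interface names (eth0/eth1/eth2), the server addresses 1.2.3.44 to 1.2.3.46 and their ports are assumptions chosen to match the question; the IPT variable lets the script be dry-run with IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original thread. Routed DMZ with public IPs,
# NAT only for the LAN, stateful FORWARD rules. Interface names, the server
# addresses and the service list are assumptions. Run as root, or with
# IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"

WAN_IFACE="eth0"            # 1.2.3.4
LAN_IFACE="eth1"            # 192.168.1.1
DMZ_IFACE="eth2"            # 192.168.2.1 on the gateway; servers carry public IPs
WAN_IP="1.2.3.4"
LAN_NET="192.168.1.0/24"

# Public servers in the DMZ and the TCP ports they expose, one "ip:port" per
# entry (constructed sample data, assumed addresses).
DMZ_SERVICES="1.2.3.44:80 1.2.3.44:443 1.2.3.45:25 1.2.3.46:21"

apply_rules() {
    # Start clean and set the default policies exactly as in the question.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections the gateway itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Stateful core: anything conntrack already knows may be forwarded, so
    # the per-service rules below only have to match the first packet. Without
    # this line the servers' replies would hit the FORWARD DROP policy.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN may reach the Internet and the DMZ; only the LAN is masqueraded.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IFACE" -j SNAT --to-source "$WAN_IP"

    # DMZ servers keep their real addresses: no DNAT, no SNAT, just a
    # FORWARD ACCEPT per published service. Everything else from the WAN
    # falls through to the DROP policy.
    for svc in $DMZ_SERVICES; do
        ip="${svc%:*}"
        port="${svc#*:}"
        $IPT -A FORWARD -p tcp -i "$WAN_IFACE" -o "$DMZ_IFACE" \
             -d "$ip" --dport "$port" -m state --state NEW -j ACCEPT
    done

    # DMZ may initiate outbound (mail delivery, updates) but never into the
    # LAN, so a compromised public server stays contained.
    $IPT -A FORWARD -i "$DMZ_IFACE" -o "$WAN_IFACE" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -j DROP
}

# Forwarding itself is a sysctl, not an iptables rule:
#   sysctl -w net.ipv4.ip_forward=1
[ "${IPT}" != "echo" ] && [ "$(id -u)" -eq 0 ] && apply_rules
```

Two caveats the rules alone do not solve. First, the servers' addresses must actually be routed to the gateway: if 1.2.3.44 lives in the same subnet as the WAN address 1.2.3.4, the ISP's router will ARP for it on the WAN segment, so the gateway needs proxy ARP on eth0 (net.ipv4.conf.eth0.proxy_arp=1) or the ISP must route a separate block to 1.2.3.4; this is exactly why the transparent bridge suggested in the reply above is attractive, since the servers then answer ARP themselves. Second, in bridge mode the same FORWARD rules still apply once br_netfilter is loaded (net.bridge.bridge-nf-call-iptables=1), with -m physdev --physdev-in/--physdev-out taking the place of -i/-o for the bridged ports.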