[Techtalk] iptables, dmz, public addys

Melissa Meyer melissa at ginormus.com
Tue Mar 14 08:19:56 EST 2006

Sounds like what you want to do is have the firewall NAT traffic for the
LAN and set up a transparent bridge for traffic to the DMZ.

When using the Linux bridge, servers on your DMZ are set up with the
public IPs.

I believe you can set up something like below, which I think is port
address translation, but it may not be necessary to add the extra route
for your DMZ.

On Mon, Mar 13, 2006 at 01:03:16PM -0800, Carla Schroder wrote:
> hey all,
> My poor little tiny ISP can only give me a single static public IP, so I can't 
> test this my own self. :(
> Here's the scenario:
> Suppose I have a nice tri-homed Linux iptables firewall/gateway. Default 
> filter table policies are:
> $ipt -P INPUT DROP
> My three network segments are 
> wan
> lan
> dmz
> On the dmz are a few public servers, the usual web, mail, ftp, wotever. These 
> have public routable IPs. To correctly route incoming traffic to them, do I 
> need only FORWARD rules? Like this:
> $ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE -d --dport 80 -j 
> I don't want any DNAT or SNAT on the server IPs, I want to use their real IPs. 
> I want to forward only traffic that belongs to the servers, and drop all the 
> other junk at the gateway.
> thanks!
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  Carla Schroder
>  check out my "Linux Cookbook", the ultimate Linux user's
>  and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://linuxchix.org/cgi-bin/mailman/listinfo/techtalk
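
The routed variant of Carla's scenario, as an added example that is not part of either message in the thread: a small POSIX shell script that generates an iptables-restore ruleset for a tri-homed gateway where the LAN is masqueraded and the DMZ hosts keep their real public addresses, with only the published services allowed in through FORWARD. It assumes the upstream already routes the public block to the gateway's WAN address (so no bridge, proxy ARP or NAT is needed for the DMZ), that the kernel has net.ipv4.ip_forward=1, and that iptables has the conntrack match. Interface names, the LAN prefix and the 203.0.113.0/24 service list are placeholders, not values from the thread. Nothing here touches the live firewall; the script only prints the ruleset, so it can be inspected or diffed before loading.

```shell
#!/bin/sh
# Added example, not from the list post. Generates (does not load) an
# iptables-restore ruleset for a tri-homed WAN/LAN/DMZ gateway.
# Interface names, networks and the service list below are placeholders.

WAN_IFACE=eth0
LAN_IFACE=eth1
DMZ_IFACE=eth2
LAN_NET=192.168.1.0/24

# Constructed service list, "ip proto port" per published service.
# 203.0.113.0/24 is documentation address space, standing in for real public IPs.
DMZ_SERVICES="203.0.113.10 tcp 80
203.0.113.10 tcp 443
203.0.113.20 tcp 25
203.0.113.30 tcp 21"

gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only the private LAN is masqueraded; DMZ hosts keep their real addresses.
-A POSTROUTING -s $LAN_NET -o $WAN_IFACE -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Replies to allowed connections pass; everything else must match a NEW rule.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may initiate to the Internet and to the DMZ.
-A FORWARD -i $LAN_IFACE -o $WAN_IFACE -j ACCEPT
-A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
EOF
    # One NEW-connection rule per published service, WAN -> DMZ, real IPs, no DNAT.
    printf '%s\n' "$DMZ_SERVICES" | while read -r ip proto port; do
        [ -n "$ip" ] || continue
        printf -- '-A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$WAN_IFACE" "$DMZ_IFACE" "$proto" "$ip" "$port"
    done
    cat <<EOF
# DMZ hosts may open outbound connections (DNS, updates) but never into the LAN.
-A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j DROP
-A FORWARD -i $DMZ_IFACE -o $WAN_IFACE -j ACCEPT
COMMIT
EOF
}

# Sanity check helper: number of per-service WAN->DMZ accept rules emitted.
count_dmz_accepts() {
    gen_ruleset | grep -c -- "-i $WAN_IFACE -o $DMZ_IFACE .* --ctstate NEW -j ACCEPT"
}

# To load on the gateway (as root):
#   sysctl -w net.ipv4.ip_forward=1 && gen_ruleset | iptables-restore
```

The answer the ruleset encodes: with routed public addresses on the DMZ, FORWARD rules alone are enough, and the only NAT rule in the whole set is the MASQUERADE for the LAN. The ESTABLISHED,RELATED rule is what lets the servers' replies leave; without it the default DROP on FORWARD would silently break every published service even though the inbound NEW rule matched. Ordering the DMZ-to-LAN DROP before the DMZ-to-WAN ACCEPT keeps a compromised DMZ host from pivoting into the LAN.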
