[Techtalk] DMZ and iptables
Conor Daly
conor.daly-linuxchix at cod.homelinux.org
Wed Apr 4 21:07:52 UTC 2007
On Wed, Apr 04, 2007 at 01:20:02PM -0700 or so it is rumoured hereabouts,
Carla Schroder thought:
> I've gone all wacko and insecure over my iptables rules, which I do on a
> regular basis. Here's the deal: a 3-port router with:
>
> WAN
> LAN - 192.168.1.0/24
> DMZ
>
> I want tight controls on traffic between the LAN and DMZ. So I need two
> FORWARD rules, then INPUT rules for specific services, correct? Like this
> example for a Web server in the DMZ:
>
> $ipt -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -m state --state \
>     NEW,ESTABLISHED,RELATED -j ACCEPT
> $ipt -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state --state \
>     ESTABLISHED,RELATED -j ACCEPT
>
> $ipt -A INPUT -p tcp -i $DMZ_IFACE -s 192.168.1.0/24 --dport 80 -j ACCEPT
Only comment I have ('cos I'm not sure enough about firewalls anyway) is
why have these last two rules at all? In my setup (curiously using the
same internal network :-) I allow no traffic from DMZ to LAN. Any data
flow inwards that I require is originated from the LAN and so requires no
inbound rules (IIRC). Given that the webserver is in the DMZ, your rule
number 1 (state NEW) should cover access from the LAN so your rule number
3 is redundant. I'm not sure if rule number 2 is required. Have I got that right?
Conor
--
Conor Daly <conor.daly at cod.homelinux.org>
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/G/S/O d+(-) s:+ a+ C++(+) UL++++ US++ P>++ L+++>++++ E--- W++ !N
PS+ PE Y+ PGP? tv(-) b+++(+) G e+++(*) h-- r+++ z++++
------END GEEK CODE BLOCK------
http://www.geekcode.com/ http://www.ebb.org/ungeek/
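The thread turns on which chain sees which packets: FORWARD handles packets the router passes between its interfaces, INPUT only handles packets addressed to the router itself, so an INPUT rule does nothing for a web server that sits behind the box in the DMZ. With a DROP policy on FORWARD, the DMZ-to-LAN rule matching ESTABLISHED,RELATED is what lets the web server's replies get back to the LAN client; conntrack tracks the flow but accepts nothing on its own. The script below is an added example, not code from the original posts. The interface names (eth0/eth1/eth2), the DMZ subnet 192.168.2.0/24, the web server address 192.168.2.10, and the DRY_RUN switch are assumptions made for the example; the LAN subnet 192.168.1.0/24 is the one from the thread.

```shell
#!/bin/sh
# Three-interface router: WAN, LAN, DMZ.
# Interface names, DMZ subnet and web server address below are assumptions
# for this example; override them in the environment.
WAN_IFACE=${WAN_IFACE:-eth0}
LAN_IFACE=${LAN_IFACE:-eth1}
DMZ_IFACE=${DMZ_IFACE:-eth2}
LAN_NET=${LAN_NET:-192.168.1.0/24}      # LAN from the thread
DMZ_NET=${DMZ_NET:-192.168.2.0/24}      # assumed DMZ subnet
DMZ_WEB=${DMZ_WEB:-192.168.2.10}        # assumed web server in the DMZ

# Wrapper: with DRY_RUN=1 print each rule instead of loading it, so the
# rule set can be reviewed (or tested) without root or netfilter.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

load_dmz_rules() {
    # Default deny for anything routed through or addressed to the box.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # INPUT: traffic to the router itself. Loopback, replies to flows the
    # router started, and ssh management from the LAN only.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

    # Anti-spoofing: LAN source addresses must never arrive on the DMZ
    # interface. Placed before the state rules so a forged packet cannot
    # ride an existing conntrack entry.
    ipt -A INPUT   -i "$DMZ_IFACE" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$DMZ_IFACE" -s "$LAN_NET" -j DROP

    # FORWARD: one rule carries the return half of every permitted flow,
    # including DMZ -> LAN replies to connections the LAN opened.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN -> DMZ: only new HTTP connections to the web server, nothing else.
    ipt -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" -s "$LAN_NET" -d "$DMZ_WEB" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # WAN -> DMZ: new HTTP connections to the web server (assumes the
    # server has a public address or a DNAT rule in the nat table, not shown).
    ipt -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -d "$DMZ_WEB" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # DMZ -> LAN: no new connections at all. Log before the policy drops
    # them so a compromised DMZ host probing the LAN shows up in syslog.
    ipt -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -m state --state NEW \
        -j LOG --log-prefix "DMZ->LAN "
    ipt -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -j DROP
}

# Usage: sh dmz.sh preview   (print rules)   |   sudo sh dmz.sh apply
case "${1:-}" in
    preview) DRY_RUN=1; load_dmz_rules ;;
    apply)   load_dmz_rules ;;
esac
```

Running the script with `preview` prints the rules in load order, which is the fastest way to check that the anti-spoofing drops come before the ESTABLISHED,RELATED accept and that no rule accepts NEW traffic from the DMZ interface towards the LAN.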