[Techtalk] DMZ and iptables

John Clarke johnc+linuxchix at kirriwa.net
Thu Apr 5 01:41:21 UTC 2007

On Wed, Apr 04, 2007 at 01:20:02 -0700, Carla Schroder wrote:

Hi Carla,

> I want tight controls on traffic between the LAN and DMZ. So I need two 
> FORWARD rules, then INPUT rules for specific services, correct? Like this 
> example for a Web server in the DMZ:
> $ipt -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -m state --state 

This allows pretty much anything from the lan to the dmz, that's OK.

> $ipt -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state --state 

This allows traffic from the dmz to the lan, but only if part of an
existing connection, so in conjunction with your first rule, it only
allows stuff from the dmz to lan if the connection was originated from
the lan.  You need both of these rules to allow lan to dmz
communication.  So far, so good.

> $ipt -A INPUT -p tcp -i $DMZ_IFACE -s --dport 80 -j ACCEPT

This allows hosts on your dmz to get to the web server on your router
(it's in the INPUT chain, so it's controlling input to the router), but
only if the packets come from a lan address.  This is unlikely to be
doing anything useful -- if you're seeing packets originating from the
dmz with a lan source address, I'd say you have something wrong with
your network.

If I understand your requirements correctly, you want to allow external
hosts to get to the web server on the dmz, so you need something like

    $ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE --dport http \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -p tcp -i $DMZ_IFACE -o $WAN_IFACE --sport http \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

I usually simplify my rules by having these first:

    # accept anything associated with existing connections
    $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # accept everything on the loopback interface
    $iptables -A INPUT -i lo -j ACCEPT
    $iptables -A OUTPUT -o lo -j ACCEPT

Then I only need to add rules for connection establishment (i.e.
state NEW), which I find makes the rules easier to read and maintain.
The disadvantage is that I can't account for each service individually,
but I don't care about that.  In your case, these two rules would be all
you need:

    $ipt -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -m state --state NEW \
        -j ACCEPT
    $ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE --dport http \
        -m state --state NEW -j ACCEPT
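The simplified scheme above, written out as a small rule generator so the whole three-zone policy can be reviewed before it is applied. This is an added example, not John's generator or anything from the original post; the interface names and the published port list are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): emit the simplified three-zone
# rule set described above in the order the post gives it. Interface names
# and the port list are placeholders. Review the output, then pipe it to
# "sudo sh" to apply it.
WAN_IFACE=${WAN_IFACE:-eth0}
LAN_IFACE=${LAN_IFACE:-eth1}
DMZ_IFACE=${DMZ_IFACE:-eth2}

# gen_rules <wan> <lan> <dmz> <dmz-tcp-ports...>: print iptables commands.
gen_rules() {
    wan=$1; lan=$2; dmz=$3; shift 3
    # Default deny in every chain, so only traffic accepted below passes.
    for chain in INPUT OUTPUT FORWARD; do
        echo "iptables -P $chain DROP"
    done
    # Replies and related traffic first, for all chains: after this only
    # connection establishment (state NEW) needs explicit rules.
    for chain in INPUT OUTPUT FORWARD; do
        echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # The LAN may open any connection into the DMZ. There is deliberately no
    # NEW rule from dmz to lan, so a compromised DMZ host can only answer.
    echo "iptables -A FORWARD -i $lan -o $dmz -m state --state NEW -j ACCEPT"
    # The Internet may open connections only to the published DMZ services.
    for port in "$@"; do
        echo "iptables -A FORWARD -p tcp -i $wan -o $dmz --dport $port" \
             "-m state --state NEW -j ACCEPT"
    done
}

# Dry run: print the rules for a web server (80) and TLS (443) in the DMZ.
gen_rules "$WAN_IFACE" "$LAN_IFACE" "$DMZ_IFACE" 80 443
```

Because every rule is printed rather than executed, the output can be diffed against the running policy (`iptables -S`) before anything changes.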

BTW, I've written a program to generate iptables rules from a high-level
description.  It's not yet complete, and it needs some cleaning up, but
if you want to give it a go you can find it here:


Feel free to ask questions or suggest improvements.  I'm using it to
generate firewall rules for all of the hosts I maintain, including
firewalls at home and work.  The firewall at work has five network
interfaces (wan, data-lan, phone-lan, two dmzs) and the rules are too
complex to maintain as a shell script, but the input file to the
generator is relatively easy to understand.


The neat thing about having a swiss-cheese memory like mine is that I can
read what I wrote a few months ago, and giggle at my own jokes.
            -- Chris Klein
