IPTables with DMZ
Let's consider the interfaces used to set up and understand the DMZ:
- eth0: external interface (192.168.1.0/24)
- eth1: internal interface (10.0.0.0/8)
- eth2: the DMZ zone (172.16.0.0/16)
Create DNAT rules for the servers in the DMZ zone (eth2) so that their services can be accessed externally.
Any request that reaches the firewall with destination IP 192.168.1.2 and port 80 will be DNATed to 172.16.0.2 in the DMZ.
# iptables -t nat -A PREROUTING -d 192.168.1.2 -p tcp --dport 80 -j DNAT --to-destination 172.16.0.2
# iptables -t nat -A PREROUTING -d 192.168.1.2 -p tcp --dport 443 -j DNAT --to-destination 172.16.0.2
Now test access to the service in the DMZ from both the internal and the external network. From both networks the server in the DMZ is reachable via the IP 192.168.1.2.
Configure split DNS, or two DNS systems (one inside and one outside the DMZ).
Set up a rule for the trusted hosts on the outside network (Internet) that allows the traffic used for system access (SSH).
The following rules deny all access to the DMZ from Internet hosts and only allow the internal network. Because the default policy of the FORWARD chain is set to DROP, we need a "state match" rule for the hosts in the DMZ (this denies the DMZ from sourcing a new connection; only established connections are permitted).
# iptables -A FORWARD -s 10.0.0.0/8 -j ACCEPT
# iptables -A FORWARD -s 172.16.0.0/16 -m state --state ESTABLISHED -j ACCEPT
# iptables -P FORWARD DROP
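The single-DMZ rule set above, collected into one script that can be printed and reviewed before it is applied. This is an added example and not part of the original page: the interface names, address ranges and the 192.168.1.2 to 172.16.0.2 mapping come from the text, while the IPT variable, the explicit FORWARD accept for the published web ports (FORWARD sees packets after PREROUTING has rewritten them, and a DROP policy would otherwise drop the traffic the DNAT publishes) and the RELATED state are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: the single-DMZ rule set as a
# reviewable, dry-runnable script. Interface names, address ranges and the
# 192.168.1.2 -> 172.16.0.2 mapping come from the text; IPT, the explicit
# accept for the published web ports and the RELATED state are this
# example's own additions (assumptions).
IPT="${IPT:-iptables}"      # point IPT at a stub to print commands instead of applying them

EXT_IF=eth0                 # external interface, 192.168.1.0/24
INT_IF=eth1                 # internal interface, 10.0.0.0/8
DMZ_IF=eth2                 # DMZ, 172.16.0.0/16
PUBLIC_WEB=192.168.1.2      # address clients connect to
DMZ_WEB=172.16.0.2          # real web server inside the DMZ
INTERNAL_NET=10.0.0.0/8
DMZ_NET=172.16.0.0/16

# Print the rule set, one iptables argument list per line, so it can be read
# or diffed before anything is applied. The DROP policy comes first so nothing
# is forwarded while the accept rules are still being loaded.
# Line 5: FORWARD runs after PREROUTING, so the DNATed web traffic is matched
# on the DMZ address and the published ports only; DMZ hosts may still not
# open new connections of their own (line 6 accepts replies only).
dmz_ruleset() {
  cat <<EOF
-P FORWARD DROP
-t nat -A PREROUTING -d $PUBLIC_WEB -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB
-t nat -A PREROUTING -d $PUBLIC_WEB -p tcp --dport 443 -j DNAT --to-destination $DMZ_WEB
-A FORWARD -i $INT_IF -s $INTERNAL_NET -j ACCEPT
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $DMZ_IF -s $DMZ_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the rule set with $IPT, stopping at the first rule that fails.
# Applying for real needs root and the iptables binary; the heredoc keeps the
# loop in the current shell so "return" reports the failure to the caller.
apply_ruleset() {
  while IFS= read -r rule; do
    # shellcheck disable=SC2086  # word splitting of the argument list is intended
    "$IPT" $rule || return 1
  done <<EOF
$(dmz_ruleset)
EOF
}

# Number of rules in the set, a quick sanity check before and after applying.
rule_count() {
  dmz_ruleset | wc -l | tr -d ' '
}
```

To review without touching the kernel, define a stub such as `fake_ipt() { printf '%s\n' "$*"; }`, set `IPT=fake_ipt` and call `apply_ruleset`; the printed lines are exactly the argument lists that would be handed to iptables. The per-rule `-i`/`-o` interface matches are cheap anti-spoofing: a packet claiming a 10.0.0.0/8 source that arrives on eth0 does not match the internal accept.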
Dual DMZ Configuration
This is a way of segmenting the servers into separate DMZ zones.
Let's consider the interfaces used to set up and understand the dual DMZ:
- eth0: external interface (192.168.1.0/24)
- eth1: internal interface (10.0.0.0/8)
- eth2: the DMZ1 zone (172.16.0.0/16) (web servers)
- eth3: the DMZ2 zone (172.17.0.0/16) (DBMS and application servers such as JBoss, Tomcat, etc.)
Here only DMZ1 is permitted to contact DMZ2; all other traffic is denied, so the servers in DMZ2 are better protected.
These rules allow only DMZ1 to initiate connections to DMZ2, and from DMZ2 only established connections are permitted. All other requests are dropped in the FORWARD chain.
# iptables -A FORWARD -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED -s 172.17.0.0/16 -j ACCEPT
# iptables -P FORWARD DROP
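The dual-DMZ rules as a function, together with a small lint that checks each rule names a chain that actually exists in the table it targets (the nat table has only PREROUTING, INPUT, OUTPUT and POSTROUTING, so `-t nat` combined with FORWARD is rejected by iptables at load time, and catching it before the load avoids a half-applied rule set). This is an added example, not the page's own commands: interface names and ranges are the page's, while the `-i`/`-o` interface matches, the RELATED state and the lint itself are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: the dual-DMZ rule set as a
# function, plus a lint that rejects a rule whose chain does not exist in the
# table it names. Interface names and ranges are the page's; the interface
# matches, the RELATED state and the lint are this example's additions.
DMZ1_IF=eth2; DMZ1_NET=172.16.0.0/16   # web servers
DMZ2_IF=eth3; DMZ2_NET=172.17.0.0/16   # DBMS and application servers

# Only DMZ1 may open connections into DMZ2; DMZ2 may only answer. The
# internal-network and published-port accepts from the single-DMZ setup are
# layered on top of these according to the network's needs.
dual_dmz_ruleset() {
  cat <<EOF
-P FORWARD DROP
-A FORWARD -i $DMZ1_IF -o $DMZ2_IF -s $DMZ1_NET -d $DMZ2_NET -j ACCEPT
-A FORWARD -i $DMZ2_IF -s $DMZ2_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Built-in chains of each iptables table (user-defined chains are not covered).
chains_in_table() {
  case "$1" in
    filter) echo "INPUT FORWARD OUTPUT" ;;
    nat)    echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
    mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
    raw)    echo "PREROUTING OUTPUT" ;;
    *)      echo "" ;;
  esac
}

# Return 0 when the rule's chain exists in the table it names (filter when no
# -t is given), 1 otherwise. Only -P/-A/-I/-D rules are inspected.
rule_chain_ok() {
  table=filter
  chain=""
  # shellcheck disable=SC2086  # split the rule string into its arguments
  set -- $1
  while [ $# -gt 0 ]; do
    case "$1" in
      -t) table=$2; shift ;;
      -P|-A|-I|-D) chain=$2; shift ;;
    esac
    shift
  done
  [ -n "$chain" ] || return 1
  for c in $(chains_in_table "$table"); do
    if [ "$c" = "$chain" ]; then return 0; fi
  done
  return 1
}

# Lint the whole rule set; prints the number of rules that would be rejected.
lint_ruleset() {
  bad=0
  while IFS= read -r rule; do
    rule_chain_ok "$rule" || bad=$((bad + 1))
  done <<EOF
$(dual_dmz_ruleset)
EOF
  echo "$bad"
}
```

Run `lint_ruleset` and expect `0` before feeding the lines to iptables. In practice the DMZ1 to DMZ2 accept is usually narrowed further with `-p tcp --dport` to the database or application port the web tier actually uses, so a compromised web server cannot reach anything else in DMZ2.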
These rules are the basic backbone for setting up routing and NAT in a DMZ. All other rules should be defined according to the needs of the network.