Wednesday, November 4, 2009

Linux Securirty Notes 15: IPTables 8: DMZ

IPTables with DMZ
Let consider the interface to setup/understand the DMZ.
  • eth0: external interface (
  • eth1: Internal Interface (
  • eth2: The DMZ zone (

Step 1:
Create DNAT for all the servers in the DMZ zone (eth2) for accessing the service externally
# iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j DNAT --to-destination
# iptables -t nat -A PREROUTING -d -p tcp --dport 443 -j DNAT --to-destination
If any request comes to firewall with the destination IP as and port as 80 will be DNATed to in DMZone.
Now test accessing the service in DMZone from Internel as well externel network. From both the network we will be able to access the server in the DMZone using the IP

Configure the split DNS or 2 DNS systems (Inside&Outside of the DMZone).
Setup rule for trusted network from the outside network(Internet) for the traffic which will allow system access (SSH).
# iptables -A FORWARD -s -j ACCEPT
# iptables -A FORWARD -s -m state --state ESTABLISHED -j ACCEPT
# iptables -P FORWARD DROP
This will deny all access to the DMZone from the internet hosts, only allows the Internal network. Because the default policy of FORWARD chain is set to drop, we need to create the "state match" for the hosts in the DMZone(This will deny sourcing a new connection from the DMZone, only established connection will be permitted).

Dual DMZ Configuration
This is the way of segmenting the servers to separate DMZones.
Let consider the interface to setup/understand the Dual DMZ.
  • eth0: externel interface (
  • eth1: Internel Interface (
  • eth2: The DMZ1 zone ( (Web servers)
  • eth3: The DMZ2 zone ( (DBMS, App servers like JBOSS, TOMCAT etc)
Using this method we will be able to control the traffic from one DMZone to another. This is used for the scenarios of Application servers which need to contact the DB Servers located on separate server.

Here we have to permit only the DMZ1 to contact the DMZ2. all other traffic will be denied.So the servers in the DMZ2 zone will be more secured.
# iptables -t nat -A FORWARD -s -d -j ACCEPT
# iptables -t nat -A FORWARD -m state --state ESTABLISED -s -j ACCEPT
# iptables -t nat -P FORWARD DROP
This will make only the DMZ1 to contact the DMZ2. And from DMZ2 only the established connection will be permitted. All other request will be dropped in the FORWARD chain.
These rules are the basic backbone for setting up the routing and Natting in DMZone. All other rules should be defined according to our network need.

No comments:

Post a Comment

tag ur valuable ideas below