Saturday, February 2, 2013

Linux DMZ configuration

# Forward traffic between WAN (eth1) and DMZ (eth2). As written this accepts any
# NEW connection from the internet into the DMZ; narrow it with -p/--dport and -d
# so that only the intended services (e.g. SMTP on 192.168.2.2:25, redirected by
# the PREROUTING DNAT rule described in the text below) are reachable.
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forward traffic between DMZ (eth2) and LAN (eth0): the LAN may open connections
# to DMZ servers (mail, web, DNS), the DMZ may only answer existing ones, so a
# compromised DMZ host cannot initiate sessions into the desktop network.
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Linux Demilitarized Zone (DMZ) Ethernet Interface Requirements and Configuration

by nixCraft on December 15, 2007 · 25 comments · last updated at January 2, 2008

Q. Can you tell me more about Linux Demilitarized Zone and Ethernet Interface Card Requirements for a typical DMZ implementation? How can a rule be set to route traffic to certain machines on a DMZ for HTTP or SMTP?

A. A demilitarized zone (DMZ) is used to secure an internal network from external access. You can use a Linux firewall to create a DMZ easily. There are many different ways to design a network with a DMZ; the basic method is to use a single Linux firewall with 3 Ethernet cards. The following simple example discusses a DMZ setup and forwarding public traffic to internal servers.

Sample Example DMZ Setup

Consider the following DMZ host with 3 NICs:

[a] eth0 with 192.168.1.1 private IP address - Internal LAN ~ Desktop systems
[b] eth1 with 202.54.1.1 public IP address - WAN connected to ISP router
[c] eth2 with 192.168.2.1 private IP address - DMZ connected to Mail / Web / DNS and other private servers

(Fig 01: A typical Linux based DMZ setup [Image modified from Wikipedia article])

Routing traffic between public and DMZ server

To route all incoming SMTP requests to a dedicated mail server at IP address 192.168.2.2 and port 25, network address translation (NAT) is used: a DNAT rule in the PREROUTING chain of the nat table rewrites the packets' destination so they are forwarded to the proper host. This is done with the appropriate iptables firewall rules to route traffic between the LAN and the DMZ and between the public interface and the DMZ.
For example, all incoming mail traffic from the internet (arriving at 202.54.1.1) can be sent to the DMZ mail server (192.168.2.2) with the following iptables PREROUTING rule (assuming a default DROP-all firewall policy):
### end init firewall .. Start DMZ stuff ####
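As an added example (not the article's own script), here is a complete rule set for the three-NIC host above, including a DNAT rule of the kind the text describes; the interface names and addresses are the page's, while the exact DNAT rule, the tightened FORWARD rules and the dry-run wrapper are my assumptions.

```shell
#!/bin/sh
# Added example, not the article's script. Interfaces/addresses as on the page;
# the DNAT rule and the dry-run wrapper are assumptions.
# Run with "apply" as first argument (as root) to load the rules; any other
# invocation only prints them, which is handy for review before deployment.

LAN_IF=eth0                      # 192.168.1.x, desktops
WAN_IF=eth1; WAN_IP=202.54.1.1   # public interface
DMZ_IF=eth2; MAIL_IP=192.168.2.2 # DMZ mail server

IPTABLES=${IPTABLES:-iptables}

dmz_rules() {
    # Default-deny on FORWARD; everything below is an explicit exception.
    $IPTABLES -P FORWARD DROP

    # Replies to already-accepted flows are allowed in both directions, so the
    # NEW rules below decide who may initiate connections.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Public SMTP: rewrite the destination to the DMZ mail server. Matching on
    # the WAN interface and the public address keeps internal traffic out of it.
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport 25 \
        -j DNAT --to-destination "$MAIL_IP:25"
    # DNAT only rewrites the packet; FORWARD must still accept the flow, and
    # only to the mail server on port 25 rather than any NEW WAN->DMZ packet.
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$MAIL_IP" --dport 25 \
        -m state --state NEW -j ACCEPT

    # LAN may open connections to DMZ services. There is deliberately no
    # DMZ->LAN NEW rule: a compromised DMZ host gets only replies, never new
    # sessions into the desktop network.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -m state --state NEW -j ACCEPT

    # DMZ servers may reach the internet (outbound mail, DNS lookups).
    $IPTABLES -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
}

# Dry run unless explicitly asked to apply.
[ "${1:-}" = apply ] || IPTABLES=echo
dmz_rules
```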

