[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

ipchains rules for dmz??

Does anyone have a set of ipchains rules for a DMZ that doesn't have
routable IPs and an internal network that doesn't have routable IPs?
I looked on the IPCHAINS HOWTO page, but they don't have a script for
this. I haven't seen anything with google either.

I'm looking for something like this:

 Internet (bad)  <---> firewall  <---> dmz (192.168.9.*)
                          +----------> internal LAN (good) (10.177.9.*)

I would like:
bad  --> good = nothing but NATed established traffic
bad  --> dmz  = port 80 to web box, port 25 to mail, port 53 ([tu]dp) to
                DNS), ssh to web box
dmz  --> good = nothing but NATed traffic
dmz  --> bad  = NATed traffic (allow all for now)
good --> bad  = NATed traffic (allow all for now)
good --> dmz  = same as bad --> dmz.

All of the scripts I've seen  have DMZ as routeable. The biggest problem I
have is that good --> dmz because they're both private IP ranges. I
thought I could just pass them with something like:

ipchains -N good-dmz
ipchains -A forward -s $INTERNAL_NET -i $DMZ_INTERFACE -j good-dmz
ipchains -A good-dmz -j ACCECPT

(this terminology is from the IPCHAINS HOWTO)

Any suggestions? Any help?


Linux Users Group at UD mailing list
Subscription Management:
Archives :  http://www.lug.udel.edu/pipermail/linux/

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: