ipchains rules for dmz??
Does anyone have a set of ipchains rules for a DMZ that doesn't have
routable IPs and an internal network that doesn't have routable IPs?
I looked on the IPCHAINS HOWTO page, but they don't have a script for
this. I haven't seen anything with google either.
I'm looking for something like this:
Internet (bad) <---> firewall <---> dmz (192.168.9.*)
^
|
+----------> internal LAN (good) (10.177.9.*)
I would like:
bad --> good = nothing but NATed established traffic
bad --> dmz = port 80 to web box, port 25 to mail, port 53 ([tu]dp) to
DNS), ssh to web box
dmz --> good = nothing but NATed traffic
dmz --> bad = NATed traffic (allow all for now)
good --> bad = NATed traffic (allow all for now)
good --> dmz = same as bad --> dmz.
All of the scripts I've seen have DMZ as routeable. The biggest problem I
have is that good --> dmz because they're both private IP ranges. I
thought I could just pass them with something like:
ipchains -N good-dmz
ipchains -A forward -s $INTERNAL_NET -i $DMZ_INTERFACE -j good-dmz
ipchains -A good-dmz -j ACCECPT
(this terminology is from the IPCHAINS HOWTO)
Any suggestions? Any help?
-rishi
_______________________________________________
Linux Users Group at UD mailing list
Subscription Management:
https://www.lug.udel.edu/cgi-bin/mailman/listinfo/linux
Archives : http://www.lug.udel.edu/pipermail/linux/
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: