
Re: ipchains rules for dmz??



Did you look at shorewall? (apt-cache show shorewall if not)
This script is fantastic, and when you know exactly what you want,
configuring it is a matter of minutes...
Install it, read the quick-start guide, which is basically:
1) define your zones in the "zones" file. You would define
dmz, lan and net, and shorewall will define a "fw" zone, which is your firewall
itself
2) associate computers with your zones ("hosts" file), or interfaces ("interfaces"
file)
3) define the default INPUT, OUTPUT and FORWARD for the 3 zones in the
"policy" file
4) add exceptions to the policy in the "rules" file.

that's all ;)
shorewall really is fantastic ;)))

good luck
sam
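A worked shorewall configuration for the topology in the quoted question, following the four steps above. This is an added example, not part of Sam's reply or of the shorewall documentation. It assumes eth0 faces the Internet, eth1 the LAN (10.177.9.0/24) and eth2 the DMZ (192.168.9.0/24), DMZ hosts 192.168.9.10 (web), .20 (mail) and .30 (DNS), and the shorewall 1.x file layout of the time (zones file with ZONE/DISPLAY/COMMENTS columns; later releases changed the zones format). All addresses and interface names are illustrative.

```conf
# /etc/shorewall/zones  (step 1: zones; "fw" is defined by shorewall itself)
#ZONE   DISPLAY     COMMENTS
net     Net         Internet ("bad")
lan     Local       Internal LAN ("good"), 10.177.9.0/24 (assumed on eth1)
dmz     DMZ         Private-address DMZ, 192.168.9.0/24 (assumed on eth2)

# /etc/shorewall/interfaces  (step 2: tie zones to interfaces)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
lan     eth1        detect
dmz     eth2        detect

# /etc/shorewall/policy  (step 3: defaults, first match wins)
#SOURCE   DEST   POLICY   LOG LEVEL
lan       net    ACCEPT                 # good -> bad: allow all (NATed via masq)
dmz       net    ACCEPT                 # dmz  -> bad: allow all for now
fw        net    ACCEPT                 # firewall itself may reach the Internet
net       all    DROP     info          # bad  -> anything: nothing unless a rule says so
dmz       all    DROP     info          # dmz  -> good/fw: nothing (a DMZ box is assumed compromisable)
all       all    REJECT   info          # lan -> dmz, lan -> fw: only what the rules allow

# /etc/shorewall/masq  (NAT both private subnets out the Internet interface)
#INTERFACE   SUBNET
eth0         10.177.9.0/24
eth0         192.168.9.0/24

# /etc/shorewall/rules  (step 4: exceptions to the policy)
#ACTION   SOURCE   DEST                PROTO   DEST PORT(S)
# net -> dmz: the DMZ has private addresses, so these are port forwards (DNAT)
DNAT      net      dmz:192.168.9.10    tcp     80
DNAT      net      dmz:192.168.9.10    tcp     22
DNAT      net      dmz:192.168.9.20    tcp     25
DNAT      net      dmz:192.168.9.30    tcp     53
DNAT      net      dmz:192.168.9.30    udp     53
# lan -> dmz: same services; no NAT needed, the firewall just routes between the two private nets
ACCEPT    lan      dmz:192.168.9.10    tcp     80
ACCEPT    lan      dmz:192.168.9.10    tcp     22
ACCEPT    lan      dmz:192.168.9.20    tcp     25
ACCEPT    lan      dmz:192.168.9.30    tcp     53
ACCEPT    lan      dmz:192.168.9.30    udp     53
# admin access to the firewall itself from the LAN only
ACCEPT    lan      fw                  tcp     22
```

Two points worth noticing. The net -> dmz entries are DNAT rather than ACCEPT because the DMZ hosts are not routable: the firewall's public address is what the Internet connects to, and the packet must be rewritten before the filter rules see it. lan -> dmz needs no NAT at all since the firewall simply routes between the two private subnets, which is the case the quoted ipchains snippet handles with a plain ACCEPT in the forward chain. Shorewall generates iptables rules, so this assumes a netfilter (2.4) kernel; on an ipchains-only kernel the same port forwarding would need ipmasqadm portfw in addition to the filter rules.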

----- Original Message -----
From: "Rishi L Khan" <rishi@UDel.Edu>
To: <debian-security@lists.debian.org>
Sent: Wednesday, May 29, 2002 4:49 PM
Subject: ipchains rules for dmz??


> Does anyone have a set of ipchains rules for a DMZ that doesn't have
> routable IPs and an internal network that doesn't have routable IPs?
> I looked on the IPCHAINS HOWTO page, but they don't have a script for
> this. I haven't seen anything with google either.
>
> I'm looking for something like this:
>
>  Internet (bad)  <---> firewall  <---> dmz (192.168.9.*)
>                           ^
>                           |
>                           +----------> internal LAN (good) (10.177.9.*)
>
> I would like:
> bad  --> good = nothing but NATed established traffic
> bad  --> dmz  = port 80 to web box, port 25 to mail, port 53 ([tu]dp) to
>                 DNS), ssh to web box
> dmz  --> good = nothing but NATed traffic
> dmz  --> bad  = NATed traffic (allow all for now)
> good --> bad  = NATed traffic (allow all for now)
> good --> dmz  = same as bad --> dmz.
>
> All of the scripts I've seen  have DMZ as routeable. The biggest problem I
> have is that good --> dmz because they're both private IP ranges. I
> thought I could just pass them with something like:
>
> # user chain for LAN -> DMZ traffic
> ipchains -N good-dmz
> # in the forward chain, -i is the OUTGOING interface: LAN sources leaving via the DMZ interface
> ipchains -A forward -s $INTERNAL_NET -i $DMZ_INTERFACE -j good-dmz
> ipchains -A good-dmz -j ACCEPT
>
> (this terminology is from the IPCHAINS HOWTO)
>
> Any suggestions? Any help?
>
> -rishi
>
> _______________________________________________
> Linux Users Group at UD mailing list
> Subscription Management:
> https://www.lug.udel.edu/cgi-bin/mailman/listinfo/linux
> Archives :  http://www.lug.udel.edu/pipermail/linux/
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org