Re: ipchains rules for dmz??
Did you look at shorewall? (apt-cache show shorewall if not)
This script is fantastic, and when you know exactly what you want,
configuring it is a matter of minutes...
Install it, read the quick-start guide, which is basically:
1) Define your zones in the "zones" file. You would define
dmz, lan, net, and shorewall will define a "fw" zone which is your firewall.
2) associate computers to your zones (hosts file), or interfaces (interfaces
3) define the default INPUT, OUTPUT and FORWARD for the 3 zones in the
4) Add exceptions to the policy in the "rules" file.
that's all ;)
shorewall really is fantastic ;)))
----- Original Message -----
From: "Rishi L Khan" <rishi@UDel.Edu>
Sent: Wednesday, May 29, 2002 4:49 PM
Subject: ipchains rules for dmz??
> Does anyone have a set of ipchains rules for a DMZ that doesn't have
> routable IPs and an internal network that doesn't have routable IPs?
> I looked on the IPCHAINS HOWTO page, but they don't have a script for
> this. I haven't seen anything with google either.
> I'm looking for something like this:
> Internet (bad) <---> firewall <---> dmz (192.168.9.*)
>                         |
>                         +----------> internal LAN (good) (10.177.9.*)
> I would like:
> bad --> good = nothing but NATed established traffic
> bad --> dmz = port 80 to web box, port 25 to mail, port 53 ([tu]dp) to
> DNS, ssh to web box
> dmz --> good = nothing but NATed traffic
> dmz --> bad = NATed traffic (allow all for now)
> good --> bad = NATed traffic (allow all for now)
> good --> dmz = same as bad --> dmz.
> All of the scripts I've seen have DMZ as routable. The biggest problem I
> have is good --> dmz, because they're both private IP ranges. I
> thought I could just pass them with something like:
> ipchains -N good-dmz
> ipchains -A forward -s $INTERNAL_NET -i $DMZ_INTERFACE -j good-dmz
> ipchains -A good-dmz -j ACCEPT
> (this terminology is from the IPCHAINS HOWTO)
> Any suggestions? Any help?
> Linux Users Group at UD mailing list
> Subscription Management:
> Archives : http://www.lug.udel.edu/pipermail/linux/
> To UNSUBSCRIBE, email to firstname.lastname@example.org
> with a subject of "unsubscribe". Trouble? Contact
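Worked example, added here and not part of either message above: the policy Rishi describes, expressed as the shorewall files the reply lists (zones, interfaces, policy, masq, rules). Everything concrete in it is assumed for illustration: eth0 facing the Internet, eth1 the DMZ, eth2 the LAN, and the web, mail and DNS boxes at 192.168.9.10, .20 and .30. Two caveats: shorewall drives iptables, not ipchains, so this presumes a 2.4-series kernel with netfilter rather than the ipchains setup the question asks about; and the file names and column layouts below follow the shorewall documentation, but columns have changed across releases (shorewall 1.x, current when this thread was written, lays out zones and interfaces differently, and newer releases replace masq with snat), so compare each file against the commented templates shipped in /etc/shorewall before using it.

```text
# /etc/shorewall/zones
# ZONE   TYPE       (assumed layout; shorewall 1.x used ZONE DISPLAY COMMENTS)
fw       firewall
net      ipv4
dmz      ipv4
lan      ipv4

# /etc/shorewall/interfaces   (interface names are assumptions)
# ZONE   INTERFACE  BROADCAST  OPTIONS
net      eth0       -          routefilter
dmz      eth1       -
lan      eth2       -

# /etc/shorewall/policy   (default per zone pair; first matching line wins)
# SOURCE DEST   POLICY  LOG LEVEL
fw       all    ACCEPT
lan      net    ACCEPT           # good -> bad: allow all, NATed via masq below
dmz      net    ACCEPT           # dmz  -> bad: allow all, NATed via masq below
net      all    DROP    info     # bad  -> anything: only what the rules file opens
all      all    REJECT  info     # dmz -> good and good -> dmz: nothing by default

# /etc/shorewall/masq   (both private ranges leave eth0 with its address)
# INTERFACE  SOURCE
eth0         10.177.9.0/24
eth0         192.168.9.0/24

# /etc/shorewall/rules   (exceptions to the policies; host addresses are assumptions)
# ACTION  SOURCE  DEST              PROTO  DEST PORT(S)
# bad -> dmz: the DMZ is not routable, so inbound connections are port-forwarded (DNAT)
DNAT      net     dmz:192.168.9.10  tcp    80     # web box
DNAT      net     dmz:192.168.9.10  tcp    22     # ssh to web box
DNAT      net     dmz:192.168.9.20  tcp    25     # mail
DNAT      net     dmz:192.168.9.30  tcp    53     # DNS, tcp and udp
DNAT      net     dmz:192.168.9.30  udp    53
# good -> dmz: same services, but the LAN routes to 192.168.9.0/24 directly, so plain ACCEPT
ACCEPT    lan     dmz:192.168.9.10  tcp    80
ACCEPT    lan     dmz:192.168.9.10  tcp    22
ACCEPT    lan     dmz:192.168.9.20  tcp    25
ACCEPT    lan     dmz:192.168.9.30  tcp    53
ACCEPT    lan     dmz:192.168.9.30  udp    53
```

The "all all REJECT" policy is what gives "dmz --> good = nothing" and "good --> dmz = nothing except the listed services" without any per-interface ipchains chains: traffic between two private ranges is just another zone pair, and the rules file opens only the five services. Note that LAN hosts reach the DMZ boxes by their 192.168.9.x addresses, not by the firewall's public address; a connection from the LAN to the public address would have to be hairpinned through the DNAT rules, which this configuration does not set up.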