Linux Demilitarized Zone (DMZ) Ethernet Interface Requirements and Configuration
Q. Can you tell me more about Linux Demilitarized Zone and Ethernet Interface Card Requirements for typical DMZ implementation? How can a rule be set to route traffic to certain machines on a DMZ for HTTP or SMTP?
A. Demilitarized zone, used to secure an internal network from external access. You can use Linux firewall to create DMZ easily. There are many different ways to design a network with a DMZ. The basic method is to use a single Linux firewall with 3 Ethernet cards. The following simple example discusses DMZ setup and forwarding public traffic to internal servers.
Sample Example DMZ Setup
Consider the following DMZ host with 3 NIC:
[a] eth0 with 192.168.1.1 private IP address - Internal LAN ~ Desktop system
[b] eth1 with 202.54.1.1 public IP address - WAN connected to ISP router
[c] eth2 with 192.168.2.1 private IP address - DMZ connected to Mail / Web / DNS and other private servers
(Fig 01: A typical Linux based DMZ setup [ Image modified from Wikipedia article] )
Routing traffic between public and DMZ server
To set a rule for routing all incoming SMTP requests to a dedicated Mail server at IP address 192.168.2.2 and port 25, network address translation (NAT) calls a PREROUTING table to forward the packets to the proper destination.
This can be done with appropriate IPTABLES firewall rule to route traffic between LAN to DMZ and public interface to DMZ. For example, all incoming mail traffic from internet (202.54.1.1) can be send to DMZ mail server (192.168.2.2) with the following iptables prerouting rule (assuming default DROP all firewall policy):
### end init firewall .. Start DMZ stuff #### # forward traffic between DMZ and LAN iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # forward traffic between DMZ and WAN servers SMTP, Mail etc iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # Route incoming SMTP (port 25 ) traffic to DMZ server 192.168.2.2 iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2 # Route incoming HTTP (port 80 ) traffic to DMZ server load balancer IP 192.168.2.3 iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3 # Route incoming HTTPS (port 443 ) traffic to DMZ server reverse load balancer IP 192.168.2.4 iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4 ### End DMZ .. Add other rules ###
Where,
- -i eth1 : Wan network interface
- -d 202.54.1.1 : Wan public IP address
- --dport 25 : SMTP Traffic
- -j DNAT : DNAT target used set the destination address of the packet with --to-destination
- --to-destination 192.168.2.2: Mail server ip address (private IP)
Multi port redirection
You can also use multiport iptables module to matches a set of source or destination ports. Up to 15 ports can be specified. For example, route incoming HTTP (port 80 ) and HTTPS ( port 443) traffic to WAN server load balancer IP 192.168.2.3:
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 -m multiport --dport 80,443 -j DNAT --to-destination 192.168.2.3
Pitfalls
Above design has few pitfalls:
- Single point of failure - The firewall becomes a single point of failure for the network.
- Hardware - The firewall Host must be able to handle all of the traffic going to the DMZ as well as the internal network.
Linux / BSD Firewall Distros
If you find above discussion little hard to digest, I suggest getting a Linux / BSD distribution which aims to provide a simple-to-manage firewall appliance based on PC hardware to setup DMZ and gateways:
Further readings:
- Wes Sonnenreich. Building Linux And Openbsd Firewalls. - A step-by-step guide to bulding a commercial-grade firewall with open source software.
- Eric Maiwald. Network Security: A Beginner's Guide. Second Edition. - It gives a brief overview of most of the security related topics, perhaps one of the best books to start with.
- Michael Rash. Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort [ILLUSTRATED] - Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools. You'll learn how to deploy iptables as an IDS with psad and fwsnort and how to build a strong, passive authentication layer around iptables with fwknop.
Updated for accuracy.
Subscribe to our free e-mail newsletter or RSS feed to get all updates.
You can Email this page to a friend.
Related Other Helpful FAQs:
- Troubleshoot Linux / UNIX bind dns server zone problems with named-checkzone tool
- Linux, UNIX set the time zone on a per user basis
- OpenBSD Set / Configure Time Zone
- How To Run Linux Web Server / Service on Private IP Network
- How do I setup round robin DNS?
Discussion on This FAQ
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
Tags: apache dmz, demilitarized zone, dmz configuration, dmz firewall, dmz host, dmz router, dnat, forward traffic, internal servers, iptables dmz, linux dmz, linux firewall dmz, load balancer, private ip address, private servers, public interface, public traffic, route traffic, sendmail dmz, shorewall dmz, smoothwall dmz
January 2nd, 2008 at 4:09 pm
I want to add that there’s a mistake in the iptables rules: iptables -t nat -A PREROUTING -p tcp -i eth2 -d 202.54.1.1 –dport 25 -j DNAT –to-destination 192.168.2.2. The problem is coming from -i eth2, the correct way is -i eth1 because we want packets coming from internet to be redirect to the DMZ.
January 2nd, 2008 at 4:21 pm
George,
Thanks for the heads up.