
Linux Demilitarized Zone (DMZ) Ethernet Interface Requirements and Configuration

Q. Can you tell me more about Linux Demilitarized Zone and Ethernet Interface Card Requirements for typical DMZ implementation? How can a rule be set to route traffic to certain machines on a DMZ for HTTP or SMTP?

A. A demilitarized zone (DMZ) is used to secure an internal network from external access. You can easily create a DMZ with a Linux firewall. There are many different ways to design a network with a DMZ. The basic method is to use a single Linux firewall with 3 Ethernet cards. The following simple example discusses DMZ setup and forwarding public traffic to internal servers.

Sample Example DMZ Setup

Consider the following DMZ host with 3 NICs:
[a] eth0 with private IP address - Internal LAN ~ Desktop system
[b] eth1 with public IP address - WAN connected to ISP router
[c] eth2 with private IP address - DMZ connected to Mail / Web / DNS and other private servers

Linux Demilitarized Zone (DMZ) Ethernet Single Firewall Design
(Fig 01: A typical Linux based DMZ setup [ Image modified from Wikipedia article] )

Routing traffic between public and DMZ server

To route all incoming SMTP requests to a dedicated mail server's IP address on port 25, use network address translation (NAT): a rule in the PREROUTING chain of the nat table rewrites the destination so that the packets are forwarded to the proper host.

This is done with iptables firewall rules that route traffic between the LAN and the DMZ, and between the public interface and the DMZ. For example, all incoming mail traffic from the internet can be sent to the DMZ mail server with the following iptables PREROUTING rule (assuming a default DROP-all firewall policy):

### end init firewall .. Start DMZ stuff ####
# Set WAN_IP (public IP on eth1) and MAIL_IP, LB_IP, RLB_IP (private DMZ server IPs) before running
# forward traffic between DMZ and LAN
iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward traffic between DMZ and WAN servers SMTP, Mail etc
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Route incoming SMTP (port 25) traffic to DMZ mail server
iptables -t nat -A PREROUTING -p tcp -i eth1 -d "$WAN_IP" --dport 25 -j DNAT --to-destination "$MAIL_IP"
# Route incoming HTTP (port 80) traffic to DMZ server load balancer IP
iptables -t nat -A PREROUTING -p tcp -i eth1 -d "$WAN_IP" --dport 80 -j DNAT --to-destination "$LB_IP"
# Route incoming HTTPS (port 443) traffic to DMZ server reverse load balancer IP
iptables -t nat -A PREROUTING -p tcp -i eth1 -d "$WAN_IP" --dport 443 -j DNAT --to-destination "$RLB_IP"
### End DMZ .. Add other rules ###


  • -i eth1 : WAN network interface
  • -d : WAN public IP address
  • --dport 25 : SMTP traffic
  • -j DNAT : the DNAT target, used to set the destination address of the packet with --to-destination
  • --to-destination : mail server IP address (private IP)

Multi port redirection

You can also use the iptables multiport module to match a set of source or destination ports. Up to 15 ports can be specified. For example, route incoming HTTP (port 80) and HTTPS (port 443) traffic to the WAN server load balancer IP:

# WAN_IP = public IP on eth1, LB_IP = load balancer IP (set both first)
iptables -t nat -A PREROUTING -p tcp -i eth1 -d "$WAN_IP" -m multiport --dports 80,443 -j DNAT --to-destination "$LB_IP"
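
The eth1-to-eth2 FORWARD rule in the script above accepts NEW connections on every port, not only the three that are DNATed. The sketch below, an added example that is not part of the original article, prints (does not apply) each DNAT rule together with a FORWARD rule limited to the same DMZ host and ports, and enforces the 15-port multiport limit. The addresses 203.0.113.10, 10.0.2.25 and 10.0.2.80 and the function names are constructed for illustration.

```shell
#!/bin/bash
# Added example: print (do not apply) DNAT rules with matching FORWARD rules.
# Interfaces follow the article: eth1 = WAN, eth2 = DMZ.
# All IP addresses below are constructed placeholders.
WAN_IF=eth1
DMZ_IF=eth2
ST="-m state --state"

# valid_ports "80,443": each item is a port 1-65535, and there are 1 to 15
# items (the multiport limit). Runs in a subshell so IFS stays untouched.
valid_ports() (
    IFS=,
    n=0
    for p in $1; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -ge 1 ] && [ "$n" -le 15 ]
)

# publish WAN_IP PORTS DMZ_IP: print the rule pair for one published service.
publish() {
    valid_ports "$2" || { echo "bad port list: $2" >&2; return 1; }
    # nat/PREROUTING rewrites the destination before the routing decision.
    echo "iptables -t nat -A PREROUTING -p tcp -i $WAN_IF -d $1" \
         "-m multiport --dports $2 -j DNAT --to-destination $3"
    # FORWARD sees the rewritten address: allow NEW only to that host and ports.
    echo "iptables -A FORWARD -p tcp -i $WAN_IF -o $DMZ_IF -d $3" \
         "-m multiport --dports $2 $ST NEW -j ACCEPT"
}

# ruleset: reply traffic in both directions, then one rule pair per service.
ruleset() {
    echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF $ST ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $DMZ_IF -o $WAN_IF $ST ESTABLISHED,RELATED -j ACCEPT"
    publish 203.0.113.10 25 10.0.2.25 &&
    publish 203.0.113.10 80,443 10.0.2.80
}

ruleset
```

Review the printed rules before applying them; with a default DROP policy, anything not published this way stays blocked between WAN and DMZ.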


The above design has a few pitfalls:

  1. Single point of failure - The firewall becomes a single point of failure for the network.
  2. Hardware - The firewall host must be able to handle all of the traffic going to the DMZ as well as the internal network.

Linux / BSD Firewall Distros

If you find the above discussion a little hard to digest, I suggest getting a Linux / BSD distribution which aims to provide a simple-to-manage firewall appliance based on PC hardware to set up a DMZ and gateways:

Further readings:

Updated for accuracy.


{ 27 comments }

  • George January 2, 2008, 4:09 pm

    I want to add that there’s a mistake in the iptables rules: iptables -t nat -A PREROUTING -p tcp -i eth2 -d --dport 25 -j DNAT --to-destination The problem is coming from -i eth2, the correct way is -i eth1 because we want packets coming from internet to be redirected to the DMZ.

  • nixCraft January 2, 2008, 4:21 pm


    Thanks for the heads up.

  • Sathish August 1, 2008, 8:35 am


    I have configured the DMZ mentioned in the above article. Routing concept is working fine, whereas if I click on my LAN/other networks by accessing the web page [ex: www.xyz.com or http://xyz.com], it is showing the Apache test page, whereas the domain-related page is not working. What may be the problem?

    Please help me out.


  • nixCraft August 1, 2008, 9:09 am

    You need to configure Apache properly.

  • mirza August 5, 2008, 2:38 am

    after George’s correction….
    is the script already updated ?

  • nixCraft August 5, 2008, 5:41 am


    Yes, it was updated after George’s correction..

  • umesh October 7, 2008, 6:09 pm

    I have 8 public IPs and want to configure FreeBSD as router and firewall and also want to use all 8 public IPs for my servers, so please can you suggest to me how to do this. I am very confused….

    Please help….

  • Gerald Sagoonick January 19, 2009, 8:54 pm

    Nice one

  • satya February 27, 2009, 7:32 am

    I tried with 2 network cards to set as gateway server on Ubuntu 8.10 LTS, it's not working. Are there any tips to troubleshoot?

  • nixCraft February 27, 2009, 7:51 am

    DMZ needs 3 network cards.

  • Nepguy February 27, 2009, 9:00 am

    Great Stuff !

    But I have a little different case with me and wondering if you could help me.
    I want to put a server (mail and proxy) in the same machine and instead of assigning a private IP in the server in DMZ, I want to assign a public IP.

    So can you please help me out with the iptables and routing in the Linux server having 3 NICs.

    Thanks in advance.

    • nixCraft February 27, 2009, 11:09 am

      Rules remain the same; replace the private IP with the public one.

  • Nepguy March 2, 2009, 9:48 am

    Isn’t any NATing thing required here?

  • satya March 19, 2009, 6:32 am

    I am having 3 network cards with
    1. public IP
    I tried setting it as a router to allow internet access on LAN, it didn’t work, can you help me out?

  • V.Balaviswanathan April 29, 2009, 2:32 pm

    How to use iptables on Debian or Ubuntu systems? You use the ufw utility as a firewall, and so how can one use that to forward or deny the IP packets?

    Please help me

  • yshri June 4, 2009, 8:34 am

    Hey, great article. Very informative and helped me a lot. But in my case, I found it risky and don’t want to use 3 interfaces on the same machine. Instead, I want to configure two firewall machines — one sits in front of the DMZ and the other sits in front of the local LAN. Could you please explore in a little depth the configuration and setup required for this? If you could give a diagram of it, it would be of great help to me. Thanks a lot.

  • PG June 16, 2009, 10:32 am

    Do these iptables rules share internet to the local LAN users?

    I want to implement like this:

    INTERNET—————–(pub ip)LINUX ROUTER(pvt ip) ————PROXY/MAIL SVR
    How will the iptables rules change if I want to direct the LAN internet access through the proxy server?

    Thanks in advance.


    What will be the rules if i need to direct

  • PG June 16, 2009, 10:41 am


    In the earlier post, the LAN actually connects to one other NIC of the Linux router.

  • Sachin March 13, 2010, 7:29 pm

    My Network setup :-

    I have 3 network cards in CentOS firewall machine connected to ADSL router
    1)Public ip –> 59.181.x.x which is nat on router to
    2) eth0 (External interface) which had IP ADDR and Gateway
    In ifcfg-eth0 I have entry GATEWAY=
    3) eth1 (Lan network) which has IP ADDR and connected to switch1
    In ifcfg-eth1 I have not mentioned any GATEWAY
    4) eth2 (DMZ) which has IP ADDR and connected to switch2
    In ifcfg-eth2 I have not mentioned any GATEWAY
    5) Webserver is connected in DMZ network and has IP ADDR (other Centos machine)

    My Problem :-

    I am able to ssh from firewall machine to and vice versa. Also I am able to ping from, BUT I am not able to ping which is GATEWAY to 192.1681.5
    I want my machine to access outside network (internet) i.e it should ping 59.181.x.x
    Can someone suggest solution for this problem?

  • sparc86 May 8, 2010, 9:07 pm

    @Sachin, could you show us your firewall script and your routing table ?

  • Mike December 1, 2010, 4:34 pm

    Why would you want to include these rules:
    iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    Since eth2 is on DMZ wouldn’t you want to completely separate it from the LAN?

  • André Ricardo March 5, 2011, 3:54 pm


  • Akhim March 23, 2011, 1:43 am

    great article Vivek Gite!

  • LMS April 8, 2011, 6:08 pm

    Hi there,

    My schematic is a little different

    I’ve got a ubuntu server 10.10, and

    router -> Firewall -> Lan
    router -> DMZ

    So what I’ve got is the WAN interface connection to the firewall, then the other interface of the router connects to the DMZ, so in the end we have a different situation from the one you’ve got

  • A.Jesin April 22, 2011, 8:02 am

    Someone please help me I’m struggling to get port forwarding working. I have 2 machines
    system 1. with 2 ethernet ports
    eth1 public (ip
    eth0 connected to system 2 (
    system 2. with 1 ethernet port
    eth0 connected to system1 ( running a web server at 80

    On system 1 I’ve set the following rule
    iptables -t nat -A PREROUTING -p tcp -i eth1 -d --dport 80 -j DNAT --to-destination
    but it doesn’t work at all when I access
    But works indicating that port 80 is open on system 2

  • origama June 19, 2012, 2:18 pm

    Nice article, like every reading from this blog.
    I just want to suggest another distro: Zeroshell.
    OK, I am a little bit of a patriot (it’s an Italian distro) but I have been using Zeroshell for a year now and I find it is really simple and effective.

  • jayadev July 2, 2013, 12:18 pm

    I have single ethernet card with eth1:1 (LAN) and eth1:2 (DMZ) virtually configured. Another card (eth0) supports WAN. Is it possible to use port forwarding from eth0 to eth1:2 and eth1:1 to eth1:2. Thanks
