Comments on: Linux Demilitarized Zone (DMZ) Ethernet Interface Requirements and Configuration

By: A.Jesin

A.Jesin — Fri, 22 Apr 2011 08:02:38 +0000

Someone please help me I’m struggling to get port forwarding working. I have 2 machines
system 1. with 2 ethernet ports
eth1 public (ip 192.168.56.2)
eth0 connected to system 2 (192.168.0.240)
system 2. with 1 ethernet port
eth0 connected to system1 (192.168.0.201) running a web server at 80

On system 1 I’ve set the following rule
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 192.168.56.2 –dport 80 -j DNAT –to-destination 192.168.0.201
but it doesn’t work at all when I access http://192.168.56.2/
But http://192.168.0.201/ works indicating that port 80 is open on system 2

By: Akhim

Akhim — Wed, 23 Mar 2011 01:43:57 +0000

great article Vivek Gite!

By: André Ricardo

André Ricardo — Sat, 05 Mar 2011 15:54:33 +0000

Great!

By: Mike

Mike — Wed, 01 Dec 2010 16:34:21 +0000

Why would you want to include these rules:
iptables -A FORWARD -i eth0 -o eth2 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT
Since eth2 is on DMZ wouldnt you want to completely separate it from the lan ?

By: sparc86

sparc86 — Sat, 08 May 2010 21:07:47 +0000

@Sachin, could you show us your firewall script and your routing table ?

By: Sachin

Sachin — Sat, 13 Mar 2010 19:29:38 +0000

My Network setup :-

I have 3 network card in CentOS firewall machine connected to ADSL router
1)Public ip –> 59.181.x.x which is nat on router to 192.168.1.1
2) eth0 (External interface) which had IP ADDR 192.168.1.5 and Gateway 192.168.1.1
In ifcfg-eth0 I have entry GATEWAY=192.168.1.1
3) eth1 (Lan network) which has IP ADDR 192.168.2.1 and connected to switch1
In ifcfg-eth1 I have not mentioned any GAETWAY
4) eth2 (DMZ) which has IP ADDR 192.168.0.50 and connected to switch2
In ifcfg-eth2 I have not mentioned any GATEWAY
5) Webserver is connected in DMZ network and has IP ADDR 192.16.0.51 (other Centos machine)

My Problem :-

I am able to ssh from firewall machine to 192.168.0.51 and vice versa.ALso I am able to ping 192.168.1.5 from 192.168.0.51, BUT I am not able to ping 192.168.1.1 which is GATEWAY to 192.1681.5
I want my machine 192.168.0.51 to access outside network (internet) i.e it should ping 59.181.x.x
Can someone suggest solution for this problem?

By: PG

PG — Tue, 16 Jun 2009 10:41:05 +0000

hey,

in the earlier post, the LAN actually connects to one other NIC of LINUX Router.

By: PG

PG — Tue, 16 Jun 2009 10:32:50 +0000

Does this iptables rules share internet to the local LAN users?

I want to implement like this:

INTERNET—————–(pub ip)LINUX ROUTER(pvt ip) ————PROXY/MAIL SVR
|
LAN
how will be the iptable rules change if i want to direct the LAN internet access through the proxy server?

Thanks in advance.

Prakash

What will be the rules if i need to direct

By: yshri

yshri — Thu, 04 Jun 2009 08:34:26 +0000

hey, great article. Very informative and helped me a lot. But in my case, i found it risky and don’t want to use 3 interfaces on the same machine. Instead, I want to configure two firewall machines — one sits in front of DMZ and other sits in front of Local LAN. Could you please explore in little in depth the configuration and setup required in this ? If you could give a diagram of it would be of great help to me. Thanks a lot.

By: V.Balaviswanathan

V.Balaviswanathan — Wed, 29 Apr 2009 14:32:35 +0000

How to use iptables on a Debian or Ubuntu systems? You the ufw utility as a firewall and so how can one use that to forward or deny the ip packets?

Please help me

By: satya

satya — Thu, 19 Mar 2009 06:32:50 +0000

I am having 3 network card with
1..public Ip
2. 192.168.0.0—-servers
3. 192.168.1.0—-Lan
I tried setting as router to allow internet access on lan , it din’t work, can u help me out

By: Nepguy

Nepguy — Mon, 02 Mar 2009 09:48:36 +0000

Doesn’t any NATing thing required here?

By: Vivek Gite

Vivek Gite — Fri, 27 Feb 2009 11:09:57 +0000

Rules remains same and replace private IP with public one.

By: Nepguy

Nepguy — Fri, 27 Feb 2009 09:00:24 +0000

Hey,
Great Stuff !

But i have a little different case with me and wondering if you could help me.
I want to put a server ( Mail and proxy) in same machine and instead of assigning Private IP in the server in DMZ, I want to assign a public Ip.

So can you please help me out with the iptables and routing in the linux server having 3 Nics.

Thanks in advance.

By: Vivek Gite

Vivek Gite — Fri, 27 Feb 2009 07:51:28 +0000

DMZ needs 3 network card.

By: satya

satya — Fri, 27 Feb 2009 07:32:57 +0000

I tried with 2 network card to set as gateway server on Ubuntu 8.10 lts, its not working. Is thr any tips to troubleshoot

By: Gerald Sagoonick

Gerald Sagoonick — Mon, 19 Jan 2009 20:54:15 +0000

Nice one

By: umesh

umesh — Tue, 07 Oct 2008 18:09:59 +0000

Hi,
I have 8 public Ips and want to configure FreeBSD as router and firewall and also want to use all 8 public IPs for my servers so pls can you suggest me how to do this. I am very confused….

Pls help….

By: vivek

vivek — Tue, 05 Aug 2008 05:41:08 +0000

mirza,

Yes, it was updated after George’s correction..

By: mirza

mirza — Tue, 05 Aug 2008 02:38:05 +0000

after George’s correction….
is the script already updated ?