Q. Can you tell me more about Linux Demilitarized Zone and Ethernet Interface Card Requirements for typical DMZ implementation? How can a rule be set to route traffic to certain machines on a DMZ for HTTP or SMTP?

A. A demilitarized zone (DMZ) is used to secure an internal network from external access. You can easily create a DMZ with a Linux firewall. There are many different ways to design a network with a DMZ. The basic method is to use a single Linux firewall with 3 Ethernet cards. The following simple example discusses DMZ setup and forwarding public traffic to internal servers.

Sample Example DMZ Setup

Consider the following DMZ host with 3 NICs:
[a] eth0 with 192.168.1.1 private IP address – Internal LAN ~ Desktop system
[b] eth1 with 202.54.1.1 public IP address – WAN connected to ISP router
[c] eth2 with 192.168.2.1 private IP address – DMZ connected to Mail / Web / DNS and other private servers

Linux Demilitarized Zone (DMZ) Ethernet Single Firewall Design
(Fig 01: A typical Linux based DMZ setup [ Image modified from Wikipedia article] )

Routing traffic between public and DMZ server

To route all incoming SMTP requests to a dedicated mail server at IP address 192.168.2.2 and port 25, network address translation (NAT) uses the PREROUTING chain of the nat table to rewrite the packets' destination so that they are forwarded to the proper host.

This can be done with appropriate iptables firewall rules to route traffic between the LAN and the DMZ, and between the public interface and the DMZ. For example, all incoming mail traffic from the internet (202.54.1.1) can be sent to the DMZ mail server (192.168.2.2) with the following iptables PREROUTING rule (assuming a default DROP-all firewall policy):

### end init firewall .. Start DMZ stuff ####
# forward traffic between DMZ and LAN
iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# forward traffic between DMZ and WAN servers SMTP, Mail etc
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Route incoming SMTP (port 25 ) traffic to DMZ server 192.168.2.2
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2

# Route incoming HTTP (port 80 ) traffic to DMZ server load balancer IP 192.168.2.3
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3

# Route incoming HTTPS (port 443 ) traffic to DMZ server reverse load balancer IP 192.168.2.4
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4
### End DMZ .. Add other rules ###

Where,

  • -i eth1 : WAN network interface
  • -d 202.54.1.1 : WAN public IP address
  • --dport 25 : SMTP traffic
  • -j DNAT : the DNAT target sets the destination address of the packet to the value given with --to-destination
  • --to-destination 192.168.2.2 : Mail server IP address (private IP)
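An added example, not part of the original article: the eth1 to eth2 FORWARD rule above accepts NEW connections to any DMZ port, so this script prints, for each published service, the DNAT rule together with a FORWARD rule limited to that DMZ host and port. The function names (dmz_publish, dmz_ruleset) and the 192.168.2.2-254 host range check are assumptions made for illustration; the script only prints the commands and does not apply them.

```shell
#!/bin/sh
# Added example: print a DNAT rule plus a FORWARD rule scoped to one service.
# Interface names and addresses are the ones used in the article.
WAN_IF=eth1 DMZ_IF=eth2 WAN_IP=202.54.1.1

# valid_port PORT: true for a decimal integer 1..65535 without leading zeros
valid_port() {
    case "$1" in ''|0*|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# valid_dmz_ip IP: true for 192.168.2.2-254 (assumed host range; .1 is the firewall)
valid_dmz_ip() {
    case "$1" in 192.168.2.*) host=${1#192.168.2.} ;; *) return 1 ;; esac
    case "$host" in ''|0*|*[!0-9]*|????*) return 1 ;; esac
    [ "$host" -ge 2 ] && [ "$host" -le 254 ]
}

# dmz_publish PROTO PORT DMZ_IP: print the two commands, or return 1 on bad input
dmz_publish() {
    proto=$1 port=$2 dmz_ip=$3
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    valid_dmz_ip "$dmz_ip" || { echo "not a DMZ host: $dmz_ip" >&2; return 1; }
    # nat/PREROUTING rewrites the destination before the routing decision.
    echo "iptables -t nat -A PREROUTING -p $proto -i $WAN_IF -d $WAN_IP --dport $port -j DNAT --to-destination $dmz_ip"
    # FORWARD sees the packet after DNAT, so it matches the DMZ address.
    echo "iptables -A FORWARD -p $proto -i $WAN_IF -o $DMZ_IF -d $dmz_ip --dport $port -m state --state NEW -j ACCEPT"
}

# dmz_ruleset: the article's three services, replacing its blanket eth1 -> eth2 NEW rule
dmz_ruleset() {
    echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    dmz_publish tcp 25 192.168.2.2 &&
    dmz_publish tcp 80 192.168.2.3 &&
    dmz_publish tcp 443 192.168.2.4
}

dmz_ruleset
```

Review the printed commands before running them as root; they are meant to stand in for the single eth1 to eth2 NEW,ESTABLISHED,RELATED rule, with the other FORWARD rules left as shown.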

Multi port redirection

You can also use the multiport iptables module to match a set of source or destination ports. Up to 15 ports can be specified. For example, route incoming HTTP (port 80) and HTTPS (port 443) traffic to WAN server load balancer IP 192.168.2.3:

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 -m multiport --dport 80,443 -j DNAT --to-destination 192.168.2.3

Pitfalls

The above design has a few pitfalls:

  1. Single point of failure – The firewall becomes a single point of failure for the network.
  2. Hardware – The firewall host must be able to handle all of the traffic going to the DMZ as well as the internal network.

Linux / BSD Firewall Distros

If you find the above discussion a little hard to digest, I suggest getting a Linux / BSD distribution which aims to provide a simple-to-manage firewall appliance based on PC hardware to set up a DMZ and gateways:

Further readings:

Updated for accuracy.

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

28 comments… add one
  • André Ricardo Mar 5, 2011 @ 15:54

    Great!

  • Akhim Mar 23, 2011 @ 1:43

    great article Vivek Gite!

  • LMS Apr 8, 2011 @ 18:08

    Hi there,

    My schematic is a little different

    I’ve got a ubuntu server 10.10, and

    router -> Firewall -> Lan
    router -> DMZ

    So What I’ve got it’s the wan interface connection to firewall then on the other interface of router connects to DMZ so at the end we have a different situation that you got

  • A.Jesin Apr 22, 2011 @ 8:02

    Someone please help me I’m struggling to get port forwarding working. I have 2 machines
    system 1. with 2 ethernet ports
    eth1 public (ip 192.168.56.2)
    eth0 connected to system 2 (192.168.0.240)
    system 2. with 1 ethernet port
    eth0 connected to system1 (192.168.0.201) running a web server at 80

    On system 1 I’ve set the following rule
    iptables -t nat -A PREROUTING -p tcp -i eth1 -d 192.168.56.2 --dport 80 -j DNAT --to-destination 192.168.0.201
    but it doesn’t work at all when I access http://192.168.56.2/
    But http://192.168.0.201/ works indicating that port 80 is open on system 2

  • origama Jun 19, 2012 @ 14:18

    Hi,
    nice article, like every reading from this blog.
    I just want to suggest another distro: Zeroshell.
    Ok I am a little bit patriot (it’s an Italian distro) but I am using zeroshell since a year ago now and I find it is really simple and effective.

  • jayadev Jul 2, 2013 @ 12:18

    I have single ethernet card with eth1:1 (LAN) and eth1:2 (DMZ) virtually configured. Another card (eth0) supports WAN. Is it possible to use port forwarding from eth0 to eth1:2 and eth1:1 to eth1:2. Thanks
