Demilitarized zone using iptables?

870 pts.
Tags:
Administration
Architecture/Design
Features/Functionality
Firewalls
Forensics
Incident response
Installation
Intrusion management
Management
Network security
Product/service procurement
Security
Security management
Security products
Signature updating/Management
VPN
Wireless
Hi, I'm the Assistant Editor for SearchEnterpriseLinux.com. One of our users, "ruhi," posted the following question. Can you help? "I have to plan and design a demilitarized zone using iptables. How can I do this?" You can post your answer here on ITKE, or reply to mailto:editor@searchenterpriselinux.com?subject=iptables Thanks! Amy Kucharik Assistant Editor, SearchEnterpriseLinux.com TechTarget 117 Kendrick Street, Suite 800 Needham, MA 02494 Office: 781-657-1451

Answer Wiki

Thanks. We'll let you know when a new response is added.

You can certainly use iptables to build a basic “firewall” architecture. part of that structure would be DMZ area. another approach you could take is to use the iptables as server firewall, and block selected services.

You would need a routing functionality also , for which you could use any LINUX based routing daemon or a more mature router (cisco) ?

Dharminder Dargan

Discuss This Question: 3  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Sonyfreek
    You can design your DMZ any way that you want it, but there are two generally practiced methods. The first is to have a firewall with three interfaces in it: Outside, Inside, and DMZ. The DMZ interface is not trusted by the internal network and all of your "expendable" servers and services should go there: ie the external DNS, Web Server, Mail Relay, IDS, etc. The internal network would be configured to allow port the email relay server through, but generally should not trust any connections from the DMZ into the internal network with that exception. Obviously, the external network shouldn't be trusted at all and only necessary services should be allowed to access the Internet/outside from your internal hosts and DMZ services. The second most popular DMZ setup is called "Barrier Reef." With it, you configure two different firewalls (with different operating systems and firewall software) and install the DMZ between the two firewalls. Let's call the one firewall the outside firewall and the other the inside firewall. The outside firewall has connections to the Internet and the DMZ. The Inside firewall has connections to the DMZ and the Internal network. In this case, the same rules are established as with a three interface firewall but you are "more protected" because if someone is capable of owning the one firewall, they may not have the expertise to crack the second one. Also, the ruleset on the second firewall should be more strict and selective of what it lets through. Now, for the configuration of iptables... I suggest you use one of the front-ends to iptables to get you used to configuring rules. Later on, you may decide to take on the iptables ruleset directly if you are into that type of thing. I've used Shorewall before with a lot of success, but watch out with using a GUI on a production firewall. The easier it is for you to use, the easier it is for someone to hack it. For setting up a three interface firewall, see http://www.shorewall.net/three-interface.htm. SF
    0 pointsBadges:
    report
  • Zottmann
    Hi !! Sonny gave an excelent explanation about how to set up a DMZ !! As for a GUI frontend for iptables, I suggest you try Firewall Builder. It is really ease to use, and even has some wizards that helps you on building your initial set of rules. Regards, Carlos.
    0 pointsBadges:
    report
  • Astronomer
    Shortly after iptables came out, new riders published a book called: linux firewalls second edition. This book covers iptables in some depth and shows how to set up the standard architectures. I have used this as a reference for three years now. It should have everything you need to know to set up the firewall section of your network. If you have a specific question, let me know. rt
    15 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following