# Need to build a DMZ

## grooveman

Hello everyone.

I am about to embark upon a new project at the office.

I need to set up a DMZ.  I have a reasonably good understanding of IPtables, I don't really know anything about advanced routing tho.  We have a couple web servers, and a couple email servers that I will want inside this DMZ.

I see general references in topology to building DMZ's, but no real practical advice or howtos.  

Since I am a NAT guy (as of yet), I was thinking something along these lines (now if this is totally stupid, please correct my thinking).   Say we have the range of  X.X.X.200 through X.X.X.215 reserved for  us by our ISP.  I could make my outside firewall's outside nic X.X.X.215.  I could make my Web Server's nic 10.10.10.2.  I then could block all unrelated incoming traffic to X.X.X.215, alias that nic so that it also is X.X.X.214 and DNAT all port 80 requests to 10.100.100.2.  Meanwhile my inside firewall would have the DMZ nic addressed to 10.100.100.1 and the Local network nic addressed to 192.168.1.1 (my office network).  

Something like that.  I would likewise alias the outside nic of the outside firewall to the lists server and the email server -- and anything else we need in the dmz.

Is this totally deranged, or is this how it is done?  Do I need to use an entirely different toolset here?  I need to make this as secure as possible, so any advice that will help me to that end is most welcome.

I thank you for your input.

Chris

----------

## NeddySeagoon

grooveman,

Download Smoothwall http://smoothwall.org/ and play with it. 

Warning : It wants a PC to itself.

I run it on a Cyrix 200 for my home firewall with a DMZ for my web server. The beta uses iptables but I'm sticking to version 1.0. Mostly because my firewall box only has three network cards in it and a new software install will be a pain. 

Regards,

NeddySeagoon

----------

## grooveman

Thank you for your response.

I have seen, played a bit with and recommended smoothwall.

But I really want to do this by hand.  It is important to me to understand the syntax and theory behind what I am doing.

I already know how to set up firewalls reasonably well with iptables.  What I really want to know (for starters) is what is the appropriate toolset for doing this, and whether NAT has a place at all in this.  I am willing to learn more router related solutions if necessary. 

How do the linux gurus get this stuff done?

Any more input would be much appreciated.

Thank you.

Chris

----------

## sschlueter

*grooveman wrote:*

> I already know how to set up firewalls reasonably well with iptables.  What I really want to know (for starters) is what is the appropriate toolset for doing this, and whether NAT has a place at all in this.  I am willing to learn more router related solutions if necessary.

Of course you can use DNAT but you haven't talked about the necessary access restrictions of the whole DMZ setup. Are you familiar with these?

----------

## grooveman

Hmm..

I guess not...  I confess I don't know what you are referring to here.

----------

## paranode

If you want the machines inside your DMZ to have public addresses instead of private ones, you need to have an invisible box sitting between your incoming net connection and the switch that services your DMZ.  I would do this with OpenBSD myself probably because I know the packet filter well, but it should be achievable easily with iptables also.  You need to set up the firewall box as a bridge (I don't know specifically how to do this with Linux, I think it just involves /proc changes).  You choose whether to give it an IP address or not, depending on whether you need remote administration (via ssh or whatever), but you don't have to give it one.  Essentially, this box will have iptables rules that block and allow traffic based on IP addresses and ports.  In a nutshell, you are letting the operating system act as a bridge between the DMZ and the net, so you don't need to write redirection rules, but rather only allow the traffic you want.  Building this up from a drop-all policy and punching holes where you need them would be the most secure way to set it up.

[edit] Some of the info here may help. [/edit]

----------

## grooveman

Yes, paranode,

that sounds lovely.  Thank you for the reference.  I will read, and give it a whirl.  I'll try to remember to post my results.

Thanks very much for your help  :-)

G

----------

## sschlueter

*grooveman wrote:*

> I guess not...  I confess I don't know what you are referring to here.

The general idea behind a DMZ setup is the following: There's the internet, it's not under your control and has to be considered as being hostile. There's the area where your public servers are, they're under your control but can't be completely protected because they're exposed to the internet. Then there's the private network, it's under your control and its protection is of great concern.

The public servers are potentially vulnerable and may be compromised by an attacker. While a firewall can't protect a service that must be reachable and completely functional, a DMZ setup is there to limit the potential damage when a machine is already owned by an attacker. An attacker may try to attack the private network from the compromised machine and may try to attack other hosts on the internet. Your server may be abused to break into other systems or may be abused as a DDoS client. The source of the attack would be your IP address!

This means: Don't allow connections from the internet to the private network. You may allow connections from the private subnet to the internet. You must allow connections from the internet to the DMZ but you should configure this as tight as possible. Depending on the kind of services you're running, it may be possible to disallow all connections from the DMZ to the internet. Don't allow connections from the DMZ to the private subnet. You may want to allow connections from the private network to the DMZ (for administration of the servers). 

A DMZ usually consists of either 1 firewall machine with 3 NICs or 2 firewall machines with 2 NICs each. (You can use public or private IP addresses for the servers and can decide between port forwarding, normal routing with subnetting, normal routing without subnetting and proxy ARP and bridging. But that's not important for the general idea of a DMZ.)
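An added example, not from the thread: one three-NIC iptables firewall that implements the policy laid out in the post above, using the DNAT-from-an-aliased-address scheme from the original question. Interface names, the 203.0.113.x stand-ins for the ISP's X.X.X range, and the web/mail server addresses are assumptions.

```shell
#!/bin/sh
# Assumed layout (not from the thread):
#   eth0 = ISP side, 203.0.113.215 with alias 203.0.113.214 (stand-ins for X.X.X.215/.214)
#   eth1 = DMZ 10.100.100.1/24, web server .2, mail server .3
#   eth2 = office LAN 192.168.1.1/24
WAN=eth0; DMZ=eth1; LAN=eth2
PUB_ALIAS=203.0.113.214; WEB=10.100.100.2; MAIL=10.100.100.3
LAN_NET=192.168.1.0/24; DMZ_NET=10.100.100.0/24

# Emit the ruleset. Run `sh dmz.sh` to review it, `sh dmz.sh | sh` as root to apply it.
dmz_rules() {
    # Default deny: anything not matched by a rule below is dropped.
    echo "iptables -F; iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Replies to connections we allowed are always let through (this rule comes first).
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Private net -> internet: allowed, hidden behind the firewall's public address.
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
    # Internet -> DMZ: only the published services, DNATed from the aliased address.
    echo "iptables -t nat -A PREROUTING -i $WAN -d $PUB_ALIAS -p tcp --dport 80 -j DNAT --to-destination $WEB"
    echo "iptables -A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT"
    echo "iptables -t nat -A PREROUTING -i $WAN -d $PUB_ALIAS -p tcp --dport 25 -j DNAT --to-destination $MAIL"
    echo "iptables -A FORWARD -i $WAN -o $DMZ -d $MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT"
    # DMZ -> internet: only what the services need; here just outbound SMTP from the mail server.
    echo "iptables -A FORWARD -i $DMZ -o $WAN -s $MAIL -p tcp --dport 25 -j ACCEPT"
    # DMZ -> private net: never. Log it, because a DMZ host probing the office is a compromise signal.
    echo "iptables -A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix 'DMZ->LAN '"
    echo "iptables -A FORWARD -i $DMZ -o $LAN -j DROP"
    # Private net -> DMZ: ssh for administration only.
    echo "iptables -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_NET -p tcp --dport 22 -j ACCEPT"
    # The firewall itself: reachable over ssh from the LAN, from nowhere else.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
}

# Sanity check on the generated policy: number of rules letting the DMZ reach the LAN (must be 0).
dmz_to_lan_accepts() {
    dmz_rules | grep -c -- "-i $DMZ -o $LAN .* -j ACCEPT" || true
}

dmz_rules
```

Because the ESTABLISHED,RELATED rule precedes the DMZ->LAN drop, admin ssh sessions from the office get their replies while the DMZ still cannot open anything towards the LAN.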

----------

## grooveman

Thank you.

I understand the objective of a DMZ.  What I was really asking for were strategies of implementation and tool sets.

I did read the transparent firewall howto, but found it rather lacking. There was some good info there, but it wasn't so much a "howto" as a "heads-up".

One interesting thing it claimed was that it is not possible to build a transparent firewall on Linux with any kernels other than 2.4.12-2.4.19 (inclusive).  Is this still true?  It appears to have been written before the release of 2.4.21 and 2.4.22.

Anyway, I do appreciate the input.

Thank you

G

----------

## paranode

It should work fine on any newer kernel.  The key is to get ethernet bridging working.

----------

## sschlueter

*grooveman wrote:*

> I understand the objective of a DMZ.  What I was really asking for were strategies of implementation and tool sets.

Maybe an example will be useful. Though I took only a quick look at this, it seems quite OK.

http://www.faqs.org/docs/iptables/rcdmzfirewalltxt.html

http://iptables-tutorial.frozentux.net/scripts/rc.DMZ.firewall.txt

----------

## grooveman

Now this is more like what I had in mind!

Thank you.  This should help me get started.

You guys are great!

G
