Designing a DMZ and using iptables

Want to join in on a similar conversation? Register for ITKnowledge Exchange and fill out your profile so you can ask specific sets of people your IT questions and help out your fellow geeks. Anyone can read answers already provided to questions, but only registered ITKnowledge Exchange members can ask questions or add to threads.

TechTarget member "Ruhi" asked: I have to plan and design a demilitarized zone using iptables. How can I do this?

A few basics
You can certainly use iptables to build a basic firewall architecture. Part of that structure would be the DMZ area. Another approach you could take is to use the iptables as server firewall, and block selected services.

You would need a routing functionality also, for which you could use any Linux-based routing daemon or a more mature router such as one from Cisco.

-- Dargandk

The first is to have a firewall with three interfaces in it: Outside, inside and DMZ. The DMZ interface is not trusted by the internal network and all of your "expendable" servers and services should go there -- i.e. the external DNS, Web server, mail relay, IDS, etc. The internal network would be configured to allow porting the e-mail relay server through, but generally should not trust any connections from the DMZ into the internal network with that exception. Obviously, the external network shouldn't be trusted at all and only necessary services should be allowed to access the Internet/outside from your internal hosts and DMZ services.

The second, most popular DMZ setup is called "Barrier Reef." With it, you configure two different firewalls (with different operating systems and firewall software) and install the DMZ between the two firewalls. Let's call the one firewall the outside firewall and the other the inside firewall. The outside firewall has connections to the Internet and the DMZ. The Inside firewall has connections to the DMZ and the Internal network. In this case, the same rules are established as with a three-interface firewall but you are "more protected" because if someone is capable of owning the one firewall, they may not have the expertise to crack the second one. Also, the ruleset on the second firewall should be more strict and selective of what it lets through.

Now, for the configuration of iptables... I suggest you use one of the front-ends to iptables to get you used to configuring rules. Later on, you may decide to take on the iptables ruleset directly if you are into that type of thing. I've used Shorewall before with a lot of success, but watch out with using a GUI on a production firewall. The easier it is for you to use, the easier it is for someone to hack it.

For setting up a three interface firewall, see http://www.shorewall.net/three-interface.htm.

-- Sonyfreek

As for a GUI front end for iptables, I suggest you try Firewall Builder. It is really ease to use, and even has some wizards that helps you on building your initial set of rules.

-- Zottman

I have used this as a reference for three years now. It should have everything you need to know to set up the firewall section of your network. If you have a specific question, let me know.

-- Astronomer

(Linux Firewalls author Robert Ziegler has since published a third edition of the book through Novell Press. -- Editor)

Not on ITKnowledge Exchange yet? Register today.

Rate this Tip To rate tips, you must be a member of SearchNetworking.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Application-specific network intrusion detection systems emerge Anomaly-based intrusion protection configuration and installation Preventing hacker attacks with network behavior analysis IPS Rogue access points: Preventing, detecting and handling best practices The TPM chip: An unexploited resource for network security Shifting defenses and dynamic perimeters challenge network security Compliance in a virtualized world: Server virtualization and NAC security Securing the new network architecture: Security for distributed, dynamic networks How to configure Windows Server 2008 advanced firewall MMC snap-in USB storage devices: Two ways to stop the threat to network security Network Design Testing LAN switch power consumption: A best practices guide Desktop virtualization network challenges: A primer No data cable? Wireless mesh networking the answer for Wi-Fi backhaul 802.11n upgrade: College ditches legacy network for new vendor Dynamic policy ensures faster, safer network for school district Network device management overload: Engineers managing too many boxes Distributed network management means no more hard NOCs Enterprise passive optical networks: a spanning-tree LAN alternative How important are network infrastructure maps for engineers or admins? New skills emerge for network engineering and administration careers Network Design Research Network Security Best Practices and Products 3Com acquisition confirms HP-Cisco battle for China Enterprises demand next-generation firewalls with IPS, app visibility Preventing hacker attacks with network behavior analysis IPS Is there a way to trace my stolen laptop computer? Integrating NAC with network security tools Should organizations separate technical from administrative security? What network equipment is needed to secure a small business LAN? Ethical hacking and countermeasures: Network penetration testing intro Are you on a domain name system (DNS) blacklist database? Rogue access points: Preventing, detecting and handling best practices RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Broadband over Power Line  (SearchNetworking.com) bus network  (SearchNetworking.com) daisy chain  (SearchNetworking.com) forest-and-tree model  (SearchNetworking.com) loose coupling  (SearchNetworking.com) master  (SearchNetworking.com) master/slave  (SearchNetworking.com) mesh network  (SearchNetworking.com) star network  (SearchNetworking.com) tree network  (SearchNetworking.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.