Thursday, May 1, 2008

Demilitarized Zone Ethernet Interface Requirements and Configuration

A demilitarized zone, or DMZ, is a separate network segment used to expose public-facing servers while shielding the internal network from external access. You can build one easily with a Linux firewall. There are many ways to design a network with a DMZ; the basic method is a single Linux firewall with three Ethernet cards. The following simple example walks through the DMZ setup and the forwarding of public traffic to the servers in the DMZ.

Consider the following DMZ host with three NICs:
[a] eth0 with private IP address - Internal LAN ~ Desktop system
[b] eth1 with public IP address - WAN connected to ISP router
[c] eth2 with private IP address - DMZ connected to Mail / Web / DNS and other private servers

To route traffic from the public interface to a DMZ server, for example to send all incoming SMTP requests to a dedicated mail server, add a DNAT rule to the PREROUTING chain of the nat table; NAT then rewrites the destination of those packets so they are forwarded to the proper server.

The remaining paths are controlled with iptables FORWARD rules: one pair for traffic between the LAN and the DMZ, and one pair for traffic between the public interface and the DMZ.

### end init firewall .. Start DMZ stuff ####
# forward traffic between DMZ and LAN
iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# forward traffic between DMZ and WAN servers SMTP, Mail etc
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Route incoming SMTP (port 25) traffic to the DMZ mail server
iptables -t nat -A PREROUTING -p tcp -i eth1 -d --dport 25 -j DNAT --to-destination
# Route incoming HTTP (port 80) traffic to the DMZ load balancer IP
iptables -t nat -A PREROUTING -p tcp -i eth1 -d --dport 80 -j DNAT --to-destination
# Route incoming HTTPS (port 443) traffic to the DMZ reverse-proxy load balancer IP
iptables -t nat -A PREROUTING -p tcp -i eth1 -d --dport 443 -j DNAT --to-destination
### End DMZ .. Add other rules ###

For multi-port redirection, use the multiport iptables module, which matches a set of source or destination ports in a single rule; up to 15 ports can be specified. For example, to route incoming HTTP (port 80) and HTTPS (port 443) traffic to the WAN server load balancer IP:
iptables -t nat -A PREROUTING -p tcp -i eth1 -d -m multiport --dport 80,443 -j DNAT --to-destination
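The following script is an added example, not code from the original post: it parameterises the three-NIC rule set above (interfaces eth0/eth1/eth2 as in the post) and the multiport redirection, and it can be run with DRY_RUN=1 to print the rules before installing them as root. The addresses (203.0.113.10 for the public side, 10.0.2.25 for the mail host, 10.0.2.80 for the web load balancer) are constructed placeholders. It differs from the post's rules in two defender-oriented ways: the FORWARD policy is set to DROP so every allowed path is explicit, and Internet-to-DMZ connections are accepted only for the published ports on the published hosts instead of any NEW connection from eth1 to eth2.

```shell
#!/bin/sh
# Added example: parameterised three-NIC DMZ rule set with a dry-run mode.
# All addresses below are constructed sample values (assumption), not the
# author's; replace them with your own. DRY_RUN=1 prints the commands,
# DRY_RUN=0 executes them (requires root).

DRY_RUN="${DRY_RUN:-1}"

# Interfaces, as laid out in the post
LAN_IF="eth0"    # internal LAN, private addressing
WAN_IF="eth1"    # public interface toward the ISP router
DMZ_IF="eth2"    # DMZ segment with mail / web / DNS hosts

# Constructed sample addresses (RFC 5737 / RFC 1918 ranges)
WAN_IP="203.0.113.10"        # public address held on eth1
DMZ_MAIL="10.0.2.25"         # DMZ mail server
DMZ_WEB_LB="10.0.2.80"       # DMZ web load balancer

# Print or execute one iptables command depending on DRY_RUN
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Build the port match: plain --dport for one port, multiport for a list
port_match() {
    case "$1" in
        *,*) printf -- '-m multiport --dports %s' "$1" ;;
        *)   printf -- '--dport %s' "$1" ;;
    esac
}

# DNAT TCP port(s) arriving on the public IP to a DMZ host (nat/PREROUTING)
dnat_to_dmz() {
    ports="$1"; dmz_host="$2"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" $(port_match "$ports") \
        -j DNAT --to-destination "$dmz_host"
}

# Let the DNAT'd flow through FORWARD, but only for the published port(s)
# on the published host, so unpublished DMZ services stay unreachable
forward_to_dmz() {
    ports="$1"; dmz_host="$2"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$dmz_host" $(port_match "$ports") \
        -m state --state NEW -j ACCEPT
}

apply_dmz_rules() {
    # The kernel only forwards between interfaces when ip_forward is on
    [ "$DRY_RUN" = "1" ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null

    # Default-deny forwarding; every allowed path below is explicit
    ipt -P FORWARD DROP

    # Replies belonging to an already-accepted flow, in either direction
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN may open connections into the DMZ; the DMZ cannot open into the LAN
    # (no matching rule, so the DROP policy applies)
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -m state --state NEW -j ACCEPT

    # Published services: SMTP to the mail host, HTTP+HTTPS to the web LB
    dnat_to_dmz 25 "$DMZ_MAIL"
    forward_to_dmz 25 "$DMZ_MAIL"
    dnat_to_dmz 80,443 "$DMZ_WEB_LB"
    forward_to_dmz 80,443 "$DMZ_WEB_LB"
}

# Entry point: prints the rule set by default, installs it with DRY_RUN=0
apply_dmz_rules
```

Run it once as `DRY_RUN=1 sh dmz.sh` to review the seven generated commands, then as root with `DRY_RUN=0`. Because the FORWARD policy is DROP, adding a new DMZ service means adding both a dnat_to_dmz and a forward_to_dmz line; forgetting the second one fails closed rather than open.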

The above design has a few pitfalls:
1. Single point of failure - The firewall becomes a single point of failure for the whole network.
2. Hardware - The firewall host must be able to handle all of the traffic going to the DMZ as well as to the internal network.
