server in DMZ

Jason Opperisano opie at 817west.com
Thu Sep 2 05:04:56 CEST 2004


On Wed, 2004-09-01 at 22:50, Payal Rathod wrote:
> Hi,
> I have a small webserver in DMZ at 10.10.10.3 where we load our designs.
> I want to allow access to its port 80 only from local LAN (via a squid
> proxy on the gateway machine) and my client's office at 1.2.3.4.

i assume the squid proxy can already fetch content from the web server
in the DMZ for your LAN--if this is not the case, please post your
current rules:

  iptables -vnL && iptables -t nat -vnL && iptables -t mangle -vnL

allowing access from the outside:

iptables -A FORWARD -i $extIf -o $dmzIf -p tcp --syn \
  -s 1.2.3.4 --sport 1024:65535 -d 10.10.10.3 --dport 80 \
  -j ACCEPT

> Right now I can see it from all over the world, but I do want to restrict 
> the access. Remember that as now I want to continue accessing the DMZ machine 
> using its public IP and not just 10.10.10.3 IP even from inside the LAN.
> What do I do in such case?

looks like the topic of the week is split-dns...

-j

-- 
Jason Opperisano <opie at 817west.com>
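As an added example (not code from Jason's mail or from the netfilter project), the FORWARD rule above placed in a default-deny policy for the DMZ host, with state tracking and rate-limited logging of denied attempts so that connection attempts from other sources are visible in the kernel log. Interface names, the IPT variable (echo by default, set IPT=iptables to apply) and the LOG prefix are assumptions; the squid proxy on the gateway is left out because the gateway's own traffic to the DMZ passes through OUTPUT, not FORWARD.

```shell
#!/bin/sh
# Added example: default-deny FORWARD policy for the DMZ web server.
# Only the sources listed in allowed_sources() may open port 80.
IPT="${IPT:-echo}"        # assumption: dry-run by default; IPT=iptables applies for real
extIf="${extIf:-eth0}"    # assumption: Internet-facing interface
dmzIf="${dmzIf:-eth2}"    # assumption: DMZ interface
WEB=10.10.10.3            # DMZ web server from the thread
CLIENT=1.2.3.4            # client's office from the thread

# Sources allowed to open new connections to $WEB:80, "iface source" per line.
allowed_sources() {
    printf '%s %s\n' "$extIf" "$CLIENT"
}

dmz_web_rules() {
    # Nothing is forwarded unless a rule below says so.
    $IPT -P FORWARD DROP
    # Replies and already established flows pass; new flows need an explicit rule.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the listed sources may open new TCP connections to the web server.
    allowed_sources | while read -r iface src; do
        $IPT -A FORWARD -i "$iface" -o "$dmzIf" -p tcp --syn \
            -s "$src" --sport 1024:65535 -d "$WEB" --dport 80 -j ACCEPT
    done
    # Everything else aimed at the DMZ host is logged (rate-limited) and dropped.
    $IPT -A FORWARD -o "$dmzIf" -d "$WEB" -m limit --limit 5/min \
        -j LOG --log-prefix "DMZ-WEB-DENY: "   # assumption: log prefix
    $IPT -A FORWARD -o "$dmzIf" -d "$WEB" -j DROP
}

dmz_web_rules
```

Run as-is to print the rules; run with IPT=iptables as root to install them.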
