server in DMZ

Payal Rathod payal-netfilter at
Thu Sep 2 05:17:55 CEST 2004

On Wed, Sep 01, 2004 at 11:04:56PM -0400, Jason Opperisano wrote:
> i assume the squid proxy can already fetch content from the web server
> in the DMZ for your LAN--if this is not the case; please post your
> current rules:

Yes, it can access the DMZ using the public IP right now. Now I want something
very simple: I want to allow only the client to access the machine.

> iptables -A FORWARD -i $extIf -o $dmzIf -p tcp --syn \
>   -s --sport 1024:65535 -d --dport 80 \
>   -j ACCEPT

Can you make this a bit simpler? I am not too worried about security of 
designs (no need for VPN). I just want only the client's IP to access it.
Right now I have,
-A PREROUTING -d -p tcp -m tcp --dport 80 -j DNAT --to-destination is my external IP of the DMZ machine.

I am afraid if I give it as,
-A PREROUTING -s -d -p tcp -m tcp --dport 80 -j DNAT --to-destination

it will block access from my local LAN also via the squid proxy, and yes,
the gateway (squid proxy) machine does have 3 cards.

With warm regards,
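
An added example for this thread, not rules from Payal's or Jason's posts: a small sh function that prints the complete nat and filter rules for restricting the DNAT to one external client while the LAN and the gateway-local squid keep access. All addresses and interface names are assumed placeholders (203.0.113.10 as the allowed client, 198.51.100.5 as the public IP, 10.1.1.80 as the DMZ server's private IP, eth0/eth1/eth2 as external/LAN/DMZ interfaces, 192.168.1.0/24 as the LAN). Two netfilter facts the example relies on: a `-s` match in nat PREROUTING only sees packets arriving on an interface, so connections squid makes from the gateway itself go through nat OUTPUT instead and are not affected; and because DNAT in PREROUTING happens before FORWARD, the FORWARD rule has to match the DMZ server's private address rather than the public one.

```shell
#!/bin/sh
# Added example for this thread (not the poster's rules). Prints the
# iptables commands that let exactly one external client reach the DMZ web
# server via DNAT while the LAN and the gateway-local squid keep access.
# Every address and interface name used here is an assumed placeholder.
#
#   $1 allowed external client   $2 public IP that is DNATed
#   $3 DMZ server's private IP   $4 external iface  $5 DMZ iface
#   $6 LAN iface                 $7 LAN network (CIDR)
dmz_rules() {
    client=$1; pubip=$2; dmzip=$3
    extif=$4; dmzif=$5; lanif=$6; lannet=$7
    cat <<EOF
# nat/PREROUTING only sees packets that arrive on an interface, so the
# -s match cannot touch connections the gateway (squid) makes itself.
iptables -t nat -A PREROUTING -i $extif -s $client -d $pubip -p tcp --dport 80 -j DNAT --to-destination $dmzip
# LAN hosts that hit the public IP directly are still translated.
iptables -t nat -A PREROUTING -i $lanif -s $lannet -d $pubip -p tcp --dport 80 -j DNAT --to-destination $dmzip
# Locally generated traffic (squid on the gateway) traverses nat/OUTPUT;
# this keeps it working if $pubip is an address of the gateway itself.
iptables -t nat -A OUTPUT -d $pubip -p tcp --dport 80 -j DNAT --to-destination $dmzip
# filter/FORWARD runs after DNAT, so match the DMZ server's private IP.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $extif -o $dmzif -s $client -d $dmzip -p tcp --syn --dport 80 -j ACCEPT
iptables -A FORWARD -i $lanif -o $dmzif -s $lannet -d $dmzip -p tcp --syn --dport 80 -j ACCEPT
# Anything else from the outside aimed at the web server is dropped,
# regardless of the chain's default policy.
iptables -A FORWARD -i $extif -o $dmzif -d $dmzip -p tcp --dport 80 -j DROP
EOF
}

# Number of iptables commands the generator emits (sanity check for scripts).
dmz_rule_count() {
    dmz_rules "$@" | grep -c '^iptables '
}

# Review the output first, then apply with:  dmz_rules ... | sh
# dmz_rules 203.0.113.10 198.51.100.5 10.1.1.80 eth0 eth2 eth1 192.168.1.0/24
```

Rule order matters because these are appended: the ESTABLISHED,RELATED rule must come before the `--syn` rules so reply packets pass, and the final DROP only catches new external connections to the web server that the client rule did not accept. Hosts on the LAN that browse through squid never traverse FORWARD at all (LAN to gateway is INPUT, gateway to DMZ is OUTPUT), which is why adding `-s` to the PREROUTING DNAT does not cut them off.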
