server in DMZ

Payal Rathod payal-netfilter at
Thu Sep 2 21:04:05 CEST 2004

On Thu, Sep 02, 2004 at 09:13:25AM -0400, Jason Opperisano wrote:
> i think there's some confusion here...there are three rules involved in
> this scenario:

Yes, I already have the 3 rules. The only thing I am worrying about
is how to let my internal LAN users access the DMZ machine using
its public IP if I use the 3 rules given by you below. The below rules
will effectively block all traffic except from and my LAN users
are on 192.168.x.x series and using squid as their proxy.
(squid machine is the gateway/firewall machine itself)

> (1) NAT rule that maps port 80 on the outside to port 80 on your DMZ
> server:
>   -A PREROUTING -d -p tcp -m tcp --dport 80 \
>     -j DNAT --to-destination
> (2) FILTER rule that allows external access to server in DMZ from client
> IP:
>   -A FORWARD -p tcp -s -d --dport 80 -j ACCEPT
> (3) FILTER rule that allows squid proxy running directly on your
> firewall to fetch content from server in DMZ:
>   -A OUTPUT -p tcp -d --dport 80 -j ACCEPT
> remember:  packets passing through the firewall are filtered by FORWARD,
> packets coming from the firewall are filtered by OUTPUT.
> -j
> -- 
> Jason Opperisano <opie at>
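The three rules Jason quotes above, written out as a small script so they can be read together with the chain each one lives in. This is an added example, not code from either poster: the addresses the original post omits are replaced by RFC 5737 documentation addresses (PUBLIC_IP, DMZ_SERVER, CLIENT_IP are placeholders), and the DNAT rule is assumed to belong in the nat table. The script prints the commands by default and only applies them when APPLY=1, which needs root.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholder addresses stand in for
# the ones elided in the post; change them to match your own layout.
PUBLIC_IP="203.0.113.10"   # placeholder: firewall's outside address
DMZ_SERVER="10.0.1.80"     # placeholder: web server sitting in the DMZ
CLIENT_IP="198.51.100.7"   # placeholder: the one external client allowed in

# Print each rule instead of loading it unless APPLY=1 (root required).
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

dmz_rules() {
    # (1) nat/PREROUTING: inbound traffic to the public address on port 80
    #     gets its destination rewritten to the DMZ server before routing.
    ipt -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp -m tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_SERVER"
    # (2) filter/FORWARD: packets passing *through* the firewall are
    #     filtered here, after DNAT has already changed the destination,
    #     so the match is on the DMZ address and only from CLIENT_IP.
    ipt -A FORWARD -p tcp -s "$CLIENT_IP" -d "$DMZ_SERVER" --dport 80 -j ACCEPT
    # (3) filter/OUTPUT: packets generated *by* the firewall itself (squid
    #     running on the gateway) never traverse FORWARD; they pass OUTPUT.
    ipt -A OUTPUT -p tcp -d "$DMZ_SERVER" --dport 80 -j ACCEPT
}

# Number of rules the dry run emits; a quick self-check before applying.
rule_count() {
    dmz_rules | wc -l | tr -d ' '
}

dmz_rules
```

Run it once without APPLY to review the output, then with APPLY=1 to load the rules. Because rule (2) admits only CLIENT_IP as a source, any other address reaching the DMZ server through FORWARD is dropped by whatever policy follows, which is exactly the restriction the question above is about; after loading, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show per-rule packet counters that tell you which rule a test connection actually hit.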
