Rules for web server in DMZ
Patrick Dung
patrick_dkt at yahoo.com.hk
Wed Sep 29 14:56:17 CEST 2004
Hi

I have a question about a web server in the DMZ. I have applied rules to do public IP <-> private IP mapping. For the web server in the DMZ, I would only allow TCP port 80 to go to the web server in the DMZ. I use a default DROP policy, so should I permit TCP port 80 in the INPUT chain or the FORWARD chain? Also, should I use stateful inspection (NEW, RELATED, ESTABLISHED) in both chains or only in the INPUT chain?
version 1:

# default policies (policy names are case-sensitive: DROP, not drop)
iptables -P INPUT DROP
iptables -P FORWARD DROP
# port 80 to the public address on the firewall itself
iptables -A INPUT -i $EXT -d $HTTP_INET_IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# public IP <-> DMZ IP mapping
iptables -t nat -A PREROUTING -i $EXT -d $HTTP_INET_IP -j DNAT --to-destination $DMZ_HTTP_IP
iptables -t nat -A POSTROUTING -o $EXT -s $DMZ_HTTP_IP -j SNAT --to-source $HTTP_INET_IP
# forwarded port 80 to the DMZ host, stateful
iptables -A FORWARD -i $EXT -o $DMZ_IF -d $DMZ_HTTP_IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

version 2:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i $EXT -d $HTTP_INET_IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i $EXT -d $HTTP_INET_IP -j DNAT --to-destination $DMZ_HTTP_IP
iptables -t nat -A POSTROUTING -o $EXT -s $DMZ_HTTP_IP -j SNAT --to-source $HTTP_INET_IP
# forwarded port 80 to the DMZ host, without state matching
iptables -A FORWARD -i $EXT -o $DMZ_IF -d $DMZ_HTTP_IP -p tcp --dport 80 -j ACCEPT
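The ruleset below is an added example, not code from the post above, showing the point the question turns on: a packet DNATed in PREROUTING is rewritten before the routing decision, so once its destination is the DMZ host it is forwarded and traverses FORWARD, never INPUT. It also shows why the stateful match is needed on FORWARD: without it, the web server's reply packets (DMZ -> EXT) match no rule and hit the DROP policy. Interface names and addresses are assumed placeholders (documentation and RFC 1918 ranges), and the script prints the commands rather than executing them unless `IPT=iptables` is set.

```shell
#!/bin/sh
# Added example (not from the original post): DMZ web-server ruleset.
# DNAT happens in PREROUTING, before routing, so TCP/80 to the public
# address is forwarded to the DMZ host and only FORWARD must accept it;
# INPUT only ever sees traffic addressed to the firewall itself.
# Interface names and addresses are assumed placeholders, not values
# taken from the post.
EXT=${EXT:-eth0}
DMZ_IF=${DMZ_IF:-eth1}
HTTP_INET_IP=${HTTP_INET_IP:-203.0.113.10}
DMZ_HTTP_IP=${DMZ_HTTP_IP:-10.0.1.80}

# Dry run by default: commands are printed, not executed.
# Run as root with IPT=iptables to apply them for real.
IPT=${IPT:-echo iptables}

dmz_rules() {
    # Policy targets must be upper case (DROP, not drop).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # INPUT: loopback and replies to connections the firewall opened.
    # No port-80 rule is needed here: after DNAT the packet is addressed
    # to the DMZ host, so it is routed onward and never reaches INPUT.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rewrite only TCP/80 aimed at the public address. Anything else sent
    # to that address stays addressed to the firewall and INPUT drops it.
    $IPT -t nat -A PREROUTING -i "$EXT" -d "$HTTP_INET_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_HTTP_IP"

    # FORWARD matches on the post-DNAT destination. The stateful rule is
    # required here: the server's replies travel DMZ -> EXT, match no
    # port rule, and would otherwise hit the DROP policy. Only the first
    # packet of a connection (NEW) needs the explicit port-80 rule.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT" -o "$DMZ_IF" -d "$DMZ_HTTP_IP" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # Replies to DNATed connections are un-NATed by conntrack automatically.
    # This SNAT only affects connections the DMZ host originates itself,
    # which the FORWARD policy still drops unless explicitly allowed.
    $IPT -t nat -A POSTROUTING -o "$EXT" -s "$DMZ_HTTP_IP" \
        -j SNAT --to-source "$HTTP_INET_IP"
}

# Number of rules appended to a given chain in the generated set (for review).
rule_count() {
    dmz_rules | grep -c -- "-A $1 "
}

dmz_rules
```

With the default dry run, the generated INPUT chain contains no port-80 rule at all, while FORWARD carries both the stateful rule and the NEW-only port-80 rule; that split is the answer to both questions in the post.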