Designing a DMZ using iptables

ITKE member Ruhi posed this question:
I have to plan and design a demilitarized zone using iptables. How can I do this?

ITKE member Dargandk advised:
You can certainly use iptables to build a basic firewall architecture. Part of that structure would be the DMZ area. Another approach you could take is to use the iptables as server firewall, and block selected services.

You would need a routing functionality also, for which you could use any Linux-based routing daemon, or a more mature router such as one from Cisco.

ITKE member Sonyfreek advised:
You can design your DMZ any way you want it, but there are two generally practiced methods.

The first is to have a firewall with three interfaces in it: outside, inside and DMZ. The DMZ interface is not trusted by the internal network and all of your "expendable" servers and services should go there -- i.e. the external DNS, Web server, mail relay, IDS, etc. The internal network would be configured to allow porting the e-mail relay server through, but generally should not trust any connections from the DMZ into the internal network with that exception. Obviously, the external network shouldn't be trusted at all and only necessary services should be allowed to access the Internet outside from your internal hosts and DMZ services.

The second, most popular DMZ setup is called "Barrier Reef." With it, you configure two different firewalls (with different operating systems and firewall software) and install the DMZ between the two firewalls. Let's call the one firewall the outside firewall and the other the inside firewall. The outside firewall has connections to the Internet and the DMZ. The Inside firewall has connections to the DMZ and the Internal network. In this case, the same rules are established as with a three-interface firewall but you are "more protected" because if someone is capable of owning the one firewall, they may not have the expertise to crack the second one. Also, the ruleset on the second firewall should be more strict and selective of what it lets through.

More Information Visit our resource center for news, tips and expert advice design and configure a DMZ.

Now, for the configuration of iptables... I suggest you use one of the front-ends to iptables to get you used to configuring rules. Later on, you may decide to take on the iptables ruleset directly if you are into that type of thing. I've used Shorewall before with a lot of success, but watch out with using a GUI on a production firewall. The easier it is for you to use, the easier it is for someone to hack it.

ITKE member Zottman advised:
Sonyfreek gave an excellent explanation about how to set up a DMZ!

As for a GUI front end for iptables, I suggest you try Firewall Builder. It is really ease to use, and even has some wizards that help you on building your initial set of rules.

ITKE member Astronomer advised:
Shortly after iptables came out, New Riders published a book called Linux Firewalls, Second Edition. This book covers iptables in some depth and shows how to set up the standard architectures.

I have used this as a reference for three years now. It should have everything you need to know to set up the firewall section of your network. If you have a specific question, let me know.

This tip originally appeared on SearchNetworking.com

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities Screencast: Recovering lost data with WinHex How to build security into a virtualized server environment How to install and configure Nessus How to run a Nessus system scan Nessus: Vulnerability scanning in the enterprise Screencast: An introduction to the Open Source Security Testing Methodology Manual (OSSTMM) Understanding multifactor authentication features in IAM suites Network intrusion prevention systems: Should enterprises deploy now? Webmail security: Best practices for data protection DMZ A security checklist: How to build a solid DMZ What server considerations should be made when setting up an internal network's private applications? How is internal mail channeled through an enterprise firewall? Microsoft NAP-TNC compatibility won't speed adoption, users say How do a DMZ and VPN work together? What are the risks of placing enterprise users in a DMZ? Infrastructure security: Remote access DMZ How to configure and implement a DMZ Network Access Control Learning Guide RSA Conference 2006 Network Firewalls Is it possible to allow select access to IP addresses using Windows Server 2003? Sophos finds patching issues through endpoint NAC tool Fortinet acquires database vulnerability scanner from IPLocks Is an IPsec VPN necessary when connecting remote servers that process financial transactions? Embedding security has drawbacks says TippingPoint chief architect Is security improved when the number of Internet gateways is reduced? Nipper audits routers, reveals insecure settings Product review: Netgear's Netgear FVS336G ProSafe Dual WAN Gigabit Firewall Product review: Tufin's Tufin SecureTrack 4.1 Product review: SonicWALL's SonicWALL NSA E5500 RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DMZ  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.