Did you look at shorewall? (apt-cache show shorewall if not) This script is fantastic, and when you know exactly what you want, configuring it is a matter of minutes... Install it, read the quick-start guide, which is basically:

1) define your zones in the "zones" file. You would define dmz, lan, net, and shorewall will define a "fw" zone which is your firewall itself
2) associate computers to your zones (hosts file), or interfaces (interfaces file)
3) define the default INPUT, OUTPUT and FORWARD for the 3 zones in the "policy" file
4) add exceptions to the policy in the "rules" file.

That's all ;) shorewall really is fantastic ;))) good luck

sam

----- Original Message -----
From: "Rishi L Khan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 29, 2002 4:49 PM
Subject: ipchains rules for dmz??

> Does anyone have a set of ipchains rules for a DMZ that doesn't have
> routable IPs and an internal network that doesn't have routable IPs?
> I looked on the IPCHAINS HOWTO page, but they don't have a script for
> this. I haven't seen anything with google either.
>
> I'm looking for something like this:
>
> Internet (bad) <---> firewall <---> dmz (192.168.9.*)
>                         ^
>                         |
>                         +----------> internal LAN (good) (10.177.9.*)
>
> I would like:
> bad --> good = nothing but NATed established traffic
> bad --> dmz = port 80 to web box, port 25 to mail, port 53 ([tu]dp) to
> DNS), ssh to web box
> dmz --> good = nothing but NATed traffic
> dmz --> bad = NATed traffic (allow all for now)
> good --> bad = NATed traffic (allow all for now)
> good --> dmz = same as bad --> dmz.
>
> All of the scripts I've seen have DMZ as routable. The biggest problem I
> have is good --> dmz, because they're both private IP ranges. I
> thought I could just pass them with something like:
>
> ipchains -N good-dmz
> ipchains -A forward -s $INTERNAL_NET -i $DMZ_INTERFACE -j good-dmz
> ipchains -A good-dmz -j ACCEPT
>
> (this terminology is from the IPCHAINS HOWTO)
>
> Any suggestions? Any help?
>
> -rishi
>
> _______________________________________________
> Linux Users Group at UD mailing list
> Subscription Management:
> https://www.lug.udel.edu/cgi-bin/mailman/listinfo/linux
> Archives : http://www.lug.udel.edu/pipermail/linux/
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>

