278 - DMZs and iptables

iptables rules can be set to route traffic to certain machines, such as a dedicated HTTP or FTP server, in a demilitarized zone (DMZ) - a special local
subnetwork dedicated to providing services on a public carrier such as the Internet.

For example, to route incoming HTTP requests to a dedicated HTTP server at 10.1.9.2 (outside the 192.168.1.0/24 range of the LAN),
add a DNAT rule to the PREROUTING chain of the nat table so the packets are forwarded to their proper destination:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.9.2:80

With this rule, all HTTP connections to port 80 arriving from outside the LAN are routed to the HTTP server, which sits on a network
separate from the rest of the internal hosts. This form of network segmentation is safer than accepting HTTP connections on a machine inside the internal network.
If the HTTP server is configured to accept secure connections, then port 443 must be forwarded as well.

1. Enable ip_forward

# sysctl -w net.ipv4.ip_forward=1

2. Create a nat table by editing /etc/sysconfig/iptables

You need to add a nat section to the iptables file.

# vi /etc/sysconfig/iptables

==========================================================

*nat
:PREROUTING ACCEPT [13:1035]
:POSTROUTING ACCEPT [5:516]
:OUTPUT ACCEPT [12:966]
-A PREROUTING -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.10:22
-A POSTROUTING -j MASQUERADE
COMMIT

==========================================================

If you do this, though, you won't be able to get into your box via ssh anymore: every connection to port 22 is redirected to 192.168.0.10. Add an exception for yourself so you can still
get into the box via ssh. In the example, the IP address of this host is 192.168.0.1 and my client (me) is 192.168.0.2.

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.0.2 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
-A PREROUTING -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.10:22
-A POSTROUTING -j MASQUERADE
COMMIT
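A check for the ordering problem described above, added here as an example (it is not part of the original page). It parses the two listings above, embedded as constructed strings, and reports whether the first port-22 DNAT that matches the administrator's client sends that session off the host; iptables is first-match, so the exception only works when it precedes the catch-all rule.

```python
import shlex

# Constructed inputs mirroring the page's two /etc/sysconfig/iptables listings.
LOCKOUT = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.10:22
-A POSTROUTING -j MASQUERADE
COMMIT
"""
WITH_EXCEPTION = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.0.2 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
-A PREROUTING -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.10:22
-A POSTROUTING -j MASQUERADE
COMMIT
"""

def parse_prerouting(text):
    """Return the PREROUTING rules of the *nat section as dicts, in file order."""
    rules, in_nat = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_nat = line == "*nat"
        elif line == "COMMIT":
            in_nat = False
        elif in_nat and line.startswith("-A PREROUTING"):
            toks = shlex.split(line)
            rule = {"src": None, "dport": None, "target": None, "to": None}
            for flag, key in (("-s", "src"), ("--dport", "dport"),
                              ("-j", "target"), ("--to-destination", "to")):
                if flag in toks:
                    rule[key] = toks[toks.index(flag) + 1]
            rules.append(rule)
    return rules

def ssh_lockout_risk(text, admin_src, host_ip):
    """True if the first port-22 DNAT matching admin_src redirects it off-host."""
    for r in parse_prerouting(text):
        if r["target"] != "DNAT" or r["dport"] != "22":
            continue
        src = r["src"].split("/")[0] if r["src"] else None  # iptables-save may add /32
        if src in (None, admin_src):                # first rule that matches the admin
            return r["to"].split(":")[0] != host_ip
    return False                                    # no DNAT touches the admin's SSH
```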

3. To clear the counters

The bracketed numbers on each chain line are its packet and byte counters:

:<chain-name> <chain-policy> [<packet-counter>:<byte-counter>]

 # iptables -Z

This zeroes the packet and byte counters in the given chain. If no chain is specified, all chains are reset.
When used without a chain and combined with the -L command, it lists the current counter values before they are reset.
