security! linux DMZ setup

wuboy

Member
Feb 28, 2002

folks,

I've got a question about a firewall config problem that I need clarified.

So I'm wondering how this whole DMZ firewall configuration works. Specifically, I want to know which packets are allowed -- from what? And to where? Moreover, if I am including NAT in my whole networking topology, will this affect anything?

In general, I want to put a DNS and a WWW server in the DMZ, while having several internally accessible workstations in my LAN. So I have 3 NICs in my firewall/router... 1 for the internet, 1 for the DMZ, and 1 for the internal LAN. There is documentation on how to configure the firewall to allow packets for the internal LAN, but I am most fuzzy about how the DNS and WWW servers will be accessed... both internally and publicly?

Now the engine that I am using to set this up is a 2.4 Linux kernel with iptables... as I am only a novice at that, it is tough for me to figure out how to make it work securely... does anyone have any hints or suggestions?

Additionally, if anyone knows of any sites that contain more information, please let me know.

Thanks all
 

Tiger

Platinum Member
Oct 9, 1999
Isn't the whole idea of a DMZ to keep internal LAN addy's and traffic separate from the public side?
If so, the LAN side should have no access to the DMZ.
 

wuboy

Member
Feb 28, 2002


<< Isn't the whole idea of a DMZ to keep internal LAN addy's and traffic separate from the public side?
If so, the LAN side should have no access to the DMZ. >>



You might be right, but I was under the impression that sometimes the internal LAN needs to access the servers in the DMZ. For example, they might need to use the DNS in the DMZ for WWW, FTP, SSH, etc.

Or they may need to connect to the web server in the DMZ...

Am I wrong in this assumption?
 

Jackhamr60504

Member
Nov 12, 2001
I could be wrong, but why don't you install two NICs in the Linux box? One for LAN and one for WAN. The DNS and www server would sit on the LAN. Then just forward the ports for the servers through the firewall. For example, all requests for port 80 are forwarded to 192.168.0.3, the IP of the www server. Then they are also accessible on the LAN side. Does that make sense?

-Pete
 

wuboy

Member
Feb 28, 2002


<< I could be wrong, but why don't you install two NICs in the Linux box? One for LAN and one for WAN. The DNS and www server would sit on the LAN. Then just forward the ports for the servers through the firewall. For example, all requests for port 80 are forwarded to 192.168.0.3, the IP of the www server. Then they are also accessible on the LAN side. Does that make sense? >>



Pete,

Nope! You are perfectly correct in this type of setup!

However, what if there are multiple web servers that are required? In this case, you can't just forward port 80 to one box. In my case, I have two separate web servers with two separate domains. So if I point a certain domain to the IP of the router, it won't know which web server to point to...

Your setup is perfect for a simple 2-legged network setup, but I'm interested in having a 3-legged one... aka a DMZ. In this type of network, as I pointed out before, there is a NIC from the Linux box that connects to the servers (the DMZ), another NIC for the LAN, and one for the WAN.

SUPPOSEDLY, this is the most secure networking setup that I have heard of, and apparently management would like to use this one...

Thanks for your suggestion tho!
 

Nothinman

Elite Member
Sep 14, 2001
<< However, what if there are multiple web servers that are required? >>

Unless you really need to physically separate the boxes, run all the web sites off of one box and use VirtualHosts. With this setup you could still do load balancing with a real load balancer or round robin DNS.

<< SUPPOSEDLY, this is the most secure networking setup that I have heard of, and apparently management would like to use this one... >>

It's usually more secure because the boxes in the DMZ aren't able to access the private network or have really restricted access (i.e. if it's a mail server all it can do is forward mail to the internal mail server).
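As an added illustration (not posted by anyone in this thread), here is the kind of three-legged ruleset the original question asks about, written in iptables-restore format so the "from where, to where" decisions are visible in one place; the interface names, the two RFC 1918 ranges and the two DMZ host addresses are assumptions.

```shell
#!/bin/sh
# Three-legged DMZ ruleset for a 2.4 kernel with iptables (illustration, not from the thread).
# Interfaces and addresses below are assumptions; adjust to your own topology.
WAN=eth0; DMZ=eth1; LAN=eth2
DMZ_NET=192.168.2.0/24; LAN_NET=192.168.1.0/24
WWW=192.168.2.10; DNS=192.168.2.20   # hosts in the DMZ (assumed addresses)

dmz_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Public requests arriving on the WAN leg are DNATed to the DMZ hosts.
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WWW
-A PREROUTING -i $WAN -p udp --dport 53 -j DNAT --to-destination $DNS
-A PREROUTING -i $WAN -p tcp --dport 53 -j DNAT --to-destination $DNS
# Both private legs leave the WAN side masqueraded behind the router's address.
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
-A POSTROUTING -o $WAN -s $DMZ_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Replies to any connection that was allowed below.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# WAN -> DMZ: only the published services, only to the published hosts.
-A FORWARD -i $WAN -o $DMZ -d $WWW -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DNS -p udp --dport 53 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DNS -p tcp --dport 53 -m state --state NEW -j ACCEPT
# LAN -> DMZ: the same services, so workstations can use the DMZ resolver and web server.
-A FORWARD -i $LAN -o $DMZ -d $WWW -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -d $DNS -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -d $DNS -p tcp --dport 53 -m state --state NEW -j ACCEPT
# LAN -> WAN: unrestricted outbound. DMZ -> WAN: only the resolver's own recursive lookups.
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -s $DNS -p udp --dport 53 -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -s $DNS -p tcp --dport 53 -m state --state NEW -j ACCEPT
# DMZ -> LAN is never accepted (policy DROP); log attempts so a compromised DMZ host is noticed.
-A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ->LAN blocked: "
COMMIT
EOF
}

dmz_rules
```

Load it with `dmz_rules | iptables-restore`. Because the DNAT rules match only on the WAN leg, LAN workstations must reach the DMZ hosts by their DMZ addresses (for example via split DNS), not by the router's public IP.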
 