Creating a DMZ with 2 interfaces
Contributed by Chad Brandt
Saturday, 19 June 2004

In some cases you may want a DMZ but it is not possible to add a third interface. Using shorewall you can accomplish this by creating 2 networks on one interface.

In this example my computer has 2 interfaces: eth0 is the external interface and eth1 is my internal interface with network 192.168.1.0/24. I will add a DMZ with a network of 172.16.1.0/24.


1. Create a virtual interface (an IP alias) on eth1 for the DMZ network

vi /etc/sysconfig/network-scripts/ifcfg-eth1:1
BOOTPROTO=none
DEVICE=eth1:1
NETMASK=255.255.255.0
MTU=1500
BROADCAST=172.16.1.255
ONPARENT=yes
IPADDR=172.16.1.1
NETWORK=172.16.1.0
ONBOOT=yes

Bring the interface up

[root]# ifup eth1:1

Check to see if the interface came up correctly

[root]# ifconfig

eth1:1    Link encap:Ethernet  HWaddr 00:E0:98:81:7A:B2 
          inet addr:172.16.1.1  Bcast:172.16.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4231046 errors:11 dropped:4425 overruns:0 frame:2195
          TX packets:5238376 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:941341511 (897.7 Mb)  TX bytes:371467991 (354.2 Mb)
          Interrupt:3 Base address:0x300


2. Add the dmz zone to the shorewall zones file

vi /etc/shorewall/zones
net     Net             Internet
loc     Local           Local networks
dmz     DMZ             Demilitarized Zone


3. Add the new network to shorewall's interfaces file

vi /etc/shorewall/interfaces
-         eth1        192.168.0.255,172.16.1.255    dhcp,detectnets,nobogons

Notice that the ZONE column is a - rather than a zone name: because two zones now share eth1, the zones are assigned to their networks in the hosts file in the next step. The broadcast addresses listed here must match the networks configured on eth1.


4. Configure the zones for eth1. This is done in shorewall's hosts file

vi /etc/shorewall/hosts
loc             eth1:192.168.0.0/24
dmz             eth1:172.16.1.0/24


5. Create the default policy for dmz traffic

vi /etc/shorewall/policy
dmz             fw              DROP            info
dmz             loc             DROP            info
loc             dmz             DROP            info
fw              dmz             DROP            info


6. Now add rules to allow traffic to and from the DMZ network

Add only the rules you actually need to the shorewall rules file, and do not add any rule that lets the DMZ initiate connections to the local network. Isolating the DMZ from the local network is the whole purpose of creating it: if a host in the DMZ is compromised, the DROP policy from step 5 still keeps it away from your internal machines.
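As an added illustration of this step (not part of the original article), here is a /etc/shorewall/rules fragment in the same column layout used above. It publishes a single web server in the DMZ to the Internet, lets local users and admins reach it, and gives the DMZ host only the outbound services it needs; the host address 172.16.1.10 and the chosen services are assumptions for the example.

```text
#ACTION    SOURCE     DEST                 PROTO   DEST PORT(S)
# Publish a web server in the DMZ to the Internet (172.16.1.10 is a constructed address)
DNAT       net        dmz:172.16.1.10      tcp     80
# Let local users browse the web server and let admins ssh to it
ACCEPT     loc        dmz:172.16.1.10      tcp     80
ACCEPT     loc        dmz:172.16.1.10      tcp     22
# Give the DMZ host only the outbound services it needs (DNS and NTP)
ACCEPT     dmz        net                  udp     53
ACCEPT     dmz        net                  tcp     53
ACCEPT     dmz        net                  udp     123
# Let the firewall ping the DMZ host for monitoring (ICMP echo request)
ACCEPT     fw         dmz                  icmp    8
# No dmz -> loc rule on purpose: the DROP policy from step 5 applies,
# and every dropped attempt is logged at the info level
```

Every connection not matched by a rule falls through to the policy file, so leaving dmz to loc out of the rules file is what keeps the DMZ isolated.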


7. Check that the shorewall configuration is valid before starting it

[root]# shorewall check

If you get no errors, go ahead and restart shorewall

[root]# /etc/init.d/shorewall restart


The best solution would be adding a 3rd NIC for your DMZ, but sometimes this is not possible. I use an old laptop as my router which only has 2 pcmcia slots, so using this approach was my way of creating a DMZ. Bear in mind that with this layout both networks share the same Ethernet segment on eth1, so shorewall can only filter traffic that is routed through the firewall; a host that is reconfigured with an address from the other network is not separated from it at layer 2, which is why a dedicated NIC (or a separate VLAN) remains preferable.

Comments
Very good
Written by Guest on 2005-06-16 17:17:03
Very good explanation, short and clear as I like them.

Thanks a lot.

(It works fine on my computer)
