Linux-BSD-Central - Creating a DMZ with 2 interfaces

Home

Linux Articles

Creating a DMZ with 2 interfaces

Main Menu

Home

Most Read

	Automating SFTP using expect
	FreeBSD PPTP VPN
	Shorewall Router on Linux
	SnortShorwall - Using Snort And Shorewall Together
	Shorewall Stand Alone Firewall

Polls

Syndicate
Latest news direct to your desktop

No account yet? Create one

Members Online

	Members (701)	# Online
	Guests	5
	Users	0

Online Users
No Users Online

Statistics
OS: Linux w PHP: 5.2.9 MySQL: 5.0.91-community Time: 14:53 Members: 701 Hits: 1324417 News: 277 WebLinks: 15

-->

Creating a DMZ with 2 interfaces

Contributed by Chad Brandt

Saturday, 19 June 2004
In some cases you may want a DMZ but it is not possible to add a third interface. Using shorewall you can accomplish this by creating 2 networks on one interface.

In this example my computer has 2 interfaces; eth0 is the external interface and eth1 is my internal interface with network 192.168.1.0/24. I will add a DMZ with a network of 172.16.1.0/24

1. Create a virtual interface on eth1

vi /etc/sysconfig/network-scripts/ifcfg-eth1:1
BOOTPROTO=none
DEVICE=eth1:1
NETMASK=255.255.255.0
MTU=1500
BROADCAST=172.16.1.255
ONPARENT=yes
IPADDR=172.16.1.1
NETWORK=172.16.1.0
ONBOOT=yes

Bring the interface up

[root]# ifup eth1:1

Check to see if the interface came up correctly

[root]# ifconfig

eth1:1    Link encap:Ethernet HWaddr 00:E0:98:81:7A:B2
          inet addr:172.16.1.1 Bcast:172.16.1.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:4231046 errors:11 dropped:4425 overruns:0 frame:2195
          TX packets:5238376 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:941341511 (897.7 Mb) TX bytes:371467991 (354.2 Mb)
          Interrupt:3 Base address:0x300

2. Add the dmz to the shorewall zones file

vi /etc/shorewall/zones
net     Net             Internet
loc     Local           Local networks
dmz     DMZ             Demiliterized Zone

3. Add the new network to shorewalls interfaces file

vi /etc/shorewall/interfaces
- eth1 192.168.0.255,172.16.1.255 dhcp,detectnets,nobogons

Notice we do not have a zone, instead we use a -

4. Configure the zones for eth1. This is done in shorewalls hosts file

vi /etc/shorewall/hosts
loc eth1:192.168.0.0/24
dmz eth1:172.16.1.0/24

5. Create the default policy for dmz traffic
dmz             fw              DROP            info
dmz             loc             DROP            info
loc             dmz             DROP            info
fw              dmz             DROP            info

6. Now add rules to allow traffic to and from the DMZ network

Make sure that the DMZ is not allowed to access the local network. This is the purpose of creating the DMZ, to protect your local network.

7. Make sure shorewall is configured correctly to start

[root]# shorewall check

If you get no errors, go ahead and restart shorewall

[root]# /etc/init.d/shorewall restart

The best solution would be adding a 3rd NIC for your DMZ but sometimes this is not possible. I use an old laptop as my router which only has 2 pcmcia slots so using this approach was my way of creating a DMZ

Comments

Very good
Written by Guest on 2005-06-16 17:17:03

Very good explenation, short and clear as I like them.

Thanks a lot.

(It works fine on my computer)