[Sussex] DMZ zone routing
Matthew Macdonald-Wallace
matthew at truthisfreedom.org.uk
Thu Jun 2 06:16:52 UTC 2005
Andrew,
On Wed, 1 Jun 2005 18:43:04 +0100 (BST)
"Andrew Guard" <andrew at andrewguard.com> wrote:
> OK I can not work out this could be done but let's see if can think how it
> would work. I need to put 2 computers on within a DMZ area. How could
> this be done.
>
> Router (a1) (a2) (a3)
>
> a1 Computer
> a2 Computer
>
> a3 DMZ - Router (b1) (b2)
>
> b1 DMZ - Computer
> b2 DMZ - Computer
If you purchase a router that handles DMZs out of the box (the Linksys
ones seem pretty good at it!) then your setup should look like this:
             BT/LOCAL-LOOP CLOUD
                      |
                      |
                PUBLIC IFACE
                      |
                      |
DSL/ISDN/POTS[1] MODEM/ROUTER -- DMZ (ORANGE) IFACE-- SWITCH - DMZ COMP1
                      |                                 |
                      |                                 |
                      |                            DMZ COMP(x)
    LOCAL (PRIVATE) NETWORK IFACE (GREEN)
                      |
                      |
                      |
                LOCAL SWITCH
You would then restrict all access to the private (GREEN) interface and
probably allow outgoing only on certain ports (http,SMTP,POP3/IMAP and
FTP plus any bespoke services).
The Computers in the DMZ are usually wide open to access from anywhere,
so I recommend securing them with a local IPTABLES rule-set.
Hope this helps,
Matt
[1] Plain Old Telephone System (PSTN[2])
[2] Public Switched Telephone Network - the normal phone lines... :)
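
Added example, not part of the original message: one way to write the local iptables rule-set recommended above for a DMZ host, emitted in iptables-restore format so it can be reviewed before loading. The helper name dmz_host_rules, the GREEN subnet 192.168.1.0/24, the published ports (80 and 25) and SSH as the admin channel are all assumptions.

```shell
#!/bin/sh
# Added example: local iptables rule-set for one DMZ host, in iptables-restore format.
# dmz_host_rules is a hypothetical helper; the subnet and ports are constructed values.
ADMIN_NET="192.168.1.0/24"   # assumed GREEN (private) subnet allowed to SSH in
PUBLIC_TCP_PORTS="80 25"     # assumed services this DMZ host offers to everyone

dmz_host_rules() {
    admin_net=$1
    shift
    # Validate every port before printing anything, so a typo can never
    # produce a half-written rule-set.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
    done
    # Default-deny inbound; keep loopback and replies to our own traffic.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Only the services this host is meant to publish are reachable from anywhere.
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Administration (SSH) only from the private network; log what gets dropped.
    cat <<EOF
-A INPUT -s $admin_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -m limit --limit 6/minute -j LOG --log-prefix "DMZ-DROP "
COMMIT
EOF
}

# Print the rule-set for review; as root, pipe the same output into iptables-restore.
# shellcheck disable=SC2086  # word splitting of the port list is intended
dmz_host_rules "$ADMIN_NET" $PUBLIC_TCP_PORTS
```

Anything not matched by an ACCEPT rule falls through to the INPUT chain's DROP policy, so the host exposes only the listed services even though the router leaves the DMZ open.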