linux - Issues with DMZ and Firewall configuration on CentOS

07
2014-07
  • user330144

    I'm working on a project involving two Linux servers being virtualized on a Server 2008 R2 Enterprise computer.

    The two Linux servers are running CentOS 6.4 32-bit, and are named Server1 and Server2. Server1 is solely functioning as a firewall, and Server2 is running as an HTTP and POP3 server. Server1 and Server2 are running on the same subnet.

    I need to set up Server2 in a DMZ, protected by Server1, where Server1 will only allow HTTP and POP3 traffic to the server and reject everything else.

    I have configured iptables to only allow HTTP and POP3 traffic, but I'm unsure how to configure a DMZ for Server2.

    I did some research on the Internet, and all the information I could find was pertaining to situations like the one depicted here: http://www.cyberciti.biz/faq/wp-content/uploads/2007/12/linux-dmz-network-diagram-firewall.png

    Whereas my situation is different, as there is only one actual machine.
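    The following is an added example, not code from the question or from any answer on this page, showing what a minimal iptables ruleset for the setup described above looks like when Server1 is the only firewall. It assumes something the question does not state: that Server1 has two interfaces, one facing the outside (`WAN_IF`) and one on a separate DMZ segment (`DMZ_IF`) where Server2 lives; with both servers on the same subnet there is nothing for Server1 to sit in front of, so on a hypervisor that means a second virtual switch for the DMZ. The interface names, the DMZ address `192.0.2.10` and the function names are constructed for the example. With `preview` it only prints the commands, so it can be checked without root; `apply` installs them.

    ```shell
    #!/bin/sh
    # Added example: single-host DMZ firewall with iptables.
    # Assumptions (not from the original question):
    #   WAN_IF  - interface facing the outside world
    #   DMZ_IF  - interface on the DMZ segment where the HTTP/POP3 server sits
    #   DMZ_HOST - address of that server (constructed TEST-NET-1 address)
    WAN_IF="${WAN_IF:-eth0}"
    DMZ_IF="${DMZ_IF:-eth1}"
    DMZ_HOST="${DMZ_HOST:-192.0.2.10}"
    ALLOWED_TCP_PORTS="80 110"        # HTTP and POP3, the only services exposed

    # Run iptables, or print the command when DRY_RUN=1 (no root needed).
    ipt() {
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "iptables $*"
        else
            iptables "$@"
        fi
    }

    # Start from an empty table with a default DROP on the chains that matter.
    reset_policy() {
        ipt -F
        ipt -t nat -F
        ipt -P INPUT DROP
        ipt -P FORWARD DROP
        ipt -P OUTPUT ACCEPT
    }

    # The firewall host itself accepts only loopback and replies to its own
    # connections; nothing from outside reaches Server1 directly.
    firewall_self_rules() {
        ipt -A INPUT -i lo -j ACCEPT
        ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    }

    # Outside -> DMZ: publish each allowed port on the firewall's external
    # address (DNAT, i.e. port forwarding) and allow only those new
    # connections through. Replies come back via conntrack; everything else,
    # including connections the DMZ host tries to open, hits the DROP policy.
    dmz_forward_rules() {
        for port in $ALLOWED_TCP_PORTS; do
            ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
                -j DNAT --to-destination "$DMZ_HOST:$port"
            ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_HOST" \
                --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
        done
        ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        # Log (rate-limited) what the DROP policy is about to discard, so
        # blocked probes show up in the kernel log instead of vanishing.
        ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "DMZ-DROP: "
    }

    apply_all() {
        reset_policy
        firewall_self_rules
        dmz_forward_rules
    }

    # Print the ruleset that would be installed, without touching the kernel.
    preview_rules() {
        ( DRY_RUN=1; apply_all )
    }

    # Number of new-connection FORWARD accepts in the preview; it must equal
    # the number of allowed ports, otherwise the exposure is not what we meant.
    count_forward_accepts() {
        preview_rules | grep -c -- '-A FORWARD .* --ctstate NEW -j ACCEPT'
    }

    case "${1:-}" in
        preview) preview_rules ;;
        apply)   apply_all ;;
    esac
    ```

    Run `sh dmz-firewall.sh preview` to inspect the rules, and `sudo sh dmz-firewall.sh apply` on Server1 to install them; IP forwarding (`net.ipv4.ip_forward=1`) must also be enabled on Server1 for the FORWARD chain to see any traffic at all. The default DROP on FORWARD is what makes the DMZ a DMZ: the web/mail host can be reached on exactly two ports and cannot initiate anything outward or toward the firewall.
    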


    Related Question

    router - How can I make my livebox route to my external IP address for a computer in the DMZ?
  • Noli

    I have a sagem livebox 2 (Fiber optic model), and have placed my computer in a DMZ. People from outside of my network can access my comp fine via its external dyndns.org address, yet when I try to call the public dyndns.org address from inside my network, I get redirected to the internal admin site on the router. How can I make it so that I can see my comp from the public address like everyone else? What kinds of questions should I be asking or looking into?

    Thanks


  • Related Answers
  • Patches

    See if there's an option in your router configuration to change the HTTP port of your administration interface to something other than 80. If that's not possible, and you're only running a regular HTTP server and not a secure HTTPS server, change the router configuration to use HTTPS and not HTTP.

    Also, if you're only running a web server, consider using the port forwarding feature of your router to only forward port 80 to the target computer. You can do this for as many ports as you need. This reduces the attack profile of your system by allowing the router to act as a firewall, instead of relying on the target computer's firewall.