I am currently trying to have a firewall with a DMZ in place using Debian and Ipchains.
I found a lot of information in various HOWTOs and sites about firewalling, Ipchains, security, ...
But I did not find complete examples or a description for a three-legged firewall. What I found was related to Ipchains or a general description for a two-legged fw.
Mainly, my setup is fine for the internal network (I tested it via several scanners without finding holes or openings). So, I am happy... but it is nearly impossible to allow Internet users to access an apache web server on the DMZ. Even after reading a lot of info about ipmasqadm and portfw, I was unable to open access to the web server...
I am a little bit lost. Does anyone have some example about identical topology or some links providing such information?
Many thanks in advance.
PS : the information of the various firewall configuration on this site is really well described.
three-legged firewall ...
16 years 1 month ago #221
For starters, why would you want to use IPchains? I was using IPchains around 2 years ago and made the switch to IPtables.
There are considerable advantages to using IPtables in contrast to IPChains.
Secondly, IPchains does not support stateful packet filters, whereas IPtables does. Stateful packet filtering means that each packet passed through the firewall is examined and the appropriate response packet is expected. This way the firewall keeps track of your outgoing/incoming packets.
Thirdly, IPtables is a lot more flexible and easier to work with. The logical structure of the chain model is different from that which IPChains uses. You are able to port forward to an internal machine with a simple command, whereas with ipchains it was very messy.
Lastly, IPtables is the new "in" thing, which is working fine for everyone. I've used it for custom firewalls used with Internet banking machines and it's worked just fine. Stick with the new stuff and don't get bogged down with the old stuff!
In case you didn't notice on the homepage, there will be heaps of information which will cover IPtables and various configurations.