[Firewall] DMZ-IP

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Wed Jan 14 19:50:50 CET 2009

First of all: you can implement about *anything* with plugins. They are 
loaded before *almost* everything in the main script. I even implemented 
  these POST_xxx-chains for allow plugins to add stuff *after* the main 
script has loaded its rules. If there isn't something that can't be done 
with plugins, contact me and I'll take care of it in the main script.

About the DMZ-idea: it is indeed interesting. I see 2 possible options:
- Use the NAT_FORWARD_xxx variables, as already suggested, though quick 
'n dirty;
- Write a plugin which nicely implements this.


Lonnie Abelbeck wrote:
> On Jan 14, 2009, at 11:48 AM, Darrick Hartman wrote:
>> I'm trying to figure out a way to implement the following 'feature'.  
>> I don't think it's possible as a plugin because it would likely need 
>> to be applied before many of the rules in the main script.
>> The feature follows:
>> Many firewall 'appliances' allow a so-called DMZ where all unassigned 
>> inbound traffic is directed to a specific IP address on the lan.  I 
>> need to duplicate this behavior and hope we can find a way to do this 
>> cleanly with the Arno's script.
>> So as an example:
>> TCP 80 -> NAT
>> TCP 25 -> NAT
>> ALL other inbound traffic -> NAT
>> I suppose that NAT_TCP_FORWARD, NAT_UDP_FORWARD could be used with 
>> some very wide ranges with the specified ports listed before the wide 
>> range, but I was hoping for something cleaner that would ensure that 
>> DMZ-IP forwards would happen at the right time without having to 
>> ensure they were listed last in these other fields.
>> Darrick
> Interesting idea...
> This would allow multiple firewalls to be easily placed back-to-back, 
> the first firewall handles what it chooses and then forwards everything 
> else to another firewall downstream.
> Possibly Arno could add something like:
> before his DENY's, to forward traffic to a particular IP address 
> immediately before they would normally be blocked.
> Lonnie
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl

Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
Arno's (Linux IPTABLES Firewall) Homepage:

More information about the Firewall mailing list