Firewall Rulesets: NAT / DMZ / Portforwarding

Started by ruggerio, March 20, 2018, 07:32:15 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
March 20, 2018, 07:32:15 AM
Hi,

I have one single Server on the DMZ-Interface. I want to get Some Ports (eg. 80,443) forwarded to this.

So, i created a NAT-Portfforwading rule:

Interface: WAN
Target: Wan Adress
Target Ports : 80,443
Redirect Target IP: [IP of my Webserver]
Redirect Target Ports: 80,443

This created an automted rule on WAN:

Source: any
Source port: any
Target:  [IP of my Webserver]
Target Ports: 80,443


As this "Server" is in the DMZ, i created a rule on the DMZ-Network, to allow Access to my webserver.

Question: is the rule on the dmz-interface really needed? on the WAN-Interface, traffic for the ports for my webserver is allowed.

In iptables (yes, i know...) i would also have to set an allow-rule for that Interface.


Thx,
Roger
March 20, 2018, 12:33:58 PM #1
QuoteAs this "Server" is in the DMZ, i created a rule on the DMZ-Network, to allow Access to my webserver.

Or you can use NAT reflection if you need to access this webserver also from LAN.

QuoteQuestion: is the rule on the dmz-interface really needed? on the WAN-Interface, traffic for the ports for my webserver is allowed.

Only if you need http(s) access to the server from LAN too, and you don't use NAT reflection (see upon).
March 20, 2018, 12:43:05 PM #2
It might help you if you imagine yourself as a policeman standing in the middle of an intersection:

Policeman - the router making routing decisions
Junction/ Intersection - The router equipment, as a whole.
Roads - NICs (Network Interface Cards)/ Connections themselves.
Cars - Data Packets

Make each rule following the "from where - getting in by which road - getting out by which road - to where" way of thinking, and most of the time you would have no problems in setting up your router.
March 20, 2018, 12:59:25 PM #3
Hi Hitiucip,

Thanks for both eplanations, now thats quite clear! The policmen in my case is the dmz-interface, which stops or allows the traffic to that "Zone".

Roger
March 20, 2018, 03:24:22 PM #4
You are the policeman! ALWAYS!(!) :)

Named "dmz-interface" is a road, one of the many you have getting into your intersection (meaning, "router"). ;)
March 20, 2018, 04:10:04 PM #5
Thanks a lot :)
Print
Go Up Pages1
User actions