DMZ

Set up the DMZ on a third NIC (to keep the DMZ packets separate from those on your regular network). Define the NIC (in this example eth2) with a different subnet than your regular network. If you are using the Buffalo wireless router on this subnet, it comes preconfigured with a 192.168.11.x address so that subnet is a good choice (assuming the regular network is 192.168.1.x).

/etc/sysconfig/network-scripts/ifcfg-ethx:
/etc/sysconfig/networking/devices/ifcfg-ethx:
/etc/sysconfig/networking/profiles/default/ifcfg-ethx:

To set up the NIC, look in /etc/sysconfig/network-scripts/ifcfg-ethx, /etc/sysconfig/networking/devices/ifcfg-ethx and /etc/sysconfig/networking/profiles/default/ifcfg-ethx (where "x" is your network adapter's number). Note that you must not use uppercase letters in the hexadecimal MAC address set by the HWADDR parameter; if you do, the brain dead code in /sbin/ifup and /sbin/ifdown will not work properly. Here's a sample for the DMZ NIC.

/etc/sysconfig/network-scripts/ifcfg-eth2:

     USERCTL=no
     PEERDNS=no
     TYPE=Ethernet
     DEVICE=eth2
     HWADDR=00:40:33:d3:02:d0
     BROADCAST=192.168.11.255
     IPADDR="192.168.11.1"
     NETMASK="255.255.255.0"
     NETWORK=192.168.11.0
     BOOTPROTO=none
     ONBOOT=yes

If you want to serve IP addresses via DHCP on the DMZ subnet, add a subnet to the DHCP configuration file for the DMZ subnet.

/etc/dhcpd.conf:

This is the complete DHCP daemon config file with the DMZ subnet included. It should be set up something like:

     authoritative;
     default-lease-time 7200;
     max-lease-time 86400;
     option subnet-mask 255.255.255.0;
     option domain-name-servers 151.203.0.84, 151.203.0.85;
     option domain-name "mydomain.com";
     ddns-update-style ad-hoc;
     subnet 192.168.1.0 netmask 255.255.255.0 {
         option broadcast-address 192.168.1.255;
         option routers 192.168.1.1;
         range 192.168.1.150 192.168.1.200;
     }
     subnet 192.168.11.0 netmask 255.255.255.0 {
         option broadcast-address 192.168.11.255;
         option routers 192.168.11.1;
         range 192.168.11.150 192.168.11.200;
     }

To provide packet forwarding from the DMZ to the outside world, the NARC firewall should be set up to allow a DMZ.

/etc/narc/narc.conf:

This just shows the changes you'll have to make to the standard NARC configuration to enable the DMZ:

     # PortForwarding section - Requires masquerading and forwarding.
     PORT_FORWARD="no"                       # This will not have any effect
                                             # unless MASQUERADE is enabled
     DMZ_INTERFACE="eth2"                    # DMZ interface (technically, you can
                                             # use your LAN interface as well -
                                             # bad security practice)
     PROTECT_FROM_DMZ="no"                   # "yes" or "no" -  Protect firewall
                                             # from DMZ network
     FORWARD_LAN_TO_DMZ="no"                 # Forward traffic from LAN to DMZ
     FORWARD_CONF="/etc/narc/narc-forward.conf"
                                             # Edit this file for port forwarding

Using this setup, machines from within the DMZ will be able to access machines on the internal network. If you'd rather not allow this to happen, you need to configure a custom NARC rule that prevents bridging between the DMZ subnet and the internal subnet.

/etc/narc/narc-custom.conf:

Adding the following lines to this file will prevent any packets originating in the DMZ from being bridged to the internal network:

     #
     # Rule to prevent packets from traversing from the DMZ subnet to the internal
     # subnet to keep viruses and other nasty stuff from getting at the good
     # stuff.  The other direction is OK, presumably.
     #
     # Note that all attempts to bridge from the DMZ to the internal subnet are
     # logged with a prefix of BRIDGE.
     #
     $IPTABLES -N BRIDGE_REJECT
     $IPTABLES -A BRIDGE_REJECT -j LOG --log-level $NORM_LOG_LEVEL \
               --log-prefix \"BRIDGE \" --log-ip-options --log-tcp-options
     $IPTABLES -A BRIDGE_REJECT -j REJECT
     # Hook the rule in to the forward chain.
     $IPTABLES -I FORWARD -i $DMZ_INTERFACE -o $LAN_INTERFACE -j BRIDGE_REJECT
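As an added example (not part of this guide or of NARC), here is a small Python script that reads the kernel log entries the BRIDGE_REJECT chain above produces, counts the rejected attempts by source, destination, protocol and port, and flags any entry whose addresses are not DMZ to LAN, which on this setup would point at a misconfiguration or a forged source address. The log lines are constructed, and eth1 is assumed to be the LAN interface.

```python
import ipaddress
import re
from collections import Counter

# Subnets from the guide: the DMZ on eth2 and the internal LAN.
DMZ_NET = ipaddress.ip_network("192.168.11.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
# Kernel log lines carrying the BRIDGE prefix, followed by netfilter KEY=VALUE fields.
LOG_RE = re.compile(r"kernel:.*?BRIDGE (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_bridge_log(lines):
    """Return one dict of KEY=VALUE fields per BRIDGE_REJECT entry; other lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            records.append(dict(FIELD_RE.findall(m.group("fields"))))
    return records

def summarize(records):
    """Count rejected attempts by (source, destination, protocol, destination port)."""
    counts = Counter()
    for r in records:
        counts[(r.get("SRC"), r.get("DST"), r.get("PROTO"), r.get("DPT", "-"))] += 1
    return counts

def unexpected(records):
    """Entries that are not DMZ -> LAN: the rule should only ever match those, so
    anything else points at a misconfiguration or a forged source address."""
    return [r for r in records
            if ipaddress.ip_address(r["SRC"]) not in DMZ_NET
            or ipaddress.ip_address(r["DST"]) not in LAN_NET]

# Constructed sample (eth1 assumed to be the LAN interface): one DMZ host repeatedly
# trying to reach a LAN host, one entry with a source outside the DMZ, one unrelated line.
SAMPLE_LOG = """\
Mar 10 12:00:01 router kernel: BRIDGE IN=eth2 OUT=eth1 SRC=192.168.11.150 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=40001 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:02 router kernel: BRIDGE IN=eth2 OUT=eth1 SRC=192.168.11.150 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=40002 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:03 router kernel: BRIDGE IN=eth2 OUT=eth1 SRC=192.168.11.150 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=40003 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:04 router kernel: BRIDGE IN=eth2 OUT=eth1 SRC=10.0.0.9 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4714 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 10 12:00:05 router dhcpd: DHCPACK on 192.168.11.150 to 00:11:22:33:44:55 via eth2
"""

if __name__ == "__main__":
    recs = parse_bridge_log(SAMPLE_LOG.splitlines())
    for key, n in summarize(recs).most_common():
        print(n, *key)
    for r in unexpected(recs):
        print("unexpected:", r["SRC"], "->", r["DST"])
```

Point it at the router's kernel log (the file syslog writes kernel messages to on your system) instead of SAMPLE_LOG to review real rejections.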