How do I make IP dmz AND not accessible to LAN.

aceO07

Diamond Member
Nov 6, 2000
4,491
0
76
I want to run a webserver on VMware on an old laptop. The VMware session will be bridged and have its own IP. The laptop will have its own IP. This webserver should be accessible through the internet AND not have access to my LAN. The laptop should have access to my LAN.

Basically, 1 IP that is DMZ and also restricted to rest of my LAN. Can I do that with just 1 router (running DD-WRT)? Is there any special networking that I could do without having to configure the OS to handle it?

I know I could set up networking with 2 routers that would isolate the laptop, but I really just want to have 1 IP that is DMZ and restricted to LAN.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
The best way would be to run a software firewall on the web server and block any inbound/outbound packets to your internal network range and allow any other address to the specific ports you need open to the world. Then forward those ports on the router to the server; DMZ is a last resort.
 

aceO07

Diamond Member
Nov 6, 2000
4,491
0
76
Originally posted by: spidey07
The best way would be to run a software firewall on the web server and block any inbound/outbound packets to your internal network range and allow any other address to the specific ports you need open to the world. Then forward those ports on the router to the server; DMZ is a last resort.

Yup. Earlier this morning I was also thinking about just port forwarding instead of DMZ. The idea about restricting access to LAN is still important to me. I just like the idea of setting it on a network/router level so the server can't be compromised and reconfigured to regain access to the LAN.

Would it be possible to do a 2 router system to accomplish what I want?
For example:

WAN to
Router0 NAT (port forwarding to IP for server) to
Router1 NAT (actual LAN + server)

In that config, would the server be able to use an IP address from Router0 while connected to Router1? Would that work? Since Router1, which is the LAN, would be hidden from Router0 through NAT.

I admit this is a bit complicated. Mainly due to my need/want of having the laptop serve 2 roles (LAN access and VMware webserver). I don't want to spend the resources for a dedicated webserver machine now.

edit: Also this seems like an interesting idea, so that's why I'm pursuing it. :)
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
If you really want to keep the traffic separate, use VLANs on the DD-WRT to segregate your server and then route between the two VLANs on the DD-WRT and use the firewall to block access.
 

Engineer

Elite Member
Oct 9, 1999
39,230
701
126
Add something like this as an init script/startup (whatever it's called, lol) in DD-WRT...

iptables -I FORWARD -s 192.168.1.5 -d 192.168.1.0/24 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 192.168.1.1 -j ACCEPT

In the above example, the PC with IP 192.168.1.5 could not access the subnet 192.168.1.xxx. Substitute your IP range / subnet for the above. DMZ should still work if set up already.

With the 2nd line in this example, the PC (IP 192.168.1.5) will now have access to the GUI of the router (192.168.1.1). Without this line, the first line would cause the PC to not have any access to the IP subnet 192.168.1.xxx including the router/AP.

If you don't want the server to have access to the router, remove the 2nd line.
 

aceO07

Diamond Member
Nov 6, 2000
4,491
0
76
Originally posted by: Engineer
Add something like this as an init script/startup (whatever it's called, lol) in DD-WRT...

iptables -I FORWARD -s 192.168.1.1 -d 192.168.1.0/24 -j DROP
iptables -I FORWARD -s 192.168.1.1 -d 192.168.1.0 -j ACCEPT

In the above example, the PC with IP 192.168.0.1 could not access the subnet 192.168.1.xxx. Substitute your IP range / subnet for the above. DMZ should still work if set up already.

With the 2nd line in this example, the PC (IP 192.168.1.1) will now have access to the GUI of the router (192.168.1.0). Without this line, the first line would cause the PC to not have any access to the IP subnet 192.168.1.xxx including the router/AP.

If you don't want the server to have access to the router, remove the 2nd line.

192.168.0.1? Do you mean 192.168.1.1?

So.. If I want IP address 192.168.1.201 to be the server, I forward all the server ports (HTTP, SSH) to 192.168.1.201. Then in the DD-WRT script, I'd use "iptables -I FORWARD -s 192.168.1.1 -d 192.168.1.0/24 -j DROP". Resulting in 192.168.1.201 having no access to the LAN and only receiving/sending to outside requests?
 

Engineer

Elite Member
Oct 9, 1999
39,230
701
126
Originally posted by: aceO07
Originally posted by: Engineer
Add something like this as an init script/startup (whatever it's called, lol) in DD-WRT...

iptables -I FORWARD -s 192.168.1.5 -d 192.168.1.0/24 -j DROP
iptables -I FORWARD -s 192.168.1.5 -d 192.168.1.1 -j ACCEPT

In the above example, the PC with IP 192.168.1.5 could not access the subnet 192.168.1.xxx. Substitute your IP range / subnet for the above. DMZ should still work if set up already.

With the 2nd line in this example, the PC (IP 192.168.1.5) will now have access to the GUI of the router (192.168.1.1). Without this line, the first line would cause the PC to not have any access to the IP subnet 192.168.1.xxx including the router/AP.

If you don't want the server to have access to the router, remove the 2nd line.

192.168.0.5? Do you mean 192.168.1.5?

So.. If I want IP address 192.168.1.201 to be the server, I forward all the server ports (HTTP, SSH) to 192.168.1.201. Then in the DD-WRT script, I'd use "iptables -I FORWARD -s 192.168.1.1 -d 192.168.1.0/24 -j DROP". Resulting in 192.168.1.201 having no access to the LAN and only receiving/sending to outside requests?


Yes, I meant 192.168.1.5, sorry! :eek: (I edited the responses to have a better example)

You would use

iptables -I FORWARD -s 192.168.1.201 -d 192.168.1.0/24 -j DROP

to do what you need. Again, you would need to add the 2nd line

iptables -I FORWARD -s 192.168.1.201 -d 192.168.1.1 -j ACCEPT

if you want the server to have access to the GUI of the router (assuming the router is 192.168.1.1).

Oh, and for the record, I'm not home so I can't test this out so currently, YMMV! It was written for Tomato so I'm assuming that DD-WRT uses the same iptables command structure. :)
 

aceO07

Diamond Member
Nov 6, 2000
4,491
0
76
Engineer, I just tried it. In DD-WRT there is a way to set 'firewall' settings. I put in the first line and saved it. It did not restrict that IP's access to other LAN IPs. Maybe it needs to be restarted. I'll restart the router tomorrow and check again.
 

aceO07

Diamond Member
Nov 6, 2000
4,491
0
76
Originally posted by: JackMDS
Written for something else in mind but same principle.

Put the server on the first Router.

Network Segregation - http://www.ezlan.net/shield.html

Originally posted by: aceO07
Would it be possible to do a 2 router system to accomplish what I want?
For example:

WAN to
Router0 NAT (port forwarding to IP for server) to
Router1 NAT (actual LAN + server)

That's what I was thinking of and tried to describe in an earlier post. I just wasn't sure if from Router1 I would be able to access and assign an IP from Router0. I want to avoid having a physical connection to Router0 due to my usage requirements. The laptop would have IP of 192.168.1.100, while the virtual machine server running on the laptop would have another IP that would restrict access to the rest of the LAN.
 

Engineer

Elite Member
Oct 9, 1999
39,230
701
126
Originally posted by: aceO07
Engineer, I just tried it. In DD-WRT there is a way to set 'firewall' settings. I put in the first line and saved it. It did not restrict that IP's access to other LAN IPs. Maybe it needs to be restarted. I'll restart the router tomorrow and check again.

Yes, I don't think that the scripts will execute until you reboot the router. The firewall script section typically executes after the WAN comes up, and since the WAN was already up, it most likely didn't execute.

You can also telnet into the router (login: root, password: normal password) and run the script line there, and it should also execute.

Edit: I must have screwed up as it doesn't work on my Tomato router either. Will look at it after I get home.

Edit #2: Seems this will only work when used with two routers linked from the WAN of one to the LAN of another. Sorry to give incorrect information. Will research (as I'm curious now)! :)
 
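Engineer's Edit #2 and spidey07's earlier suggestion together give the practical rule: a router's FORWARD chain only filters packets the router actually routes, so on one flat subnet the DD-WRT rule never sees server-to-LAN traffic, and the filtering has to happen either on the server itself or after the server is moved onto its own network (a VLAN on the DD-WRT as Crusty suggested, or behind a second router). The script below is an added example, not code from this thread and not DD-WRT or Tomato code: it checks whether the router is in the path for a given pair of addresses and prints whichever of the two iptables rule sets can actually enforce the isolation. The addresses 192.168.1.201, 192.168.1.100 and 192.168.2.10, the ports, and the assumption that the router forwards ports without masquerading the source address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not DD-WRT or Tomato code).
# Decides where the "server may not talk to the LAN" rule can actually
# take effect and prints the matching iptables rules. Addresses, ports and
# router behaviour are constructed assumptions for illustration.

# Dotted quad -> 32-bit integer (e.g. 192.168.1.201 -> 3232235977).
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> netmask as an integer (24 -> 4294967040).
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# network_of IP PREFIX -> CIDR of the network IP lives in.
network_of() {
    echo "$(int2ip $(( $(ip2int "$1") & $(prefix2mask "$2") )))/$2"
}

# same_subnet A B PREFIX: succeeds when A and B share the same /PREFIX.
same_subnet() {
    m=$(prefix2mask "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# router_can_filter SERVER LANHOST PREFIX: the router's FORWARD chain only
# sees packets the router routes. Two hosts on one subnet behind the same
# LAN bridge exchange frames directly at layer 2, so iptables on the router
# never sees them (which is why the rule in the thread did nothing on a
# flat LAN). Succeeds only when the router is actually in the path, i.e.
# the server sits on a different network (its own VLAN, or behind another
# router).
router_can_filter() {
    ! same_subnet "$1" "$2" "$3"
}

# Router-side rules (DD-WRT firewall script) isolating SERVER from LAN_CIDR,
# optionally keeping the router's own address reachable for its web GUI.
router_rules() {
    # -I inserts at the top of the chain, so the ACCEPT is printed last
    # and ends up being evaluated first.
    echo "iptables -I FORWARD -s $1 -d $2 -j DROP"
    [ -n "$3" ] && echo "iptables -I FORWARD -s $1 -d $3 -j ACCEPT"
    return 0
}

# Host-side rules for the web server itself (the software-firewall approach):
# drop anything to or from the LAN range, accept only the published TCP
# ports from everyone else, and let replies to the server's own sessions in.
# Assumes the router forwards ports without masquerading the source address;
# if it rewrites sources to its own LAN IP, the LAN DROP would swallow
# internet traffic too. If the router is also the DNS resolver, add an
# ACCEPT for UDP 53 to it ahead of the OUTPUT DROP.
host_rules() {
    lan=$1; shift
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -s $lan -j DROP"
    echo "iptables -A OUTPUT -d $lan -j DROP"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
}

# plan SERVER LANHOST PREFIX ROUTER PORTS...: print the rule set that can
# actually enforce isolation for this topology.
plan() {
    server=$1; lanhost=$2; prefix=$3; router=$4; shift 4
    lan=$(network_of "$lanhost" "$prefix")
    if router_can_filter "$server" "$lanhost" "$prefix"; then
        echo "# $server is outside $lan; the router routes this traffic: filter on DD-WRT"
        router_rules "$server" "$lan" "$router"
    else
        echo "# $server and $lanhost share $lan; the router never sees this traffic: filter on the server"
        host_rules "$lan" "$@"
    fi
}

# Constructed demo: flat LAN as in the thread, then the server moved to its own VLAN.
plan 192.168.1.201 192.168.1.100 24 192.168.1.1 80 22
echo
plan 192.168.2.10 192.168.1.100 24 192.168.1.1 80 22
```

The printed lines can be pasted into the DD-WRT firewall script or run on the server, but the point of the script is the decision before them: with 192.168.1.201 and 192.168.1.100 on the same /24 the router never sees their traffic, so the FORWARD rule is dead weight and the host rules are what stand between the server and the LAN; only once the server is on 192.168.2.0/24 does the router become the enforcement point.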

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,545
422
126
Originally posted by: aceO07
The laptop would have IP of 192.168.1.100, while the virtual machine server running on the laptop would have another IP that would restrict access to the rest of the LAN.

Whatever is on the first Router can be accessed by whatever is on the second Router.

I.e. from second to first it is Not a problem and the first can be easily accessed.

On the other hand, the computers on the first Router would be blocked by the second Router's NAT Firewall from direct Access to the Network on the second Router (that is the whole point of segregation).

Think about it as the Network on the first Router is the Internet to the second.

I.e. you can configure the Networks to interact the same way that people interact from their Work to their home Network.

As an example you can use RDT or Ultra VNC to connect from the First Network to the second.

 

aceO07

Diamond Member
Nov 6, 2000
4,491
0
76
Originally posted by: Engineer
Originally posted by: aceO07
Engineer, I just tried it. In DD-WRT there is a way to set 'firewall' settings. I put in the first line and saved it. It did not restrict that IP's access to other LAN IPs. Maybe it needs to be restarted. I'll restart the router tomorrow and check again.

Yes, I don't think that the scripts will execute until you reboot the router. The firewall script section typically executes after the WAN comes up, and since the WAN was already up, it most likely didn't execute.

You can also telnet into the router (login: root, password: normal password) and run the script line there, and it should also execute.

Edit: I must have screwed up as it doesn't work on my Tomato router either. Will look at it after I get home.

Edit #2: Seems this will only work when used with two routers linked from the WAN of one to the LAN of another. Sorry to give incorrect information. Will research (as I'm curious now)! :)

Thanks for your efforts. I rebooted the router and the iptables command didn't work. If you find something, let me know.
 

aceO07

Diamond Member
Nov 6, 2000
4,491
0
76
Originally posted by: JackMDS
Originally posted by: aceO07
The laptop would have IP of 192.168.1.100, while the virtual machine server running on the laptop would have another IP that would restrict access to the rest of the LAN.

Whatever is on the first Router can be accessed by whatever is on the second Router.

I.e. from second to first it is Not a problem and the first can be easily accessed.

On the other hand, the computers on the first Router would be blocked by the second Router's NAT Firewall from direct Access to the Network on the second Router (that is the whole point of segregation).

Think about it as the Network on the first Router is the Internet to the second.

I.e. you can configure the Networks to interact the same way that people interact from their Work to their home Network.

As an example you can use RDT or Ultra VNC to connect from the First Network to the second.

Thanks for confirming. I'll give it a try. I have an old Netgear router that I can try it with. Not very stable, but should be good enough to do a trial with.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
This seems like a bad idea to me. Virtualization is scary. For instance the VM Host shouldn't have any functions other than hosting the guests. And this also seems to break the practice of not putting differing security level guests on the same host.

Anyhow, I've wondered if it would be possible to split traffic out based on which bridged NIC they used. For instance, use one NIC for the laptop host, and a second interface in bridged mode for the guest. That should let you keep the networks physically separate(-ish).

USB NICs are cheap. ;)
Just a quick ramble. Ran out of coffee half way through.
 

aceO07

Diamond Member
Nov 6, 2000
4,491
0
76
Originally posted by: n0cmonkey
This seems like a bad idea to me. Virtualization is scary. For instance the VM Host shouldn't have any functions other than hosting the guests. And this also seems to break the practice of not putting differing security level guests on the same host.

Anyhow, I've wondered if it would be possible to split traffic out based on which bridged NIC they used. For instance, use one NIC for the laptop host, and a second interface in bridged mode for the guest. That should let you keep the networks physically separate(-ish).

USB NICs are cheap. ;)
Just a quick ramble. Ran out of coffee half way through.

Thanks for your ramble. I'm not a networking guy, though I've taken a grad level networking class years ago. It's all very fascinating stuff. Got to play with some really cool wireless motes. I'd love to buy the equipment and play with them again, but they're too expensive to justify in this economy.

I'm waiting for some cheap Atom based servers to come out so I can plop my fileserver, svn server, printer server onto it. Then that'll free up my old laptop to be a webserver.

Actually, the laptop does have wireless and Ethernet connections. I suppose the VM guest could use wireless, and Ethernet could be for the host. I don't know how the host deals with 2 connections and what happens if only 1 connection is present. Not really as transparent as I would like, probably due to my lack of knowledge in this area.

I'll also look into the VLAN in DD-WRT idea that Crusty brought up earlier. Maybe that'll provide the easy solution I'm hoping for. :)