What we are essentially going to do here is to punch a hole through our proxy using iptables

The basic syntax for letting an entire DMZ network use a particular port on LAN is as follows..

iptables -I FORWARD -s DMZNetwork/24 -d LANNetwork/24 -p tcp --dport 80 -j ACCEPT

This will let the DMZ network communicate to the LAN network but only via port 80 (in the case where you have an internal server or multiple internal servers you wish everyone to access).

To let only one ip through (for instance if you want your mail server to authenticate with an active directory or ldap/ldaps server

iptables -I FORWARD -s 192.168.1.1 -d 10.0.10.1 -p tcp --dport 636 -j ACCEPT

Where 192.168.1.1 is the machine on the hotlan/dmz and 10.0.10.1 is our Active Directory/Ldaps server..

Note: the above example is set for ldaps, if you prefer use ldap (unencrypted, not recommended) change to port 389

Leave a Reply

Close Menu
%d bloggers like this: