What we are essentially going to do here is punch a hole through our proxy using iptables, by inserting rules into its FORWARD chain.
The basic syntax for letting an entire DMZ network reach a particular port on the LAN is as follows:
iptables -I FORWARD -s DMZNetwork/24 -d LANNetwork/24 -p tcp --dport 80 -j ACCEPT
This lets the DMZ network talk to the LAN network, but only on TCP port 80 (for the case where you have one or more internal web servers you want every DMZ host to reach). Two things to keep in mind: -I inserts the rule at the top of the FORWARD chain, ahead of any DROP rules, and if your FORWARD chain drops by default you also need a rule accepting ESTABLISHED,RELATED traffic so the LAN servers' replies are not dropped on the way back. Where you can, narrow -d to the actual server addresses rather than the whole /24.
To let only one IP through (for instance, if you want your mail server to authenticate against an Active Directory or LDAP/LDAPS server):
iptables -I FORWARD -s 192.168.1.1 -d 10.0.10.1 -p tcp --dport 636 -j ACCEPT
Where 192.168.1.1 is the machine on the hot LAN/DMZ and 10.0.10.1 is our Active Directory/LDAPS server.
Note: the above example is set for LDAPS; if you prefer plain LDAP (unencrypted unless the client negotiates STARTTLS, so not recommended) change the port to 389.
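Putting both pinholes together, here is a small POSIX shell script as an added example (it is not from the original page): it validates the addresses and port before they reach iptables, uses iptables -C so re-running it does not pile up duplicate rules, restricts the pinholes to NEW connections, and inserts the ESTABLISHED,RELATED rule last so that -I leaves it at position 1 of FORWARD where the LAN-to-DMZ replies hit it. The networks 192.168.1.0/24 and 10.0.10.0/24 are assumptions chosen to match the page's 192.168.1.1 and 10.0.10.1; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the original page's script: open DMZ -> LAN pinholes in the
# FORWARD chain with input validation, idempotent inserts (iptables -C) and the
# stateful return-traffic rule the page's one-liners leave out.
# The addresses below are assumptions consistent with the page's 192.168.1.1
# (DMZ mail server) and 10.0.10.1 (LAN AD/LDAPS server).

# Accept "a.b.c.d" or "a.b.c.d/nn"; return 1 for anything else.
valid_cidr() {
  addr=${1%%/*}
  mask=${1#*/}
  [ "$mask" = "$1" ] && mask=32                  # bare host address
  case "$mask" in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$mask" -le 32 ] || return 1
  rest=$addr; n=0
  while [ -n "$rest" ]; do
    octet=${rest%%.*}
    case "$octet" in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
    [ "$rest" = "$octet" ] && break               # last octet consumed
    rest=${rest#*.}
    [ -n "$rest" ] || return 1                    # trailing dot
  done
  [ "$n" -eq 4 ]
}

# TCP port must be 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Run an iptables command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# Insert a rule at the top of its chain unless an identical rule already
# exists (iptables -C exits 0 when it does), so re-running the script is safe.
insert_once() {
  if [ "${DRY_RUN:-0}" != 1 ] && iptables -C "$@" 2>/dev/null; then
    return 0
  fi
  run -I "$@"
}

# open_pinhole SRC DST PORT: allow NEW TCP connections from SRC to DST:PORT.
open_pinhole() {
  if ! valid_cidr "$1" || ! valid_cidr "$2" || ! valid_port "$3"; then
    echo "open_pinhole: bad argument in '$*'" >&2
    return 1
  fi
  insert_once FORWARD -s "$1" -d "$2" -p tcp --dport "$3" \
    -m conntrack --ctstate NEW -j ACCEPT
}

# Replies (LAN -> DMZ) never match the pinholes above; this rule admits them.
# It is inserted last so that -I leaves it at position 1 of FORWARD.
allow_return_traffic() {
  insert_once FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

main() {
  open_pinhole 192.168.1.0/24 10.0.10.0/24 80 || return 1   # whole DMZ -> LAN web servers
  open_pinhole 192.168.1.1 10.0.10.1 636 || return 1         # mail server -> AD over LDAPS
  allow_return_traffic
}

case "${1:-}" in
  apply)   main ;;
  dry-run) DRY_RUN=1; main ;;
esac
```

Run it as `sh pinholes.sh dry-run` to see the exact iptables commands it would issue, then `sh pinholes.sh apply` as root. One caveat of the -C check: if an ESTABLISHED,RELATED rule already exists further down the chain, below a DROP, the script will not add a second copy at the top, so inspect `iptables -L FORWARD -n --line-numbers` after the first run.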