I'm trying to implement a Three legged firewall but my iptables rules for the DMZ are not working as expected.
The Three legged firewall is a Firewall with 3 NICs. One for the Router, one for the DMZ and one for the LAN.
My DMZ network is on another network, separate from the LAN. There is a route rule between the Firewall and the DMZ.
Firewall LAN NIC: 192.168.0.1
Firewall DMZ NIC: 192.168.100.1
DMZ Server IP: 192.168.100.12
The DMZ Server gateway is 192.168.100.1
So as a DMZ I will allow all connections from the Internet through the Firewall to the DMZ and forbid only the outgoing connections from the DMZ to the LAN (to keep it safe) but allow the incoming ones. But I wasn't able to block all incoming/outgoing connections to test if iptables rules are applying properly.
So I tried (always in the Firewall):
iptables -A FORWARD -s 192.168.100.12 -d 0.0.0.0 -j DROP
iptables -A FORWARD -d 192.168.100.12 -s 0.0.0.0 -j DROP
But I can still RDP to the server, navigate, and all.
Okay maybe an INPUT/OUTPUT:
iptables -A INPUT -s 192.168.100.12 -j DROP
iptables -A OUTPUT -d 192.168.100.12 -j DROP
But it was the same.
As a result I wasn't able to block all the connections to my DMZ Server proving that my rules weren't working at all.
I'm not a network guy but a programmer guy, so I'm completely sure that my poor networking skills are failing here so hard. Sorry for that.
Thank you for the help!
Okay. I think I solved it.
iptables -A FORWARD -s 192.168.100.0/24 -d 192.168.0.0/24 -j DROP
iptables -A FORWARD -d 192.168.100.0/24 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 192.168.100.0/24 -i $dmz_i -j DROP
Those were the correct rules to block the access to the Firewall (the INPUT rule) and to the LAN (the FORWARD rules).
Thanks!
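For readers with the same setup, here is an added example (not the poster's own script) that builds the rule set the question actually asks for: DMZ hosts may not open connections to the LAN or to the firewall itself, while the LAN and the Internet may still reach the DMZ and their replies come back. It goes a bit beyond the answer above by matching on interfaces rather than only on addresses and by accepting ESTABLISHED,RELATED traffic first, so LAN-initiated RDP to the DMZ keeps working while DMZ-initiated connections to the LAN are dropped. The interface names eth0/eth1/eth2 are assumptions; the subnets are the ones from the question. It is also worth knowing why the first attempt matched nothing: "-d 0.0.0.0" matches only that single literal address, whereas "any destination" is "-d 0.0.0.0/0" or simply omitting -d. The script prints the rules by default (DRY_RUN=1) and only calls iptables when run with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Three-legged firewall rule set (added example, not from the original post).
# Assumed interface names; override with environment variables if yours differ.
WAN_IF=${WAN_IF:-eth0}   # assumption: NIC towards the router / Internet
LAN_IF=${LAN_IF:-eth1}   # assumption: NIC on 192.168.0.0/24
DMZ_IF=${DMZ_IF:-eth2}   # assumption: NIC on 192.168.100.0/24
LAN_NET=192.168.0.0/24   # from the question
DMZ_NET=192.168.100.0/24 # from the question
DRY_RUN=${DRY_RUN:-1}    # 1 = print the rules, 0 = really call iptables

# Wrapper so the rule set can be reviewed before it is applied.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# Rules for the DMZ leg. Order matters: iptables evaluates top to bottom,
# so replies to already-accepted connections are let through before the
# DMZ->LAN DROP rule is consulted.
dmz_rules() {
  # Return traffic of connections that were allowed when they were opened
  # (e.g. RDP answers from the DMZ server back to a LAN client).
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # The actual goal: no new connections from the DMZ into the LAN.
  ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
  # LAN may open connections into the DMZ.
  ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -j ACCEPT
  # Internet may reach the DMZ, and the DMZ may reach the Internet.
  ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -j ACCEPT
  ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -j ACCEPT
  # DMZ hosts may not talk to the firewall box itself (INPUT chain).
  ipt -A INPUT -i "$DMZ_IF" -s "$DMZ_NET" -j DROP
}

# Count how many rules dmz_rules would emit; handy for a quick sanity check.
rule_count() {
  DRY_RUN=1 dmz_rules | grep -c '^iptables '
}

dmz_rules
```

Run it once as-is to review the output, then "DRY_RUN=0 sh thisfile.sh" as root to apply. To verify the DMZ->LAN block from the DMZ server, a connection attempt to a LAN address should time out, while an RDP session opened from the LAN to 192.168.100.12 keeps working because its replies match the ESTABLISHED rule.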