Setting up the DMZ - firewall rules

The firewall rules we used for our webApp.secure environment are detailed here.

The firewall rules were structured in the following three areas:
  • Incoming traffic
  • Forwarding
  • Outgoing traffic
The strategy was to deny everything first and then allow a few dedicated connections. We set up the iptables rules to allow ping and SSH. In a production environment, ping (ICMP) and SSH (TCP port 22) would probably be denied. The detailed iptables commands used to implement the setup are shown in Firewall iptables rules.

Firewall 2

The rules we used for firewall 2 were:
  1. Incoming traffic
    a. Stop all incoming traffic
  2. Allow SSH sessions to firewall 2
  3. Allow ICMP traffic to firewall 2
  4. Allow all related and established traffic for firewall 2
  5. Forwarding traffic
    a. Stop all forwarding traffic
  6. Allow forwarding of TCP traffic from the 10.10.60.0 (client) network to port 80 (HTTP) and port 443 (HTTPS) on 192.168.40.95 (webApp.secure)
  7. Allow forwarding of ICMP traffic
  8. Allow forwarding of all related and established traffic
  9. Outgoing traffic
    a. Allow output traffic for ICMP
Note: Rules 2, 3, 7, and 9a are for maintenance only and would probably not be implemented in a production environment.

Firewall 1

The rules we used for firewall 1 were:
  1. Incoming traffic
    a. Stop all incoming traffic
  2. Allow SSH sessions to firewall 1
  3. Allow ICMP traffic to firewall 1
  4. Allow all related and established traffic for firewall 1
  5. Forwarding traffic
    a. Stop all forwarding traffic
  6. Allow forwarding of TCP traffic from the 192.168.40.0 (guest LAN) network to 10.10.50.110 (HiperSockets™ to z/OS®)
  7. Allow forwarding of ICMP traffic
  8. Allow forwarding of all related and established traffic
  9. Outgoing traffic
    a. Allow output traffic for ICMP
Note: Rules 2, 3, 7, and 9a are for maintenance only and would probably not be implemented in a production environment.
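The firewall 2 and firewall 1 rule lists above, expressed as iptables commands, as an added example. This is not the Redbook's own "Firewall iptables rules" listing. It assumes /24 masks for the client and guest LAN networks, uses the conntrack match rather than the older state match, and defaults the OUTPUT chain to DROP so that only ICMP and reply traffic leave the firewall; none of these details are stated on the page. With IPT unset the script only echoes the commands so they can be reviewed; run it as root with IPT=iptables to apply them. MAINT=no leaves out the maintenance-only rules 2, 3, 7 and 9a for a production build.

```shell
#!/bin/sh
# Added example: the firewall 1 and firewall 2 policy lists as iptables
# commands. Not the Redbook's own "Firewall iptables rules" listing.
# Assumptions not on the page: /24 masks for the client and guest LAN
# networks, conntrack instead of the older state match, and OUTPUT
# defaulting to DROP (only ICMP and reply traffic leave the firewall).
# With IPT unset the commands are only echoed for review; run as root
# with IPT=iptables to apply them.

IPT="${IPT:-echo iptables}"
MAINT="${MAINT:-yes}"          # yes = include maintenance rules 2, 3, 7, 9a

CLIENT_NET="10.10.60.0/24"     # clients in front of firewall 2
GUEST_NET="192.168.40.0/24"    # guest LAN / DMZ behind firewall 2
WEBAPP="192.168.40.95"         # webApp.secure
ZOS="10.10.50.110"             # HiperSockets address of z/OS behind firewall 1

# Deny everything first, then permit only loopback and reply traffic.
fw_base() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP                       # 1a. stop all incoming traffic
    $IPT -P FORWARD DROP                     # 5a. stop all forwarding traffic
    $IPT -P OUTPUT DROP                      # assumption: outgoing denied by default
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # 4. related/established traffic to the firewall itself (and its replies)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 8. related/established traffic through the firewall
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Rules 2, 3, 7 and 9a: maintenance only, left out when MAINT=no.
fw_maint() {
    [ "$MAINT" = "yes" ] || return 0
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT   # 2. SSH
    $IPT -A INPUT -p icmp -j ACCEPT                                       # 3. ICMP in
    $IPT -A FORWARD -p icmp -j ACCEPT                                     # 7. ICMP forward
    $IPT -A OUTPUT -p icmp -j ACCEPT                                      # 9a. ICMP out
}

# Firewall 2: only HTTP/HTTPS from the client network may reach webApp.secure.
fw2_rules() {
    fw_base
    fw_maint
    for port in 80 443; do                                                # 6.
        $IPT -A FORWARD -p tcp -s "$CLIENT_NET" -d "$WEBAPP" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Firewall 1: TCP from the guest LAN to z/OS. The page names no port,
# so none is restricted here; a real deployment would narrow this.
fw1_rules() {
    fw_base
    fw_maint
    $IPT -A FORWARD -p tcp -s "$GUEST_NET" -d "$ZOS" \
        -m conntrack --ctstate NEW -j ACCEPT                              # 6.
}

# Usage: ./dmz-fw.sh fw2 | fw1   (prints the rules; IPT=iptables applies them)
case "${1:-}" in
    fw2) fw2_rules ;;
    fw1) fw1_rules ;;
esac
```

Because every chain starts from a DROP policy, the order of the ACCEPT rules does not matter for correctness, only the ESTABLISHED,RELATED rule being present on each chain so that replies to permitted flows (including the SSH session you are typing in) keep working after the policy flips.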