Today I will talk about how you can set up a virtual DMZ with a virtual Sophos UTM.
The logical network structure
For a better understanding, I have created a little graphic of the logical network structure.
I am using an Ubuntu server with KVM as the hypervisor. My UTM, DMZ and LAN servers all run on this one physical server.
If you want to know how to set up a virtual UTM, just have a look at my blog entry about it.
Create the virtual switch
First we need a dummy interface.
You can create it and bring it up with the following commands (replace "what you want" with the interface name of your choice):
sudo ip link add name "what you want" type dummy
sudo ip link set "what you want" up
Second, create the virtual switch.
As the last step we have to isolate the hypervisor from the virtual DMZ.
For this we need an iptables rule that drops all incoming traffic on the dummy interface. And because it is so beautiful, we ban outgoing traffic too.
sudo iptables -A INPUT -i Dummy-DMZ5 -j DROP
sudo iptables -A OUTPUT -o virbr3 -j DROP
sudo iptables-save
Note that iptables-save only prints the current rule set to stdout; to keep the rules across reboots, store its output where your distribution loads it at boot (on Ubuntu, for example, with the iptables-persistent package).
Why do we actually need these iptables rules? Quite simple: without them, a DMZ server could reach the hypervisor itself via this interface, and a compromised DMZ host would then have a direct path to the machine that runs every other VM.
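As an added example that is not part of the original post, the following script performs the isolation step above idempotently (so re-running it does not pile up duplicate DROP rules) and provides a check that reads an iptables -S dump. The interface names Dummy-DMZ5 and virbr3 are taken from the commands above, the file name dmz-isolation.sh is an assumption, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example: idempotent DMZ isolation on the KVM host plus a verifier.
# Interface names are assumptions taken from the post's own commands.
DUMMY_IF="${DUMMY_IF:-Dummy-DMZ5}"
BRIDGE_IF="${BRIDGE_IF:-virbr3}"

# Create the dummy interface only if it does not exist yet, then bring it up.
create_dummy_if() {
    ip link show "$1" >/dev/null 2>&1 || ip link add name "$1" type dummy
    ip link set "$1" up
}

# Append a rule only if it is not already present (-C checks, -A appends).
add_rule_once() {
    iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

# Drop everything the DMZ sends to the hypervisor and everything the
# hypervisor would send into the DMZ bridge.
setup_dmz_isolation() {
    create_dummy_if "$DUMMY_IF"
    add_rule_once INPUT -i "$DUMMY_IF" -j DROP
    add_rule_once OUTPUT -o "$BRIDGE_IF" -j DROP
}

# verify_isolation DUMMY_IF BRIDGE_IF < dump
# Reads an "iptables -S" style dump from stdin and returns 0 only if both
# DROP rules are present. Pure text processing, so it also works on a saved
# dump without root.
verify_isolation() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -qxF -- "-A INPUT -i $1 -j DROP" || return 1
    printf '%s\n' "$dump" | grep -qxF -- "-A OUTPUT -o $2 -j DROP" || return 1
    return 0
}

# Constructed sample dump for illustration (not captured from a real host).
GOOD_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i Dummy-DMZ5 -j DROP
-A OUTPUT -o virbr3 -j DROP'

# Usage on the hypervisor (needs root), assuming the file is dmz-isolation.sh:
#   sudo sh -c '. ./dmz-isolation.sh; setup_dmz_isolation; \
#     iptables -S | verify_isolation "$DUMMY_IF" "$BRIDGE_IF" && echo isolated'
```

The verifier is the part worth keeping around: run it after every reboot or rule reload so a missing rule is noticed before a DMZ host is.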
Connect the DMZ with the UTM and the test server
OK, we have created the virtual DMZ. Now we need to connect it to a test server and to our virtual UTM.
Needed configurations on the UTM
Insert the new DMZ interface.
You can identify the correct interface by its MAC address: compare the address shown in Virt Manager with the one shown in the UTM.
Don't do this! If you allow the DMZ devices to use the DNS service of the UTM, they can resolve the names of all devices known to the UTM, which hands anyone who compromises a DMZ host a ready-made map of your internal network. Every hacker is happy about this.
The UTM has the peculiarity that ping is handled in its global ICMP settings, and those settings take precedence over the firewall rules: if ping is allowed there, it works even when a firewall rule prohibits it. Therefore you should disable ping on the gateway interface in the ICMP settings and allow it through explicit firewall rules only where required. Otherwise DMZ devices could map your IP network structure with an IP scanner.
Have a nice day!