Current Config:
Internet -- SDSL Router (bridge mode) -- Netgear Prosafe Router --- switch -- NAT/LAN
Ports 25 & 443 open to windows 2003/exchange 2003 server (OWA)
I wish to add a web server. Rather than use the windows server, I will run Apache/PHP/MySQL on a Fedora Core 5 box.
The linux box will also be used for remote document access over SSL (webdav or similar), running on port 10001 (443 being used by OWA).
I would also like to use the linux box to relay mail to the exchange server, running through postfix, amavis, spamassassin & clamav. This is to provide an extra layer of av scanning before mail hits the exchange av scanner.
So, ports 25, 80 & 10001 will be opened to the linux box.
The only access to the linux box from the internal network will be ssh/ftp over ssh.
I wish to isolate the linux box from the rest of the network as much as possible. If the web server is hacked, I don't want it to be able to access the rest of the internal network.
I'm happy with the usual linux hardening steps.
Any suggestions on the best way to config this?
The Netgear router won't allow a separate DMZ and NAT/LAN, so I can't put the linux box in the DMZ (I think?). The customer won't upgrade the router.
I could add a second Netgear Prosafe router or a second NIC to the linux box if that would be of any use?
My initial thought would be to harden linux, place it on the same LAN, open the firewall ports & config iptables. Any better ways of doing this or am I heading for a world of trouble?
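As an added example (not part of the original post, and not a configuration the poster has actually deployed), here is a host-firewall ruleset for the "same LAN, isolate with iptables" option described above. It publishes 25, 80 and 10001, allows ssh only from one admin workstation, lets postfix hand scanned mail to the Exchange server on port 25, and logs and drops every other packet the box tries to send into the LAN, so a compromised web server cannot quietly reach the rest of the network. All addresses (LAN range, Exchange, admin host, gateway/DNS) are placeholders that must be set for the real network; the `-m state` match is what the iptables of the Fedora Core 5 era shipped with.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) iptables rules that isolate a
# Linux web/mail-relay host sitting on the same LAN as the internal network.
# Addresses below are placeholders, not taken from the question: override them
# with environment variables before applying.
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # the internal network
EXCHANGE="${EXCHANGE:-192.168.1.10}"     # Exchange 2003 server postfix relays to
ADMIN_HOST="${ADMIN_HOST:-192.168.1.50}" # only host allowed to ssh/sftp in
DNS1="${DNS1:-192.168.1.1}"              # resolver (here the Netgear gateway)

# Print the ruleset as iptables commands, one per line. Order matters:
# the narrow Exchange allow must come before the blanket LAN drop.
build_rules() {
  cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services forwarded by the router: SMTP relay, HTTP, WebDAV over SSL
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 10001 -m state --state NEW -j ACCEPT
# ssh (and ftp over ssh) only from the admin workstation
iptables -A INPUT -p tcp -s $ADMIN_HOST --dport 22 -m state --state NEW -j ACCEPT
# Outbound into the LAN: scanned mail to Exchange and DNS lookups, nothing else
iptables -A OUTPUT -p tcp -d $EXCHANGE --dport 25 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -d $DNS1 --dport 53 -j ACCEPT
iptables -A OUTPUT -d $LAN_NET -j LOG --log-prefix "LAN-BLOCK: "
iptables -A OUTPUT -d $LAN_NET -j DROP
# Towards the Internet: package updates and direct SMTP delivery
iptables -A OUTPUT -p tcp -m multiport --dports 25,80,443 -m state --state NEW -j ACCEPT
EOF
}

# Sanity check: the Exchange allow rule must precede the LAN drop rule,
# otherwise postfix could never deliver to Exchange.
check_rules() {
  rules=$(build_rules)
  allow=$(printf '%s\n' "$rules" | grep -n -- "-d $EXCHANGE --dport 25" | cut -d: -f1)
  drop=$(printf '%s\n' "$rules" | grep -n -- "-d $LAN_NET -j DROP" | cut -d: -f1)
  [ -n "$allow" ] && [ -n "$drop" ] && [ "$allow" -lt "$drop" ]
}

# Apply the rules (needs root and iptables); comment lines are stripped first.
apply_rules() {
  check_rules || { echo "rule ordering check failed" >&2; return 1; }
  build_rules | grep -v '^#' | sh
}

case "${1:-}" in
  --apply) apply_rules ;;
  --check) check_rules && echo "ordering ok" ;;
  --print) build_rules ;;
esac
```

Run `sh isolate.sh --print` to review the rules, `--check` to confirm the allow/drop ordering, and `--apply` as root once the placeholders are set (take an `iptables-save` first). The `LAN-BLOCK:` log lines in syslog are the detection value of this setup: any attempt by the web server to reach an internal address other than Exchange shows up there.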