this is a two part question =)

we have a secure ftp server that we're trying to protect by putting an extra layer between it and the 'net. the idea is to keep the SFTP server on the LAN and have a machine in the DMZ port forward the necessary ports (990 and 28000-28030) to it. eth0 connects to the internet and eth1 connects to the LAN.

first question: is this a good idea or is there a better way? (we don't want to put the SFTP server itself in the DMZ since local users here need to put files on it frequently)

second question: why in the world doesn't this script work? (note that i'm using port 80 to test since http should be fairly simple to get going)

/proc/sys/net/ipv4/ip_forward is set to 1 already

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -m --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.109
iptables -A FORWARD -s 10.0.0.109 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

I don't really see the point of what you're suggesting. The point of a DMZ is to hold a system in an intermediate security level between the internal LAN and external internet bedlam. What you're doing would totally invalidate the DMZ, as you would have a single TCP connection right from the net into your secure network. If you were going to have an intermediate system then you would generally convert the protocol at that point, or at the absolute least genuinely proxy the data to stop many attacks getting through.

A DMZ is also not necessarily inaccessible from the internal network, the only standard logic is that you can only pass form the internal network to the DMZ one, not the other way round, due to firewall constraints.

chris, what you're saying makes sense. we're using apache to proxy 443 and 80 to our internal web server but we couldn't find a tool to do the same with SFTP's ports. is it your consensus that the safest thing would be to keep the SFTP server in the DMZ and not allow it to touch the internal LAN at all?

what product are you actually using? sftp is just ssh with a secondary subsystem in it... just port 22 and nothing else. google says you're actually trying to play blockland...

well *THE* safest thing is to have a literal airgap in the architecture, sharing power supplies and nothing else, but in reality there's little wrong in allowing some access through a firewall from lan to dmz, just not in the other direction.

EDIT: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.109 this is better.. otherwise it will send all of tcp 80 requests to 10.0.0.109

Chris, we're using GlobalSCAPE Secure FTP for our SFTP needs.

Maxut, is your code snippet with the forward intended to replace my line with the forward?

Would it help security in any way if we had a linux box port forwarding 990 and 28000-28030 to the SFTP server even with the SFTP server in the DMZ also? We just want it to be as solid and safe as possible.

ok, well looking at that product, if you're using sftp, then those port ranges are irrelevant... are you really sure what actual protocol you are using? if you do want to use sftp, then that'd just be single port 22, nice and simple (and recommended by them on their KB it seems)