Since you are running a webserver, I will assume you have a static IP from your ISP.
Firstly, the DNAT rule you have is good. In this situation, you need to SNAT traffic from the local networks (LAN/DMZ) for ALL ports to the router's Internet IP address.
Code:
iptables -t nat -A POSTROUTING -o $wan_if -j SNAT --to $public_ip
The reason for this is, when a packet originating from a LAN client, 192.168.1.1 for example, initiates an HTTP connection with google.com, the request packet's source IP (and thus where the reply packets will get sent) will be 192.168.1.1. When this packet gets to google.com, the return packets would be sent to the local IP 192.168.1.1, which may or may not exist. The moral of the story is, the reply packets will never get back to the host that made the request.
So what happens is, the original request packet comes into the router/firewall, gets filtered by the firewall, then gets routed out the $wan_if interface, and is then SNAT'ed to the router's $public_ip. The ip_conntrack module keeps track of these connections and reverses the process on the returned packets, which come to the router/firewall's $wan_if, get filtered by the firewall, SNAT'ed to the IP by ip_conntrack, routed, and returned to the client.
This does not need to take place for local routed traffic between two subnets. So the SNAT rules you are using are invalid.
You could check that routing is working by making sure the:
LAN can ping the DMZ, internet and gateway
DMZ can ping the LAN, internet and gateway (we can discuss filtering this later)
Router/firewall can ping everything
Quote:
I would like to use some rule like:
Since you still haven't said what interface relates to what subnet, you are making this somewhat difficult.
Quote:
iptables -A OUTPUT -i eth2 -s 192.168.2.0/24 -d 0.0.0.0 --dport 80 -j ACCEPT #this for LAN can access to external
This rule won't work. The OUTPUT chain is for packets generated BY the firewall itself.
Quote:
iptables -A INPUT -i eth0 -d 192.168.2.0/24 --dport 80 -j ACCEPT #this for responses from external to LAN
Once again, the INPUT chain is for packets destined TO the router.
Incidentally (not that you asked), the FORWARD chain is for packets being routed THROUGH the firewall.
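To put the chain explanation above into a complete ruleset, here is an added example script that is not from the thread or the original poster. It puts the DNAT and the all-ports SNAT in the nat table, the LAN/DMZ-to-internet and DNAT'ed web traffic in FORWARD (routed THROUGH the firewall), and only router-bound traffic in INPUT; nothing from the OP's rules lands in OUTPUT. The interface names (eth0 WAN, eth1 DMZ, eth2 LAN), the 192.168.x.0/24 subnets, the webserver address and the public IP 203.0.113.10 are assumptions, since the thread never states them. By default it only prints the iptables commands (DRY_RUN=1); set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example, not the poster's ruleset. Interface names and addresses are
# assumptions; the public IP is a constructed TEST-NET-3 address.
WAN_IF=${WAN_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth1}
LAN_IF=${LAN_IF:-eth2}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}
LAN_NET=192.168.2.0/24
DMZ_NET=192.168.1.0/24
WEB_SERVER=192.168.1.10      # assumed DMZ host reached through the DNAT rule
DRY_RUN=${DRY_RUN:-1}        # 1 = print the commands, 0 = execute them

# ipt either echoes or executes an iptables command, depending on DRY_RUN
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Default policies: nothing is routed or accepted unless listed below
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Let ip_conntrack admit the reply half of every connection it tracks
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # nat table: inbound port 80 is DNAT'ed to the DMZ webserver, and
    # everything leaving the WAN interface (all ports) is SNAT'ed to the public IP
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"

    # FORWARD chain: packets routed THROUGH the firewall
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT                 # LAN -> internet
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" -j ACCEPT   # LAN -> DMZ
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT  # DNAT'ed web hits
    ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -j ACCEPT                 # DMZ -> internet
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP                                 # DMZ may not initiate to LAN

    # INPUT chain: only packets destined TO the router itself (here: SSH from the LAN)
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
}

# count_appends reports how many -A rules the ruleset places in a given chain,
# which makes it easy to confirm that no client traffic rule ended up in OUTPUT
count_appends() {
    apply_rules | grep -c -- "-A $1 " || true
}

apply_rules
```

The two quoted rules from the question map onto the `-A FORWARD -i "$LAN_IF" -o "$WAN_IF"` line (LAN to external) and the `ESTABLISHED,RELATED` FORWARD rule (responses back to the LAN); neither belongs in OUTPUT or INPUT, and the DMZ-to-LAN DROP is the place to start the filtering the reply defers for later.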