I am trying to set up a DMZ host - that is, one multifunctional PC between the WAN and the LAN. I've started with a basic router, and expanding upon that as the need arises.
I am currently trying to gain access (from the WAN) to a website hosted on one of the servers in the LAN, but I am having trouble accessing the host from the WAN; I think my iptables configuration may be too restrictive.
On the DMZ host, I'm using Debian (Etch). I have setup dhcp3-server, a script to configure iptables and pound (reverse-proxy). The (virtual) machine has 4 network cards: eth0, eth1, eth2, eth3; eth0 is the WAN, eth1 through eth3 serve 3 different virtual LANs.
All machines in the LAN (except one windows 2008 server - I might want to address that problem later) get their IP adresses correctly via dhcp from the DMZ host.
All machines on the LAN can access the internet (including the 2008 server if I configure it manually) as they should.
If I access
http://localhost on the DMZ host, pound reports "The service is not available. Please try again later." - as it should.
I can ping the DMZ host from the WAN on 10.0.0.79
However, if I try to access the DMZ host from the WAN (
http://10.0.0.79) I get "Unable to connect" from firefox. I'm sure this is not a pound problem, so I think it's in the iptables, or maybe I should be installing some extra software that I'm unaware of.
My configuration is based completely on an article from
http://www.debian-administration.org/articles/23
and shown below:
Code:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables –F
iptables -t nat –F
iptables -t mangle –F
iptables –X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth3 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth0 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
this code is in /etc/network/if-up.d/00-gateway; here's another problem - the article stated that any code in that location should execute automatically when network interfaces are up, but it doesn't seem to be working. I can execute it manually with bash, but that doesn't solve the problem. So in short:
- why does the script not run automatically?
- what do I need to change to be able to access the DMZ host from the WAN?