LinuxQuestions.org
Old 07-06-2010, 07:41 AM   #1
MHJCuijpers
LQ Newbie
 
Registered: Aug 2007
Location: Zevenaar, the Netherlands
Distribution: Debian 5.0 (Lenny)
Posts: 11

Rep: Reputation: 0
iptables configuration on debian dmz host


I am trying to set up a DMZ host - that is, one multifunctional PC between the WAN and the LAN. I've started with a basic router, and expanding upon that as the need arises.

I am currently trying to gain access (from the WAN) to a website hosted on one of the servers in the LAN, but I am having trouble accessing the host from the WAN; I think my iptables configuration may be too restrictive.

On the DMZ host, I'm using Debian (Etch). I have setup dhcp3-server, a script to configure iptables and pound (reverse-proxy). The (virtual) machine has 4 network cards: eth0, eth1, eth2, eth3; eth0 is the WAN, eth1 through eth3 serve 3 different virtual LANs.

All machines in the LAN (except one windows 2008 server - I might want to address that problem later) get their IP addresses correctly via dhcp from the DMZ host.

All machines on the LAN can access the internet (including the 2008 server if I configure it manually) as they should.

If I access http://localhost on the DMZ host, pound reports "The service is not available. Please try again later." - as it should.

I can ping the DMZ host from the WAN on 10.0.0.79

However, if I try to access the DMZ host from the WAN (http://10.0.0.79) I get "Unable to connect" from firefox. I'm sure this is not a pound problem, so I think it's in the iptables, or maybe I should be installing some extra software that I'm unaware of.

My configuration is based completely on an article from http://www.debian-administration.org/articles/23
and shown below:

Code:
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# "! -i eth0" negates the interface match (the older "-i ! eth0" spelling is deprecated)
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth3 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
This code is in /etc/network/if-up.d/00-gateway; here's another problem - the article stated that any code in that location should execute automatically when network interfaces are up, but it doesn't seem to be working. I can execute it manually with bash, but that doesn't solve the problem. So in short:

- why does the script not run automatically?
- what do I need to change to be able to access the DMZ host from the WAN?
 
Old 07-06-2010, 08:38 AM   #2
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
You need to allow establishing NEW connections through eth0 (which is the WAN), because right now it is not allowed.
 
Old 07-07-2010, 06:20 AM   #3
MHJCuijpers
LQ Newbie
 
Registered: Aug 2007
Location: Zevenaar, the Netherlands
Distribution: Debian 5.0 (Lenny)
Posts: 11

Original Poster
Rep: Reputation: 0
Just tried that (added iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT) but that didn't work, either. So next I tried just kicking everything open by starting with

Code:
iptables -A INPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT
Which is completely undesirable, but it should serve to find out whether my iptables rules are the only problem. But that didn't seem to work either.

Does anyone have any other suggestions? Or questions I can clear up?

P.S. In the meantime I found out the script wasn't running as a result of permissions on the file; so that minor part, at least, is solved.
 
Old 07-07-2010, 08:05 AM   #4
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Quote:
Originally Posted by MHJCuijpers
Just tried that (added iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT) but that didn't work, either.
It is really reasonable, because:
Quote:
...I am currently trying to gain access (from the WAN) to a website hosted on one of the servers in the LAN...
The rule you have added only allows packets into your Linux router itself. They need to be forwarded to a different interface (because the server is in the LAN). The rule should be "prerouting":
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination <web server IP>
This will tell the router that packets which came in on eth0 to port 80 need to be sent to a different IP.
And if "iptables -A FORWARD -j ACCEPT" is present and the router has routing enabled, it will send them to the appropriate interface.

"iptables -A FORWARD -j ACCEPT" is a temporary rule, because you will want to make it more precise for your needs.
 
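A worked version of the rules nimnull22 describes, added here as an example and not taken from the thread or the debian-administration article: the DNAT rule plus a FORWARD rule scoped to that single flow, which is the "more precise" replacement for the temporary "iptables -A FORWARD -j ACCEPT". It assumes eth0 is the WAN, the web server sits behind eth1 at the constructed address 192.168.1.10, and the original script's "-A FORWARD -i eth0 -j REJECT" is still the last rule in FORWARD.

```shell
#!/bin/sh
# Added example, not from the thread: publish a LAN web server on the DMZ host's
# WAN address with DNAT plus a FORWARD rule that admits only that one flow.
# Assumptions (constructed): WAN is eth0, web server is behind eth1 at 192.168.1.10.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WEB_IP=${WEB_IP:-192.168.1.10}
# Set IPT="echo iptables" to print the rules instead of applying them (no root needed).
IPT=${IPT:-iptables}

# The FORWARD rule is inserted at position 1 on purpose: the original script ends
# with "-A FORWARD -i eth0 -j REJECT", so a rule appended after it is never reached.
publish_web_server() {
  # 1. In PREROUTING, rewrite the destination of WAN connections to port 80
  #    to the LAN server. FORWARD sees the packet with the rewritten address.
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
       -j DNAT --to-destination "$WEB_IP"
  # 2. Let only new TCP/80 connections to that host cross WAN -> LAN. Reply
  #    packets are already covered by the LAN -> WAN ACCEPT and the
  #    ESTABLISHED,RELATED rules in the original script.
  $IPT -I FORWARD 1 -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_IP" --dport 80 \
       -m state --state NEW -j ACCEPT
}

# Show both chains with packet counters and line numbers, so you can confirm the
# new FORWARD rule sits above the REJECT and that its counters move on a WAN request.
show_rules() {
  $IPT -t nat -L PREROUTING -n -v
  $IPT -L FORWARD -n -v --line-numbers
}

# Only touch the live rule set when explicitly asked: ./publish.sh apply  (as root)
if [ "${1:-}" = "apply" ]; then
  publish_web_server
  show_rules
fi
```

Run it with `IPT="echo iptables" sh publish.sh apply` first to review the exact commands before applying them as root.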