Hello, these are my first steps setting up iptables, and i've done this script however it does not seem to work.

I have 1 firewall, 1 dmz and 1 lan.

Firewall:
Lan Iface (192.168.0.1)
Dmz Iface (172.16.0.1)
Internet Iface (i called it swan_iface) (192.168.1.134)

the ips of the computer interfaces are:
lan pc: 192.168.0.55
dmz pc: 172.16.0.11

I need the lan to have access to internet through the firewall.
The dmz should not be able to acess the lan unless it's a known connection
Internet must reach the DMZ
Internet must reach the lan in case of known connection.
Lan can access the DMZ
DMZ cannot access LAN


This is my iptable, comments on it are appreciated.

#declaring variables
swan_iface="eth1"
lan_iface="eth2"
dmz_iface="eth3"

dmz="172.16.0.11"
lan="192.168.1.0"

#resetting iptables

iptables -F
iptables -X
iptables -Z
iptables -t nat -F

#Default drop policy

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Forwarding on

echo 1 > /proc/sys/net/ipv4/ip_forward


#Lan users can access internet, internet will only access lan if it is a known connection


iptables -A FORWARD -s $lan -p tcp --dport 80 -o $swan_iface -j ACCEPT
iptables -A FORWARD -i $swan_iface -d $lan -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -s $lan -p udp --dport 53 -o $swan_iface -j ACCEPT
iptables -A FORWARD -i $swan_iface -d $lan -p udp --sport 53 -j ACCEPT

iptables -A FORWARD -s $lan -p tcp --dport 443 -o $swan_iface -j ACCEPT
iptables -A FORWARD -i $swan_iface -d $lan -p tcp --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT

#Lan can access DMZ

iptables -t nat -A PREROUTING -i $swan_iface -p udp --dport 53 -j DNAT --to $dmz
iptables -t nat -A PREROUTING -i $swan_iface -p tcp --dport 80 -j DNAT --to $dmz
iptables -t nat -A PREROUTING -i $swan_iface -p tcp --dport 443 -j DNAT --to $dmz


#DMZ cannot access the lan unless it is a known connection

iptables -A FORWARD -i $dmz_iface -d $lan -p udp --sport 53 -j ACCEPT
iptables -A FORWARD -i $dmz_iface -d $lan -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $dmz_iface -d $lan -p tcp --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT

#internet can access the DMZ (http, ftp and dns)

iptables -t nat -A PREROUTING -i $swan_iface -p tcp --dport 80 -j DNAT --to $dmz
iptables -t nat -A PREROUTING -i $swan_iface -p udp --dport 53 -j DNAT --to $dmz
iptables -t nat -A PREROUTING -i $swan_iface -p tcp --dport 20:21 -j DNAT --to $dmz

#DMZ can access internet http, ftp, dns

iptables -A FORWARD -s $dmz -p tcp --sport 80 -o $swan_iface -j ACCEPT
iptables -A FORWARD -s $dmz -p udp --sport 53 -o $swan_iface -j ACCEPT
iptables -A FORWARD -s $dmz -p tcp --sport 20:21 -o $swan_iface -j ACCEPT


Any clues on what am i doing wrong???? Coz nothing works at all LOL

Read this

Also it doesnt look like you are not tagging any connections with NEW. So ESTABLISHED and RELATED rules wont be applied to anything.

You have defined

and

Your lan interface IP is 192.168.0.1

So when you define "-d $lan" So no rule match . And default policy is denied as a result firewall drops packet

So you can try to change lan=192.168.0.1 NOT lan=192.168.1.0

And also when you define

lan="192.168.0.1" define mask as well

lan="192.168.0.1/24"
dmz="172.16.0.11/24"

replace 24 with correct netmask

Hope it helps

The "dmz" variable contains a single IP address in the DMZ network, while the "lan" variable contains the network address of the LAN network.

Suggestion: Have both variables contain the network address and network size in CIDR format ("192.168.1.0/24" for the LAN network). Add separate variables for any specific hosts you will be referencing in your script, with descriptive names (like $dmz_ftp_server).
This may or may not work, depending on how the iptables command interprets "192.168.1.0". My guess is it will consider it a single IP, and as a result the rule will not work. Modifying the "lan" variable as outlined above should fix that.

Suggestion: How about moving the rule permitting ESTABLISHED and RELATED traffic to a separate section at the top? Is there any interface for which you don't want to allow such traffic?

The above rule is superfluous, as DNS replies are covered by the rule permitting established/related traffic. (If the rule was not intended to cover DNS replies, it won't work anyway since the LAN network is NATed.)

The heading doesn't match the rules at all; you're port forwarding traffic from the WAN interface to the DMZ network. Anyway, the last two won't work, as you're missing rules in the FORWARD chain for TCP ports 80 and 443.

Suggestion: Put all rules regarding port forwarding in a section by themselves, with the FORWARD rule in the filter chain immediately after the PREROUTING rule in the nat chain. That way it's very obvious that the two rules are related.

Apart from the misleading heading, all these rules could be replaced by a general rule covering ESTABLISHED and RELATED traffic.

You already did this. Besides, these are not access rules as the heading indicates, but NAT rules.

Also, you don't need to include port 20 for FTP traffic. The netfilter FTP ALG module handles that automatically.

This looks OK, but you seem to be missing a rule to perform source NAT (overloading) for traffic exiting $swan_iface