LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 10-21-2005, 01:21 PM   #1
scjvsTP
LQ Newbie
 
Registered: Sep 2005
Distribution: SuSE 10, Fedora Core 4
Posts: 15

IPTABLES trouble


I can't seem to allow computers in my internal network (on NAT eth1) to access the web server on the DMZ (NAT eth2). The NAT can access the web server fine. There isn't a firewall running on the web server. Can anyone help me out here? Here is my script so far.

Code:
#!/bin/bash
#
#
#############    IPTABLES firewall		#############
#############    By David Pack			#############
#############    Information Technology SCJVS	#############

echo "IPTABLES Firewall"
echo "----------------"

############# Variables
	echo "	Creating Variables"

	###Path to executables
	IPTABLES=/usr/sbin/iptables
	MODPROBE=/sbin/modprobe

	###Network Interfaces
	IFACE_EXT=eth0	# Internet
	IFACE_INT=eth1	# Internal Network
	IFACE_DMZ=eth2	# DMZ

	###IP Addresses
	IPADDR_EXT=192.168.138.1
	IPADDR_INT=192.168.20.1
	IPADDR_DMZ=192.168.50.1

	IPADDR_GATEWAY=192.168.128.1
	IPADDR_SAMBA=192.168.20.2

	IPADDR_INT_DNS=192.168.20.1
	IPADDR_EXT_DNS=10.0.0.101

	IPADDR_WEBSERVER=192.168.50.2

	###Subnet Masks
	SUBNET_EXT=255.255.240.0
	SUBNET_INT=255.255.255.0
	SUBNET_DMZ=255.255.255.0

########### End Variables

########### Firewall

	###Stop forwarding while setting up
	echo "	Disabling IP Forwarding"
	echo "0" > /proc/sys/net/ipv4/ip_forward

	###Modules
	echo "	Loading Modules"
	${MODPROBE} ip_conntrack_ftp
	${MODPROBE} ip_conntrack_irc

	###Flush tables
	echo "	Flushing Tables"
	${IPTABLES} -F					#flush chains
	${IPTABLES} -X					#delete user chains
	${IPTABLES} -Z					#set counters to zero
	for t in `cat /proc/net/ip_tables_names`
	do
		${IPTABLES} -F -t $t
		${IPTABLES} -X -t $t
		${IPTABLES} -Z -t $t
	done

	###Setup policy
	echo "	Setting up policy"
	${IPTABLES} -P INPUT   DROP			# Drop all packets that
	${IPTABLES} -P OUTPUT  ACCEPT			# aren't specified to be
	${IPTABLES} -P FORWARD ACCEPT			# accepted in the script.

	###Accept local interface
	echo "	Accept local interface"
	${IPTABLES} -A INPUT  -i lo -j ACCEPT
	${IPTABLES} -A OUTPUT -o lo -j ACCEPT

	###Accept anything from the inside network.
	echo "	Accept anything from the inside network."
	${IPTABLES} -A INPUT -i ${IFACE_INT} -j ACCEPT
	${IPTABLES} -A OUTPUT -o ${IFACE_INT} -j ACCEPT

	${IPTABLES} -A INPUT -i ${IFACE_DMZ} -j ACCEPT
	${IPTABLES} -A OUTPUT -o ${IFACE_DMZ} -j ACCEPT

	###Allow our firewall to connect.
	echo "	Allow our firewall to connect."
	${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	${IPTABLES} -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

	###Allow ping
	echo "	Allow ping"
	${IPTABLES} -A INPUT  -p icmp -j ACCEPT
	${IPTABLES} -A OUTPUT -p icmp -j ACCEPT

	##Allow access to webserver
	echo "	Allow access to webserver."
	${IPTABLES} -A INPUT -i ${IFACE_DMZ} -p tcp -s 0.0.0.0 --sport 1024:65535 --dport 80 -j ACCEPT
	${IPTABLES} -A OUTPUT -o ${IFACE_DMZ} -p tcp --sport 80 -d 0.0.0.0 --dport 1024:65535 -j ACCEPT

	###Share internet connection w/ internal network.
	echo "	Share internet connection with internal network."
	${IPTABLES} -t nat -A POSTROUTING -o ${IFACE_EXT} -j MASQUERADE

	###Allow connections to the internet from the internal network.
	${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	${IPTABLES} -A FORWARD -m state --state NEW -i ${IFACE_INT} -j ACCEPT

	###Enable dynamic IP address following
	echo 2 > /proc/sys/net/ipv4/ip_dynaddr

	# Syncookies
	echo "1" > /proc/sys/net/ipv4/tcp_syncookies

	###Enabling IP forwarding.
	echo "	Enabling IP forwarding"
	echo "1" > /proc/sys/net/ipv4/ip_forward

	echo "----------------"
	echo "Complete!"
########### End Firewall
 
Old 10-21-2005, 10:32 PM   #2
SirGertrude
Member
 
Registered: May 2004
Location: Missouri
Distribution: Gentoo
Posts: 59

I don't see any problems in your iptables script that would prevent you from seeing the web server. I do see some redundant lines that could be removed to clean things up.

The following lines are not needed as they are repetitive (already covered by the default policies "-P OUTPUT ACCEPT" and "-P FORWARD ACCEPT"):
Quote:
${IPTABLES} -A OUTPUT -o lo -j ACCEPT
${IPTABLES} -A OUTPUT -o ${IFACE_INT} -j ACCEPT
${IPTABLES} -A OUTPUT -o ${IFACE_DMZ} -j ACCEPT
${IPTABLES} -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A OUTPUT -p icmp -j ACCEPT
${IPTABLES} -A OUTPUT -o ${IFACE_DMZ} -p tcp --sport 80 -d 0.0.0.0 --dport 1024:65535 -j ACCEPT
${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
This line is not needed:
Quote:
${IPTABLES} -A INPUT -i ${IFACE_DMZ} -p tcp -s 0.0.0.0 --sport 1024:65535 --dport 80 -j ACCEPT
because it is already defined by this rule:
Quote:
${IPTABLES} -A INPUT -i ${IFACE_DMZ} -j ACCEPT
You will need a DNAT rule if you want public internet traffic to hit the DMZ IP address:
Code:
${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -m state --state NEW -j DNAT --to 192.168.50.2
In the end your script should look like this:

Code:
#!/bin/bash
#
#
#############    IPTABLES firewall		#############
#############    By David Pack			#############
#############    Information Technology SCJVS	#############

echo "IPTABLES Firewall"
echo "----------------"

############# Variables
	echo "	Creating Variables"

	###Path to executables
	IPTABLES=/usr/sbin/iptables
	MODPROBE=/sbin/modprobe

	###Network Interfaces
	IFACE_EXT=eth0	# Internet
	IFACE_INT=eth1	# Internal Network
	IFACE_DMZ=eth2	# DMZ

	###IP Addresses
	IPADDR_EXT=192.168.138.1
	IPADDR_INT=192.168.20.1
	IPADDR_DMZ=192.168.50.1

	IPADDR_GATEWAY=192.168.128.1
	IPADDR_SAMBA=192.168.20.2

	IPADDR_INT_DNS=192.168.20.1
	IPADDR_EXT_DNS=10.0.0.101

	IPADDR_WEBSERVER=192.168.50.2

	###Subnet Masks
	SUBNET_EXT=255.255.240.0
	SUBNET_INT=255.255.255.0
	SUBNET_DMZ=255.255.255.0

########### End Variables

########### Firewall

	###Stop forwarding while setting up
	echo "	Disabling IP Forwarding"
	echo "0" > /proc/sys/net/ipv4/ip_forward

	###Modules
	echo "	Loading Modules"
	${MODPROBE} ip_conntrack_ftp
	${MODPROBE} ip_conntrack_irc

	###Flush tables
	echo "	Flushing Tables"
	${IPTABLES} -F					#flush chains
	${IPTABLES} -X					#delete user chains
	${IPTABLES} -Z					#set counters to zero
	for t in `cat /proc/net/ip_tables_names`
	do
		${IPTABLES} -F -t $t
		${IPTABLES} -X -t $t
		${IPTABLES} -Z -t $t
	done

	###Setup policy
	echo "	Setting up policy"
	${IPTABLES} -P INPUT   DROP			# Drop all packets that
	${IPTABLES} -P OUTPUT  ACCEPT			# aren't specified to be
	${IPTABLES} -P FORWARD ACCEPT			# accepted in the script.

	###Accept local interface
	echo "	Accept local interface"
	${IPTABLES} -A INPUT  -i lo -j ACCEPT

	###Accept anything from the inside network.
	echo "	Accept anything from the inside network."
	${IPTABLES} -A INPUT -i ${IFACE_INT} -j ACCEPT

	${IPTABLES} -A INPUT -i ${IFACE_DMZ} -j ACCEPT

	###Allow our firewall to connect.
	echo "	Enable stateful firewall."
	${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	###Allow ping
	echo "	Allow ping"
	${IPTABLES} -A INPUT  -p icmp -j ACCEPT

	###Share internet connection w/ internal network.
	echo "	Share internet connection with internal network."
	${IPTABLES} -t nat -A POSTROUTING -o ${IFACE_EXT} -j MASQUERADE

	###Forward new connections destined for the external interface to the DMZ server
	echo "	Enable DMZ."
	${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -m state --state NEW -j DNAT --to 192.168.50.2

	###Enable dynamic IP address following
	echo 1 > /proc/sys/net/ipv4/ip_dynaddr

	# Syncookies
	echo "1" > /proc/sys/net/ipv4/tcp_syncookies

	###Enabling IP forwarding.
	echo "	Enabling IP forwarding"
	echo "1" > /proc/sys/net/ipv4/ip_forward

	echo "----------------"
	echo "Complete!"
########### End Firewall
Unfortunately this does not solve your problem. Make sure that you are connecting to the web server using its private IP (192.168.50.2) rather than its public IP (192.168.138.1) when you connect from computers on the internal network (eth1). If you still can’t get in it could be a routing issue, in that case look over the routing table and make sure the proper routes are configured.

Let us know if this works for you.
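Editor's note with an added example (mine, not code from either post). With "-P FORWARD ACCEPT" the original script forwards eth1 to eth2 without restriction, so the rule set is indeed not what blocks the connection; the two things that usually do are a LAN client using the public address 192.168.138.1 (nothing in the original rewrites it) or the web server not routing its replies back through 192.168.50.1. The same ACCEPT policy, and a DNAT of every new connection from eth0, also expose far more than the web server's port 80 to the Internet. The script below keeps the thread's interface names and addresses and does three things differently: FORWARD defaults to DROP with explicit LAN-to-Internet, LAN-to-web and Internet-to-web rules, only tcp/80 on the public address is published, and a second DNAT rule on eth1 (hairpin) lets internal clients use the public address too. The `r` helper, the `--apply` switch, the anti-spoofing drops and the assumption that the DMZ host resolves DNS via the firewall are the example's own, not the thread's.

```shell
#!/bin/bash
# Added example (editor's, not from the thread): a three-legged firewall for the
# addresses used in the posts. eth0 = Internet 192.168.138.1, eth1 = LAN
# 192.168.20.0/24, eth2 = DMZ 192.168.50.0/24, web server 192.168.50.2.
# Without --apply it only prints the rule set, so it can be reviewed or diffed
# before it touches a live box; --apply needs root and an iptables with the
# state match, as in the thread.
set -u

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
IFACE_EXT=eth0        # Internet
IFACE_INT=eth1        # internal network
IFACE_DMZ=eth2        # DMZ
IPADDR_EXT=192.168.138.1
NET_INT=192.168.20.0/24
NET_DMZ=192.168.50.0/24
IPADDR_WEBSERVER=192.168.50.2

# r prints one rule per line (iptables arguments only); lines starting with
# '#' are comments that apply_rules skips.
r() { printf '%s\n' "$*"; }

build_rules() {
  r "# default deny for everything the firewall does not originate itself"
  r -P INPUT DROP
  r -P FORWARD DROP
  r -P OUTPUT ACCEPT

  r "# traffic to the firewall: LAN is trusted, DMZ only gets DNS (assumption)"
  r -A INPUT -i lo -j ACCEPT
  r -A INPUT -m state --state INVALID -j DROP
  r -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  r -A INPUT -i "$IFACE_INT" -s "$NET_INT" -j ACCEPT
  r -A INPUT -i "$IFACE_DMZ" -s "$NET_DMZ" -p udp --dport 53 -j ACCEPT
  r -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

  r "# forwarded traffic: state first, then anti-spoofing on the two inside legs"
  r -A FORWARD -m state --state INVALID -j DROP
  r -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  r -A FORWARD -i "$IFACE_INT" ! -s "$NET_INT" -j DROP
  r -A FORWARD -i "$IFACE_DMZ" ! -s "$NET_DMZ" -j DROP

  r "# LAN may reach the Internet, and the web server on tcp/80 only"
  r -A FORWARD -i "$IFACE_INT" -o "$IFACE_EXT" -s "$NET_INT" -j ACCEPT
  r -A FORWARD -i "$IFACE_INT" -o "$IFACE_DMZ" -d "$IPADDR_WEBSERVER" -p tcp --dport 80 -j ACCEPT

  r "# Internet may reach the web server on tcp/80; DNAT in PREROUTING has already run"
  r -A FORWARD -i "$IFACE_EXT" -o "$IFACE_DMZ" -d "$IPADDR_WEBSERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT

  r "# the DMZ host may not open connections to the LAN or the Internet; log the rest"
  r -A FORWARD -m limit --limit 3/min -j LOG --log-prefix FW-FORWARD-DROP:

  r "# NAT: publish tcp/80 on the public address for the Internet and (hairpin) for LAN clients"
  r -t nat -A PREROUTING -i "$IFACE_EXT" -d "$IPADDR_EXT" -p tcp --dport 80 -j DNAT --to-destination "$IPADDR_WEBSERVER"
  r -t nat -A PREROUTING -i "$IFACE_INT" -d "$IPADDR_EXT" -p tcp --dport 80 -j DNAT --to-destination "$IPADDR_WEBSERVER"
  r -t nat -A POSTROUTING -o "$IFACE_EXT" -s "$NET_INT" -j MASQUERADE
}

apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; return 1; }
  echo 0 > /proc/sys/net/ipv4/ip_forward          # no forwarding while the chains are open
  for t in filter nat mangle; do
    "$IPTABLES" -t "$t" -F && "$IPTABLES" -t "$t" -X && "$IPTABLES" -t "$t" -Z
  done
  build_rules | while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    # word splitting of $line into separate arguments is intentional
    "$IPTABLES" $line || { echo "failed: $line" >&2; exit 1; }
  done || return 1
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done   # kernel-side anti-spoofing
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

case ${1:-} in
  --apply) apply_rules ;;
  *)       build_rules ;;   # dry run: print the rule set for review
esac
```

Run it with no arguments to print the rules, or with `--apply` as root to load them. The hairpin DNAT on eth1 is what makes "connect to the public IP from the LAN" work: after the rewrite the packet matches the LAN-to-web FORWARD rule, and conntrack undoes the rewrite on the reply. That only holds if the web server's default route is 192.168.50.1, which is also the routing check the reply above suggests; a web server that routed replies elsewhere would need an additional POSTROUTING SNAT to 192.168.50.1 for that flow. Counters from `iptables -t nat -vnL PREROUTING` and `iptables -vnL FORWARD` then show at a glance which leg a connection dies on.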
 
  

