Welcome to the forums!
1) I can't think of a reason why you would put your WLAN between the firewall and the WAN. But my bet is, if you move it inside your LAN, that the clients lose connection to the internet.
2) I assume the Debian box has two NICs. Has the Debian box got IP forwarding enabled? If you kept mostly default values, then probably not. This needs to be done in two places. First, the kernel should know:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
And obviously the iptables rules should also reflect this. A little bit like this:
Code:
#########################################################
# VARIABLES AND DEFINITIONS (AND MODPROBES) #
#########################################################
# VARIABLES
ipt="/usr/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth0"
WAN_IFACE="eth1"
# BASIC KERNEL MODULES
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE
# FOR IRC AND FTP
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc
# FLUSH RULES AND DELETE CUSTOM CHAINS
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X
#########################################################
# GENERAL CONFIGURATION AND DEFAULT POLICIES #
#########################################################
# DEFAULT POLICIES
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT
# LOOPBACK AND INTERNAL SERVICES
$ipt -A INPUT -i lo -j ACCEPT
# IP MASQUERADING
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
# OUTGOING TRAFFIC RULES
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Then the clients need to get the Debian box as gateway; this you can do in dnsmasq.conf.
3) Yes. Probably. Creating a setup like you have is not impossible, and not even very difficult. But it seems it's your first attempt, so what you need to do goes a little beyond the scope of normal computer usage.
The main points are 1) that your Debian box has IP forwarding enabled, 2) that its iptables rules are set up to allow NAT and masquerading, and 3) that dnsmasq is set up to hand out valid leases to the clients.
Be sure to read up on iptables, and set up extensive logging until you are confident it's all working properly. Then you can turn many (but not all!) logging options off.
4) A word of advice. Don't treat wireless any more special than wired connections. It is basically the same, except that the signal goes through the air rather than through copper. If you set your wireless router to what I believe is called 'bridged mode', it won't hand out DHCP anymore and won't act as gateway either, but just transfer any signal to the Debian box. For this, it needs to be in LAN.
That is a lot safer, because wireless clients will get the same iptables policies as wired clients.
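An added example, not part of the original post: a small audit that checks a saved `iptables-save` dump and the kernel flag against the setup described above (forwarding on, FORWARD default DROP, masquerading on the WAN side, and only the LAN side allowed to open new connections). The function names are hypothetical, the sample dump is constructed, and the interface names eth0/eth1 follow the post's variables.

```shell
# Added example, not from the post; function names and sample data are constructed.
# $1: file holding the kernel flag (live system: /proc/sys/net/ipv4/ip_forward)
forwarding_on() { [ "$(cat "$1" 2>/dev/null)" = "1" ]; }
# $1: iptables-save dump; true if the filter table's FORWARD policy is DROP
forward_default_drop() { awk '/^\*/{t=$1} t=="*filter" && /^:FORWARD DROP/{ok=1} END{exit !ok}' "$1"; }

# has_rule DUMP TABLE CHAIN IN_IF OUT_IF MUST_MATCH [MUST_NOT_MATCH]; "" = any interface.
# Simplification: negated interface matches ("! -i eth1") are not distinguished.
has_rule() {
    awk -v t="*$2" -v c="$3" -v iif="$4" -v oif="$5" -v yes="$6" -v no="$7" '
        /^\*/ { table = $1; next }
        table == t && $1 == "-A" && $2 == c && $0 ~ yes && (no == "" || $0 !~ no) &&
        (iif == "" || index($0, " -i " iif " ")) && (oif == "" || index($0, " -o " oif " ")) { found = 1 }
        END { exit !found }' "$1"
}

# Finding: a FORWARD rule accepts WAN-side ($2) packets that are NEW or not state-matched
wan_admits_new() {
    has_rule "$1" filter FORWARD "$2" "" 'state [A-Z,]*NEW.* -j ACCEPT' ||
    has_rule "$1" filter FORWARD "$2" "" ' -j ACCEPT' 'state '
}

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
# audit DUMP LAN_IF WAN_IF FLAG_FILE: prints findings, returns the number of failures
audit() {
    fails=0
    forwarding_on "$4" || fail "kernel ip_forward is not 1"
    forward_default_drop "$1" || fail "filter FORWARD policy is not DROP"
    has_rule "$1" nat POSTROUTING "" "$3" ' -j MASQUERADE' || fail "no MASQUERADE out of $3"
    has_rule "$1" filter FORWARD "$2" "$3" 'state [A-Z,]*NEW.* -j ACCEPT' ||
        fail "$2 clients cannot open connections towards $3"
    if wan_admits_new "$1" "$3"; then fail "$3 side may open connections inward"; fi
    return "$fails"
}

# Constructed sample: trimmed iptables-save output for the post's rules, plus the flag
write_sample() {
    echo 1 > "$1/ip_forward"
    cat > "$1/rules" <<'EOF'
*nat
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
```

On the router itself, save the live ruleset with `iptables-save > rules.txt` and call `audit rules.txt eth0 eth1 /proc/sys/net/ipv4/ip_forward`.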