Iptables with DMZ...not working...help!!

[Trekkie]

Hi,

I'm trying to create a DMZ using iptables on RH 7.3. The firewall is working great and I can access the web server from LAN (to dmz)...not from the external IP. I'm using cable modem with dynamic ip address.

Where do I look to check my logs, I tried looking into /var/log/message with no luck

Internet: dynamic
dmz: 10.0.0.0 (webserver 10.0.0.200)
lan: 172.17.0.0

Here's my script

---------------------------------------------------



#!/bin/sh
# Firewall script by Master B

iptables=/sbin/iptables

intif="eth0"
lan="eth2"
dmz="eth1"
dmz_ip="10.0.0.0/32"

/sbin/depmod -a

/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp

$iptables -P INPUT DROP
$iptables -F INPUT
$iptables -P OUTPUT ACCEPT
$iptables -P OUTPUT DROP
$iptables -F OUTPUT
$iptables -P FORWARD DROP
$iptables -F FORWARD
$iptables -t nat -F

$iptables -t nat -A POSTROUTING -o $intif -j MASQUERADE

# Drops anything new from outside (Internet)
#$iptables -A FORWARD -i $intif -m state ! --state NEW -j DROP

#
# IP Spoofing
#
$iptables -t nat -A PREROUTING -i $intif -s 192.168.0.0/16 -j DROP
$iptables -t nat -A PREROUTING -i $intif -s 10.0.0.0/8 -j DROP
$iptables -t nat -A PREROUTING -i $intif -s 172.16.0.0/24 -j DROP

#
# DMZ zone
#
$iptables -t nat -A PREROUTING -p TCP -m multiport -i $intif --dport 22,25,113,80,8080 -j DNAT --to 10.0.0.200:80
$iptables -t nat -A PREROUTING -p UDP -i $intif --dport 25 -j DNAT --to-destination 10.0.0.200

#
$iptables -A FORWARD -p TCP -i $intif -o $dmz -d $dmz_ip --dport 80 -j ACCEPT


$iptables -A FORWARD -i $dmz -o $intif -j ACCEPT
$iptables -A FORWARD -p tcp -i $intif --dport 80 -o $dmz -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $lan -o $dmz -j ACCEPT
$iptables -A FORWARD -i $dmz -o $lan -j ACCEPT


#
# LAN Section
#
$iptables -A FORWARD -i $lan -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Logging information
#
$iptables -A FORWARD -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"
$iptables -A INPUT -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died:"


$iptables -A INPUT -p ALL -i $lan -d 172.17.1.0/16 -j ACCEPT

# All established and related packets incoming from the internet to the firewall
$iptables -A INPUT -p ALL -i $intif -m state --state ESTABLISHED,RELATED -j ACCEPT

$iptables -A OUTPUT -p ALL -s 172.17.1.0/16 -j ACCEPT
$iptables -A OUTPUT -p ALL -s 127.0.0.1/32 -j ACCEPT
$iptables -A OUTPUT -p ALL -s 24.22.16.103/32 -j ACCEPT

-----------------------------------------------------------

I appreciate for any advice

T.K.

 

[sleipnir214]

How are you testing access of the site from an external IP?

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[Trekkie]

I have tested from the external IP and also using port scan (grc.com Shield up). I don't know where I can check on the logs.

Thanks,
T.K.