Allow access from outside network with dmz and iptables


I'm having a problem with my home network. My setup is like this:

[network diagram]

In my router (running Ubuntu Desktop 11.04), I installed squid proxy as my transparent proxy.

So I would like to use DynDNS for my home network so I can access my server from the Internet; I also installed a CCTV camera and would like to be able to watch it from the Internet.

The problem is that I cannot access it from outside the network.
I have already set the DMZ in my modem to my router's IP.

My first guess is that it's because I'm using iptables to redirect the whole inside network to use squid,
and not allowing traffic from outside to my inside network.
Here is my iptables script:

#!/bin/sh

# squid server IP
SQUID_SERVER="192.168.5.1"

# Interface connected to Internet
INTERNET="eth0"

# Interface connected to LAN
LAN_IN="eth1"

# Squid port
SQUID_PORT="3128"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is the same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

If you know where I went wrong, please advise me.
Thanks for all your help; I really appreciate it.

Ivan

Posted 2012-03-30T12:53:44.237


What did you use to diagram your network like that? – Gman Smith – 2015-09-13T19:37:01.660

Answers


Just an opinion, but it seems to me that you're only forwarding port 80 connections to SQUID:
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

Shouldn't all packets be forwarded over to SQUID (especially DNS, and the port used by the camera)?

Alex H


Hi Alex, the camera uses port 8899. Besides the CCTV camera, I also cannot access the Apache web server installed on the router. – None – 2012-03-30T13:27:22.333

Can you try adding the rule "iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 8899 -j DNAT --to $SQUID_SERVER:$SQUID_PORT", then save / restart iptables, and see if you can access it from outside? For safety you could also use UDP (video data usually goes over UDP), so another rule might be "iptables -t nat -A PREROUTING -i $LAN_IN -p udp --dport 8889 -j DNAT --to $SQUID_SERVER:$SQUID_PORT". – None – 2012-03-30T13:31:11.337

If you can't access the Apache on the router, that would mean that the router itself isn't in the DMZ, and the issue must be checked in the ADSL modem or in the firewall of the router. I hope this helps. – None – 2012-03-30T13:36:18.007

Hmm... yes, I cannot ping nor access Apache from the outside. I will check the modem and update here. But do you think that, if the DMZ is working fine, I still need to bypass port 8899 to squid as well? – Ivan – 2012-03-30T13:53:13.813

Hello Ivan, I think that you should also update the rule for squid, because you're not trying to connect to the router (which will be in the DMZ) but to a host behind it (which will use the rules from the firewall / SQUID). – Alex H – 2012-03-30T14:12:55.137

I tried not using my Ubuntu server and instead connected the modem directly to my laptop, and when I tried to access it from outside, it worked perfectly: I could ping and access my XAMPP Apache. So I guess my modem's DMZ function is working properly. So I think there is something wrong in the iptables config which doesn't allow me to access it from the outside, but I don't know where it is. Thanks. Ivan. – Ivan – 2012-04-01T11:10:49.400
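Since the last comment establishes that the modem's DMZ works when a laptop is plugged in directly, what remains is the router's own rule set. Reading the script in the question, three things block inbound access: with `INPUT` policy `DROP` and only `ESTABLISHED,RELATED` accepted on eth0, new connections to Apache and ICMP echo requests never reach the router's services; the `REDIRECT` of port 80 arriving on eth0 sends Internet visitors to squid instead of Apache, and also makes squid reachable from the Internet, which is an open-proxy risk that only squid's `http_access` rules would then prevent; and the camera needs a `DNAT` rule for port 8899 on eth0 plus a `FORWARD` rule that matches the post-DNAT destination. Below is an added example of a reworked script that addresses these points. It is not the asker's script and not Alex H's suggestion; the camera's LAN address (192.168.5.20), the `sysctl` call and the `DRY_RUN` review helpers are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the asker's script: a reworked firewall that keeps the
# LAN-only transparent proxy, exposes Apache on the router itself, and
# port-forwards the CCTV camera. CAMERA_IP is an assumption; the interface
# names and ports follow the question and its comments.
# Usage:  sh fw.sh dry-run   (print the rules)     sh fw.sh apply   (as root)

INTERNET="eth0"           # interface towards the ADSL modem (the DMZ target)
LAN_IN="eth1"             # interface towards the LAN
SQUID_PORT="3128"         # squid listens on the router itself
CAMERA_IP="192.168.5.20"  # assumption: the CCTV camera's LAN address
CAMERA_PORT="8899"        # the camera's port, from the comments

# Every privileged command goes through run(), so DRY_RUN=1 prints the exact
# command line instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

apply_firewall() {
    # Start from a closed posture on every chain that sees unsolicited
    # traffic. The original never set FORWARD, which left it at ACCEPT.
    ipt -F; ipt -X
    ipt -t nat -F; ipt -t nat -X
    ipt -t mangle -F; ipt -t mangle -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    run sysctl -w net.ipv4.ip_forward=1

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IN" -j ACCEPT
    # Replies to connections the router or LAN hosts initiated.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services the router itself offers to the Internet. The original
    # accepted only ESTABLISHED,RELATED on eth0 under an INPUT DROP policy,
    # so new connections to Apache and ping never got through.
    ipt -A INPUT -i "$INTERNET" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$INTERNET" -p icmp --icmp-type echo-request -j ACCEPT

    # Transparent proxy for LAN clients only. Port 80 arriving on eth0 is
    # deliberately NOT redirected: the original's REDIRECT on $INTERNET sent
    # Internet visitors to squid instead of Apache and exposed squid itself.
    ipt -t nat -A PREROUTING -i "$LAN_IN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # Outbound NAT and LAN-to-Internet forwarding.
    ipt -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
    ipt -A FORWARD -i "$LAN_IN" -o "$INTERNET" -j ACCEPT

    # Camera port forward. DNAT rewrites the destination in PREROUTING; the
    # FORWARD rule must then match the post-DNAT destination, or the DROP
    # policy discards the packet. Limiting it to one host and port keeps the
    # rest of the LAN unreachable from outside.
    ipt -t nat -A PREROUTING -i "$INTERNET" -p tcp --dport "$CAMERA_PORT" \
        -j DNAT --to-destination "$CAMERA_IP:$CAMERA_PORT"
    ipt -A FORWARD -i "$INTERNET" -o "$LAN_IN" -p tcp -d "$CAMERA_IP" \
        --dport "$CAMERA_PORT" -m state --state NEW -j ACCEPT

    # Rate-limited logging; the DROP policies handle the rest.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward: "
}

# Review helpers: render the rule set without touching the live firewall.
dry_run() { ( DRY_RUN=1; apply_firewall ); }
rule_count() { dry_run | grep -c -- ' -A '; }
has_rule() { dry_run | grep -qF -- "$1"; }

case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) dry_run ;;
esac
```

After applying, `iptables -L FORWARD -n -v` and `iptables -t nat -L PREROUTING -n -v` show per-rule packet counters, which tell you whether an outside connection attempt to port 8899 is hitting the DNAT rule and then the FORWARD rule, or dying earlier at the modem. One caveat: because the DNAT rule matches on the incoming interface, LAN clients cannot reach the camera through the public DynDNS name from inside; use its LAN address there.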