
I want to learn more about network technology. Therefore I want to run a raspberry pi in the DMZ as a web server.

What is working: the Apache server on the Pi is working. When I use it in the LAN and allow the Linksys to forward the ports to its local 192.168.1.xxx (static IP), I can access it from the outside.

My problem: I couldn't find the right configuration when it is plugged into the DMZ port.

Configuration of LRT214: (Got from ISP, working)

Interface 1: WAN1
WAN Connection type: Static IP
WAN IP Address: 12.34.56.01   (Number here modified for security reasons)
Subnet: 255.255.255.240
Default Gateway:  12.34.56.02  (Number here modified for security reasons)
DNS 1: 8.8.8.8
DNS 2: 8.8.4.4

Setting I don't understand (on LRT214):

DMZ Private IP Address:   xxx.xxx.xxx.xx

What is meant by this? Is this the IP which I shall use as the static IP on the Raspberry?

Settings where I need help: Raspberry /etc/network/interfaces

I assume that I have to write here something meaningful in the form of:

    iface eth0 inet static
        address xxx.xxx.xxx.xxx
        netmask xxx.xxx.xxx.xxx
        gateway xxx.xxx.xxx.xxx

Anyhow, my tries with 192.168.1.xxx and 12.34.56.xx failed.

I'm aware that my next step is to set up the iptables on the Raspberry correctly. My plan is to block everything except HTTP and SSH here.

    iptables -P INPUT ACCEPT    # only required so that I don't lock myself out during the SSH session
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -P INPUT DROP      # now drop the rest

Thanks for your help on the correct setup.

Edit: While writing this I am wondering if the Raspberry at the DMZ would need a separate static WAN IP, other than 12.34.56.01. Because how should the router know which traffic should be routed to the Raspberry and which should be routed to the LAN? Is there any important setting which I have missed?

BerndGit

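The edit above asks whether a 192.168.1.x address or a 12.34.56.x address is the right one for the DMZ host. The following is an added example (not part of the question or of any Linksys documentation) that does the subnet arithmetic behind that question in plain POSIX shell: it takes the WAN address and mask quoted in the question (12.34.56.01 / 255.255.255.240, the poster's masked placeholder values, used here as constructed sample input) and reports whether a candidate address falls inside that /28 and what its usable host range is. Which range the LRT214 actually expects for the "DMZ Private IP Address" field is a question for the router manual; the script only shows how to check a candidate against a given subnet.

```shell
#!/bin/sh
# Added example: subnet membership and usable-host range for a dotted-quad
# address and mask. Values below come from the question (masked by the poster).

# dec: strip leading zeros so "01" is read as decimal 1 rather than octal
# (several tools disagree on how to parse octets such as 01; be explicit).
dec() {
    local v=$1
    v=${v#${v%%[!0]*}}
    echo "${v:-0}"
}

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    a=$(dec "$a"); b=$(dec "$b"); c=$(dec "$c"); d=$(dec "$d")
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip N -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# in_subnet CANDIDATE NET_ADDR MASK -> exit 0 if CANDIDATE shares NET_ADDR's subnet
in_subnet() {
    [ $(( $(ip_to_int "$1") & $(ip_to_int "$3") )) -eq $(( $(ip_to_int "$2") & $(ip_to_int "$3") )) ]
}

# usable_range NET_ADDR MASK -> "first_host last_host" (network and broadcast excluded)
usable_range() {
    n=$(ip_to_int "$1"); m=$(ip_to_int "$2")
    net=$(( n & m ))
    bcast=$(( net | (~m & 4294967295) ))
    echo "$(int_to_ip $(( net + 1 ))) $(int_to_ip $(( bcast - 1 )))"
}

# Constructed sample run using the question's (masked) WAN settings.
WAN_IP=12.34.56.01
WAN_MASK=255.255.255.240
for cand in 192.168.1.50 12.34.56.5; do
    if in_subnet "$cand" "$WAN_IP" "$WAN_MASK"; then
        echo "$cand is inside the WAN subnet; usable hosts: $(usable_range "$WAN_IP" "$WAN_MASK")"
    else
        echo "$cand is NOT inside the WAN subnet"
    fi
done
```

A /28 mask leaves 14 usable addresses, and the router itself already uses 12.34.56.01 as its WAN address and 12.34.56.02 as the gateway, so any public address chosen for a DMZ host would have to be one the ISP has actually assigned; the script does not know that, it only checks the arithmetic.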
1 Answer

Three comments:

  1. Your current configuration makes your Pi identical to any other PC within your LAN, i.e. it is not in a DMZ. Being in a DMZ means both that ports from the Internet are correctly configured, and that it is isolated from the rest of your LAN so that if an intruder gains access to your Pi server, he still cannot access the rest of your PCs. This requires a special construct called a VLAN which separates it from the rest of your LAN: the good news is that your LRT214 does this automatically for you if you specify the Pi's IP address within the DMZ mask, as specified on page 16 of the LRT214's User Manual.

  2. The stanza in /etc/network/interfaces should be:

    auto eth0
    iface eth0 inet static
        address 192.168.73.94
        netmask 255.255.255.0
        gateway 192.168.73.1
        # list all resolvers on one line; a second dns-nameservers line
        # would replace the first rather than add to it
        dns-nameservers 192.168.73.1 8.8.8.8

    Please remember to adapt this to your case.

  3. You are missing the following, all-important iptables rule:

    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    It instructs the netfilter firewall to allow packets (on ports other than 80 and 22 as well) which pertain to connections which are already under way. The connections under way are both those begun by someone connecting to your ports 80 and 22, and also the connections you initiated: if you miss this rule, there will be no follow-up to your own queries, including updates, loading web pages, connecting to local and remote machines, and so on.

MariusMatutiae
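As an added example (not the answer's own script, and not from the poster), here is the complete INPUT ruleset that points 1 and 3 of the answer imply, written in iptables-restore format so it is loaded atomically instead of rule by rule. The ordering matters: loopback and the conntrack rule from the answer come first, the service ports are opened for NEW connections only, and the default policy is DROP from the start, so there is no window in which the chain is open. Port numbers are parameters; 22 and 80 are the values discussed on the page, and 443 can be passed as well if the site serves HTTPS as in the question's original rules. The helper check_ruleset is also added here: it confirms the ESTABLISHED,RELATED rule precedes every --dport rule before anything is loaded.

```shell
#!/bin/sh
# Added example: generate an INPUT ruleset for iptables-restore.
# Usage: build_ruleset [SSH_PORT] [WEB_PORT...]   (defaults: 22, 80)
build_ruleset() {
    ssh_port=${1:-22}
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then set -- 80; fi
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '# loopback first: local services talking to 127.0.0.1 break without it' \
        '-A INPUT -i lo -j ACCEPT' \
        '# the rule from the answer: replies to connections the Pi started, and' \
        '# follow-up packets of inbound connections already accepted below' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '# packets that belong to no known connection are not worth inspecting' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # only the first packet (NEW) of each service connection needs a port rule
    for p in "$ssh_port" "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' \
        '# keep ping so the host can still be reached for diagnosis' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT' \
        'COMMIT'
}

# check_ruleset: exit 0 only if the ESTABLISHED,RELATED rule appears before
# every --dport rule (the mistake the answer's point 3 is about).
check_ruleset() {
    build_ruleset "$@" | awk '
        /ESTABLISHED,RELATED/ { seen = NR }
        /--dport/ && !seen    { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: validate, then print the ruleset to stdout.
check_ruleset "$@" && build_ruleset "$@"
```

To apply it on the Pi, save the output to a file, dry-run it first, and only then load it: `./ruleset.sh 22 80 > /tmp/rules.v4 && sudo iptables-restore --test /tmp/rules.v4 && sudo iptables-restore /tmp/rules.v4`. Because the file replaces the whole filter table in one step, the SSH session used to load it stays up as long as its port is in the list; a scheduled revert (for example `sleep 120 && iptables -P INPUT ACCEPT` started in the background beforehand) is the usual belt-and-braces against a typo in the port number.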