
I want to learn more about network technology. Therefore, I want to run a Raspberry Pi in the DMZ as a web server.

What is working: the Apache server on the Pi is working. When I use it in the LAN and allow the Linksys to forward the ports to its local 192.168.1.xxx (static IP), I can access it from the outside.

My problem: I couldn't find the right configuration when it is plugged into the DMZ port.

Configuration of LRT214: (Got from ISP, working)

    Interface 1: WAN1
    WAN Connection type: Static IP
    WAN IP Address: 12.34.56.01   (Number here modified for security reason)
    Subnet: 255.255.255.240
    Default Gateway: 12.34.56.02  (Number here modified for security reason)
    DNS 1: 8.8.8.8
    DNS 2: 8.8.4.4

Setting I don't understand (on LRT214):

    DMZ Private IP Address:   xxx.xxx.xxx.xx

What is meant by this? Is this the IP which I shall use as the static IP on the Raspberry?

Settings where I need help: Raspberry `/etc/network/interfaces`

I assume that I have to write here something meaningful in the form of:

iface eth0 inet static
    address xxx.xxx.xxx.xxx
    netmask xxx.xxx.xxx.xxx 
    gateway xxx.xxx.xxx.xxx

Anyhow, my tries with 192.168.1.xxx and 12.34.56.xx failed.

I'm aware that my next step is to set up iptables on the Raspberry correctly. My plan is to block everything except HTTP and SSH here.

    iptables -P INPUT ACCEPT   # only required so that I don't lock myself out during the SSH session
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -P INPUT DROP     # now drop the rest

Thanks for your help on correct setup.

Edit: While writing this I am wondering if the Raspberry at the DMZ would need a separate static WAN IP, other than 12.34.56.01, because how should the router know which traffic should be routed to the Raspberry and which should be routed to the LAN? Is there any important setting which I have missed?

BerndGit
    You should give your RPi a static IP just outside your DHCP scope on your router (e.g. if your router gives out 192.168.1.2-100 then give your RPi 192.168.1.101). You then put the 192.168.0.101 in your DMZ page... – Kinnectus Apr 25 '16 at 11:34
  • And how does the router know which traffic should belong to the DMZ? Or is any traffic to ports which are not forwarded to the LAN automatically sent to the Raspberry? – BerndGit Apr 25 '16 at 12:18
  • There are quite a few articles about how to create a public web server on Raspberry Pi. For example : [example1](http://alexdberg.blogspot.fr/2012/11/creating-public-web-server-on-raspberry.html) or [example2](http://simonthepiman.com/how_to_setup_your_pi_for_the_internet.php). – harrymc Apr 25 '16 at 14:10
  • Yes, I followed some examples, and I was able to set up a web server using port forwarding. Anyhow, when I wanted to move the Pi into the DMZ I failed. Most likely I had a bug in `/etc/network/interfaces`. Especially at `netmask` I'm not sure what to take (255.255.255.255? since no other devices are connected to the DMZ?). – BerndGit Apr 25 '16 at 14:22
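
As an added illustration (not part of the question or of any answer), a small Python checker for a stanza of the kind the asker is trying to write: it parses the `iface ... inet static` block and reports the two mismatches that make such a stanza fail, a netmask that leaves no room for a gateway (255.255.255.255) and a gateway outside the subnet of the address. The sample stanza and all addresses in it are constructed.

```python
import ipaddress

# Constructed sample in the shape of the question's stanza (not the asker's real values)
SAMPLE = """\
auto eth0
iface eth0 inet static
    address 192.168.73.94
    netmask 255.255.255.0
    gateway 192.168.73.1
    dns-nameservers 192.168.73.1 8.8.8.8
"""

def parse_static_stanzas(text):
    """Return {iface: {option: value}} for every 'iface ... inet static' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not words:
            continue
        if words[0] == "iface":
            current = words[1] if words[2:4] == ["inet", "static"] else None
            if current:
                stanzas[current] = {}
        elif words[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None                     # these lines end the stanza
        elif current:
            stanzas[current][words[0]] = " ".join(words[1:])
    return stanzas

def check_static(opts):
    """Return the problems with an address/netmask/gateway trio; [] means consistent."""
    missing = [k for k in ("address", "netmask", "gateway") if k not in opts]
    if missing:
        return [f"missing {k}" for k in missing]
    try:   # a non-contiguous or malformed netmask raises ValueError here
        net = ipaddress.ip_network(f"{opts['address']}/{opts['netmask']}", strict=False)
    except ValueError as exc:
        return [f"bad address/netmask: {exc}"]
    addr, gw = ipaddress.ip_address(opts["address"]), ipaddress.ip_address(opts["gateway"])
    problems = []
    if net.prefixlen == 32:
        problems.append("netmask 255.255.255.255 leaves no other host on the link, so no gateway is reachable")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}, so the default route cannot be installed")
    elif gw == addr:
        problems.append("gateway equals the interface address")
    return problems
```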

1 Answer


Three comments:

  1. Your current configuration makes your Pi identical to any other PC within your LAN, i.e. it is not in a DMZ. Being in a DMZ means both that ports from the Internet are correctly configured, and that it is isolated from the rest of your LAN so that if an intruder gains access to your Pi server, then he still cannot access the rest of your PCs. This requires a special construct called a VLAN which separates it from the rest of your LAN: the good news is that your LRT214 does this automatically for you if you specify the Pi's IP address within the DMZ mask, as specified on page 16 of the LRT214's User Manual.

  2. The stanza in the /etc/network/interfaces should be:

    auto eth0
    iface eth0 inet static
        address 192.168.73.94
        netmask 255.255.255.0
        gateway 192.168.73.1
        # dns-nameservers takes a space-separated list: put all resolvers on one line rather than repeating the key
        dns-nameservers 192.168.73.1 8.8.8.8

    Please remember to adapt this to your case.

  3. You are missing the following, all-important iptables rule:

    iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    

    It instructs the netfilter firewall to allow packets (also on ports other than 80 and 22) which pertain to connections that are already under way. The connections under way are both those begun by someone connecting to your ports 80 and 22 and the connections you initiated: if you miss this rule, there will be no follow-up to your own queries, including updates, loading web pages, connecting to local and remote machines, and so on.

MariusMatutiae
  • Thank you for that long answer MariusMatutiae. ad (1) Understood. Placing the Pi in the LAN was just a first test to check if the Pi can generally be accessed. ad (2) I assume that in the LRT214 I have to specify DMZ Host as 192.168.73.94, correct? ad (3) Thank you for that. I'll check the settings in the next days and come back if some questions are left. You have won the bounty for your answer, which addresses my questions. – BerndGit May 02 '16 at 09:05
  • @BerndGit **(2)** That's correct! – MariusMatutiae May 02 '16 at 09:15
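
An added simulation, not from the answer or the asker, of why point 3 matters: a minimal Python model of an iptables INPUT chain (first matching rule wins, otherwise the chain policy) with the conntrack state each packet would carry, run over constructed sample traffic. The question's chain drops the replies to the Pi's own DNS and HTTP requests because they arrive on ephemeral ports; the answer's chain, with the ESTABLISHED,RELATED rule placed first, accepts them while still dropping an unsolicited probe.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # destination port on the Pi (0 for icmp)
    ctstate: str   # how conntrack classified it: NEW, ESTABLISHED, RELATED or INVALID

@dataclass
class Rule:
    action: str                                  # "ACCEPT" or "DROP"
    proto: Optional[str] = None                  # -p
    dport: Optional[int] = None                  # --dport
    ctstates: Optional[Tuple[str, ...]] = None   # -m conntrack --ctstate

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.ctstates is None or p.ctstate in self.ctstates))

def verdict(chain, policy, packet):
    """First matching rule decides, as in an iptables chain; else the chain policy applies."""
    for rule in chain:
        if rule.matches(packet):
            return rule.action
    return policy

# The question's INPUT chain: only new SSH and HTTPS connections, everything else DROPped
QUESTION_CHAIN = [Rule("ACCEPT", proto="tcp", dport=22), Rule("ACCEPT", proto="tcp", dport=443)]
# The answer's missing rule, placed first: packets of connections already under way
ANSWER_CHAIN = [Rule("ACCEPT", ctstates=("ESTABLISHED", "RELATED"))] + QUESTION_CHAIN

# Constructed traffic arriving at the Pi's INPUT chain
TRAFFIC = {
    "client opens ssh":             Packet("tcp", 22, "NEW"),
    "dns reply to the pi's lookup": Packet("udp", 45123, "ESTABLISHED"),  # reply hits an ephemeral port
    "http reply to apt update":     Packet("tcp", 51004, "ESTABLISHED"),
    "icmp error for a pi flow":     Packet("icmp", 0, "RELATED"),
    "unsolicited probe to 8080":    Packet("tcp", 8080, "NEW"),
}

def run(chain, policy="DROP"):
    """Map each sample packet to the verdict the given chain produces."""
    return {name: verdict(chain, policy, p) for name, p in TRAFFIC.items()}
```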