topic Re: Webserver under a firewall in Operating System - Linux

Webserver under a firewall

Francis Ancheta — Mon, 16 Jun 2003 04:58:48 GMT

Is there a way I can setup my Webserver (IIS) under a firewall controlled by Linux.

Scenario:

I have a windows 2000 IIS server (192.168.XXX.XXX) connected to my internal network. I setup a firewall using Linux, my web server can now access the internet using my Linux firewall as a gateway.

My problem: I want my internal web server to be accessed in the internet but has to pass through my firewall. How do I do this?

Re: Webserver under a firewall

Stuart Browne — Mon, 16 Jun 2003 05:06:54 GMT

I'll assume your 'Firewall' box is a recent linux build and utilises 'iptables' for it's firewalling abilities.

To do what you are asking, you need to set up a DNAT rule on the NAT table.

Something similar to:

iptables -A PREROUTING -p tcp -d --dport 80 -j DNAT --to 192.168.xxx.xxx:80

This assumes two things:

- You want external clients to access the web server via port 80, and you are not currently running a webserver on the firewall.

- The internal webserver is listening on port 80, and can currently get out to the rest of the world invisibly.

The PREROUTING rules on the NAT table allow you to chagne the destination of a given packet. We say the destination is going to be the external IP of the firewall box (you could replace this '-d <>' with '-i ' instead) to say that external connections to port 80 will be redirected to the IP addrsess/port (invisibly) on the internal network.

If you aren't using iptables, let us know.

NOTE: You can restrict this further by using a '-s ' flag to say who is connecting to your web server..

Re: Webserver under a firewall

Steven E. Protter — Mon, 16 Jun 2003 05:36:38 GMT

You must configure the linux firewall to pass all traffic on the needed ports to the IIS server inside the firewall.

iptables -t nat -A PREROUTING -p tcp -d 15.15.15.15 -dport 80 -j DNAT --to-destination 10.0.0.25

This assumes you are using iptables, I don't think you can do it with ipchains. The second address 10.0.0.25 is the destination. You will need to repeat that command for every port you wish to pass through the firewall.

You'll also need to carefully test the overall iptables configuration.

Source: Page 545-555 of Red Hat Linux 7.3 Bible
Christopher Negus

I am doing this for my web hosting business.

Regards, and Sucess.

Sorry for the delay, itrc is doesn't want to post my answers. Go figure.

SEP

SEP

Re: Webserver under a firewall

Francis Ancheta — Mon, 16 Jun 2003 06:34:16 GMT

Thanks Stuart Steven, Yes I am using iptables. I am still learning how firewall works cause I used bastille to configure it for me.

Excuse me for my ignorance but I am new to this ... where shall I put this commands? Do I just enter it at the terminal screen or do I need to edit a script of somekind.

Another question ... will this work also if I put my e-mail server (POSTFIX for example) under my firewall?

I will try this and will let you know of my success ... thanks again guys. Your point to follow ... don't really know what to give at this moment ...

Re: Webserver under a firewall

Claudio Cilloni — Mon, 16 Jun 2003 06:54:43 GMT

you can run that command from the root shell, and it will take effect immediately on the firewall configuration. then you can save the whole iptables config using this:

# iptables-save >/etc/iptables.config

this command writes in /etc/iptables.config (example, you can put this in any file you like) the whole configuration; you can reload it so:

# cat /etc/iptables.config | iptables-restore

then you can put this line in /etc/rc.d/rc.local,
so the firewall config will be reloaded any time
you reboot your firewall machine.

hth
Claudio

Re: Webserver under a firewall

Francis Ancheta — Mon, 16 Jun 2003 07:27:15 GMT

Hi again,

I encountered the following error. I checked the syntax and its correct. I am using iptables version v1.2.7a.

Error: iptables: No chain/target/match by that name

Pls. help.

Re: Webserver under a firewall

Francis Ancheta — Mon, 16 Jun 2003 07:52:24 GMT

Using the command as suggested by Steven I had the following errors.

iptables v1.2.7a: multiple -d flags not allowed

What can be wrong?

Re: Webserver under a firewall

Claudio Cilloni — Mon, 16 Jun 2003 07:59:28 GMT

it's missing a '-':
change '-dport' to '--dport'

regards
CLaudio

Re: Webserver under a firewall

Francis Ancheta — Mon, 16 Jun 2003 08:18:09 GMT

I tried using the syntax of Steven and I tried accessing my internal web but it won't work. What are the things I have to do to make it work. How do I know I am using iptables instead of ipchains?

Re: Webserver under a firewall

Francis Ancheta — Mon, 16 Jun 2003 08:30:23 GMT

It seems I have accidentally blocked port 80 on my firewall how do I undo this ?

Re: Webserver under a firewall

Francis Ancheta — Mon, 16 Jun 2003 08:38:26 GMT

I have this entry on my iptables:

-A INT_IN -p tcp -m tcp --dport 80 -j PAROLE

what does this mean?

Re: Webserver under a firewall

Francis Ancheta — Mon, 16 Jun 2003 08:54:23 GMT

I got port 80 to work again. using

iptables -A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE

My problem now is that my firewall does not route my port 80 to my internal web server (say 192.168.0.5 port 80 enabled)

I tried to access my internal web using the internet by ex. http://203.169.95.85:80 but it does not work.

Re: Webserver under a firewall

Francis Ancheta — Mon, 16 Jun 2003 09:06:38 GMT

I finally got Stuarts script working. It needed the -t nat before the -A PREROUTING ....

Still my routing does not work.

Re: Webserver under a firewall

Francis Ancheta — Mon, 16 Jun 2003 09:55:57 GMT

Last question. How do can I test if my routing table is working?

Re: Webserver under a firewall

Claudio Cilloni — Mon, 16 Jun 2003 09:56:53 GMT

it could be useful for us if you show your firewall configuration, posting here the
output of the command iptables-save.
could you give also a brief description of you
network topology?

Re: Webserver under a firewall

Claudio Cilloni — Mon, 16 Jun 2003 09:59:14 GMT

AH! idea:

maybe the packet forwarding isn't enable in the firewall machine. run this (root):

# echo "1" >/proc/sys/net/ipv4/ip_forward

hth
Claudio

Re: Webserver under a firewall

Francis Ancheta — Mon, 16 Jun 2003 10:03:44 GMT

I am using star topology. Attached is my config.

Re: Webserver under a firewall

Claudio Cilloni — Mon, 16 Jun 2003 10:14:34 GMT

it seems that your external address is 203.131.104.188, not 203.169.95.85, according
to pre 'PREROUTING' rule.
if you point your browser to the first, it
should work.

later i'll give a deeper look to your configuration.

hi
Claudio

Re: Webserver under a firewall

Claudio Cilloni — Mon, 16 Jun 2003 11:25:55 GMT

I'm not so expert about iptables... I think that beginning from a clean firewall configuration could be a good idea to verify if NAT and packet routing to your inner web server works.

# iptables -F

flushes all your rules. you need also to set the default policy to 'ACCEPT' for all the chains:

#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT

then apply the rules suggested here. When (hope) it works, then you can add all the others rules (expecially security-related rules).

hi
Claudio

Re: Webserver under a firewall

Steven E. Protter — Mon, 16 Jun 2003 15:02:55 GMT

As a reference I am providing my iptables configuration minus the additiona command posted above.

iptables is very tricky and once you have it working, I recommend changing and adding very carefully, one thing at a time.

REgards,

Good Luck