Webserver under a firewall

Francis Ancheta
Frequent Advisor

Webserver under a firewall

Is there a way I can setup my Webserver (IIS) under a firewall controlled by Linux.

Scenario:

I have a windows 2000 IIS server (192.168.XXX.XXX) connected to my internal network. I setup a firewall using Linux, my web server can now access the internet using my Linux firewall as a gateway.

My problem: I want my internal web server to be accessed in the internet but has to pass through my firewall. How do I do this?
Stuart Browne
Honored Contributor

Re: Webserver under a firewall

I'll assume your 'Firewall' box is a recent Linux build and utilises 'iptables' for its firewalling abilities.

To do what you are asking, you need to set up a DNAT rule on the NAT table.

Something similar to:

iptables -A PREROUTING -p tcp -d <external_ip> --dport 80 -j DNAT --to 192.168.xxx.xxx:80

This assumes two things:

- You want external clients to access the web server via port 80, and you are not currently running a webserver on the firewall.

- The internal webserver is listening on port 80, and can currently get out to the rest of the world invisibly.

The PREROUTING rules on the NAT table allow you to change the destination of a given packet. We say the destination is going to be the external IP of the firewall box (you could replace this '-d <external_ip>' with '-i <external_interface>' instead) to say that external connections to port 80 will be redirected to the IP address/port (invisibly) on the internal network.

If you aren't using iptables, let us know.

NOTE: You can restrict this further by using a '-s <source_address>' flag to say who is connecting to your web server.
One long-haired git at your service...
Steven E. Protter
Exalted Contributor

Re: Webserver under a firewall

You must configure the linux firewall to pass all traffic on the needed ports to the IIS server inside the firewall.

iptables -t nat -A PREROUTING -p tcp -d 15.15.15.15 -dport 80 -j DNAT --to-destination 10.0.0.25

This assumes you are using iptables, I don't think you can do it with ipchains. The second address 10.0.0.25 is the destination. You will need to repeat that command for every port you wish to pass through the firewall.

You'll also need to carefully test the overall iptables configuration.

Source: Pages 545-555 of Red Hat Linux 7.3 Bible, Christopher Negus

I am doing this for my web hosting business.

Regards, and Success.

Sorry for the delay, itrc doesn't want to post my answers. Go figure.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Francis Ancheta
Frequent Advisor

Re: Webserver under a firewall

Thanks Stuart, Steven. Yes, I am using iptables. I am still learning how the firewall works because I used Bastille to configure it for me.

Excuse me for my ignorance but I am new to this ... where shall I put these commands? Do I just enter them at the terminal screen or do I need to edit a script of some kind?

Another question ... will this work also if I put my e-mail server (POSTFIX for example) under my firewall?

I will try this and will let you know of my success ... thanks again guys. Your point to follow ... don't really know what to give at this moment ...
Claudio Cilloni
Honored Contributor

Re: Webserver under a firewall

You can run that command from the root shell, and it will take effect immediately on the firewall configuration. Then you can save the whole iptables config using this:

# iptables-save >/etc/iptables.config

This command writes the whole configuration to /etc/iptables.config (an example; you can put this in any file you like); you can reload it like so:

# cat /etc/iptables.config | iptables-restore

Then you can put this line in /etc/rc.d/rc.local, so the firewall config will be reloaded any time you reboot your firewall machine.

hth
Claudio
Francis Ancheta
Frequent Advisor

Re: Webserver under a firewall

Hi again,

I encountered the following error. I checked the syntax and it's correct. I am using iptables version v1.2.7a.

Error: iptables: No chain/target/match by that name

Pls. help.
Francis Ancheta
Frequent Advisor

Re: Webserver under a firewall

Using the command as suggested by Steven I had the following errors.

iptables v1.2.7a: multiple -d flags not allowed

What can be wrong?
Claudio Cilloni
Honored Contributor
Solution

Re: Webserver under a firewall

It's missing a '-':
change '-dport' to '--dport'

regards
Claudio
Francis Ancheta
Frequent Advisor

Re: Webserver under a firewall

I tried using Steven's syntax and I tried accessing my internal web server, but it won't work. What are the things I have to do to make it work? How do I know I am using iptables instead of ipchains?
Francis Ancheta
Frequent Advisor

Re: Webserver under a firewall

It seems I have accidentally blocked port 80 on my firewall. How do I undo this?
Francis Ancheta
Frequent Advisor

Re: Webserver under a firewall

I have this entry on my iptables:

-A INT_IN -p tcp -m tcp --dport 80 -j PAROLE

what does this mean?
Francis Ancheta
Frequent Advisor

Re: Webserver under a firewall

I got port 80 to work again, using

iptables -A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE

My problem now is that my firewall does not route my port 80 to my internal web server (say 192.168.0.5, port 80 enabled).

I tried to access my internal web server from the internet via e.g. http://203.169.95.85:80 but it does not work.

Francis Ancheta
Frequent Advisor

Re: Webserver under a firewall

I finally got Stuart's script working. It needed the -t nat before the -A PREROUTING ....

Still my routing does not work.
Francis Ancheta
Frequent Advisor

Re: Webserver under a firewall

Last question. How can I test if my routing table is working?
Claudio Cilloni
Honored Contributor

Re: Webserver under a firewall

It could be useful for us if you show your firewall configuration, posting here the output of the command iptables-save. Could you also give a brief description of your network topology?


Claudio Cilloni
Honored Contributor

Re: Webserver under a firewall

AH! idea:

Maybe packet forwarding isn't enabled on the firewall machine. Run this (as root):

# echo "1" >/proc/sys/net/ipv4/ip_forward

hth
Claudio
Francis Ancheta
Frequent Advisor

Re: Webserver under a firewall

I am using star topology. Attached is my config.
Claudio Cilloni
Honored Contributor

Re: Webserver under a firewall

It seems that your external address is 203.131.104.188, not 203.169.95.85, according to the 'PREROUTING' rule. If you point your browser to the first, it should work.

Later I'll give a deeper look at your configuration.

hi
Claudio
Claudio Cilloni
Honored Contributor

Re: Webserver under a firewall

I'm not such an expert on iptables... I think that beginning from a clean firewall configuration could be a good idea to verify if NAT and packet routing to your inner web server work.

# iptables -F

flushes all your rules. You also need to set the default policy to 'ACCEPT' for all the chains:

# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT

Then apply the rules suggested here. When (I hope) it works, you can add all the other rules (especially the security-related rules).

hi
Claudio
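Pulling the pieces from the replies above (DNAT in the nat table, a matching FORWARD rule rather than a blanket ACCEPT policy, ip_forward, saving the result) into one script, as an added example that is not from any post in this thread. It assumes eth0 is the external interface and eth1 the internal one, that the firewall loads /etc/sysconfig/iptables at boot, and the addresses in the usage line are constructed; it also lints a rule for the three mistakes hit in this thread (PREROUTING without -t nat, -dport with one dash, -d with no address).

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout: eth0 = external
# interface, eth1 = internal interface, Red Hat-style /etc/sysconfig/iptables.

# Print (do not apply) the commands that publish TCP port $3 of internal host
# $2 behind external address $1. Review the output, then run it as root.
pf_rules() {
  ext="$1"; int="$2"; port="$3"
  case "$port" in ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1;; esac
  cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp -d $ext --dport $port -j DNAT --to-destination $int:$port
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d $int --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables-save > /etc/sysconfig/iptables
EOF
}

# Lint one iptables command line for the errors seen in this thread: PREROUTING
# used without "-t nat", single-dash "-dport", and "-d" given no address.
# Prints each problem found; returns 0 only when the line is clean.
lint_rule() {
  line=" $1 "; rc=0
  case "$line" in *" PREROUTING "*)
    case "$line" in *" -t nat "*) ;; *) echo "PREROUTING lives in the nat table: add -t nat"; rc=1;; esac;;
  esac
  case "$line" in *" -dport "*) echo "option is --dport (two dashes), not -dport"; rc=1;; esac
  case "$line" in *" -d -"*|*" -d ") echo "-d needs an address (or use -i <external interface>)"; rc=1;; esac
  return $rc
}

# Usage: sh pf.sh 203.0.113.10 192.168.0.5 80   (constructed sample addresses)
if [ $# -eq 3 ]; then pf_rules "$@"; fi
```

The FORWARD rules admit only the published port inbound, so the chain's default policy can stay DROP instead of the ACCEPT-everything starting point used for debugging.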
Steven E. Protter
Exalted Contributor

Re: Webserver under a firewall

As a reference I am providing my iptables configuration minus the additional command posted above.

iptables is very tricky and once you have it working, I recommend changing and adding very carefully, one thing at a time.


Regards,

Good Luck
Steven E. Protter
Exalted Contributor

Re: Webserver under a firewall

This is your thread.

Ask as many questions as you need.

I'd like to see your current /etc/sysconfig/iptables configuration

That would be useful in sniffing out conflicts that are affecting your routing.

SEP
Francis Ancheta
Frequent Advisor

Re: Webserver under a firewall

Hi Steven,

Attached is my iptables config. I will try your suggestions today and will let you know how it works.

Does this table get executed at startup? Sorry for the ignorance.
Jerome Henry
Honored Contributor

Re: Webserver under a firewall

No-one knows everything.

Type 'chkconfig --list | grep lokkit' and you'll see if your lokkit service is started and at which levels.

If you start on graphical mode, it should be started at level 5, if you start in console mode, at 3.

I see that your iptables is generated by lokkit, that's why I am suggesting this.

If it's not started, do a 'chkconfig lokkit on', it'll be started at next reboot.

If you do not want to use lokkit and manage iptables by yourself, then you have to make sure it's started at boot time, doing the same procedure, replacing 'lokkit' by 'iptables'.

Never hesitate to ask.

J
You can lean only on what resists you...
Francis Ancheta
Frequent Advisor

Re: Webserver under a firewall

Hi,

Where does chkconfig append my startup file? I really want to know where it goes so that I can edit the script manually, just in case I don't need the services that are placed in my startup. I also noticed that I have 2 firewall services running, "bastille-firewall" and just plainly "firewall"; do these two conflict? I don't see iptables as a running service, nor do I see lokkit.

I did the "iptables -F" and it removed everything including my routing to the internet.

Does anyone know where I can get a good background info on routing so that I would not be asking foolish questions.

Thanks in advance.
Claudio Cilloni
Honored Contributor

Re: Webserver under a firewall

Linux HOW-TOs could give great answers. You can find them at http://www.tldp.org, and these howtos could be interesting for you:

Masquerading-Simple-HOWTO
IP-Masquerade-HOWTO
Firewall-HOWTO
Networking-Overview-HOWTO

I suggest downloading the whole HOWTO documentation so it is always ready to browse.

We're here for any question, anyway :-)