Solved

How to use iptables to make a Win2K Web server behind the firewall visible to the outside world?

Posted on 2002-07-03
Last Modified: 2010-03-18
Hi all,

I've searched the existing questions on setting up such a config.  But my Linux box cannot use ipchains as the answers suggested.  How can I do this using iptables?

Can I use the real IP to access the Web server inside and outside the firewall?

Thanks in advance.
Question by:carrado94
9 Comments
LVL 51

Expert Comment

by:ahoffmann
ID: 7127996
does the Web server have a real IP, or a RFC IP which is NATted?
LVL 40

Expert Comment

by:jlevie
ID: 7128625
Answering the questions in reverse order: no, you won't be able to access a webserver inside of the firewall by its outside IP from other nodes on the inside. That's not as much of a problem as it might seem. One solution is to create a hosts record on each of the systems inside the firewall that equates the web server's host name with its inside IP. For a small number of systems that is a manageable solution. If you have lots of interior nodes the best solution is to set up a DNS server for your private network. Since only inside nodes access the DNS it can have the private IPs for your network.

A simple, yet fairly secure, ruleset for IPtables is below. To make it easy to see what to do I've assumed that the interior network is using 10.1.0.0/24, that the web server is at 10.1.0.1 and that the inside IP of the firewall is 10.1.0.254. The rule set is heavy with comments so you should be able to figure out what it is doing and how to modify it. Pay attention to the block of comments at the beginning, especially if you are using RedHat or similar.

#!/bin/sh
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since
# you'll save the running config with 'iptables-save' for RedHat to reinstate
# at the next boot, IP forwarding must be enabled by something other than this
# script for production use. That's best done by editing /etc/sysctl.conf and
# setting 'net.ipv4.ip_forward = 1'.
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# iptables-save >/etc/sysconfig/iptables
#
# When /etc/init.d/iptables executes it will see the file and restore the
# saved rules.
#
# Since /etc/sysctl.conf will only be read at boot, you can uncomment the
# following line to enable forwarding on the fly. Just remember that the
# saved iptables data won't include the command.
#
#echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Set an absolute path to IPTABLES and define the interfaces
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
IPTABLES="/sbin/iptables"
OUTSIDE=eth0
INSIDE=eth1
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as not to swamp the
# firewall in a DOS scenario.
#
# silent     - Just drop it on the floor, used for internal traffic
# tcpflags   - Log packets with bad TCP flags, most likely an attack
# firewalled - Log packets that we refuse, possibly from an attack
#
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP
#
# Use MASQUERADE to do the NPAT if you have a dynamic IP. Otherwise comment
# out the following line and use the Source NAT below.
#
$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 111.222.333.444
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.1.0.1
# The second forwards SSH to 10.1.0.1
# The third forwards a block of tcp and udp ports (2300-2400) to 10.1.0.1
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 10.1.0.1
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.1.0.1
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.1.0.1
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.1.0.1
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break. Uncomment the following line
# if the inside machines are trustworthy and there are services on the firewall,
# like DNS, web, DHCP etc., that they need to access.
#
$IPTABLES -A INPUT -i lo -j ACCEPT
#$IPTABLES -A INPUT -i $INSIDE -d 10.1.0.254 -j ACCEPT
#
# Uncomment the following two lines if you are running a DHCP server on the
# firewall.
#
#$IPTABLES -A INPUT -i $INSIDE -d 10.1.0.255 -j ACCEPT
#$IPTABLES -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Silently drop any SMB traffic. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux, so block that windows trash.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#
# If you want to be able to connect via SSH from the Internet
# to the firewall uncomment the next line.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Allow inbound SMTP and IMAP connections to the firewall system.
# Very useful if your firewall is also your mail server.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 25 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 143 -j ACCEPT
#
# Examples of allowing inbound for the port forwarding examples above.
#
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPTABLES -A INPUT -j firewalled

Author Comment

by:carrado94
ID: 7128628
The Linux box is doing NAT.  There is only 1 real IP which is used by Linux.  The Web server has an internal IP 192.168.0.11.
Author Comment

by:carrado94
ID: 7129169
Thanks jlevie!

I tried the script and made some changes on it since I am using an ADSL connection.  I changed the

OUTSIDE=ppp0 (nat won't work if =eth1)
INSIDE=eth0 (the one with gateway ip 192.168.0.1 Right?)

But I still cannot access the Win2K web server from outside.  Besides, one more problem happened.  After enabling the Linux Web server (on the same machine as the firewall), I cannot see it from either inside or outside the network!

Then, I added a rule near the end like this
$IPTABLES -A INPUT -i $INSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT

The Linux Web server is accessible only inside the local network.

Here is the list:
#!/bin/sh
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since
# you'll save the running config with 'iptables-save' for RedHat to reinstate
# at the next boot, IP forwarding must be enabled by something other than this
# script for production use. That's best done by editing /etc/sysctl.conf and
# setting 'net.ipv4.ip_forward = 1'.
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# iptables-save >/etc/sysconfig/iptables
#
# When /etc/init.d/iptables executes it will see the file and restore the
# saved rules.
#
# Since /etc/sysctl.conf will only be read at boot, you can uncomment the
# following line to enable forwarding on the fly. Just remember that the
# saved iptables data won't include the command.
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Set an absolute path to IPTABLES and define the interfaces
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
IPTABLES="/sbin/iptables"
OUTSIDE=ppp0
INSIDE=eth0
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as not to swamp the
# firewall in a DOS scenario.
#
# silent     - Just drop it on the floor, used for internal traffic
# tcpflags   - Log packets with bad TCP flags, most likely an attack
# firewalled - Log packets that we refuse, possibly from an attack
#
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP
#
# Use MASQUERADE to do the NPAT if you have a dynamic IP. Otherwise comment
# out the following line and use the Source NAT below.
#
#$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 111.222.333.444
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.1.0.1 (internal web server)
# The second forwards SSH to 10.1.0.1
# The third forwards a block of tcp and udp ports (2300-2400) to 10.1.0.1
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.51
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.1.0.1
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.1.0.1
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.1.0.1
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break. Uncomment the following line
# if the inside machines are trustworthy and there are services on the firewall,
# like DNS, web, DHCP etc., that they need to access.
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -d 192.168.0.1 -j ACCEPT
#
# Uncomment the following two lines if you are running a DHCP server on the
# firewall.
#
$IPTABLES -A INPUT -i $INSIDE -d 192.168.0.255 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Silently drop any SMB traffic. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux, so block that windows trash.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#
# If you want to be able to connect via SSH from the Internet
# to the firewall uncomment the next line.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Allow inbound SMTP and IMAP connections to the firewall system.
# Very useful if your firewall is also your mail server.
#
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 143 -j ACCEPT
#
# Examples of allowing inbound for the port forwarding examples above.
#
$IPTABLES -A INPUT -i $INSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 23 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPTABLES -A INPUT -j firewalled

What else should I try to make the Win2K Web server work?
LVL 40

Accepted Solution

by:
jlevie earned 100 total points
ID: 7130101
The ruleset looks okay except for this line:

$IPTABLES -A INPUT -i $INSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT

I think that's going to confuse the firewall since all port 80 traffic is to be forwarded to 192.168.0.51 by a previous rule. Remember that when you port forward something there can only be one target for data to that port. You can have as many web servers as you like on hosts inside of the firewall, but with only one outside IP only one of them can be reached from the outside.

Since I don't otherwise see anything wrong with the ruleset I'd say that there may be a problem with the config of the w2k box. Check to be sure that its default gateway points to the inside interface of the firewall (apparently 192.168.0.1).
Author Comment

by:carrado94
ID: 7133178
Thanks to all!  I knew what happened.  My ISP blocked the port 80!  FTP is working fine and http works if using any other port.
LVL 40

Expert Comment

by:jlevie
ID: 7133242
That certainly explains the problem. Not much you can do about that except to run your web server on some other port.
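The accepted solution above makes the point that one outside port can be forwarded to only one inside target, and the reply just above suggests running the web server on another port when the ISP blocks 80. The script below is an added example, not jlevie's ruleset and not code from the thread, that puts both points into a small helper. It assumes the thread's layout (ppp0 outside, eth0 inside, the Win2K server at 192.168.0.51) and a constructed outside port 8080, and it uses the `--to-destination ip:port` form of DNAT so the outside and inside ports can differ. It goes one step beyond the posted script, which leaves the FORWARD policy at ACCEPT, by adding the explicit FORWARD rules a forwarded connection needs when that policy is DROP.

```shell
#!/bin/sh
# Added example (not the ruleset posted in the thread): publish one inside web
# server through a NATting Linux firewall with iptables. Addressing follows the
# thread: ppp0 outside, eth0 inside, web server at 192.168.0.51.
# Assumptions: outside port 8080 is a constructed value (the ISP in the thread
# blocks inbound 80); FORWARD rules are explicit so this also works with a
# FORWARD policy of DROP. Set IPTABLES=echo to print rules instead of applying.

IPTABLES="${IPTABLES:-/sbin/iptables}"
OUTSIDE="${OUTSIDE:-ppp0}"
INSIDE="${INSIDE:-eth0}"
PUBLISHED=""   # outside ports already claimed by a DNAT rule

# allow_replies: let reply packets of forwarded connections back through the
# router. Add once, before any publish_tcp call.
allow_replies() {
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# publish_tcp OUTSIDE_PORT INSIDE_IP INSIDE_PORT
# One outside port can be forwarded to exactly one inside target, so a second
# call for the same outside port is refused (exit status 1) instead of adding
# a DNAT rule that could never match.
publish_tcp() {
    out_port=$1; in_ip=$2; in_port=$3
    case " $PUBLISHED " in
        *" $out_port "*)
            echo "outside port $out_port is already forwarded (one target per port)" >&2
            return 1 ;;
    esac
    PUBLISHED="$PUBLISHED $out_port"
    # PREROUTING runs before the routing decision: rewrite the destination of
    # packets arriving on the outside interface for this port. The rewritten
    # packet is then routed to the inside network and traverses FORWARD.
    $IPTABLES -t nat -A PREROUTING -i "$OUTSIDE" -p tcp --dport "$out_port" \
        -j DNAT --to-destination "$in_ip:$in_port"
    # FORWARD sees the post-DNAT addresses, so match the inside IP and port.
    $IPTABLES -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -p tcp -d "$in_ip" \
        --dport "$in_port" -m state --state NEW -j ACCEPT
}

# dry_run_rules OUTSIDE_PORT INSIDE_IP INSIDE_PORT: print, never apply, the
# rules publish_tcp would add. Runs in a subshell so PUBLISHED is untouched.
dry_run_rules() {
    ( IPTABLES=echo; publish_tcp "$1" "$2" "$3" )
}

# Apply only when asked explicitly ("sh publish.sh apply"); needs root and the
# kernel forwarding switch from the thread, net.ipv4.ip_forward = 1.
if [ "${1:-}" = "apply" ]; then
    allow_replies
    publish_tcp 8080 192.168.0.51 80
fi
```

Because the DNATted connection is routed onward and traverses FORWARD rather than INPUT, an INPUT rule for the outside port only matters for services running on the firewall box itself; the `dry_run_rules` function lets you inspect the two rules a forwarded port produces before touching a live kernel.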
Expert Comment

by:rophilli
ID: 7795137
Why is there no way to access an internal webserver having an external IP port forwarded to it by surfing to the external IP from an internal machine?

It seems like if you were at an internal machine and went to the external address your data would flow from the internal machine, to the router, accepted by iptables, then routed to the other internal machine hosting the website.

What if you were also running a DNS server that had the address of www.yourwebsite.com so that it was available to the outside world?
LVL 40

Expert Comment

by:jlevie
ID: 7796017
rophilli,

Trying to do that is a mess and you really don't want to. The solution is to have a DNS that only the inside clients use that defines the A record as having an inside IP. You can still run another DNS that is only used by the outside world that defines the A record with an Internet routable IP. With Bind 9.x you can do this with a single DNS server using ACLs and two views. It is usually referred to as split DNS.
