Solved

Redhat+Firewall+Apache+DNS

Posted on 2003-02-24
Medium Priority
712 Views
Last Modified: 2010-04-22
Is it possible to operate an iptables firewall with apache, bind and an email server on the same RH7.2 box?

My Setup:
I'm running a small network at home for web development. The RH7.2 box connects my 2 XP boxes to the outside via a cable modem on eth0 (internal on eth1). My external IP is fairly static (may change once or twice a year).

The RH box is running a bind dns server, apache web server and qmail email server which I need to keep working normally.

I have tried the example posted by jlevie on 08/12/2002 01:34PM PST in response to RedHat Firewall Help. It worked well except I couldn't access websites hosted on the RH box or access the email server. I did try forwarding port 80 etc to the internal IP for the RH box but no luck.

Would really appreciate any tips on where I'm going wrong. I'm new to this system so I'll put 200 points on it, if that should be more please let me know.

Thanks in advance.
Question by:bangelo
23 Comments
 
LVL 9

Accepted Solution

by:
majorwoo earned 800 total points
ID: 8012870

http://majorwoo.dynup.net:1024/pub/rc.firewall

is the script I use for my firewall, and I run a redhat machine with an iptables firewall running DNS, httpd, ssh and a few other goodies.

In the file (which is very well commented) you will see something like this:

# sshd - Enable the following lines if you run an sshd server
#
echo -e "      - Allowing EXTERNAL access to the sshd server"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT

For each service (program) you want to be reached from the outside, copy this section and change the port number; this one allows sshd through.

The script as is will allow http and ssh in, and nothing else. DHCP and DNS are allowed on the internal eth device (I also have a cable modem on my machine and other machines behind it, so MASQ support is included).

The only thing you will have to change is the IPs for your internal network, as you may not use 192.168.2.X, and add a section for the email by opening port 25 (just copy/paste the above part I showed).

There is no reason to forward port 80 anywhere (as apache is running on the machine doing the firewalling), but should you want to in the future there is a commented-out part about forwarding port 4000 to the internal machine 192.168.2.2 (I use this for Diablo games).
 

Author Comment

by:bangelo
ID: 8013635
Thanks majorwoo; still browsing the script. Is it required to run the www server on 1024, or can it still run on 80?
 
LVL 9

Expert Comment

by:majorwoo
ID: 8013919
Oh no, sorry -> port 8- is fine.

I just have Roadrunner, who blocks port 80, so I had to move it.

(good eye though!)

 
LVL 9

Expert Comment

by:majorwoo
ID: 8013927
80... you know what I meant ;-)
 

Author Comment

by:bangelo
ID: 8014135
I am having some trouble loading the script, it gets to the section "Clearing any existing rules and setting default policy to DROP.." and hangs. At the same time it appears to knock out my ssh connection (although ssh is still running on the box).

Any ideas?
 
LVL 9

Expert Comment

by:majorwoo
ID: 8014153
Yeah - if you are ssh'd to the box when it sets the default policy to drop, it will terminate everything until the script finishes (which it will hang doing) unless you are on an internal connection. If you are coming in over the external IP you will need to connect locally or from an internal machine.
 

Author Comment

by:bangelo
ID: 8014526
Have got it up and running now, just some small problems. I can't connect via ssh or ftp (from the local network) using the local eth1 IP address, but can if I use the external eth0 IP address.

Also, do I need to add an extra rule for port 53 so my DNS functions correctly?

Thank you for all your help.
 
LVL 9

Expert Comment

by:majorwoo
ID: 8014547
When you say you can't connect, you mean ssh to the eth1 address (192.168.2.1 or whatever) fails but the external address works?

What error do you get?

Is your DNS server to be accessible from the internet? If so:

# DNS - Enable the following lines if you run a DNS server
#
echo -e "      - Allowing EXTERNAL access to the DNS server"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $EXTIP --dport 53 -j ACCEPT

But from the internal network, nothing is being blocked (unless you changed it).
 

Author Comment

by:bangelo
ID: 8014698
Yes... My SecureCRT client just times out, and the error I get from my ftp client is:
STATUS:>  Connecting to ftp server 10.0.0.1:21 (ip = 10.0.0.1)...
ERROR:>   Can't connect to remote server. Socket error = #10060.

The script still contains this rule.

# local interface, local machines, going anywhere is valid
#                                          
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

INTNET="10.0.0.0/24"
INTIP="10.0.0.1"
 

Author Comment

by:bangelo
ID: 8014709
majorwoo's help has been perfect, and easy to understand and follow.
Thanks
 
LVL 9

Expert Comment

by:majorwoo
ID: 8016620
Did you set the INTIF correctly above that in the script?

That error is not what I would expect from the firewall blocking it; you should get a timeout (as this firewall is a "stealth" firewall, if you try to do something you shouldn't it ignores you as opposed to saying no, which proves that your machine is there - try this out sometime to see what I mean)

https://grc.com/x/ne.dll?bh0bkyd2

 

Author Comment

by:bangelo
ID: 8017638
The logs are telling me that it cannot reverse map my local IP address. Other than that everything is perfect; I can still use everything as long as I specify the RH's real IP (in the ssh & ftp clients).
 
LVL 9

Expert Comment

by:majorwoo
ID: 8018268
Can you paste the entire line?

There are a few things that could be happening; I want to look into it before I send you on a bunch of bogus explorations ;-)
 

Author Comment

by:bangelo
ID: 8021394
Ignore that error message; here are the last few lines of /var/log/messages. Is there some way to log iptables in its own log file?


Feb 26 09:42:33 www kernel: DROPITIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:7d:61:80:54:08:00 SRC=10.224.16.1 DST=255.255.255.255 LEN=372 TOS=0x00 PREC=0x00 TTL=255 ID=12920 PROTO=UDP SPT=67 DPT=68 LEN=352

Feb 26 09:42:55 www kernel: DROPITIN= OUT=eth1 SRC=10.0.0.1 DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=4191 WINDOW=5840 RES=0x00 ACK SYN URGP=0

Feb 26 09:42:56 www kernel: DROPITIN= OUT=eth1 SRC=10.0.0.1 DST=10.0.0.2 LEN=188 TOS=0x00 PREC=0xC0 TTL=255 ID=54145 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.0.0.2 DST=10.0.0.1 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=42029 PROTO=UDP SPT=1036 DPT=1900 LEN=140 ]

Feb 26 09:42:56 www kernel: DROPITIN= OUT=eth1 SRC=10.0.0.1 DST=10.0.0.2 LEN=189 TOS=0x00 PREC=0xC0 TTL=255 ID=54146 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.0.0.2 DST=10.0.0.1 LEN=161 TOS=0x00 PREC=0x00 TTL=128 ID=42030 PROTO=UDP SPT=1036 DPT=1900 LEN=141 ]

Feb 26 09:42:56 www kernel: DROPITIN= OUT=eth1 SRC=10.0.0.1 DST=10.0.0.2 LEN=188 TOS=0x00 PREC=0xC0 TTL=255 ID=54147 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.0.0.2 DST=10.0.0.1 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=42034 PROTO=UDP SPT=1036 DPT=1900 LEN=140 ]

Feb 26 09:42:56 www kernel: DROPITIN= OUT=eth1 SRC=10.0.0.1 DST=10.0.0.2 LEN=189 TOS=0x00 PREC=0xC0 TTL=255 ID=54148 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.0.0.2 DST=10.0.0.1 LEN=161 TOS=0x00 PREC=0x00 TTL=128 ID=42035 PROTO=UDP SPT=1036 DPT=1900 LEN=141 ]

Feb 26 09:42:58 www kernel: DROPITIN= OUT=eth1 SRC=10.0.0.1 DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=4191 WINDOW=5840 RES=0x00 ACK SYN URGP=0

Feb 26 09:46:16 www kernel: DROPITIN= OUT=eth1 SRC=10.0.0.1 DST=10.0.0.2 LEN=189 TOS=0x00 PREC=0xC0 TTL=255 ID=54180 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.0.0.2 DST=10.0.0.1 LEN=161 TOS=0x00 PREC=0x00 TTL=128 ID=42820 PROTO=UDP SPT=1036 DPT=1900 LEN=141 ]

Feb 26 09:46:28 www kernel: DROPITIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:7d:61:80:54:08:00 SRC=10.224.16.1 DST=255.255.255.255 LEN=373 TOS=0x00 PREC=0x00 TTL=255 ID=13092 PROTO=UDP SPT=67 DPT=68 LEN=353

Feb 26 09:46:29 www kernel: DROPITIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:7d:61:80:54:08:00 SRC=10.224.16.1 DST=255.255.255.255 LEN=373 TOS=0x00 PREC=0x00 TTL=255 ID=13096 PROTO=UDP SPT=67 DPT=68 LEN=353
 
LVL 9

Expert Comment

by:majorwoo
ID: 8021415
I'm sorry, I meant the error when you try to connect from ssh

 

Author Comment

by:bangelo
ID: 8022187
Thanks for all your help majorwoo, I have it working fully now. I didn't do much except:

Change this:
#if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
#   /sbin/insmod ip_conntrack_irc
#fi

TO THIS:
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
   /sbin/insmod ip_conntrack_irc
fi

AND THIS:
$IPTABLES -P INPUT DROP  
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP  
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP  
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

TO THIS:
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F -t mangle

AND moved all "\" to be between "-m state" and "--state"

Not sure which made the difference, but it's working perfectly. Thank you.
 

Author Comment

by:bangelo
ID: 8022245
Is there a way to know when an attempted attack has happened on the firewall?
 
LVL 9

Expert Comment

by:majorwoo
ID: 8022419
TO THIS:
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
  /sbin/insmod ip_conntrack_irc
fi

OK, this inserted the ip_conntrack_irc module, a module used for tracking IRC chats (which you seem to use).

The \ is used to indicate
"this is too long for one line, but it needs to be all one line, so don't wrap it"

Whenever anyone makes a connection that the firewall logs (which could in theory allow you to be hacked through any port you have open, say port 22 with ssh -> if someone cracked the password they would technically get in and the firewall wouldn't know, because we set up ssh to be allowed through the firewall) -- but any other connection attempt will be logged similar to these:


Feb 26 09:46:29 www kernel: DROPITIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:7d:61:80:54:08:00 SRC=10.224.16.1 DST=255.255.255.255 LEN=373 TOS=0x00 PREC=0x00 TTL=255 ID=13096 PROTO=UDP SPT=67 DPT=68 LEN=353

which more or less explain themselves:
Feb 26 09:46:29 www kernel: # message from the kernel
DROPIT #identifier DROPIT (as we told the log to do)
IN=eth0 #came in eth0
OUT= #was not going out any interface
MAC=ff:ff:ff:ff:ff:ff:00:02:7d:61:80:54:08:00 #machine's MAC
SRC=10.224.16.1 #source IP of the connection
DST=255.255.255.255 #destination (this was a broadcast to anyone out there)
LEN=373 TOS=0x00 PREC=0x00 TTL=255 ID=13096 #some specific information that you have to understand more of to make sense of
PROTO=UDP #protocol used to send it
SPT=67 #port it came from
DPT=68 #port it was going to
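An added example (not from the thread or majorwoo's script) that turns the field-by-field reading above into a summary of a whole /var/log/messages: it splits off the fused DROPIT prefix, skips the bracketed original packet that ICMP error entries carry, and counts dropped packets per interface, protocol, source and destination port, so repeated probes at one port stand out from DHCP broadcast and UPnP noise. The sample consists of lines from the thread plus one constructed repeat.

```shell
#!/bin/sh
# Added example, not part of the thread. Summarise iptables LOG entries of the
# form seen above. The script's --log-prefix "DROPIT" has no trailing space,
# so it fuses with the IN= field; sed strips it before awk parses the fields.
# Reads syslog lines on stdin, prints "count direction proto src dpt",
# highest count first.
summarize_drops() {
    sed -n 's/.*kernel: DROPIT\(IN=.*\)/\1/p' | awk '
    {
        iface_in = ""; iface_out = ""; proto = ""; src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\[/) break          # embedded original packet in ICMP errors
            n = index($i, "=")
            if (n == 0) continue            # bare flags such as DF, ACK, SYN
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "IN") iface_in = v
            else if (k == "OUT") iface_out = v
            else if (k == "PROTO") proto = v
            else if (k == "SRC") src = v
            else if (k == "DPT") dpt = v
        }
        if (iface_in != "") dir = "in:" iface_in; else dir = "out:" iface_out
        if (dpt == "") dpt = "-"           # ICMP and IGMP (PROTO=2) carry no ports
        count[dir " " proto " " src " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Sample input: lines from the thread plus one constructed repeat (13:31:40).
SAMPLE='Feb 26 09:42:33 www kernel: DROPITIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:7d:61:80:54:08:00 SRC=10.224.16.1 DST=255.255.255.255 LEN=372 TOS=0x00 PREC=0x00 TTL=255 ID=12920 PROTO=UDP SPT=67 DPT=68 LEN=352
Feb 26 09:42:56 www kernel: DROPITIN= OUT=eth1 SRC=10.0.0.1 DST=10.0.0.2 LEN=188 TOS=0x00 PREC=0xC0 TTL=255 ID=54145 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.0.0.2 DST=10.0.0.1 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=42029 PROTO=UDP SPT=1036 DPT=1900 LEN=140 ]
Feb 26 13:31:19 www kernel: DROPITIN=eth0 OUT= MAC=00:02:e3:1f:1a:d4:00:02:7d:61:80:54:08:00 SRC=64.239.136.66 DST=203.45.234.145 LEN=66 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=48526 DPT=53 LEN=46
Feb 26 13:31:40 www kernel: DROPITIN=eth0 OUT= MAC=00:02:e3:1f:1a:d4:00:02:7d:61:80:54:08:00 SRC=64.239.136.66 DST=203.45.234.145 LEN=66 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=48527 DPT=53 LEN=46
Feb 27 16:23:43 www kernel: DROPITIN=eth0 OUT= MAC=01:00:5e:00:00:01:00:e0:0c:a0:8f:9b:08:00 SRC=61.9.209.103 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=60812 PROTO=2'

printf '%s\n' "$SAMPLE" | summarize_drops
```

The prefix fuses with IN= because the LOG target emits --log-prefix verbatim; giving it a trailing space ("DROPIT ") keeps the fields separate.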
 

Author Comment

by:bangelo
ID: 8022614
My remote slave dns server can't update from my master dns server (with the new firewall) even though I have the following rule in the firewall.

# DNS - Enable the following lines if you run a DNS server
echo -e "      - Allowing EXTERNAL access to the DNS server"
$IPTABLES -A INPUT -i $EXTIF -m state \
--state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 53 -j ACCEPT

Firewall Log:
Feb 26 13:31:19 www kernel: DROPITIN=eth0 OUT= MAC=00:02:e3:1f:1a:d4:00:02:7d:61:80:54:08:00 SRC=64.239.136.66 DST=203.45.234.145 LEN=66 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=48526 DPT=53 LEN=46

Slave Log:
Feb 25 19:23:45 www named[21148]: zone goldcoastjingles.com/IN: refresh: retry limit for master 203.45.234.145#53 exceeded
Feb 25 19:31:04 www named[21148]: zone goldcoastjingles.com/IN: refresh: failure trying master 203.45.234.145#53: timed out
Feb 25 19:31:49 www last message repeated 3 times
 
LVL 9

Expert Comment

by:majorwoo
ID: 8022891
What is your EXTIF defined as, eth0? And what IP is it connecting to?

Because that would only permit it if it came in from
EXTIF going to EXTIP.

Unless EXTIF=eth0 and EXTIP=203.45.234.145 it will get dropped; are we sure those are set?
 

Author Comment

by:bangelo
ID: 8022920
Here are the config details:

Loading STRONGER rc.firewall - version ..

  External Interface:  eth0
  Internal Interface:  eth1
  ---
  External IP: 203.45.234.145
  ---
  Internal Network: 10.0.0.0/24
  Internal IP:      10.0.0.1
  ---
 
LVL 9

Expert Comment

by:majorwoo
ID: 8023103
Firewall Log:
Feb 26 13:31:19 www kernel: DROPITIN=eth0 OUT= MAC=00:02:e3:1f:1a:d4:00:02:7d:61:80:54:08:00 SRC=64.239.136.66 DST=203.45.234.145 LEN=66 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=48526 DPT=53 LEN=46

I just noticed, this is UDP.
I have never set up a slave DNS server; does it use UDP to update from the primary?

# DNS - Enable the following lines if you run a DNS server
echo -e "      - Allowing EXTERNAL access to the DNS server"
$IPTABLES -A INPUT -i $EXTIF -m state \
--state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 53 -j ACCEPT

If so, you will have to add a copy of the above and change -p tcp to -p udp.
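An added example, not majorwoo's rc.firewall, that writes the "copy this section and change the port" pattern from the accepted answer as one function and applies it to the servers in the question, with DNS opened on both TCP and UDP as this comment suggests; reset_tables uses the flush-then-policy order bangelo settled on. The IPTABLES, EXTIF, EXTIP and UNIVERSE variables mirror the script's, the external IP is the one from the posted config details, and the script defaults to a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not majorwoo's rc.firewall: the thread's "copy this section
# and change the port number" pattern as one function, applied to the servers
# in the question. Defaults to a dry run (IPTABLES=echo prints the rules);
# set IPTABLES=/sbin/iptables to load them for real.
IPTABLES="${IPTABLES:-echo}"
EXTIF="${EXTIF:-eth0}"              # external interface, as in the config details
EXTIP="${EXTIP:-203.45.234.145}"    # external IP from the config details
UNIVERSE="0.0.0.0/0"

# allow_in PROTO PORT LABEL: accept new connections from anywhere on the
# external interface to one local service (stateful, like the script's rules).
allow_in() {
    proto="$1"; port="$2"; label="$3"
    echo "      - Allowing EXTERNAL access to the $label server ($proto/$port)"
    $IPTABLES -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED \
        -p "$proto" -s "$UNIVERSE" -d "$EXTIP" --dport "$port" -j ACCEPT
}

# reset_tables: flush the filter, nat and mangle tables first, then set the
# DROP policies (the order bangelo ended up with). Run it from the console or
# an internal machine: an ssh session over the external IP dies at the DROP
# policy, as happened in the thread.
reset_tables() {
    $IPTABLES -F
    $IPTABLES -F -t nat
    $IPTABLES -F -t mangle
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
}

# open_services: the servers named in the question. DNS gets a UDP rule as
# well as TCP; the slave's refresh queries in the log above arrived as UDP.
open_services() {
    allow_in tcp 22 sshd
    allow_in tcp 80 httpd
    allow_in tcp 25 qmail
    allow_in tcp 53 DNS
    allow_in udp 53 DNS
}

reset_tables
open_services
```

This is only the external-service section: it deliberately omits the loopback, internal-interface and MASQ rules the full script carries, so load it for real only together with those.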
 

Author Comment

by:bangelo
ID: 8031480
How can I allow my ISP's heartbeat through the firewall? I'm finding that my connection is being closed by the ISP because they're not receiving a response. They have told me that the heartbeat should be coming from 61.9.208.13 with an ext port of 5050 and an int port of 5055 UDP.

This is being logged every minute or so:
Feb 27 16:23:43 CPE-203-45-234-145 kernel: DROPITIN=eth0 OUT= MAC=01:00:5e:00:00:01:00:e0:0c:a0:8f:9b:08:00 SRC=61.9.209.103 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=60812 PROTO=2

This is being logged every 20 minutes:
Feb 27 15:59:21 CPE-203-45-234-145 kernel: DROPITIN=eth0 OUT= MAC=00:02:e3:1c:c4:a7:00:e0:0c:a0:8f:9b:08:00 SRC=61.9.208.13 DST=203.45.147.72 LEN=36 TOS=0x00 PREC=0x00 TTL=62 ID=43265 DF PROTO=UDP SPT=5051 DPT=32770 LEN=16

