LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Old 08-08-2004, 09:47 PM   #1
puding
LQ Newbie
web server,dmz,iptables


I need to set up a server farm behind a firewall using the DMZ concept. Currently I'm working on setting up a web server using Windows Server 2003.

There are three NICs in the proxy server, which are:

201.139.100.90 = eth0 = ExternalAddress
192.168.1.251 = eth1 = InternalAddress
201.139.31.250 = eth2 = DMZ (I got a block of static IPs from our ISP for the server farm purpose)

All this network information I wrote like this:

EXTERNALIF="eth0"
EXTERNALADDR="201.139.100.90"
EXTERNALBCAST="201.139.100.255"

INTERNALIF="eth1 \ eth2"
INTERNALADDR="192.168.1.251 \ 201.139.31.250"
INTERNALNET="192.168.1.0/24 \ 201.139.31.0/24"
INTERNALBCAST="192.168.1.255 \ 201.139.31.255"

# And for the port forwarding option, I put this code to open port 80 to the HTTP service behind the firewall:

$IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 80
$IPTABLES -t nat -A PREROUTING -i $EXTERNALIF -p tcp --dport 80 -j DNAT --to 201.139.31.2:80

But unfortunately, the web service is not successful unless accessed from the same VLAN.

What more should I do? What do I need to do with the default policies? Do I need to enable -t nat -P PREROUTING, POSTROUTING and OUTPUT?

As I'm very poor in Linux, can anyone help me with this?

Thanks in advance.
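An added example for the situation in the post above (this is not code from the thread): a DMZ that carries a publicly routed block needs no DNAT at all, because the firewall is simply the router for 201.139.31.0/24. The rules below assume the poster's interfaces and addresses, a web server at 201.139.31.1, and that the ISP routes the block to 201.139.100.90; the dry-run switch (IPT=echo) and the ip_forward check are conveniences added here.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal rule set for a DMZ that
# carries a publicly routed block (the original poster's 201.139.31.0/24 on eth2).
# Assumptions: the ISP routes 201.139.31.0/24 to 201.139.100.90 (if it does
# not, the block is not reachable whatever iptables says), the web server is
# 201.139.31.1, and ip_forward is enabled. Because the block is routed rather
# than translated, no DNAT is needed: the firewall only has to forward it.
# Run with "apply" to load the rules, or with IPT=echo to print them instead.

IPT="${IPT:-iptables}"
WAN_IF=eth0
LAN_IF=eth1
DMZ_IF=eth2
WAN_IP=201.139.100.90
LAN_NET=192.168.1.0/24
DMZ_NET=201.139.31.0/24
WEB_IP=201.139.31.1

dmz_forward_rules() {
    # Default deny; every rule below is a deliberate exception.
    $IPT -P FORWARD DROP
    # A packet with a DMZ source address is only genuine if it arrived on eth2.
    $IPT -A FORWARD ! -i "$DMZ_IF" -s "$DMZ_NET" -j DROP
    # Return traffic for connections that were allowed when they started.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internet -> DMZ: only new TCP/80 to the web server, pinned to eth0 -> eth2.
    # Matching on -d stops the rule from admitting port 80 to the whole block.
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$WEB_IP" --dport 80 \
         -m state --state NEW -j ACCEPT
    # DMZ -> Internet (updates, DNS); DMZ -> LAN is left to the DROP policy.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -j ACCEPT
    # LAN -> DMZ and LAN -> Internet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Only the private LAN needs source NAT; the DMZ block is routable as it is.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

# "Works only from the same VLAN" is exactly what a routing firewall with
# forwarding switched off looks like. PROC_FWD is overridable for testing.
forwarding_enabled() {
    [ "$(cat "${PROC_FWD:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

case "${1:-}" in
    apply)
        forwarding_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
        dmz_forward_rules ;;
    show)
        IPT=echo
        dmz_forward_rules ;;
esac
```

Two checks before blaming the rules: /proc/sys/net/ipv4/ip_forward must read 1, and a tcpdump on eth2 should show the request arriving at all. If the ISP does not route the 201.139.31.0/24 block to the eth0 address but expects it on the same link as eth0, the firewall would additionally need proxy ARP for that block; no iptables rule can substitute for that.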
 
Old 08-09-2004, 09:51 AM   #2
maxut
Senior Member
www.iptables-script.dk
 
Old 08-09-2004, 10:25 AM   #3
arno
Member
You need to do the following:

Read the information on the site referred to by MAXUP.

Add an alias to eth0 with the address 201.139.31.250.
Add IP address 10.0.0.1 to your DMZ eth2.
Give the MS web server the address 10.0.0.2.

Start building the script at that site,

and this would be the result:

#!/bin/sh

# iptables script generator: V0.1-2002
# Comes with no warranty!
# e-mail: michael@1go.dk

# Disable forwarding while the rules are being rebuilt
echo 0 > /proc/sys/net/ipv4/ip_forward

LAN_IP_NET='10.0.0.0/8'
LAN_NIC='eth2'      # the interface carrying 10.0.0.0/8 (eth2 in the set-up above)
WAN_IP='201.139.100.90'
WAN_NIC='eth0'
FORWARD_IP='10.0.0.2'

# load some modules (if needed)

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# enable Masquerade and forwarding
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open port 80 to the web server on the 10.0.0.0/8 segment
# (only for traffic arriving on the WAN interface, and only to the DNATed host)
iptables -t nat -A PREROUTING -i $WAN_NIC -p tcp --dport 80 -j DNAT --to-destination $FORWARD_IP:80
iptables -A FORWARD -i $WAN_NIC -p tcp -d $FORWARD_IP --dport 80 -j ACCEPT

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
 
Old 08-09-2004, 10:35 AM   #4
maxut
Senior Member
HEY my nick is maxut, NOT MAXUP
 
Old 08-10-2004, 12:25 AM   #5
puding
LQ Newbie
But I don't think I can easily change the IP configuration, because it was given by the network administrator from central.

They gave me 201.139.31.250 for the DMZ_ip (eth2), and I gave the MS web server the address 201.139.31.2.

eth0 = Wan_ip = 201.139.100.90
eth1 = Lan_ip = 192.168.1.251
eth2 = DMZ_ip = 201.139.31.250 (our department received a block of IPs, 201.139.31.0 to 255, from our ISP, which will be used for our server farm; for example, web server = 201.139.31.1, DNS server = 201.139.31.2, mail server = 201.139.31.3)

I don't think that I can change the DMZ IP to be added as an alias to eth0. The difference that I can see is that my DMZ_ip and Lan_ip are not in the same network segment, unlike many examples of iptables rules, including the IP configuration that arno suggested.

----- errmm... what I am afraid of is that I can't explain my problem clearly, but I do hope it will -----

Thanks
 
Old 08-10-2004, 08:47 AM   #6
maxut
Senior Member
You'd better visit www.netfilter.org and read the howtos and docs of iptables, so you will understand how you can do that.
 
Old 08-10-2004, 10:54 AM   #7
arno
Member
I have adapted a standard script.
You will see that your xxx.xxx.31 address range will be available to the internet, but internally you will have to use 192.168.31.

PS: never publish your IP address on the net.
Does your ISP route the xxx.xxx.31.x range to xxx.xxx.100.90?

#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#

###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.

#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
# STATIC_IP is used by me to allow myself to do anything to myself, might
# be a security risk but sometimes I want this. If you don't have a static
# IP, I suggest not using this option at all for now but it's still
# enabled per default and will add some really nifty security bugs for all
# those who skip reading the documentation=)

INET_IP="xxx.xxx.100.90"
INET_IFACE="eth0"


LAN_IP="192.168.1.251"
LAN_BCAST_ADRESS="192.168.1.255"
LAN_IFACE="eth1"


NAT_HTTP_IP="xxx.xxx.31.1"
NAT_DNS_IP="xxx.xxx.31.2"
NAT_SMTP_IP="xxx.xxx.31.3"
NAT_IP="xxx.xxx.31.251"
DMZ_HTTP_IP="192.168.31.1"
DMZ_DNS_IP="192.168.31.2"
DMZ_SMTP_IP="192.168.31.3"
DMZ_IP="192.168.31.251"
DMZ_IFACE="eth2"

LO_IP="127.0.0.1"
LO_IFACE="lo"

# "General SNAT" example (defined for reference only; not used by the rules below)
MAP_FROM="192.168.31.0/255.255.255.0"
MAP_TO="xxx.xxx.31.0-xxx.xxx.31.255"

IPTABLES="/usr/local/sbin/iptables"

###########################################
#
# Load all required IPTables modules
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#

/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE

#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc


#CRITICAL: Enable IP forwarding since it is disabled by default.
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################
#
# Chain Policies gets set up before any bad packets gets through
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# the allowed chain for TCP connections, utilized in the FORWARD chain
#

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules, utilized in the FORWARD chain
#


$IPTABLES -N icmp_packets

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#

$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# Do some checks for obviously spoofed IP's
#

$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
###########################################
# POSTROUTING chain in the nat table
#
# Enable IP SNAT for all internal networks trying to get out on the Internet
#
# The per-server rules must come before the general rule: POSTROUTING stops
# at the first match, so with the general rule first every DMZ host would
# leave as $INET_IP instead of its own public address.
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $DMZ_HTTP_IP -j SNAT --to-source $NAT_HTTP_IP
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $DMZ_DNS_IP -j SNAT --to-source $NAT_DNS_IP
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $DMZ_SMTP_IP -j SNAT --to-source $NAT_SMTP_IP
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $DMZ_IP -j SNAT --to-source $NAT_IP

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

###########################################
# PREROUTING chain in the nat table
#
# Enable IP Destination NAT for DMZ zone
#

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $NAT_HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $NAT_DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $NAT_DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $NAT_SMTP_IP --dport 25 \
-j DNAT --to-destination $DMZ_SMTP_IP

###########################################
#
# FORWARD chain
#
#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


#
# DMZ section
#
# General rules
#

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT

#
# HTTP server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets

#
# DNS server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets

#
# LAN section
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# LOG all packets reaching here
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "


###########################################################
#
# Firewall rules
# Rules applying to the firewall box
#
#
# INPUT chain
#
# Bad TCP packets we don't want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

# From DMZ Interface to DMZ firewall IP
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

# From LAN Interface to LAN firewall IP
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

# From Localhost interface to Localhost IP
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $DMZ_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

# All established and related packets incoming from the internet to the
# firewall
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# Logging rule
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

###########################################################
#
# OUTPUT chain
#
#
# Bad TCP packets we don't want
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Allow ourself to send packets not spoofed everywhere
#

$IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
# Without this the firewall's own replies to DMZ hosts (the INPUT chain
# accepts DMZ -> $DMZ_IP above) would die in the OUTPUT DROP policy.
$IPTABLES -A OUTPUT -p ALL -o $DMZ_IFACE -s $DMZ_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT

#
# Logging rule
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
 
Old 08-10-2004, 02:48 PM   #8
arno
Member
sorry all the $iptables should be $IPTABLES
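An added example, not from the thread and not part of Oskar Andreasson's script: the private-DMZ design of the adapted script above keeps one SNAT/DNAT pair per server, and its MAP_FROM/MAP_TO variables hint at mapping the whole block but are never used. The NETMAP target does exactly that mapping in two rules, host part preserved. Addresses here are assumptions that follow the thread (public 201.139.31.0/24 in place of arno's xxx.xxx.31.x, private 192.168.31.0/24, the ISP routing the public block to 201.139.100.90); the dry-run switch and the ordering check are additions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread nor from Oskar Andreasson's script:
# the same private-DMZ design as arno's second script, but with the whole
# public block mapped 1:1 onto the private one by the NETMAP target, in place
# of one SNAT/DNAT pair per server. Addresses are assumptions that follow the
# thread: public 201.139.31.0/24 (arno's xxx.xxx.31.x), private 192.168.31.0/24,
# host parts unchanged (201.139.31.1 <-> 192.168.31.1 and so on), and the ISP
# routing the public block to 201.139.100.90. NETMAP needs kernel support
# (check with: iptables -j NETMAP -h). Run with IPT=echo to print the rules.

IPT="${IPT:-iptables}"
INET_IFACE=eth0
DMZ_IFACE=eth2
INET_IP=201.139.100.90
PUBLIC_NET=201.139.31.0/24   # what the Internet sees
DMZ_NET=192.168.31.0/24      # what the servers are configured with

nat_rules() {
    # Inbound: 201.139.31.X -> 192.168.31.X before routing, host part kept.
    $IPT -t nat -A PREROUTING -i "$INET_IFACE" -d "$PUBLIC_NET" \
         -j NETMAP --to "$DMZ_NET"
    # Outbound: 192.168.31.X -> 201.139.31.X, so each server answers and
    # originates from its own public address. This must precede the catch-all
    # SNAT: POSTROUTING stops at the first match, and a generic SNAT placed first
    # would hide the DMZ servers behind the firewall address too.
    $IPT -t nat -A POSTROUTING -o "$INET_IFACE" -s "$DMZ_NET" \
         -j NETMAP --to "$PUBLIC_NET"
    # Everything else leaving eth0 (the 192.168.1.0/24 LAN) is hidden behind INET_IP.
    $IPT -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
}

forward_rules() {
    # FORWARD runs after PREROUTING, so it sees the private (post-NETMAP) address.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INET_IFACE" -o "$DMZ_IFACE" -p tcp -d 192.168.31.1 \
         --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INET_IFACE" -o "$DMZ_IFACE" -p udp -d 192.168.31.2 \
         --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$INET_IFACE" -o "$DMZ_IFACE" -p tcp -d 192.168.31.2 \
         --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INET_IFACE" -o "$DMZ_IFACE" -p tcp -d 192.168.31.3 \
         --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IFACE" -o "$INET_IFACE" -s "$DMZ_NET" -j ACCEPT
}

# Dry-run check that the NETMAP source rule lands before the catch-all SNAT
# in POSTROUTING; returns non-zero if the order is wrong. No root needed.
postrouting_order_ok() {
    out=$(IPT=echo; nat_rules)
    netmap=$(printf '%s\n' "$out" | grep -n POSTROUTING | grep NETMAP | cut -d: -f1)
    generic=$(printf '%s\n' "$out" | grep -n POSTROUTING | grep 'SNAT' | cut -d: -f1)
    [ -n "$netmap" ] && [ -n "$generic" ] && [ "$netmap" -lt "$generic" ]
}

case "${1:-}" in
    apply) postrouting_order_ok && nat_rules && forward_rules ;;
    show)  IPT=echo; nat_rules; forward_rules ;;
esac
```

The two NETMAP rules replace the four per-host SNAT rules and the four DNAT rules of the script above, and new servers need no new NAT rules, only a FORWARD rule for the ports they serve. The firewall's own DMZ address (.251) is mapped along with the rest, which matches the NAT_IP/DMZ_IP pair in the script.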
 