OK so I have taken over an existing ipchains firewall ... and I want to move a webserver behind the firewall, so I need to write rules to allow :80 thru right? This is what I have.
/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $UNIVERSE www -d $SECUREHOST158
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST158 www -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE www -d $SECUREHOST158
/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $SECUREHOST158 www -d $UNIVERSE
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE www -d $SECUREHOST158
/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $SECUREHOST158 www -d $UNIVERSE
/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $UNIVERSE www -d $SECUREHOST158
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST158 www -d $UNIVERSE
/sbin/ipchains -A forward -j ACCEPT ! -y -i $INTIF -p tcp -s $SECUREHOST158 www -d $INTLAN
/sbin/ipchains -A forward -j ACCEPT ! -y -i $EXTIF -p tcp -s $SECUREHOST158 www -d $UNIVERSE
/sbin/ipchains -A forward -j ACCEPT -i $INTIF -p tcp -s $SECUREHOST158 www -d $INTLAN
/sbin/ipchains -A forward -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST158 www -d $UNIVERSE

$SECUREHOST158 is my webserver.
To me this should allow absolutley everthing thru, but I still get errors .. as follows:

Nov 8 15:41:59 firewall kernel: Packet log: input REJECT eth1 PROTO=6 {from ip}:4015 {webserver ip}:80 L=60 S=0x00 I=61044 F=0x4000 T=50 SYN (#137)

can anyone help ?? please
Paul
paulw@davinci.co.nz

So its not allowing to initiate a connection (SYN) from the outside. Try adding a rule -d $SECUREHOST158:80 -s $ANY $UNPRIVPORTS -j ACCEPT
, no TCP connection flags, and add logging to see if it sticks.
IIRC, ANY=0.0.0.0 and UNPRIVPORTS=1204:60000

Hi ,
There is some confusion i am unable to understand weather your webserver is on real ip address or on fake ip address as you say that u are running it behind the firewall then u just need a packet forwarder runing on your firewall u can use "ipmasqadm"
command to redirect all 80 traffic on your secure webserver machine it means your firewall machine listening on port 80 but there is no webserver runing there webserver will be running on separate secure machine your firewall just redirecting all connections comming on port 80 to your secure machine for this purpose u can use any tcp_redirector programme

Regards,

John Lee
thristydesert@hotmail.com

You'll need to do the following if your web server doesn't have a XPN address. i.e internet IP address.

Install the module for Port forwarding and tell your firewall to forward any inbound tcp connections to the external ip web address.

modprobe ip_masq_portfw
ipmasqadm portfw -a -P tcp -L firewalls_ip 80 -R webservers_internal_address 80
ipmasqadm portfw -a -P tcp -L firewalls_ip 443 -R webservers_internal_address 443

Then set your ipchains rules as follows.
ipchains -A input -p tcp -s 0/0 --sport 1023:65535 -d firewalls_ip_address --dport 80 -j ACCEPT
ipchains -A output -p tcp -s firewalls_ip_address --sport 80 -d 0/0 -j ACCEPT

This works well, but can be slow over high loads, so don't use it on anything higher then a E1 line.
If you can afford an E1 then route the packets with ip routing.
Obviously don't let anything on the firewall take port 80 like an Apache install, or it gets first choice.

/Raz