LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-14-2006, 08:35 AM   #1
dales79
LQ Newbie
 
Registered: Jan 2006
Posts: 11

Rep: Reputation: 0
Iptables Firewall Config - http and https


Hi

I have to do the following on a LINUX firewall using iptables:

"Provide access through the firewall to the webserver from address on the internal network using http and https. I then need to block access through the firewall from all other sources and to all other ports."

Having investigated this, I am somewhat confused as to how to configure the firewall to do this. I have found two options, but am not sure which it is:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -j LOG
iptables -A FORWARD -j DROP

OR it is this:

iptables -A INPUT -i $ETHERNET -p tcp -d $MYIP --dport 80 -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP --sport 80 ! --syn -j ACCEPT

iptables -A INPUT -i $ETHERNET -p tcp -d $MYIP --dport 22 -s $MYNET -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP --sport 22 -d $MYNET ! --syn -j ACCEPT

Can someone help me? I am new to this and am confused about what the difference is - but I only want to enable internal traffic, not external.

I look forward to some replies

Dales79
 
Old 01-14-2006, 09:21 AM   #2
Sir_Limpalot
LQ Newbie
 
Registered: Jan 2006
Location: Norway
Distribution: Debian
Posts: 18

Rep: Reputation: 0
You need to set up the firewall so that users on the inside can reach a specific web-server on the outside?
Or are you trying to just allow your users to browse the web from the inside?
If you're trying to allow web-browsing from the inside just set up

iptables -A FORWARD -i eth<X> -s <internal netrange> -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth<X> -s <internal netrange> -p tcp --dport 443 -j ACCEPT

where <X> is the network interface pointing to your LAN and <internal netrange> is the network range of your LAN, for example 192.168.0.0/24

That takes care of the connections from the inside to web-servers on the outside; you also need

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This is to allow the answers from the web-servers on the outside back in to the client requesting it.

Hope this helps
 
Old 01-14-2006, 09:41 AM   #3
dales79
LQ Newbie
 
Registered: Jan 2006
Posts: 11

Original Poster
Rep: Reputation: 0
Sorry if my post wasn't clear.

The first thing I have to do is provide access through the firewall to a web-server (located on internal network) from addresses on internal network using http and https. Access should be blocked through firewall from all other sources and to all other ports.

The second thing I have to do (which I didn't mention) is to allow one machine (on internal network) to access web-servers on the internet through the firewall.

Does that make sense?

Thanks
 
Old 01-14-2006, 06:24 PM   #4
Sir_Limpalot
LQ Newbie
 
Registered: Jan 2006
Location: Norway
Distribution: Debian
Posts: 18

Rep: Reputation: 0
Just to clarify further:
Is the web-server in question inside the firewall in question or are we talking about the firewall on that web-server?
Are the web-server and the firewall the same machine?
If the web-server is inside the firewall the clients on the same net should be able to connect to it...
To answer the last question about allowing one client inside to reach http/https on the outside:

#Open for http-requests from one ip on the inside
iptables -A FORWARD -i <internal interface> -p tcp -m tcp --dport 80 -s <ip of client to allow> -j ACCEPT
#Open for https-requests from one ip on the inside
iptables -A FORWARD -i <internal interface> -p tcp -m tcp --dport 443 -s <ip of client to allow> -j ACCEPT
#Open for the replies to those requests
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Did that help at all?
Still not sure I understand what you need; if you could give me the layout of the firewall/server/inside I should be able to help more...
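The two snippets in the opening post do different jobs: INPUT and OUTPUT filter traffic addressed to or sent by the firewall host itself, while FORWARD filters traffic routed through it, which is what both requirements in this thread are about. The script below is an added example (not code from anyone in the thread) that puts the FORWARD rules from posts #2 and #4 together with the "block everything else" requirement from post #3 into one iptables-restore ruleset. It assumes the web server sits on its own segment behind the firewall (otherwise LAN-to-web-server traffic never crosses the firewall, as post #4 points out); the interface names eth0/eth1/eth2, the web server address 10.0.1.10 and the browsing client 192.168.0.20 are constructed placeholders, and 192.168.0.0/24 is the example range from post #2.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an iptables-restore ruleset for
# the layout described in the thread, with the web server assumed to sit on its
# own segment (DMZ) behind the firewall so LAN->web traffic traverses FORWARD.
# All interface names and addresses below are constructed placeholders.

LAN_IF="${LAN_IF:-eth1}"                          # assumed: interface towards the internal LAN
DMZ_IF="${DMZ_IF:-eth2}"                          # assumed: interface towards the web server segment
WAN_IF="${WAN_IF:-eth0}"                          # assumed: interface towards the internet
LAN_NET="${LAN_NET:-192.168.0.0/24}"              # internal range (value used in post #2)
WEB_SERVER="${WEB_SERVER:-10.0.1.10}"             # constructed: web server address on the DMZ
BROWSER_CLIENT="${BROWSER_CLIENT:-192.168.0.20}"  # constructed: the one LAN host allowed out

# Emit the whole ruleset in iptables-save format. A DROP policy on every chain
# implements "block all other sources and all other ports" without a trailing
# catch-all rule that could be appended after by mistake.
build_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Traffic to/from the firewall host itself (INPUT/OUTPUT): loopback, replies,
# and SSH administration from the LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Traffic routed through the firewall (FORWARD). Replies to connections that
# were allowed below come first (the ESTABLISHED,RELATED rule from post #2),
# then packets conntrack cannot classify are dropped.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Requirement 1: any LAN host may reach the web server on http and https only.
-A FORWARD -i ${LAN_IF} -o ${DMZ_IF} -s ${LAN_NET} -d ${WEB_SERVER} -p tcp --dport 80 -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${DMZ_IF} -s ${LAN_NET} -d ${WEB_SERVER} -p tcp --dport 443 -j ACCEPT
# Requirement 2: exactly one LAN host may reach web servers on the internet.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${BROWSER_CLIENT} -p tcp --dport 80 -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${BROWSER_CLIENT} -p tcp --dport 443 -j ACCEPT
# Anything else is logged (rate limited) and then falls to the DROP policy.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Assumed: the LAN uses private addresses, so the browsing client's traffic
# has to be masqueraded behind the firewall's external address.
-A POSTROUTING -o ${WAN_IF} -s ${BROWSER_CLIENT} -j MASQUERADE
COMMIT
EOF
}

# Count ACCEPT rules in FORWARD for one destination port. Handy as a sanity
# check that only 80 and 443 are open through the firewall.
forward_accepts_for_port() {
    build_ruleset | grep -c -e "^-A FORWARD .* --dport $1 -j ACCEPT" || true
}

# Parse-check the ruleset, then load it atomically (iptables-restore swaps the
# tables in one step, so there is no window with a half-built chain). Needs
# root; run "build_ruleset" on its own to just review the text.
apply_ruleset() {
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}
```

Using `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the thread; the two are interchangeable on any kernel that still accepts both.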
 
Old 01-15-2006, 02:35 PM   #5
dales79
LQ Newbie
 
Registered: Jan 2006
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks, that does. I think I can poss sort the rest out myself.

Cheers
 
  

