LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 04-06-2004, 02:45 PM   #1
bluefish1
Member
 
Registered: Apr 2004
Location: PA
Distribution: CentOS 6
Posts: 47

Rep: Reputation: 0
Linksys & Firewall for Webserver Appliance


Question/Advice:
I am setting up a webserver on a cable connection.... which only has one IP.
Currently I have a Linksys router running DHCP.
The server is configured with 2 net cards: eth0 is the untrusted one with ports 80 & 443 open;
eth1 has all my other services bound to it: 21, 22, 3306, 10000, etc.

Because I am not experienced with firewalling and box hardening (I have done some of the basics to ensure security) I was planning on port forwarding from the Linksys router to the server... obviously forwarding only ports 80 and 443 to the eth0 address (192.168.1.x).

This works fine, but I did not have any packet filtering in place, which is not good.

I found this great script at freshmeat_dot_net/projects/iptables-firewall/ that is easy to set up and implement.... /arno-iptables-firewall.tgz

Problem is that I can't have the two NICs on the same subnet, because the eth1 (trusted device) subnet is set to accept everything, which effectively removes the firewall from eth0? Is there a workaround?

Am I making this unnecessarily complicated by leaving the Linksys in place, or should I NAT through the webserver appliance and eliminate the Linksys? I have very little experience with iptables and am relying on the script above and the use of the Webmin interface for iptables.

Your thoughts would be well received and greatly appreciated.
___________________
eth0 Link encap:Ethernet HWaddr 00:A0:C9:99D:EE
inet addr:192.168.1.x Bcast:192.168.1.254 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr 00:01:53:81:B6:39
inet addr:192.168.1.x Bcast:192.168.1.254 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
 
Old 04-06-2004, 03:01 PM   #2
bentman78
Member
 
Registered: Mar 2003
Location: Washington DC, USA
Distribution: Redhat
Posts: 212

Rep: Reputation: 30
Are you running a Linux firewall, or the Linksys? Is the Linux box acting as a firewall behind the router?
 
Old 04-06-2004, 03:07 PM   #3
bentman78
Member
 
Registered: Mar 2003
Location: Washington DC, USA
Distribution: Redhat
Posts: 212

Rep: Reputation: 30
Never mind, I see. Here is a good script. It's self-explanatory; just enable the stuff you need. It leaves eth1 (the interior interface) open for all outbound traffic, while blocking anything inbound. The script looks intimidating, however just read the intro. Just set "true" for the protocols you want forwarded back (or type in the IP address of the server the packets are forwarded to). It will block portscans and other stuff. Since you're using iptables, ensure you change the path to iptables to the default Red Hat one (/sbin/iptables):
 
Old 04-06-2004, 03:10 PM   #4
bentman78
Member
 
Registered: Mar 2003
Location: Washington DC, USA
Distribution: Redhat
Posts: 212

Rep: Reputation: 30
Okay, it's too long to post here. I will post it on my website later. Here is the URL: www.bentleyslounge.com/linux/iptables.txt
 
Old 04-06-2004, 03:12 PM   #5
bluefish1
Member
 
Registered: Apr 2004
Location: PA
Distribution: CentOS 6
Posts: 47

Original Poster
Rep: Reputation: 0
Any help is appreciated....

The whole task has taken up more time than I expected, and I am now looking for a light at the end of the tunnel.
 
Old 04-06-2004, 07:07 PM   #6
bentman78
Member
 
Registered: Mar 2003
Location: Washington DC, USA
Distribution: Redhat
Posts: 212

Rep: Reputation: 30
Try the link, it's up.
 
Old 04-06-2004, 11:22 PM   #7
bluefish1
Member
 
Registered: Apr 2004
Location: PA
Distribution: CentOS 6
Posts: 47

Original Poster
Rep: Reputation: 0
Thank you...
This appears to be a good script.
But I am unsure if it addresses my problem unless I make my web appliance my NAT as well. Currently my setup is [Linksys with NAT] to [server] ... with port forwarding from the Linksys to a local IP address on the server.

Or remove the second NIC and run all my services from the single eth0?
 
Old 04-07-2004, 06:36 AM   #8
bentman78
Member
 
Registered: Mar 2003
Location: Washington DC, USA
Distribution: Redhat
Posts: 212

Rep: Reputation: 30
That would be best: use the Linksys to NAT to your web server. If you're trying to get double the protection, I could see configuring eth0 to use your Linksys as a gateway.

This way you have the Linksys-----iptables firewall. In between the two would be a DMZ where you could put web servers and stuff. It is a better idea to put your web servers and any other servers being accessed from the internet into a different subnet than your clients; however, if hardware is limited, you could use the script to NAT to the inside interface. Install Apache on that Linux box and configure Apache to listen to traffic on eth1. Or configure Apache to listen on eth0, port forward from the Linksys router to eth0, and have your inside clients use eth1 as a gateway. Possibilities are endless.
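As an added example (not the arno script, not bentman78's script, and not from the thread), here is a minimal stateful iptables policy for the layout discussed above: eth0 only accepts the two web ports the Linksys forwards, eth1 only accepts the admin services (21, 22, 3306, 10000) from the LAN, and everything else is logged and dropped. Interface names, the 192.168.1.0/24 LAN and the default-deny policy are assumptions; with both NICs on one subnet, the kernel may answer ARP for either address on either card, so interface-based rules only become reliable once the server sits on its own subnet as suggested in the post above.

```shell
#!/bin/sh
# Added example: per-interface default-deny policy for a dual-NIC web server.
# Assumptions: WAN_IF receives the router's port forwards, ADM_IF is the
# trusted interface, LAN_NET is the trusted subnet. Rules are only printed
# unless APPLY=1 is set (then they are loaded with /sbin/iptables as root).
WAN_IF="${WAN_IF:-eth0}"
ADM_IF="${ADM_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ADMIN_PORTS="${ADMIN_PORTS:-21,22,3306,10000}"

# Emit a rule, or apply it for real when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then /sbin/iptables "$@"; else echo "iptables $*"; fi
}

gen_rules() {
    # Default deny on INPUT and FORWARD; the box is not a router here.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    rule -F INPUT
    rule -A INPUT -i lo -j ACCEPT
    # Replies to connections the server opened itself (DNS, updates, ...).
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Untrusted side: only new web connections, which the Linksys forwards.
    rule -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT
    # Trusted side: admin services only from LAN addresses on the admin NIC.
    rule -A INPUT -i "$ADM_IF" -s "$LAN_NET" -p tcp -m multiport \
        --dports "$ADMIN_PORTS" -m state --state NEW -j ACCEPT
    # Rate-limited log, then drop, so probes are visible in /var/log/messages.
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    rule -A INPUT -j DROP
}

# Sanity check: number of ACCEPT rules that would open the admin ports on the
# untrusted interface. A correct ruleset returns 0.
admin_leak_count() {
    gen_rules | grep -c -- "-i $WAN_IF .*--dports $ADMIN_PORTS" || true
}

gen_rules
```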
 
Old 04-07-2004, 09:53 AM   #9
bluefish1
Member
 
Registered: Apr 2004
Location: PA
Distribution: CentOS 6
Posts: 47

Original Poster
Rep: Reputation: 0
Is it possible to set up two subnets on the Linksys?
 