LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-18-2004, 04:08 PM   #1
tomammon
LQ Newbie
 
Registered: Jun 2004
Posts: 6

Rep: Reputation: 0
Firewall + port forwarding question


Hello everyone:

My webserver is also my file server, because it has 3 cdroms and 40GB of HD space. The problem is, now, it's outside the firewall, so I can't use NFS (with the current iptables rules).So if I am going to use that storage, I have to FTP everything.

Here's the layout of my network:
Incomiong connection from comcast through cable modem and then netgear router
webserver is connected to netgear router
linux iptables firewall is connected to netgear router (script attached below)
internal network is connected and routes through linux firewall (3 machines on internal network)

I have port forwarding set up on the netgear router to send all port 80 requests to the webserver.

Here's my thought, and tell me if I'm trying to do something that's impossible: If the netgear router can forward all http traffic to the server, why couldn't I just point those forwarding rules (on the netgear router) to my firewall, and then have the firewall forward all port 80 requests to the webserver (which would then be inside the firewall, where I can use NFS without changing the firewall rules). The problems are these: Can iptables forward ports the same way the netgear router can (I'm pretty sure it can), if so, what rules would need to be added to make it do that, and third, will the webserver still work from the outside if port 80 is forwarded twice on the inbound connection?

I'd like to keep the firewall as locked down as possible, which is why I don't want to set up rules to let NFS through it. Can this be done?

Tom

(iptables script follows)

# Generated by iptables-save v1.2.8 on Fri Sep 3 04:51:04 2004
*filter
:INPUT DROP [154:12242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_packets
-A INPUT -i eth0 -p udp -j udp_packets
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A tcp_packets -p tcp -m tcp --dport 22 -j allowed
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A tcp_packets -p tcp -m tcp --dport 20:21 -j allowed
-A udp_packets -s 192.168.0.0/255.255.255.0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_packets -i eth0 -p udp -m udp --dport 135:139 -j DROP
-A udp_packets -d 255.255.255.255 -i eth0 -p udp -m udp --dport 67:68 -j DROP
COMMIT
# Completed on Fri Sep 3 04:51:04 2004
# Generated by iptables-save v1.2.8 on Fri Sep 3 04:51:04 2004
*nat
:PREROUTING ACCEPT [172:14757]
:POSTROUTING ACCEPT [5:420]
:OUTPUT ACCEPT [34:2583]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Sep 3 04:51:04 2004
 
Old 09-18-2004, 11:30 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Iptables should be able to forward the traffic, but I'd be hesistant to put an NFS server outside the firewall and just forward traffic in and out of the firewall like that. There are probably more secure ways of doing it. A good starting point would be using something like ssh/scp to transfer files or even just run your vuln traffic through an encryption tunnel (like an ssh or ssl tunnel) and then only allow the network to communicated with exposed file server. Something like a VPN would work well too.

To be honest though, I think the best solution would be to get a low end PC and build a dedicated file server that you can put inside the LAN. Considering the abuse and potential for security compromise on a webserver, it's probably one of the worst places to put a fileshare server.
 
Old 09-21-2004, 05:55 PM   #3
mac_casey
Member
 
Registered: Jun 2002
Location: Edmonton
Distribution: SUSE 10
Posts: 62

Rep: Reputation: 15
Wink

i may be wrong but i think from a networking perspective that would be "double natting" of your address. At the netgear it has to translate the outside IP to internal and then forward to your other box. Im not so sure the webserver would be able to find the correct route back outside the network. I could be wrong and if i missed the boat i totaly apologize. Im still a newbie
 
Old 09-28-2004, 12:07 AM   #4
tomammon
LQ Newbie
 
Registered: Jun 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Hello all,

Thanks for your posts. I finally got things up and running like I wanted them, and this is what happened:

I put the webserver behind the firewall, which enabled me to use NFS freely.(I have not tried mounting an
NFS share on the firewall itself, but I really don't need to- it works on my internal workstation). I set up
port forwarding with iptables- forwarding port 80 requests through my already-established rules.

What I was asking for was, in fact, what amounts to "double-natting", which I only could have done if
the ISP had given me another address. So it works. Thanks for everybody's insights.

Tom
 
Old 09-28-2004, 12:39 AM   #5
qbsu21th
LQ Newbie
 
Registered: Jul 2004
Location: auckland, new zealand
Posts: 23

Rep: Reputation: 15
how to setup IP firewall in linux enterprise ws (ES) version 3 for these port?

Dear Sir:

Happy to know that you make your firewall working. i'm new to linux firewall setup and got the following needs help.

I installed the linux enterprise ws (ES) version 3 on my laptop pc, gateway solo and want to setup the IP firewall for the application i want to use in this environment. the following are the ports i want to setup, however, i don't know how to do it in linux. it will be very appreciated if someone can give me a hand.

A. In general only the following ports are required for VSP connections.
1) Port 5060 SIP messaging for TCP & UDP Both Directions
2) ICMP Ping Replies (ICMP.type 8) for UCP replies inbound only
3) Port 514 Syslog UDP Outbound only

B. The following ports are required for Management Connections
1) Port 3288 COPS messaging TCP Both Directions.
2) Port 514 SYSLOG outbound only
3) Port 22 SSH inbound only
4) Port xxx DHCP both directions
5) Port xxx SNMP (not required immediately but could be handy)

Thanks and regards!
David
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Simple Port Forwarding Firewall - not forwarding MadTurki Linux - Security 14 04-09-2006 01:08 PM
SSH port forwarding thru a NAT Firewall whoever Linux - Networking 3 07-29-2005 04:24 AM
SSH port forwarding through a firewall linuxLuser Linux - Networking 1 07-15-2005 12:29 AM
Port-Forwarding with Firewall (Masquarading) for i.e. eDonkey ThePreacherMan Linux - Networking 0 07-13-2004 09:53 AM
firewall port forwarding manthram Linux - Networking 0 04-01-2002 08:08 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:59 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration