LinuxQuestions.org
Old 11-07-2001, 09:56 PM   #1
paulw
LQ Newbie
 
Registered: Nov 2001
Posts: 1

Rep: Reputation: 0
ipchains help ... please


OK so I have taken over an existing ipchains firewall ... and I want to move a webserver behind the firewall, so I need to write rules to allow :80 through, right? This is what I have.
/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $UNIVERSE www -d $SECUREHOST158
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST158 www -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE www -d $SECUREHOST158
/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $SECUREHOST158 www -d $UNIVERSE
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE www -d $SECUREHOST158
/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $SECUREHOST158 www -d $UNIVERSE
/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $UNIVERSE www -d $SECUREHOST158
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST158 www -d $UNIVERSE
/sbin/ipchains -A forward -j ACCEPT ! -y -i $INTIF -p tcp -s $SECUREHOST158 www -d $INTLAN
/sbin/ipchains -A forward -j ACCEPT ! -y -i $EXTIF -p tcp -s $SECUREHOST158 www -d $UNIVERSE
/sbin/ipchains -A forward -j ACCEPT -i $INTIF -p tcp -s $SECUREHOST158 www -d $INTLAN
/sbin/ipchains -A forward -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST158 www -d $UNIVERSE

$SECUREHOST158 is my webserver.
To me this should allow absolutely everything through, but I still get errors ... as follows:

Nov 8 15:41:59 firewall kernel: Packet log: input REJECT eth1 PROTO=6 {from ip}:4015 {webserver ip}:80 L=60 S=0x00 I=61044 F=0x4000 T=50 SYN (#137)

Can anyone help?? Please.
Paul
paulw@davinci.co.nz
 
Old 11-08-2001, 02:29 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
So it's not allowing a connection to be initiated (SYN) from the outside. Try adding a rule -d $SECUREHOST158:80 -s $ANY $UNPRIVPORTS -j ACCEPT, with no TCP connection flags, and add logging to see if it sticks.
IIRC, ANY=0.0.0.0 and UNPRIVPORTS=1204:60000
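An added worked example, not code from the thread or its posters: a small Python matcher that parses the rule syntax used in the first post and the logged "Packet log:" line, then reports which rule, if any, would accept the rejected SYN. It assumes INTIF=eth0, EXTIF=eth1, UNIVERSE=0/0 and SECUREHOST158=192.0.2.158, uses documentation addresses for the redacted IPs, and writes unSpawn's suggested rule with raz's 1023:65535 unprivileged range; it shows that the posted input rules never match an inbound SYN because "www" sits in the source port slot.

```python
import ipaddress
import re
# Constructed sample: the thread's rejected SYN, with its redacted IPs replaced by documentation addresses.
LOG_LINE = ("Nov 8 15:41:59 firewall kernel: Packet log: input REJECT eth1 PROTO=6 "
            "203.0.113.7:4015 192.0.2.158:80 L=60 S=0x00 I=61044 F=0x4000 T=50 SYN (#137)")
# The poster's input rules, assuming INTIF=eth0, EXTIF=eth1, UNIVERSE=0/0 and
# SECUREHOST158=192.0.2.158. Note that "www" sits in the *source* port slot of each rule.
POSTED_INPUT = ["-A input -j ACCEPT -i eth1 -p tcp -s 0/0 www -d 192.0.2.158",
                "-A input -j ACCEPT -i eth0 -p tcp -s 192.0.2.158 www -d 0/0",
                "-A input -j ACCEPT -i eth0 -p tcp -s 0/0 www -d 192.0.2.158",
                "-A input -j ACCEPT -i eth1 -p tcp -s 192.0.2.158 www -d 0/0"]
# unSpawn's suggested rule in the same syntax, with raz's unprivileged port range.
SUGGESTED = "-A input -j ACCEPT -i eth1 -p tcp -s 0/0 1023:65535 -d 192.0.2.158 80"
LOG_RE = re.compile(r"Packet log: (\w+) (\w+) (\S+) PROTO=(\d+) (\S+):(\d+) (\S+):(\d+)(.*)")
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_log(line):   # chain, verdict, interface, protocol, endpoints and SYN flag of a Packet log line
    chain, action, iface, proto, src, sport, dst, dport, rest = LOG_RE.search(line).groups()
    return {"chain": chain, "action": action, "iface": iface, "proto": int(proto),
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "syn": " SYN" in rest}
def _ports(spec):      # "80", "www" or "lo:hi" -> (lo, hi); www is the only service name the rules use
    lo, _, hi = spec.replace("www", "80").partition(":")
    return int(lo), int(hi or lo)
def parse_rule(rule):  # the ipchains subset used in the thread: -A -i -j, -s/-d addr [port], -y, ! -y
    t, i = rule.split(), 0
    r = {"syn": None, "src": ANY, "dst": ANY, "sport": (0, 65535), "dport": (0, 65535)}
    while i < len(t):
        if t[i] in ("-A", "-i", "-j"):
            r[{"-A": "chain", "-i": "iface", "-j": "target"}[t[i]]] = t[i + 1]; i += 2
        elif t[i] in ("-s", "-d"):
            a, p, addr = (("src", "sport") if t[i] == "-s" else ("dst", "dport")) + (t[i + 1],)
            r[a] = ANY if addr == "0/0" else ipaddress.ip_network(addr if "/" in addr else addr + "/32"); i += 2
            if i < len(t) and t[i][0] not in "-!":   # an optional port or range follows the address
                r[p] = _ports(t[i]); i += 1
        elif t[i] == "-y" or t[i:i + 2] == ["!", "-y"]:   # -y: SYN only; ! -y: everything but SYN
            r["syn"] = t[i] == "-y"; i += 1 if r["syn"] else 2
        else:
            i += 1                                   # "-p tcp" and anything else: TCP is assumed
    return r

def matches(r, pkt):   # would this parsed rule match the logged packet?
    return (r.get("chain") == pkt["chain"] and r.get("iface", pkt["iface"]) == pkt["iface"]
            and pkt["src"] in r["src"] and pkt["dst"] in r["dst"] and r["syn"] in (None, pkt["syn"])
            and r["sport"][0] <= pkt["sport"] <= r["sport"][1] and r["dport"][0] <= pkt["dport"] <= r["dport"][1])

def first_match(rules, pkt):   # index of the first matching rule, or None (the chain policy then decides)
    return next((n for n, rule in enumerate(rules) if matches(parse_rule(rule), pkt)), None)
```

Feeding the forward rules from the first post through parse_rule works too; the "! -y" rules parse with syn set to False, so they would never match a connection-initiating packet either.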
 
Old 11-12-2001, 04:55 AM   #3
johnlee
Member
 
Registered: Oct 2001
Location: China
Distribution: RedHat 7.0
Posts: 43

Rep: Reputation: 15
WebServer behind the firewall

Hi,
There is some confusion: I am unable to understand whether your webserver is on a real IP address or on a fake IP address. As you say that you are running it behind the firewall, then you just need a packet forwarder running on your firewall. You can use the "ipmasqadm"
command to redirect all port 80 traffic to your secure webserver machine. It means your firewall machine is listening on port 80, but there is no webserver running there; the webserver will be running on a separate secure machine, and your firewall is just redirecting all connections coming in on port 80 to your secure machine. For this purpose you can use any tcp_redirector programme.

Regards,

John Lee
thristydesert@hotmail.com
 
Old 11-16-2001, 11:15 AM   #4
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
You'll need to do the following if your web server doesn't have an XPN address, i.e. an internet IP address.

Install the module for Port forwarding and tell your firewall to forward any inbound tcp connections to the external ip web address.

modprobe ip_masq_portfw
ipmasqadm portfw -a -P tcp -L firewalls_ip 80 -R webservers_internal_address 80
ipmasqadm portfw -a -P tcp -L firewalls_ip 443 -R webservers_internal_address 443

Then set your ipchains rules as follows.
ipchains -A input -p tcp -s 0/0 --sport 1023:65535 -d firewalls_ip_address --dport 80 -j ACCEPT
ipchains -A output -p tcp -s firewalls_ip_address --sport 80 -d 0/0 -j ACCEPT

This works well, but can be slow under high loads, so don't use it on anything higher than an E1 line.
If you can afford an E1 then route the packets with ip routing.
Obviously don't let anything on the firewall take port 80 like an Apache install, or it gets first choice.

/Raz
 
  

