LinuxQuestions.org
Old 11-30-2011, 01:18 PM   #1
tango0202
LQ Newbie
 
Registered: Nov 2011
Distribution: RHEL, CentOS, Debian, Gentoo, Ubuntu
Posts: 19

Rep: Reputation: Disabled
Question Putting a public IP on my Debian squeeze server....firewall rules.


What I am wanting to do is give someone access to the server without them having to log in to my VPN.

Configure the server 192.168.x.x to have a DMZ allowing only access on port 443 and only from their IP range (67.218.x.x)

How can this be done within the server itself? I don't really want to change the setup of my VPN as it sits now.
 
Old 11-30-2011, 01:34 PM   #2
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Are you going through a router? If so, you can forward port 443 to your server, and then edit iptables to reflect what you need done, as such:
Code:
-A INPUT -p tcp --destination-port 443 -m iprange --src-range 67.218.1.100-67.218.1.200 -j ACCEPT
Of course, you would need to make changes to that in order to reflect what you need.

Cheers,

Josh
 
Old 11-30-2011, 01:39 PM   #3
tango0202
Quote:
Originally Posted by corp769
Are you going through a router? If so, you can forward port 443 to your server, and then edit iptables to reflect what you need done, as such:
Code:
-A INPUT -p tcp --destination-port 443 -m iprange --src-range 67.218.1.100-67.218.1.200 -j ACCEPT
Of course, you would need to make changes to that in order to reflect what you need.

Cheers,

Josh
The only thing between the VPN and the server is the switch it is all connected to.
 
Old 11-30-2011, 01:41 PM   #4
corp769
Oh ok, I see what you mean. You will have to turn on IP forwarding, and forward that range to port 443 of your server, then use what I posted on your server to allow access to port 443.
 
Old 11-30-2011, 01:54 PM   #5
tango0202
OK, so I have turned on IP forwarding. I used

vi /etc/sysctl.conf:
net.ipv4.ip_forward = 1 (I uncommented this line and set it from "0" to "1")

Then ran...to make the changes take effect
sysctl -p /etc/sysctl.conf


Is there anything in rc.local that needs to be changed as well to make this work?
 
Old 11-30-2011, 01:59 PM   #6
corp769
Read here - http://serverfault.com/questions/140...-with-iptables
Not being lazy, but it does a good job of explaining what needs to be done.
 
Old 11-30-2011, 02:01 PM   #7
tango0202
thanks
 
Old 11-30-2011, 02:02 PM   #8
corp769
Not a problem at all, man. Report back once you get everything up and running, and let me know if you need any more assistance.

Over and out,

Josh
 
Old 11-30-2011, 02:19 PM   #9
tango0202
OK so after setting up IP forwarding I created three rules within the firewall.

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.x.x:443
iptables -A INPUT -p tcp -m state --state NEW --dport 443 -i eth0 -j ACCEPT

I then added..
iptables -A PREROUTING -t nat -i eth0 -p tcp --source 67.218.x.x/24 --dport 443 -j DNAT --to 192.168.x.x:443

I have not fully tested these just yet but I am fairly confident they should work as described. Unless I missed something....which is quite possible :-)
 
Old 12-01-2011, 08:29 AM   #10
tango0202
The above lines were accepted when I added the three rules...BUT this is what I get when I try iptables -L. Is this correct? Just doesn't look right to me....


# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 
Old 12-02-2011, 06:56 PM   #11
corp769
After you added the rules, did you fully restart your iptables service?

Last edited by corp769; 12-02-2011 at 07:12 PM.
 
Old 12-02-2011, 07:04 PM   #12
tango0202
Yes, I restarted the entire network. Will I need to bounce the entire server for this to take effect?

/etc/init.d/procps restart
 
Old 12-02-2011, 07:13 PM   #13
corp769
How exactly are you configuring iptables in the first place? Are you using the configuration located in /etc/sysconfig?
 
Old 12-02-2011, 07:21 PM   #14
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 193
Quote:
procps is the package that has a bunch of small useful utilities that give information about processes using the /proc filesystem. The package includes the programs ps, top, vmstat, w, kill, free, slabtop, and skill.
I am not familiar with procps, but a quick look at the website indicates to me, it doesn't have anything to do with iptables.

Code:
/etc/init.d/iptables restart
will restart the firewall, but in doing so will reload the default rules, contained (CentOS/RHEL at least) in /etc/sysconfig/iptables.

So once your rules are configured and working, you would probably want to do something to the effect of:
Code:
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
iptables-save > /etc/sysconfig/iptables
to save the currently implemented rules. This will also make the rules persistent across reboots as they are loaded from that file via the init scripts.
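
Added example, not part of any post in this thread: a script that validates its inputs and prints an `iptables-restore` ruleset in which port 443 is forwarded only for one source range, with the FORWARD chain defaulting to DROP. It assumes a forwarding host with `eth0` facing the Internet and the HTTPS server on a separate internal address; the addresses are constructed sample values, and `is_ipv4_cidr` and `build_ruleset` are names made up here.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a forwarding host whose eth0
# faces the Internet, with the HTTPS server on a separate internal address.

# is_ipv4_cidr ADDR[/PREFIX]: succeed only for a well-formed IPv4 address.
is_ipv4_cidr() {
    addr=${1%/*}; prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# build_ruleset ALLOWED_SRC SERVER_IP: print iptables-restore input, or fail.
build_ruleset() {
    is_ipv4_cidr "$1" && is_ipv4_cidr "$2" || return 1
    case $2 in */*) return 1 ;; esac   # the DNAT target must be a single host
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# One DNAT rule, scoped to the permitted source; no catch-all rule precedes it.
-A PREROUTING -i eth0 -s $1 -p tcp --dport 443 -j DNAT --to-destination $2:443
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forwarded packets already carry the rewritten destination, so match on it.
-A FORWARD -i eth0 -s $1 -d $2 -p tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Constructed sample values; substitute the real range and server address.
build_ruleset 203.0.113.0/24 192.168.0.10
# Dry run before loading:  build_ruleset ... | iptables-restore --test
# "iptables -L" lists only the filter table; DNAT rules show up under
# "iptables -t nat -L -n -v".
```

Loading this output with `iptables-restore` replaces the current nat and filter rules, so merge in any existing INPUT rules first. The internal server must route its replies back through this host for the translation to be reversed.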
 
  

