Re: Protecting multiple webservers

Re: Protecting multiple webservers

[Bob Tellefson]

On Wednesday 12 January 2005 01:01, gui wrote:
> Hello,
>
> I work as a computer programmer for a small university and I was asked
> to set up a firewall to protect three Apache web servers.  Each server
> runs on its own machine, each server has its own name, public IP
> address and they all listen on port 80.
>
> After reading a few howto's, I came up with the following iptables
> rules (I won't list all of them):
>
> #www.server1.edu
> -A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 80 -j DNAT --to
> 192.168.0.2:80
>
> #www.server2.edu
> -A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 8080 -j DNAT --to
> 192.168.0.3:80
>
> Those rules work fine in the little network I created in my office.

Since your web servers have valid public IP addresses DNAT will not be needed. 

Just be sure that your FORWARD rules allow the required traffic through.  If 
your default FORWARD policy is DROP, add a line such as:

iptables -A FORWARD -p TCP -m multiport --dport 80,8080 -j ACCEPT

or you may wish to filter for each host like:

iptables -A FORWARD -p TCP -d x.x.x.103 --dport 80 -j ACCEPT
iptables -A FORWARD -p TCP -d x.x.x.104 --dport 8080 -J ACCEPT

Using the first example, you can have any number of hosts listening on ports 
80 and/or 8080 without firewall changes.  The second approach would, of 
course, require individual lines for each server you wish to open up.



-- 

Bob Tellefson
Java network application development & hosting

Re: Protecting multiple webservers

[Maxime Ducharme]

Hello

Protecting your Apache servers with iptables is a good
idea.

In order to use the FORWARD rule you must coordinate
with your ISP (or IT department) so they route packets
to your Apache web servers trought a precise IP
(which will be the IP of the firewall).

The idea of DNAT here isnt bad since you do not need
the ISP intervention. The IP will be mapped
to the firewall, so users wont see the difference since
they are accessing this IP already (no need to change
DNS information).

DNAT makes the firewall invisible and allows packet
filtering like FORWARDing.

You may then map each external IPs on the firewall and
DNAT each external IP to an internal IP.

Obvisouly you will adjust Apache servers IP to internal
IPs.

To limit iptables modification, add each external IPs
to the rules and map them to internal IPs.

If you want to add other servers, place them in the
good internal IP space.

If you have new IPs, you will have to modify iptables.

I do not think you can automagically forward packets,
DNAT module allows multiple hosts in to --to-destination
parameter, but hosts will be used at random
( see
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#DNATTARGET )

Someone correct me if I'm wrong

Hope that helps

Have a nice day

Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau

----- Original Message ----- 
From: "Bob Tellefson" <bob@zooid.com>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, January 11, 2005 11:01 PM
Subject: Re: Protecting multiple webservers


> On Wednesday 12 January 2005 01:01, gui wrote:
> > Hello,
> >
> > I work as a computer programmer for a small university and I was asked
> > to set up a firewall to protect three Apache web servers.  Each server
> > runs on its own machine, each server has its own name, public IP
> > address and they all listen on port 80.
> >
> > After reading a few howto's, I came up with the following iptables
> > rules (I won't list all of them):
> >
> > #www.server1.edu
> > -A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 80 -j DNAT --to
> > 192.168.0.2:80
> >
> > #www.server2.edu
> > -A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 8080 -j DNAT --to
> > 192.168.0.3:80
> >
> > Those rules work fine in the little network I created in my office.
>
> Since your web servers have valid public IP addresses DNAT will not be
needed.
>
> Just be sure that your FORWARD rules allow the required traffic through.
If
> your default FORWARD policy is DROP, add a line such as:
>
> iptables -A FORWARD -p TCP -m multiport --dport 80,8080 -j ACCEPT
>
> or you may wish to filter for each host like:
>
> iptables -A FORWARD -p TCP -d x.x.x.103 --dport 80 -j ACCEPT
> iptables -A FORWARD -p TCP -d x.x.x.104 --dport 8080 -J ACCEPT
>
> Using the first example, you can have any number of hosts listening on
ports
> 80 and/or 8080 without firewall changes.  The second approach would, of
> course, require individual lines for each server you wish to open up.
>
>
>
> -- 
>
> Bob Tellefson
> Java network application development & hosting
>

Re: Protecting multiple webservers

[Samuel Jean]

On Wed, January 12, 2005 10:14 am, Maxime Ducharme said:
> Hello

Hi Maxime !

> I do not think you can automagically forward packets,
> DNAT module allows multiple hosts in to --to-destination
> parameter, but hosts will be used at random

Indeed. However, I guess NETMAP target could do the trick.

http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-NETMAP

> Have a nice day

Same for you!

>
> Maxime Ducharme
> Programmeur / Spécialiste en sécurité réseau

Samuel

Re: Protecting multiple webservers

[John A. Sullivan III]

On Wed, 2005-01-12 at 04:01 +0000, Bob Tellefson wrote:
> On Wednesday 12 January 2005 01:01, gui wrote:
> > Hello,
> >
> > I work as a computer programmer for a small university and I was asked
> > to set up a firewall to protect three Apache web servers.  Each server
> > runs on its own machine, each server has its own name, public IP
> > address and they all listen on port 80.
> >
> > After reading a few howto's, I came up with the following iptables
> > rules (I won't list all of them):
> >
> > #www.server1.edu
> > -A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 80 -j DNAT --to
> > 192.168.0.2:80
> >
> > #www.server2.edu
> > -A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 8080 -j DNAT --to
> > 192.168.0.3:80
> >
> > Those rules work fine in the little network I created in my office.
> 
> Since your web servers have valid public IP addresses DNAT will not be needed. 
> 
> Just be sure that your FORWARD rules allow the required traffic through.  If 
> your default FORWARD policy is DROP, add a line such as:
> 
> iptables -A FORWARD -p TCP -m multiport --dport 80,8080 -j ACCEPT
> 
> or you may wish to filter for each host like:
> 
> iptables -A FORWARD -p TCP -d x.x.x.103 --dport 80 -j ACCEPT
> iptables -A FORWARD -p TCP -d x.x.x.104 --dport 8080 -J ACCEPT
> 
> Using the first example, you can have any number of hosts listening on ports 
> 80 and/or 8080 without firewall changes.  The second approach would, of 
> course, require individual lines for each server you wish to open up.
> 
> 
> 
I may misunderstand but I'm not sure that it is so straightforward.  If
the public addresses are on the same network as the firewall public
interface, the traffic will not pass through the firewall.

There are a few options.  I have never tried to do this but one could
possible preserve the addresses and still move the devices to the
protected side of the firewall and use true proxy ARP.  I have no idea
how that interacts with iptables.  Perhaps, since it is bridging,
ebtables might help but I have never used ebtables.

I would typically move the public web servers to private addresses on a
DMZ behind the firewall.  One can do one-to-many NAT as you asked in
your original e-mail but, unless all the servers are providing the same
content and you are doing it as a load balancing mechanism, I do not
think it applies here.  You will have no way of ensuring that the
correct packet goes to the correct server.  Instead, I would do one-to-
one mappings between the web server's public address and its private
address while using iproute2 (the "ip" command) to bind the web server
public addresses to the public interface of the firewall.

This latter solution does create name resolution issues.  I typically
use a split DNS but it sounds like touching DNS is a problem for you.
Split DNS involves placing the private address in the DNS used by
internal users and the public address in the public DNS.  I believe
there is a non-split DNS solution outlined in Oskar Andreasson's
iptables tutorial(http://iptables-tutorial.frozentux.net/iptables-
tutorial.html).  Failing that, you could try the proxy ARP solution.
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

Re: Protecting multiple webservers

[gui]

>uh--where are the "allow incoming connections to my web servers" lines?

> -A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.2 --dport 80 \
>   -j ACCEPT
>
>-A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.3 --dport 80 \
>   -j ACCEPT
>
>make sure you also enabled IP forwarding:
>
> sysctl -w net.ipv4.ip_forward=1

The iptables start up script enables forwarding, but you were right I
was missing the  "allow incoming connections to my web servers" lines.
 Thanks James!

>are these webservers goingto be part of a cluster or do they need to
have there own resolved >hostnames?
>are they to be part of virtual hosting scenario ?

No, they are not in a cluster or anything fancy like that. These are
just stand alone web servers serving their own content that need to be
isolated from the rest of our network, but need to have their own
(current) hostnames resolved. I don't see what more information I can
provide.

The set up seems to be working fine after I added the lines suggested
by James. I'll report back if I encounter problems.

piranha,
Would you mind telling what are the other ways to do this?  Keep in
mind that I can't touch the DNS server.

Thanks again.

-gui

RE: Protecting multiple webservers

[Hudson Delbert J Contr 61 CS/SCBN]

are these webservers goingto be part of a cluster or do they need to have there own resolved hostnames?
we need more info as there are several different ways to do this.

are they to be part of virtual hosting scenario ?

more info, plz...

~piranha

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of gui
Sent: Wednesday, January 19, 2005 12:37 PM
To: netfilter@lists.netfilter.org
Subject: Re: Protecting multiple webservers


Hi,

I did some work but I still can't get my new set up to work.

I'm going describe my problem again to avoid confusions.

Some background info:
Firewall: linux kernel 2.6.9-1.667 & iptables v1.2.11
Zinfandel and Cabernet (not the actual names) are web servers with
real domain names and public IP addresses.
Zinfandel's  public IP address x.x.174.104
Cabernet's   public IP address x.x.174.106		     
I don't have access to the DNS server and the IT dept doesn't want to
make any changes to the DNS server.

Problem: I need to put two web servers behind a firewall without
making changes to the DNS server.

My new set up:

   Zinfandel              Cabernet    
  192.168.0.2	     192.168.0.3
	 |		             |
	 `---------- ------------'
	            |
	          switch        
	            |
	            |    eth1 192.168.01  
	       FIREWALL
		    |    eth0 x.x.174.103 (Primary address)
		    |    eth0:0 x.x.174.104
		    |    eth0:1 x.x.174.106
		    |
		Internet  

I added the two IP addresses to eth0 using iproute2 as previously
suggested and I can ping the new addresses without a problem. I can
even connect to the firewall with SSH using those addresses. This
tells me that anti-arp spoofing is not an issue on the network and
that I can have multiple IP addresses binded to one NIC. However, the
forward rules don't work. I will appreciate any help that you can
provide.

The following is my ruleset file:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter

:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT

# allow local loopback connections
-A INPUT -i lo -j ACCEPT

# allow pings
-A INPUT -i eth0 -p icmp -j ACCEPT

# drop INVALID connections
-A INPUT   -m state --state INVALID -j DROP
-A OUTPUT  -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP

# allow all established and related
-A INPUT        -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT    -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


# allow connections to DNS servers
-A OUTPUT  -d x.x.100.129 -m state --state NEW -p udp --dport 53 -o
eth0 -j ACCEPT

#allow computers behind the firewall to access the DNS servers.
-A FORWARD -d x.x.100.129 -m state --state NEW -p udp --dport 53 -i
eth1 -o eth0 -j ACCEPT

# allow incoming SSH connections
#Only my desktop can ssh to the firewall
-A INPUT -i eth0 -s x.x.174.12 -p tcp --dport ssh -j ACCEPT 

# allow outgoing connections from web servers.
# added these lines so I can browse the web from the web servers 
-A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dport
http,https -o eth0 -j ACCEPT

-A FORWARD -s 192.168.0.3 -d 0/0 -m state --state NEW -p tcp -m
multiport --dport http,https -o eth0 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.0.2 -d 0/0 -m state --state NEW -p tcp -m
multiport --dport http,https -o eth0 -i eth1 -j ACCEPT

COMMIT

*nat
#set up IP forwarding and nat
#This is the primary IP address for eth0
-A POSTROUTING -o eth0 -j SNAT --to x.x.174.103

# forward ports to the proper servers
-A PREROUTING -i eth0 -p tcp -d 130.17.174.104 --dport 80 -j DNAT --to
192.168.0.2:80
-A PREROUTING -i eth0 -p tcp -d 130.17.174.106 --dport 80 -j DNAT --to
192.168.0.3:80

COMMIT

Thanks.

Re: Protecting multiple webservers

[gui]

Hi,

I did some work but I still can't get my new set up to work.

I'm going describe my problem again to avoid confusions.

Some background info:
Firewall: linux kernel 2.6.9-1.667 & iptables v1.2.11
Zinfandel and Cabernet (not the actual names) are web servers with
real domain names and public IP addresses.
Zinfandel's  public IP address x.x.174.104
Cabernet's   public IP address x.x.174.106		     
I don't have access to the DNS server and the IT dept doesn't want to
make any changes to the DNS server.

Problem: I need to put two web servers behind a firewall without
making changes to the DNS server.

My new set up:

   Zinfandel              Cabernet    
  192.168.0.2	     192.168.0.3
	 |		             |
	 `---------- ------------'
	            |
	          switch        
	            |
	            |    eth1 192.168.01  
	       FIREWALL
		    |    eth0 x.x.174.103 (Primary address)
		    |    eth0:0 x.x.174.104
		    |    eth0:1 x.x.174.106
		    |
		Internet  

I added the two IP addresses to eth0 using iproute2 as previously
suggested and I can ping the new addresses without a problem. I can
even connect to the firewall with SSH using those addresses. This
tells me that anti-arp spoofing is not an issue on the network and
that I can have multiple IP addresses binded to one NIC. However, the
forward rules don't work. I will appreciate any help that you can
provide.

The following is my ruleset file:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter

:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT

# allow local loopback connections
-A INPUT -i lo -j ACCEPT

# allow pings
-A INPUT -i eth0 -p icmp -j ACCEPT

# drop INVALID connections
-A INPUT   -m state --state INVALID -j DROP
-A OUTPUT  -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP

# allow all established and related
-A INPUT        -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT    -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


# allow connections to DNS servers
-A OUTPUT  -d x.x.100.129 -m state --state NEW -p udp --dport 53 -o
eth0 -j ACCEPT

#allow computers behind the firewall to access the DNS servers.
-A FORWARD -d x.x.100.129 -m state --state NEW -p udp --dport 53 -i
eth1 -o eth0 -j ACCEPT

# allow incoming SSH connections
#Only my desktop can ssh to the firewall
-A INPUT -i eth0 -s x.x.174.12 -p tcp --dport ssh -j ACCEPT 

# allow outgoing connections from web servers.
# added these lines so I can browse the web from the web servers 
-A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dport
http,https -o eth0 -j ACCEPT

-A FORWARD -s 192.168.0.3 -d 0/0 -m state --state NEW -p tcp -m
multiport --dport http,https -o eth0 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.0.2 -d 0/0 -m state --state NEW -p tcp -m
multiport --dport http,https -o eth0 -i eth1 -j ACCEPT

COMMIT

*nat
#set up IP forwarding and nat
#This is the primary IP address for eth0
-A POSTROUTING -o eth0 -j SNAT --to x.x.174.103

# forward ports to the proper servers
-A PREROUTING -i eth0 -p tcp -d 130.17.174.104 --dport 80 -j DNAT --to
192.168.0.2:80
-A PREROUTING -i eth0 -p tcp -d 130.17.174.106 --dport 80 -j DNAT --to
192.168.0.3:80

COMMIT

Thanks.

Re: Protecting multiple webservers

[Jason Opperisano]

On Wed, Jan 19, 2005 at 12:37:06PM -0800, gui wrote:
> # allow outgoing connections from web servers.
> # added these lines so I can browse the web from the web servers 
> -A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dport
> http,https -o eth0 -j ACCEPT
> 
> -A FORWARD -s 192.168.0.3 -d 0/0 -m state --state NEW -p tcp -m
> multiport --dport http,https -o eth0 -i eth1 -j ACCEPT
> -A FORWARD -s 192.168.0.2 -d 0/0 -m state --state NEW -p tcp -m
> multiport --dport http,https -o eth0 -i eth1 -j ACCEPT

uh--where are the "allow incoming connections to my web servers" lines?

  -A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.2 --dport 80 \
    -j ACCEPT

  -A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.3 --dport 80 \
    -j ACCEPT

make sure you also enabled IP forwarding:

  sysctl -w net.ipv4.ip_forward=1

-j

--
"Look, just give me some inner peace, or I'll mop the floor with ya!"
        --The Simpsons

Protecting multiple webservers

[gui]

Hello,

I work as a computer programmer for a small university and I was asked
to set up a firewall to protect three Apache web servers.  Each server
runs on its own machine, each server has its own name, public IP
address and they all listen on port 80.

After reading a few howto's, I came up with the following iptables
rules (I won't list all of them):

#www.server1.edu
-A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 80 -j DNAT --to 192.168.0.2:80

#www.server2.edu
-A PREROUTING -i eth0 -p tcp -d X.X.X.103 --dport 8080 -j DNAT --to
192.168.0.3:80

Those rules work fine in the little network I created in my office.

Now I want to try the set up with the real servers. Due to the fact
that I know little about networking, can someone tell me whether I can
keep the public IP addresses and names of the servers and somehow make
requests to www.server2.edu go through the firewall?

I want to do this so that our users won't notice the change and if
something goes wrong I can easily undo the changes without having to
contact our IT department to make changes to the school's DNS server.

I would also appreciate if someone tells me whether I can add two more
web servers to this set up without having to open another "dport". Is
it possible to create a one-to-many mapping with iptables? That way I
only have to open port 80 on the firewall and still allow incoming
connections to different nated machines.

Any pointers, suggestions will be greatly appreciated.

Thanks.