* How to direct packets to my server. DOES THIS LOOK RIGHT?
From: Joel Linuxdude @ 2002-12-15 5:33 UTC (permalink / raw)
To: netfilter
My Netfilter firewall (unfortunately) is also running
my Apache web server, FTP server and Telnet daemon.
I honestly think this is ok, but it's confusing me with
the whole firewall aspect.
I wanted to allow new packets to go to my Linux box
such as port 21 and 80 but only about 4 new connections
per second.
Eth0 = <Internet IP from my ISP/cable modem company>
Eth1 = 192.168.0.1
Would I do it like this:
/sbin/iptables -A PREROUTING -i eth0 -p tcp -d x.x.x.x --dport 21 -m state
--state NEW -m limit --limit 4/second -j DNAT --to x.x.x.x
Where x.x.x.x is the IP that my ISP assigns me. Or would I use
the following:
/sbin/iptables -A PREROUTING -i eth0 -p tcp -d x.x.x.x --dport 21 -m state
--state NEW -m limit --limit 4/second -j DNAT --to 192.168.0.1
THANKS!!!
Joel
* RE: How to direct packets to my server. DOES THIS LOOK RIGHT?
From: Rob Sterenborg @ 2002-12-15 6:51 UTC (permalink / raw)
To: Joel Linuxdude, netfilter
> My Netfilter firewall (unfortunately) is also running
> my Apache web server, FTP server and Telnet daemon.
> I honestly think this is ok, but it's confusing me with
> the whole firewall aspect.
One could argue about security, but it's not uncommon.
> I wanted to allow new packets to go to my Linux box
> such as port 21 and 80 but only about 4 new connections
> per second.
> /sbin/iptables -A PREROUTING -i eth0 -p tcp -d x.x.x.x
> --dport 21 -m state
> --state NEW -m limit --limit 4/second -j DNAT --to x.x.x.x
>
> Whereas x.x.x.x is my IP that my ISP assigns me. Or would I use
> the following;
>
> /sbin/iptables -A PREROUTING -i eth0 -p tcp -d x.x.x.x
> --dport 21 -m state
> --state NEW -m limit --limit 4/second -j DNAT --to 192.168.0.1
If you're running servers on the firewall itself, packets sent to the
server are going to the INPUT chain; you don't have to redirect the
traffic if your servers are accessible on your external IP.
The INPUT chain is in the filter table. If you don't specify a table
(-t <tablename>) on the iptables line, the filter table is assumed
when creating the rule.
Besides, the filter table has no PREROUTING chain so both rules above
would not work anyway.
I guess this rule would do the trick for http:
(/sbin/iptables -P INPUT DROP)
(/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j
ACCEPT)
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state
NEW -m limit --limit 4/second -j ACCEPT
As for telnet: you might want to switch to ssh if possible.
Telnet != secure because everything is sent in plaintext.
Rob
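The two cases Rob distinguishes, written out as an added example (not code from the thread): case A keeps Joel's services on the firewall itself, so only filter/INPUT rules with a per-second limit on NEW connections are needed; case B is the other layout Joel asked about, a server behind the firewall on 192.168.0.1, which does need DNAT in the nat table's PREROUTING chain plus matching FORWARD rules. The IPT variable defaults to a dry run that prints the commands; the address 203.0.113.5 is a placeholder, not a real ISP address.

```shell
#!/bin/sh
# Added example, not from the thread. Set IPT=/sbin/iptables to apply
# for real (as root); the default just echoes the commands.
IPT="${IPT:-echo /sbin/iptables}"
EXT_IF=eth0
LIMIT=4/second   # Joel's "about 4 new connections per second"
BURST=4

# Case A: services run on the firewall itself. Traffic to local
# daemons traverses filter/INPUT; PREROUTING does not exist in the
# filter table, so no DNAT is involved at all.
local_services() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    for port in 22 21 80; do   # ssh, ftp, http
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" \
             -m state --state NEW \
             -m limit --limit "$LIMIT" --limit-burst "$BURST" -j ACCEPT
    done
    # NEW packets above the limit match nothing and hit the DROP policy.
}

# Case B: the server sits behind the firewall (192.168.0.1 on eth1).
# DNAT lives in nat/PREROUTING; the rate limit then belongs in FORWARD,
# because DNATed packets are forwarded, not delivered locally.
# (Requires net.ipv4.ip_forward=1 and the server using the firewall
# as its default gateway so conntrack can reverse the translation.)
forwarded_services() {
    ext_ip=$1
    int_ip=$2
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    for port in 21 80; do
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$ext_ip" \
             --dport "$port" -j DNAT --to-destination "$int_ip"
        $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$int_ip" --dport "$port" \
             -m state --state NEW \
             -m limit --limit "$LIMIT" --limit-burst "$BURST" -j ACCEPT
    done
}
```

Run it once with the default dry run and compare the printed rules against the chains you expect each packet to traverse before setting IPT to the real binary.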
* Re: How to direct packets to my server. DOES THIS LOOK RIGHT?
From: Roy Sigurd Karlsbakk @ 2002-12-15 11:42 UTC (permalink / raw)
To: Joel Linuxdude, netfilter
On Sunday 15 December 2002 06:33, Joel Linuxdude wrote:
> My Netfilter firewall (unfortunately) is also running
> my Apache web server, FTP server and Telnet daemon.
Er. Are you running telnet??? How about ssh? You've got free clients for ssh
even for Windows (google for PuTTY).
--
Roy Sigurd Karlsbakk, Datavaktmester
ProntoTV AS - http://www.pronto.tv/
Tel: +47 9801 3356
Computers are like air conditioners.
They stop working when you open Windows.
* Re: How to direct packets to my server. DOES THIS LOOK RIGHT?
From: Zoilo @ 2002-12-15 15:08 UTC (permalink / raw)
To: Joel Linuxdude; +Cc: netfilter
Joel Linuxdude wrote:
> My Netfilter firewall (unfortunately) is also running
> my Apache web server, FTP server and Telnet daemon.
> I honestly think this is ok, but it's confusing me with
> the whole firewall aspect.
Yes and no, i.e. I can agree with the concept, but I really disagree
with the provided services.
It is OK to provide some services from your firewall, provided that they
are *secure* services. I would recommend replacing telnet and FTP with
OpenSSH, as telnet and FTP are both serious security hazards.
OpenSSH provides sshd (daemon running on your firewall), ssh (secure
telnet replacement), sftp (secure ftp replacement) and scp (secure
remote copy); "grep ssh /etc/services" and "grep sftp /etc/services"
will tell you which ports to open. In case you need to log in from a
Windoze machine, a utility called "PuTTY" is available on the internet
for download.
Also make sure that your Apache server software is up to date, and *if*
you use PHP (or you don't, but it is enabled), then carefully check the
settings in /etc/php.ini: in particular register_globals and
register_argc_argv should be set to Off, unless you want the whole world
to be able to set up an environment for your PHP scripts....
With these precautions, I believe that your firewall would be quite well
protected.
--
Z.
---------------------------------------------------------
If all you have is a hammer, everything looks like a nail
---------------------------------------------------------