locally access server behind firewall

locally access server behind firewall

[Tom]

Hi,

I have a linux firewall (iptables), and a linux server with apache 
behind that firewall. My provider blocks ports below 1024, so I have a 
prerouting-rule that redirects traffic like this:

$IPTABLES -A PREROUTING -t nat -i $WWW p tcp -d $EXTIP --dport 8888 -j 
DNAT --to $SERVER:80

I also have 2 forward-rules:

$IPTABLES -A FORWARD -i $WWW -o $LAN -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $WWW -p tcp --sport 80 -j ACCEPT

and I have these two lines to allow my local pc's to connect to the 
firewall with ssh and stuff like that:
$IPTABLES -A INPUT -i $LAN -s $INTLAN -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN -d $INTLAN -j ACCEPT


where:
  $EXTIP = my external IP address
  $WWW is eth1
  $LAN is eth0
  $SERVER = my server's internal IP address.
  $INTLAN = "192.168.0.0/24"

This works really well when I try to connect from the outside to my 
webserver. But, if I try to connect to http://myserver.com:8888 from the 
internal network (or from my server itself), I always get 'connection 
refused'. I'm pretty sure I need some other rules, but can someone 
please help me in the good direction here? Thanks a lot!!



PS: Here's a little drawing of the situation:

SERVER (eth0) <----> (eth0) GATEWAY-PC (eth1) <----> internet

Re: locally access server behind firewall

[John A. Sullivan III]

On Wed, 2004-09-01 at 13:53, Tom wrote:
> Hi,
> 
> I have a linux firewall (iptables), and a linux server with apache 
> behind that firewall. My provider blocks ports below 1024, so I have a 
> prerouting-rule that redirects traffic like this:
> 
> $IPTABLES -A PREROUTING -t nat -i $WWW p tcp -d $EXTIP --dport 8888 -j 
> DNAT --to $SERVER:80
> 
> I also have 2 forward-rules:
> 
> $IPTABLES -A FORWARD -i $WWW -o $LAN -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -o $WWW -p tcp --sport 80 -j ACCEPT
> 
> and I have these two lines to allow my local pc's to connect to the 
> firewall with ssh and stuff like that:
> $IPTABLES -A INPUT -i $LAN -s $INTLAN -j ACCEPT
> $IPTABLES -A OUTPUT -o $LAN -d $INTLAN -j ACCEPT
> 
> 
> where:
>   $EXTIP = my external IP address
>   $WWW is eth1
>   $LAN is eth0
>   $SERVER = my server's internal IP address.
>   $INTLAN = "192.168.0.0/24"
> 
> This works really well when I try to connect from the outside to my 
> webserver. But, if I try to connect to http://myserver.com:8888 from the 
> internal network (or from my server itself), I always get 'connection 
> refused'. I'm pretty sure I need some other rules, but can someone 
> please help me in the good direction here? Thanks a lot!!
> 
> 
> 
> PS: Here's a little drawing of the situation:
> 
> SERVER (eth0) <----> (eth0) GATEWAY-PC (eth1) <----> internet
If I understand you correctly, you are trying to connect to the web
server on the internal network from devices on the internal network. 
That means the packets never pass through the firewall.  In that case,
no additional rules will help you.

You could force the traffic to pass through the firewall by placing the
web server on a physical DMZ (highly preferable if this web server
allows public access as it appears to - if someone cracks it, they will
be on your internal network) or on a logical DMZ.  To create a logical
DMZ, simply bind a second address for a separate subnet to the internal
interface of the firewall and change the web server internal address to
an address on that new subnet.

However, I would think the easiest thing to do is configure Apache to
answer on port 8888.  Hope this helps - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

Re: locally access server behind firewall

[Tom]

John A. Sullivan III wrote:

>If I understand you correctly, you are trying to connect to the web
>server on the internal network from devices on the internal network. 
>That means the packets never pass through the firewall.  In that case,
>no additional rules will help you.
>
>  
>
Well, I try to connect from a machine on the internal network, but I 
don't use the internal IP address of the server. I try to connect using 
the external address, which is the public ip address of the firewall. So 
I thought the packets would pass the firewall..?

>You could force the traffic to pass through the firewall by placing the
>web server on a physical DMZ (highly preferable if this web server
>allows public access as it appears to - if someone cracks it, they will
>be on your internal network) or on a logical DMZ.  To create a logical
>DMZ, simply bind a second address for a separate subnet to the internal
>interface of the firewall and change the web server internal address to
>an address on that new subnet.
>
>  
>
That's maybe a good idea... Will try that when I have some more time. 
But for the time being, I want to be able to connect to my webserver as 
if it were somewhere else on the internet...

>However, I would think the easiest thing to do is configure Apache to
>answer on port 8888.  Hope this helps - John
>  
>
Then I still need the prerouting-rule, but it will only alter the 
destination address and not the port anymore. Would that help you think?

Thanks!
Tom.

Re: locally access server behind firewall

[Jason Opperisano]

On Wed, 2004-09-01 at 13:53, Tom wrote:
> This works really well when I try to connect from the outside to my 
> webserver. But, if I try to connect to http://myserver.com:8888 from the 
> internal network (or from my server itself), I always get 'connection 
> refused'. I'm pretty sure I need some other rules, but can someone 
> please help me in the good direction here? Thanks a lot!!

because your server doesn't listen on port 8888--it listens on port 80. 
that's why you had to create the DNAT rule.

as far as trying to connect "from the internal network"--these packets
will go directly from LAN client to WWW server and never traverse your
firewall, so no DNAT can take place.  if you must be able to do
this--configure your WWW server to listen on port 8888 ("Listen 8888" in
apache).

NAT-ing of locally-generated packets on your firewall would require a
rule in the OUTPUT chain of the nat table:

        iptables -t nat -A OUTPUT -p tcp -d $EXTIP --dport 8888 \
          -j DNAT --to-destination $SERVER:8888
        
note:  i don't even know if that will work, as it requires the output
interface to change from external to internal and i vaguely recall that
this doesn't work cleanly without a patch.

-j

-- 
Jason Opperisano <opie@817west.com>

RE: locally access server behind firewall

[Deepak Seshadri]

Hi Tom,

I think your Apache server is expecting connections on port 80 & your
Nat'ing will occur only if the packet comes in form the $WWW interface.
Since you are on the local LAN the packets are not Nat'ted and hence you get
the connection refused from the server as it is getting requests on a port
where no application is listening.

You don't need any rule, just type http://myserver.com within the LAN.


Hope this helps!
Regards,

Deepak Seshadri


-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Tom
Sent: Wednesday, September 01, 2004 1:54 PM
To: netfilter@lists.netfilter.org
Subject: locally access server behind firewall

Hi,

I have a linux firewall (iptables), and a linux server with apache 
behind that firewall. My provider blocks ports below 1024, so I have a 
prerouting-rule that redirects traffic like this:

$IPTABLES -A PREROUTING -t nat -i $WWW p tcp -d $EXTIP --dport 8888 -j 
DNAT --to $SERVER:80

I also have 2 forward-rules:

$IPTABLES -A FORWARD -i $WWW -o $LAN -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $WWW -p tcp --sport 80 -j ACCEPT

and I have these two lines to allow my local pc's to connect to the 
firewall with ssh and stuff like that:
$IPTABLES -A INPUT -i $LAN -s $INTLAN -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN -d $INTLAN -j ACCEPT


where:
  $EXTIP = my external IP address
  $WWW is eth1
  $LAN is eth0
  $SERVER = my server's internal IP address.
  $INTLAN = "192.168.0.0/24"

This works really well when I try to connect from the outside to my 
webserver. But, if I try to connect to http://myserver.com:8888 from the 
internal network (or from my server itself), I always get 'connection 
refused'. I'm pretty sure I need some other rules, but can someone 
please help me in the good direction here? Thanks a lot!!



PS: Here's a little drawing of the situation:

SERVER (eth0) <----> (eth0) GATEWAY-PC (eth1) <----> internet

Re: locally access server behind firewall

[Alistair Tonner]

On September 1, 2004 01:53 pm, Tom wrote:
> Hi,
>
> I have a linux firewall (iptables), and a linux server with apache
> behind that firewall. My provider blocks ports below 1024, so I have a
> prerouting-rule that redirects traffic like this:
>
> $IPTABLES -A PREROUTING -t nat -i $WWW p tcp -d $EXTIP --dport 8888 -j
> DNAT --to $SERVER:80
>
> I also have 2 forward-rules:
>
> $IPTABLES -A FORWARD -i $WWW -o $LAN -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -o $WWW -p tcp --sport 80 -j ACCEPT
>
> and I have these two lines to allow my local pc's to connect to the
> firewall with ssh and stuff like that:
> $IPTABLES -A INPUT -i $LAN -s $INTLAN -j ACCEPT
> $IPTABLES -A OUTPUT -o $LAN -d $INTLAN -j ACCEPT
>
>
> where:
>   $EXTIP = my external IP address
>   $WWW is eth1
>   $LAN is eth0
>   $SERVER = my server's internal IP address.
>   $INTLAN = "192.168.0.0/24"
>
> This works really well when I try to connect from the outside to my
> webserver. But, if I try to connect to http://myserver.com:8888 from the
> internal network (or from my server itself), I always get 'connection
> refused'. I'm pretty sure I need some other rules, but can someone
> please help me in the good direction here? Thanks a lot!!
	
	Your inbound DNAT rule doesn't translate connections from the LAN.
	 (-i $WWW)
	
	IF you want to do this without a DMZ (*not a good thing*) you will need to 
both DNAT and SNAT the connections from the LAN to the webserver. i.e. DNAT 
the connection from the LAN to the webserver as in the (-i $WWW rule) AND 
SNAT the connection on the way to the webserver to come back to the LAN ip of 
the firewall.

	Better to follow Jason's advise, create a virtual DMZ and route through to 
that.

>
>
>
> PS: Here's a little drawing of the situation:
>
> SERVER (eth0) <----> (eth0) GATEWAY-PC (eth1) <----> internet

Re: locally access server behind firewall

[Tom]

>	IF you want to do this without a DMZ (*not a good thing*) you will need to 
>both DNAT and SNAT the connections from the LAN to the webserver. 
>

Guess you guys are right. I will put the server in a DMZ, but that 
requires some work and thinking about my firewall script... I will try 
to find some spare time and when I have more problems, I will get back 
here :-) Thanks a lot for the fast responses!!!

RE: locally access server behind firewall

[Daniel Chemko]

Deepak Seshadri wrote:
> Hi Tom,
> 
> I think your Apache server is expecting connections on port 80 & your
> Nat'ing will occur only if the packet comes in form the $WWW
> interface. Since you are on the local LAN the packets are not Nat'ted
> and hence you get the connection refused from the server as it is
> getting requests on a port where no application is listening.
> 
> You don't need any rule, just type http://myserver.com within the LAN.

Problem:

You root problem is that your resolving myserver.com as an intrernet
address. The client connects to the GW (linux) in order to get routed to
the box. The linux machine passes the connection request on to
${internal_www} server without making any changes. The Server reads the
client's source address (knowing its in the internal network) and passes
it back to the client directly. So, your route  now looks like this:

Client->Firewall->Server->Client

THIS DOES NOT WORK
The every packet after the SYN will be tossed because the firewall never
received the corresponding SYN-ACK packet from ${internal_www}


Solution:

There are two ways to accomplish this: The right way and the wrong way.
The easiest way is just to implement the lines below.
	
	iptables -t nat -A POSTROUTING --destination ${internal_www} -p
tcp --dport 80 -j SNAT ${internal_gw_ip}
	# In case this isn't covered by other rules, you need a loopback
rule for that network interface
	iptables -A FORWARD -i ${internal_if} -o ${internal_if} -j
ACCEPT

The other solution is to use Split DNS. Where myserver.com resolves to
an internal DNS address like 192.168.1.1 instead of 24.1.1.1. There's a
lot of information about split-dns on the internet. I'm not going to
repeat it here again and again...