* netfilter and IIS5
From: Keith R. Weiner @ 2002-10-07 16:21 UTC
To: netfilter
Excuse me if this is a newbie question.
I am running IIS on Windows 2000 behind the DMZ. The first linux box is using the old ipchains. The second box is using netfilter. From within the DMZ, I can access it. From the outside world, it is not accessible. Other services are, but not IIS.
Any help would be greatly appreciated. Thanks.
* Re: netfilter and IIS5
From: Antony Stone @ 2002-10-07 19:13 UTC
To: netfilter
On Monday 07 October 2002 5:21 pm, Keith R. Weiner wrote:
> Excuse me if this is a newbie question.
>
> I am running IIS on Windows 2000 behind the DMZ. The first linux box is
> using the old ipchains. The second box is using netfilter. From within
> the DMZ, I can access it. From the outside world, it is not accessible.
> Other services are, but not IIS.
Tell us your firewall rules and show us your network configuration.
Antony.
--
What is this talk of software 'release' ?
Our software evolves and matures until it becomes capable of escape,
leaving a bloody trail of designers and quality assurance people in its wake.
* RE: netfilter and IIS5
From: Darrell Dieringer @ 2002-10-07 19:41 UTC
To: Keith R. Weiner, netfilter
Awhile ago I was dealing with what amounted to be an IIS issue.
First, are you doing any NAT? Specifically, are you NAT-ing any
ports?
In my network setup (cable ISP, single real IP address, LAN plus
separate DMZ - all NAT-ed to the Internet with some services being
forwarded to the DMZ), where my ISP blocked incoming port 80 requests
somewhere upstream from me, I had the following problem:
If I forwarded w.x.y.z:3080 to dmz.a:80 (where IIS was listening), the
first thing IIS did was issue a redirect. Check your IIS logs for
HTTP code 302 (IIRC) - redirect - that tells the requesting client
"Reach me on port 80 instead". Since my port 80 was blocked upstream
by the ISP, the new request from the client never got to me.
But it worked fine inside my LAN since I didn't block port 80 to the
DMZ.
Since at the time I was a newbie to netfilter, I naturally assumed it
was a problem with my rules / setup. Instead, it was a feature of IIS
(in my case IIS 4), combined with my ISP blocking port 80.
I changed IIS4 to listen on 3080 and changed my NAT to forward
w.x.y.z:3080 -> dmz.a:3080. IIS no longer issued the redirect to the
blocked port, and everything worked fine.
This may not be your situation, but lacking most specifics about your
network, I'm taking a guess. Hope it helps.
Darrell
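An added example, not code from the thread or from any poster: a Python check for the symptom Darrell describes, where a redirect sends the client to a port other than the forwarded one and outside clients never return. It assumes IIS W3C extended logging with the fields named in the `#Fields` line; the log lines, addresses and the hostname `www.example.test` are constructed.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample in W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem s-port sc-status
2002-10-07 19:02:11 192.0.2.10 GET /docs 80 302
2002-10-07 19:02:40 10.0.0.5 GET /docs 80 302
2002-10-07 19:02:41 10.0.0.5 GET /docs/ 80 200
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def effective_port(url):
    """Explicit port of the URL, or the scheme default when none is given."""
    parts = urlsplit(url)
    return parts.port or DEFAULT_PORTS.get(parts.scheme)

def redirect_leaves_forward(requested_url, location):
    """True if following Location moves the client off the host:port it used."""
    target = urljoin(requested_url, location)  # resolves relative Location values
    src, dst = urlsplit(requested_url), urlsplit(target)
    return (src.hostname, effective_port(requested_url)) != (
        dst.hostname, effective_port(target))

def unanswered_redirects(records):
    """Map client IP -> redirected path for clients that never sent a follow-up."""
    pending = {}
    for rec in records:
        if rec["sc-status"] in ("301", "302"):
            pending[rec["c-ip"]] = rec["cs-uri-stem"]
        else:
            pending.pop(rec["c-ip"], None)  # a later request arrived
    return pending

if __name__ == "__main__":
    print(unanswered_redirects(parse_w3c(SAMPLE_LOG)))
    print(redirect_leaves_forward("http://www.example.test:3080/docs",
                                  "http://www.example.test/docs/"))
```

A client that appears in `unanswered_redirects` while internal clients complete the same redirect points at the forwarded port and the listening port disagreeing, not at the filter rules.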
* RE: netfilter and IIS5
From: Keith R. Weiner @ 2002-10-07 19:46 UTC
To: netfilter
As a matter of fact I think that you have the answer.
I remember having problems in the past with IIS running behind a netfilter firewall. The problem was when I changed the external address to forward to the same internal address. Even rebooting both the linux and the windows servers didn't help. Microsoft had a bulletin on the subject of IIS having problems behind a natted firewall, but offered no solution.
It magically started working again.
I will focus on IIS and see the logs. I will try your solutions for the future should this occur again.
Once again, your help was greatly appreciated.
* Re: netfilter and IIS5
From: Antony Stone @ 2002-10-07 19:48 UTC
To: netfilter
On Monday 07 October 2002 8:41 pm, Keith R. Weiner wrote:
> I actually got it working. However, I remember having problems in the past
> with IIS running behind a netfilter firewall. The problem was when I
> changed the external address to forward to the same internal address.
What do you mean by that ?
> Even rebooting both the linux and the windows servers didn't help.
> Microsoft had a bulletin on the subject of IIS having problems behind a
> natted firewall, but offered no solution.
When you say you are running IIS, what network services are you talking
about? Is this HTTP, FTP, SMB file sharing, or what ?
Antony.
--
Success is a lousy teacher. It seduces smart people into thinking they
can't lose.
- William H Gates III