Subj : Re: HTTP SERVER ON FORWARDED MACHINE
To   : comp.os.linux.networking,comp.os.linux,comp.os.linux.redhat,comp.os.linux.security,comp.os.linux.misc
From : Jose Maria Lopez Hernandez
Date : Tue Aug 24 2004 06:39 am

JoeAley2003 wrote:
> Hi all...
>
> I have a redhat linux 9 connected to the internet and 1 computer that
> receives internet forwarded from the linux.
>
> What I need is to run a valid on-internet http server on this
> forwarded computer where I run apache on port 80.
>
> Anyone can help with iptables or anything? I know that a transparent
> proxy is very similar, but it doesn't work.
>
> Here goes my script anyway...

I think your script is a little mess. I'll try to tell you what I think
could be better.

> //////////////////////////////
>
> #! /bin/sh
> # Turn on IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/ip_dynaddr
> IPTABLES=/sbin/iptables
> MODPROBE=/sbin/modprobe
> IFACE_INTERNET=eth0
> IFACE_LOCALLAN=eth2
> IFACE_LOCALLAN_2=eth1
>
> ############################ SETTING UP IP ADDRESS ###########################
>
> ########################## ETH 0 #################
>
> if=`ifconfig $IFACE_INTERNET 2>/dev/null | grep 'inet ' | sed s/[[:alpha:]:]//g | gawk '{ print $1"/"$3" "$2 }'`
> if [ ! "$if" ]; then
>     echo -e "Error: Interface $IFACE_INTERNET is down - failed to initialize"
>     exit 1
> fi;
>
> IP_INTERNET=`echo $if | cut -f1 -d'/'`
> BROADCAST_INTERNET=`echo $if | cut -f2 -d' '`
> NET_INTERNET=`echo $if | cut -f1 -d' '`
>
> ########################## ETH 1 & ETH 2 #################
>
> #ife2=`echo $ife | cut -f1 -d:` # cut off alias
>
> #declare -i c=0
> #for i in $ifi; do
> #    if=`ifconfig $i 2>/dev/null | grep 'inet ' | sed s/[[:alpha:]:]//g | gawk '{ print $1"/"$3" "$2 }'`
> #    if [ ! "$if" ]; then
> #        echo -e "Error: Interface $i is down - failed to initialize"
> #        exit 1
> #    fi;
>
> #    lan_if_ip[$c]=`echo $if | cut -f1 -d'/'`
> #    lan_if_bc[$c]=`echo $if | cut -f2 -d' '`
> #    local_net[$c]=`echo $if | cut -f1 -d' '`
>
> #    ((c=c+1))
> #done;
>
> #IP_INTERNET=200.167.253.63
> #BROADCAST_INTERNET=200.167.253.255
>
> IP_LOCALLAN=194.168.0.1
> IP_LOCALLAN_2=193.168.0.1
>
> SUBNET_LOCALLAN=194.168.0.0/24
> SUBNET_LOCALLAN_2=193.168.0.0/24
> BROADCAST_LOCALLAN=194.168.0.255
> BROADCAST_LOCALLAN_2=193.168.0.255
>
> ########################### END SETTING UP NET ADDRESSES #####################
>
> #
> # (0) Flush existing stuff
> #
> $IPTABLES --flush
> $IPTABLES --table nat --flush
> $IPTABLES --delete-chain
> $IPTABLES --table nat --delete-chain
> #
> # (a) Start connection tracking
> #
> $MODPROBE ip_tables
> $MODPROBE ip_conntrack
> $MODPROBE iptable_filter
> $MODPROBE iptable_mangle
> $MODPROBE iptable_nat
> $MODPROBE ipt_LOG
> $MODPROBE ipt_limit
> $MODPROBE ipt_state
> $MODPROBE ipt_MASQUERADE

You should load the modules for dealing with FTP here, because you use
it at the end of the script. The modules are ip_conntrack_ftp and
ip_nat_ftp (if you want to NAT FTP).

> #
> # (1) Policies (default)
> #
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
> #
> # (2) User-defined chain for ACCEPTed TCP packets
> #
> #### $IPTABLES -N okay
> #### $IPTABLES -A okay -p TCP --syn -j ACCEPT

I think the --syn rule is not necessary, or you will be accepting all
the initial connections, even port scans. What is usually done is to
deny NEW connections without a SYN, using conntrack (-m state --state ...).
I suppose you commented it out because of this.

> #### $IPTABLES -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> #### $IPTABLES -A okay -p TCP -j DROP

The second rule drops every new connection if you don't use the rule
above, the one with --syn, but it's repetitive to do it that way: just
accept the initial connection and use the ESTABLISHED,RELATED rule to
accept the session.

> #
> # (log)
> #
> $IPTABLES -N log
> #
> # (3) INPUT chain rules
> #
> #allow this stuff before we log:
> $IPTABLES -A INPUT -p ALL -i $IFACE_LOCALLAN -s $SUBNET_LOCALLAN -j ACCEPT
> $IPTABLES -A INPUT -p ALL -i $IFACE_LOCALLAN_2 -s $SUBNET_LOCALLAN_2 -j ACCEPT
> $IPTABLES -A INPUT -p ALL -i $IFACE_INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> ######################################$IPTABLES -A INPUT -p UDP -m udp --sport 67 --dport 68 -j ACCEPT

Are you enabling DHCP? You should do it with conntrack as with any other
connection.

> $IPTABLES -A INPUT -i lo -j ACCEPT

Here you use the interface, and below you use the 127.0.0.1 IP to accept
outgoing lo packets.

> $IPTABLES -A INPUT -p ALL -i $IFACE_INTERNET -d $BROADCAST_LOCALLAN -j ACCEPT
> $IPTABLES -A INPUT -p ALL -i $IFACE_INTERNET -d $BROADCAST_LOCALLAN_2 -j ACCEPT

You should not accept all the broadcast traffic, only that for the
services you need, such as NetBIOS or similar.

>
> #drop this stuff before we log:
> #### $IPTABLES -A INPUT -p udp -i $IFACE_INTERNET -d $BROADCAST_INTERNET -j DROP
> #### $IPTABLES -A INPUT -p udp -i $IFACE_INTERNET -m udp --dport 53 -j DROP
> #send this off to be logged:
> #COARSE:
> #### $IPTABLES -A INPUT -p TCP -m tcp --dport 0:1023 -m state --state NEW -j LOG --log-prefix "LOW PORT TCP CONNECTION:"
> #### $IPTABLES -A INPUT -p UDP -m udp --dport 0:1023 -m state --state NEW -j LOG --log-prefix "LOW PORT UDP CONNECTION:"
> #FINE:
> #### $IPTABLES -A INPUT -p TCP -m state --state NEW -m tcp --dport 1024:65535 -j LOG --log-prefix "HIGH PORT TCP CONNECTION:"
> #### $IPTABLES -A INPUT -p UDP -m state --state NEW -m udp --dport 1024:65535 -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
> #### $IPTABLES -A INPUT -p TCP -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW NOT SYN:"
> #Rules for incoming packets from the Internet
> #### $IPTABLES -A INPUT -p TCP -i $IFACE_INTERNET -s 0/0 --dport 22 -j okay

I hope this mess is all commented out. You should use conntrack with SSH
also.

> #
> # (4) FORWARD chain rules
> #
> #Accept the packets we want to forward
> #### $IPTABLES -A FORWARD -p TCP -m tcp -o $IFACE_INTERNET -m state --state NEW -j LOG --log-prefix "OUTGOING TCP CONNECTION:"
> #### $IPTABLES -A FORWARD -p UDP -m udp -o $IFACE_INTERNET -m state --state NEW -j LOG --log-prefix "OUTGOING UDP CONNECTION:"

You normally don't need to load the modules with -m tcp or -m udp, and
you are allowing all the outgoing traffic and the corresponding incoming
traffic.

> $IPTABLES -A FORWARD -i $IFACE_LOCALLAN -j ACCEPT
> $IPTABLES -A FORWARD -i $IFACE_LOCALLAN_2 -j ACCEPT
>
> $IPTABLES -A FORWARD -i $IFACE_INTERNET -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

The same thing as commented before: you shouldn't accept all the traffic
coming from IFACE_INTERNET; use conntrack to allow only the traffic you
want.

> # (5) OUTPUT chain rules
> #Only output packets with local addresses (no spoofing)
> $IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT

Now you use the IP, but before you used the interface.

> $IPTABLES -A OUTPUT -p ALL -s $IP_LOCALLAN -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $IP_LOCALLAN_2 -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $IP_INTERNET -j ACCEPT

Why not use conntrack for all these rules?

> # (6) POSTROUTING chain rules
> $IPTABLES -t nat -A POSTROUTING -o $IFACE_INTERNET -j MASQUERADE
> #########################
> # PORT 21##
> #########################
> $IPTABLES -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 20:21 -j ACCEPT

You should use conntrack also for FTP, and the corresponding modules.

> #########################
>
> echo -e "Done!"

I think what you need to solve the problem of redirecting the packets to
the web server is just to DNAT the packets you want to forward to the
destination address.

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
Spain

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
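The following is an added example, not code from either poster in the thread: the original script rebuilt the way the reply suggests, with conntrack doing the stateful work and a PREROUTING DNAT rule sending port 80 from the Internet to the Apache box. It assumes (the thread does not say) that the web server is 194.168.0.2 on the eth2 LAN and that eth0 faces the Internet; the interface names and subnets are the ones from the original script. Setting IPTABLES=echo (and MODPROBE=:) prints the rules instead of applying them, which is how the rule set can be inspected on a machine without netfilter.

```shell
#!/bin/sh
# Added example, not code from the original thread: the poster's script
# rebuilt around conntrack, with the DNAT the reply recommends for the
# web server. Assumptions not stated in the thread: the Apache box is
# 194.168.0.2 on the eth2 LAN; eth0 faces the Internet. Set IPTABLES=echo
# (and MODPROBE=:) to print the rules instead of applying them.

IPTABLES="${IPTABLES:-/sbin/iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
IFACE_INTERNET="${IFACE_INTERNET:-eth0}"
IFACE_LOCALLAN="${IFACE_LOCALLAN:-eth2}"
IFACE_LOCALLAN_2="${IFACE_LOCALLAN_2:-eth1}"
SUBNET_LOCALLAN=194.168.0.0/24
SUBNET_LOCALLAN_2=193.168.0.0/24
WEB_SERVER="${WEB_SERVER:-194.168.0.2}"   # hypothetical LAN address of Apache

load_modules() {
    # ip_conntrack_ftp / ip_nat_ftp let RELATED match the FTP data channel;
    # the original script allows FTP but never loads them.
    for m in ip_tables ip_conntrack iptable_filter iptable_nat ipt_LOG \
             ipt_limit ipt_state ipt_MASQUERADE ip_conntrack_ftp ip_nat_ftp; do
        $MODPROBE "$m"
    done
}

flush_all() {
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X
    $IPTABLES -t nat -X
}

policies() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
}

input_rules() {
    $IPTABLES -A INPUT -i lo -j ACCEPT       # one convention for lo: by interface
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A INPUT -i "$IFACE_LOCALLAN" -s "$SUBNET_LOCALLAN" -j ACCEPT
    $IPTABLES -A INPUT -i "$IFACE_LOCALLAN_2" -s "$SUBNET_LOCALLAN_2" -j ACCEPT
    # The only NEW connection the firewall itself accepts from the Internet
    # is SSH, and only when it starts with a SYN.
    $IPTABLES -A INPUT -i "$IFACE_INTERNET" -p tcp --syn --dport 22 \
        -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$IFACE_INTERNET" -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
}

forward_rules() {
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP
    # LAN hosts may open anything outbound; replies come back via conntrack.
    $IPTABLES -A FORWARD -i "$IFACE_LOCALLAN" -s "$SUBNET_LOCALLAN" \
        -o "$IFACE_INTERNET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$IFACE_LOCALLAN_2" -s "$SUBNET_LOCALLAN_2" \
        -o "$IFACE_INTERNET" -j ACCEPT
    # DNAT in PREROUTING runs before FORWARD, so this rule already sees the
    # rewritten destination: port 80 to the web server is the only NEW
    # connection forwarded in from the Internet (no blanket -i eth0 ACCEPT).
    $IPTABLES -A FORWARD -i "$IFACE_INTERNET" -o "$IFACE_LOCALLAN" -p tcp --syn \
        -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

output_rules() {
    # The firewall's own traffic: anything conntrack considers valid.
    $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
    $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

nat_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$IFACE_INTERNET" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    $IPTABLES -t nat -A POSTROUTING -o "$IFACE_INTERNET" -j MASQUERADE
}

build_rules() {
    load_modules; flush_all; policies
    input_rules; forward_rules; output_rules; nat_rules
}

# Only touch the live kernel when explicitly asked: ./fw.sh apply
if [ "${1:-}" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    build_rules
fi
```

Two caveats a practitioner would check before relying on this. First, the DNAT only covers clients arriving on eth0; a LAN host that connects to the firewall's public address will have its packet DNATed but the reply will come straight from 194.168.0.2, so hairpin access needs an extra SNAT rule or split DNS. Second, the 194.168.0.0/24 and 193.168.0.0/24 subnets are kept from the original script, but they are public (RIPE) address space, not RFC 1918 private ranges, so hosts on those LANs can never reach the real owners of those addresses; 192.168.x.0/24 is what the original author most likely intended.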