This is a discussion on HTTP SERVER ON FORWARDED MACHINE within the Linux Security forums, part of the System Security and Security Related category.
Hi all...

I have a redhat linux 9 connected to the internet and 1 computer that receives internet forwarded from the linux.

What I need is to run a valid on internet http server on this forwarded computer where I run apache on port 80. Anyone can help with iptables or anything? I know that a transparent proxy is very similar, but it doesn't work.

Here goes my script anyway...

//////////////////////////////

#! /bin/sh
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
IFACE_INTERNET=eth0
IFACE_LOCALLAN=eth2
IFACE_LOCALLAN_2=eth1

############################ SETTING UP IP ADDRESS ###########################

########################## ETH 0 #################

# Read address, netmask and broadcast of the Internet interface from ifconfig
if=`ifconfig $IFACE_INTERNET 2>/dev/null | grep 'inet ' | sed 's/[[:alpha:]:]//g' | gawk '{ print $1"/"$3" "$2 }'`
if [ ! "$if" ]; then
    echo -e "Error: Interface $IFACE_INTERNET is down - failed to initialize"
    exit 1
fi;

IP_INTERNET=`echo $if | cut -f1 -d'/'`
BROADCAST_INTERNET=`echo $if | cut -f2 -d' '`
NET_INTERNET=`echo $if | cut -f1 -d' '`

########################## ETH 1 & ETH 2 #################

#ife2=`echo $ife | cut -f1 -d:` # cut off alias

#declare -i c=0
#for i in $ifi; do
# if=`ifconfig $i 2>/dev/null | grep 'inet ' | sed 's/[[:alpha:]:]//g' | gawk '{ print $1"/"$3" "$2 }'`
# if [ ! "$if" ]; then
# echo -e "Error: Interface $i is down - failed to initialize"
# exit 1
# fi;
#lan_if_ip[$c]=`echo $if | cut -f1 -d'/'`
#lan_if_bc[$c]=`echo $if | cut -f2 -d' '`
#local_net[$c]=`echo $if | cut -f1 -d' '`
# ((c=c+1))
# done;

#IP_INTERNET=200.167.253.63
#BROADCAST_INTERNET=200.167.253.255
IP_LOCALLAN=194.168.0.1
IP_LOCALLAN_2=193.168.0.1
SUBNET_LOCALLAN=194.168.0.0/24
SUBNET_LOCALLAN_2=193.168.0.0/24
BROADCAST_LOCALLAN=194.168.0.255
BROADCAST_LOCALLAN_2=193.168.0.255

########################### END SETTING UP NET ADDRESSES #####################

#
# (0) Flush existing stuff
#
$IPTABLES --flush
$IPTABLES --table nat --flush
$IPTABLES --delete-chain
$IPTABLES --table nat --delete-chain
#
# (a) Start connection tracking
#
$MODPROBE ip_tables
$MODPROBE ip_conntrack
$MODPROBE iptable_filter
$MODPROBE iptable_mangle
$MODPROBE iptable_nat
$MODPROBE ipt_LOG
$MODPROBE ipt_limit
$MODPROBE ipt_state
$MODPROBE ipt_MASQUERADE
#
# (1) Policies (default)
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# (2) User-defined chain for ACCEPTed TCP packets
#
#### $IPTABLES -N okay
#### $IPTABLES -A okay -p TCP --syn -j ACCEPT
#### $IPTABLES -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
#### $IPTABLES -A okay -p TCP -j DROP
#
# (log)
#
$IPTABLES -N log
#
# (3) INPUT chain rules
#
#allow this stuff before we log:
$IPTABLES -A INPUT -p ALL -i $IFACE_LOCALLAN -s $SUBNET_LOCALLAN -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $IFACE_LOCALLAN_2 -s $SUBNET_LOCALLAN_2 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $IFACE_INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
######################################$IPTABLES -A INPUT -p UDP -m udp --sport 67 --dport 68 -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $IFACE_INTERNET -d $BROADCAST_LOCALLAN -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $IFACE_INTERNET -d $BROADCAST_LOCALLAN_2 -j ACCEPT
#drop this stuff before we log:
#### $IPTABLES -A INPUT -p udp -i $IFACE_INTERNET -d $BROADCAST_INTERNET -j DROP
#### $IPTABLES -A INPUT -p udp -i $IFACE_INTERNET -m udp --dport 53 -j DROP
#send this off to be logged:
#COARSE:
#### $IPTABLES -A INPUT -p TCP -m tcp --dport 0:1023 -m state --state NEW -j LOG --log-prefix "LOW PORT TCP CONNECTION:"
#### $IPTABLES -A INPUT -p UDP -m udp --dport 0:1023 -m state --state NEW -j LOG --log-prefix "LOW PORT UDP CONNECTION:"
#FINE:
#### $IPTABLES -A INPUT -p TCP -m state --state NEW -m tcp --dport 1024:65535 -j LOG --log-prefix "HIGH PORT TCP CONNECTION:"
#### $IPTABLES -A INPUT -p UDP -m state --state NEW -m udp --dport 1024:65535 -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
#### $IPTABLES -A INPUT -p TCP -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW NOT SYN:"
#Rules for incoming packets from the Internet
#### $IPTABLES -A INPUT -p TCP -i $IFACE_INTERNET -s 0/0 --dport 22 -j okay
#
# (4) FORWARD chain rules
#
#Accept the packets we want to forward
#### $IPTABLES -A FORWARD -p TCP -m tcp -o $IFACE_INTERNET -m state --state NEW -j LOG --log-prefix "OUTGOING TCP CONNECTION:"
#### $IPTABLES -A FORWARD -p UDP -m udp -o $IFACE_INTERNET -m state --state NEW -j LOG --log-prefix "OUTGOING UDP CONNECTION:"
$IPTABLES -A FORWARD -i $IFACE_LOCALLAN -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_LOCALLAN_2 -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_INTERNET -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# (5) OUTPUT chain rules
#Only output packets with local addresses (no spoofing)
$IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $IP_LOCALLAN -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $IP_LOCALLAN_2 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $IP_INTERNET -j ACCEPT
# (6) POSTROUTING chain rules
$IPTABLES -t nat -A POSTROUTING -o $IFACE_INTERNET -j MASQUERADE
#########################
# PORT 21##
#########################
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 20:21 -j ACCEPT
#########################
echo -e "Done!"
JoeAley2003 wrote:
> Hi all...
>
> I have a redhat linux 9 connected to the internet and 1 computer that
> receives internet forwarded from the linux.
>
> What i need is to run a valid on internet http server on this
> forwarded computer where i run apache on port 80.

Use these as a starting point:

iptables -A FORWARD -s 0.0.0.0/0 -d $IP_INTERNET -p tcp \
    --destination-port 80 -j ACCEPT

iptables -t nat -A PREROUTING -d $IP_INTERNET -j DNAT \
    --to-destination <local-ip-address>

iptables -t nat -A POSTROUTING -o $IFACE_INTERNET \
    -s <local-ip-address> -j SNAT --to-source $IP_INTERNET

Those will almost certainly need some modification to suit your situation. They're based on my setup where externally visible machines get 1-1 NATed, since I have more than one publicly visible IP address. But the idea should get you started. Note that local-ip-address refers to the address of the machine running Apache, *not* the local address of the machine running iptables.
JoeAley2003 wrote:
> Hi all...
>
> I have a redhat linux 9 connected to the internet and 1 computer that
> receives internet forwarded from the linux.
>
> What i need is to run a valid on internet http server on this
> forwarded computer where i run apache on port 80.
>
> Anyone can help with iptables or anything? I know that a transparent
> proxy is very similar, but it doesn't work.
>
> Here goes my script anyway...

I think your script is a little messy. I'll try to tell you what I think could be better.

> //////////////////////////////
>
> #! /bin/sh
> # Turn on IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/ip_dynaddr
> IPTABLES=/sbin/iptables
> MODPROBE=/sbin/modprobe
> IFACE_INTERNET=eth0
> IFACE_LOCALLAN=eth2
> IFACE_LOCALLAN_2=eth1
>
> ############################ SETTING UP IP ADDRESS ###########################
>
> ########################## ETH 0 #################
>
> if=`ifconfig $IFACE_INTERNET 2>/dev/null | grep 'inet ' | sed 's/[[:alpha:]:]//g' | gawk '{ print $1"/"$3" "$2 }'`
> if [ ! "$if" ]; then
>     echo -e "Error: Interface $IFACE_INTERNET is down - failed to initialize"
>     exit 1
> fi;
>
> IP_INTERNET=`echo $if | cut -f1 -d'/'`
> BROADCAST_INTERNET=`echo $if | cut -f2 -d' '`
> NET_INTERNET=`echo $if | cut -f1 -d' '`
>
> ########################## ETH 1 & ETH 2 #################
>
> #ife2=`echo $ife | cut -f1 -d:` # cut off alias
>
> #declare -i c=0
> #for i in $ifi; do
> # if=`ifconfig $i 2>/dev/null | grep 'inet ' | sed 's/[[:alpha:]:]//g' | gawk '{ print $1"/"$3" "$2 }'`
> # if [ ! "$if" ]; then
> # echo -e "Error: Interface $i is down - failed to initialize"
> # exit 1
> # fi;
> #lan_if_ip[$c]=`echo $if | cut -f1 -d'/'`
> #lan_if_bc[$c]=`echo $if | cut -f2 -d' '`
> #local_net[$c]=`echo $if | cut -f1 -d' '`
> # ((c=c+1))
> # done;
>
> #IP_INTERNET=200.167.253.63
> #BROADCAST_INTERNET=200.167.253.255
>
> IP_LOCALLAN=194.168.0.1
> IP_LOCALLAN_2=193.168.0.1
>
> SUBNET_LOCALLAN=194.168.0.0/24
> SUBNET_LOCALLAN_2=193.168.0.0/24
> BROADCAST_LOCALLAN=194.168.0.255
> BROADCAST_LOCALLAN_2=193.168.0.255
>
> ########################### END SETTING UP NET ADDRESSES #####################
>
> #
> # (0) Flush existing stuff
> #
> $IPTABLES --flush
> $IPTABLES --table nat --flush
> $IPTABLES --delete-chain
> $IPTABLES --table nat --delete-chain
> #
> # (a) Start connection tracking
> #
> $MODPROBE ip_tables
> $MODPROBE ip_conntrack
> $MODPROBE iptable_filter
> $MODPROBE iptable_mangle
> $MODPROBE iptable_nat
> $MODPROBE ipt_LOG
> $MODPROBE ipt_limit
> $MODPROBE ipt_state
> $MODPROBE ipt_MASQUERADE

You should load here the modules for dealing with FTP, because you use it at the end of the script. The modules are: ip_conntrack_ftp and ip_nat_ftp (if you want to NAT ftp).

> #
> # (1) Policies (default)
> #
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
> #
> # (2) User-defined chain for ACCEPTed TCP packets
> #
> #### $IPTABLES -N okay
> #### $IPTABLES -A okay -p TCP --syn -j ACCEPT

I think the --syn rule is not necessary, or you will be accepting all the initial connections, even the port scans. What is usually done is to deny the NEW connections without a SYN, using conntrack (-m state --state ...). I suppose you commented it out because of this.

> #### $IPTABLES -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> #### $IPTABLES -A okay -p TCP -j DROP

The second rule drops every new connection if you don't use the above rule, the one with --syn, but it's repetitive to do it; just accept the initial connection and use the ESTABLISHED,RELATED rule to accept the session.

> #
> # (log)
> #
> $IPTABLES -N log
> #
> # (3) INPUT chain rules
> #
> #allow this stuff before we log:
> $IPTABLES -A INPUT -p ALL -i $IFACE_LOCALLAN -s $SUBNET_LOCALLAN -j ACCEPT
> $IPTABLES -A INPUT -p ALL -i $IFACE_LOCALLAN_2 -s $SUBNET_LOCALLAN_2 -j ACCEPT
> $IPTABLES -A INPUT -p ALL -i $IFACE_INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> ######################################$IPTABLES -A INPUT -p UDP -m udp --sport 67 --dport 68 -j ACCEPT

Are you enabling DHCP? You should do it with conntrack as with any other connection.

> $IPTABLES -A INPUT -i lo -j ACCEPT

Here you use the interface, and below you use the 127.0.0.1 IP to accept outgoing lo packets.

> $IPTABLES -A INPUT -p ALL -i $IFACE_INTERNET -d $BROADCAST_LOCALLAN -j ACCEPT
> $IPTABLES -A INPUT -p ALL -i $IFACE_INTERNET -d $BROADCAST_LOCALLAN_2 -j ACCEPT

You should not accept all the broadcast traffic, only for the services you need, as Netbios or similar.

> #drop this stuff before we log:
> #### $IPTABLES -A INPUT -p udp -i $IFACE_INTERNET -d $BROADCAST_INTERNET -j DROP
> #### $IPTABLES -A INPUT -p udp -i $IFACE_INTERNET -m udp --dport 53 -j DROP
> #send this off to be logged:
> #COARSE:
> #### $IPTABLES -A INPUT -p TCP -m tcp --dport 0:1023 -m state --state NEW -j LOG --log-prefix "LOW PORT TCP CONNECTION:"
> #### $IPTABLES -A INPUT -p UDP -m udp --dport 0:1023 -m state --state NEW -j LOG --log-prefix "LOW PORT UDP CONNECTION:"
> #FINE:
> #### $IPTABLES -A INPUT -p TCP -m state --state NEW -m tcp --dport 1024:65535 -j LOG --log-prefix "HIGH PORT TCP CONNECTION:"
> #### $IPTABLES -A INPUT -p UDP -m state --state NEW -m udp --dport 1024:65535 -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
> #### $IPTABLES -A INPUT -p TCP -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW NOT SYN:"
> #Rules for incoming packets from the Internet
> #### $IPTABLES -A INPUT -p TCP -i $IFACE_INTERNET -s 0/0 --dport 22 -j okay

I hope this mess is all commented out. You should use conntrack with SSH also.

> #
> # (4) FORWARD chain rules
> #
> #Accept the packets we want to forward
> #### $IPTABLES -A FORWARD -p TCP -m tcp -o $IFACE_INTERNET -m state --state NEW -j LOG --log-prefix "OUTGOING TCP CONNECTION:"
> #### $IPTABLES -A FORWARD -p UDP -m udp -o $IFACE_INTERNET -m state --state NEW -j LOG --log-prefix "OUTGOING UDP CONNECTION:"

You normally don't need to load the modules with -m tcp or -m udp, and you are allowing all the outgoing traffic and the corresponding incoming traffic.

> $IPTABLES -A FORWARD -i $IFACE_LOCALLAN -j ACCEPT
> $IPTABLES -A FORWARD -i $IFACE_LOCALLAN_2 -j ACCEPT
>
> $IPTABLES -A FORWARD -i $IFACE_INTERNET -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

The same thing commented before: you shouldn't accept all the traffic coming from IFACE_INTERNET; use conntrack to allow only the traffic you want.

> # (5) OUTPUT chain rules
> #Only output packets with local addresses (no spoofing)
> $IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT

Now you use the IP, but before you used the interface.

> $IPTABLES -A OUTPUT -p ALL -s $IP_LOCALLAN -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $IP_LOCALLAN_2 -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $IP_INTERNET -j ACCEPT

Why not use conntrack for all these rules?

> # (6) POSTROUTING chain rules
> $IPTABLES -t nat -A POSTROUTING -o $IFACE_INTERNET -j MASQUERADE
> #########################
> # PORT 21##
> #########################
> $IPTABLES -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 20:21 -j ACCEPT

You should use conntrack also for FTP, and the corresponding modules.

> #########################
>
> echo -e "Done!"

I think what you need to solve the problem of redirecting the packets to the web server is just to DNAT the packets you want to forward to the destination address.

--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
John-Paul Stewart <jpstewart@binaryfoundry.ca> wrote in message news:<d4bdgc.jgf.ln@mail.binaryfoundry.ca>...
> JoeAley2003 wrote:
> > Hi all...
> >
> > I have a redhat linux 9 connected to the internet and 1 computer that
> > receives internet forwarded from the linux.
> >
> > What i need is to run a valid on internet http server on this
> > forwarded computer where i run apache on port 80.
>
> Use these as a starting point:
>
> iptables -A FORWARD -s 0.0.0.0/0 -d $IP_INTERNET -p tcp \
>     --destination-port 80 -j ACCEPT
>
> iptables -t nat -A PREROUTING -d $IP_INTERNET -j DNAT \
>     --to-destination <local-ip-address>
>
> iptables -t nat -A POSTROUTING -o $IFACE_INTERNET \
>     -s <local-ip-address> -j SNAT --to-source $IP_INTERNET
>
> Those will almost certainly need some modification to suit your
> situation. They're based on my setup where externally visible machines
> get 1-1 NATed, since I have more than one publicly visible IP address.
> But the idea should get you started. Note that local-ip-address
> refers to the address of the machine running Apache, *not* the local
> address of the machine running iptables.

Thank you for your reply, but those command lines don't work.

Unfortunately, I did not understand the "0.0.0.0/0".

Iptables accepts all these command lines but, when I request http://IP_INTERNET from an internet machine, it doesn't work.
JoeAley2003 wrote:
> John-Paul Stewart <jpstewart@binaryfoundry.ca> wrote in message news:<d4bdgc.jgf.ln@mail.binaryfoundry.ca>...
>
>> JoeAley2003 wrote:
>>
>>> Hi all...
>>>
>>> I have a redhat linux 9 connected to the internet and 1 computer that
>>> receives internet forwarded from the linux.
>>>
>>> What i need is to run a valid on internet http server on this
>>> forwarded computer where i run apache on port 80.
>>
>> Use these as a starting point:
>>
>> iptables -A FORWARD -s 0.0.0.0/0 -d $IP_INTERNET -p tcp \
>>     --destination-port 80 -j ACCEPT
>>
>> iptables -t nat -A PREROUTING -d $IP_INTERNET -j DNAT \
>>     --to-destination <local-ip-address>
>>
>> iptables -t nat -A POSTROUTING -o $IFACE_INTERNET \
>>     -s <local-ip-address> -j SNAT --to-source $IP_INTERNET
>>
>> Those will almost certainly need some modification to suit your
>> situation. They're based on my setup where externally visible machines
>> get 1-1 NATed, since I have more than one publicly visible IP address.
>> But the idea should get you started. Note that local-ip-address
>> refers to the address of the machine running Apache, *not* the local
>> address of the machine running iptables.
>
> Thank you for your reply but those command lines don't work.
>
> Unfortunately, I did not understand the "0.0.0.0/0".

That's one way of saying "any Internet address". You type in literally "0.0.0.0/0" and iptables interprets it as "anywhere".

> Iptables accepts all these command lines but, when I request
> http://IP_INTERNET from an internet machine, it doesn't work.

You do realize that you cannot just type in those exact commands and expect it to work. You need to add the rules at the appropriate places in the chains. For example, I'd make sure the two NAT rules are *first* in their respective NAT chains, and the port 80 rule needs to go early enough in its chain that it will actually take effect.

If you just type in the iptables commands, it will place these rules last, and potentially after another (more general) rule which has already denied the packet (thus rendering the new rule useless).

Looking back at the original post, I'd suggest putting the first rule I gave you as the first one in the "(4) FORWARD chain rules" section of your script, and the two new NAT rules before the existing rule in "(6) POSTROUTING chain rules".

Getting the rules into the right place in a running firewall is easy enough if you know what you're doing. If not, you can always resort to editing the script and rebooting.
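As an added example (not code from any of the posts), the script below generates the DNAT, FORWARD and SNAT rules the replies describe and inserts them at the head of their chains with -I, which is the placement the last reply recommends; it also shows why the FORWARD rule has to match the Apache host's internal address (PREROUTING has already rewritten the destination by the time FORWARD sees the packet), and adds the SNAT that LAN clients need when they use the public address. The addresses, WEB_HOST, LAN_NET and the function names are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. It emits the rules that publish
# an internal Apache host on the gateway's public address, in the order the
# last reply recommends: inserted at the head of their chains with -I, so
# the broader ACCEPT rules already in the script cannot shadow them.
# All addresses are constructed placeholders.
IPTABLES=${IPTABLES:-/sbin/iptables}
IFACE_INTERNET=${IFACE_INTERNET:-eth0}
IP_INTERNET=${IP_INTERNET:-203.0.113.10}   # gateway's public address
WEB_HOST=${WEB_HOST:-192.168.0.10}         # machine running Apache
WEB_PORT=${WEB_PORT:-80}
LAN_NET=${LAN_NET:-192.168.0.0/24}         # LAN behind the gateway

# Connections from the Internet. The DNAT is limited to one protocol and
# port: an unrestricted "-d $IP_INTERNET -j DNAT" would redirect every
# packet addressed to the gateway, including its own SSH sessions.
publish_http_rules() {
    echo "$IPTABLES -t nat -I PREROUTING 1 -d $IP_INTERNET -p tcp --dport $WEB_PORT -j DNAT --to-destination $WEB_HOST:$WEB_PORT"
    # FORWARD runs after PREROUTING has rewritten the destination, so the
    # filter must match the internal address; conntrack admits the replies.
    echo "$IPTABLES -I FORWARD 1 -d $WEB_HOST -p tcp --dport $WEB_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPTABLES -I FORWARD 2 -s $WEB_HOST -p tcp --sport $WEB_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# LAN clients that use the server's public address get the same DNAT, but
# without this SNAT the web host would answer them directly and the client
# would drop a reply that does not come from the address it connected to.
lan_hairpin_rules() {
    echo "$IPTABLES -t nat -I POSTROUTING 1 -s $LAN_NET -d $WEB_HOST -p tcp --dport $WEB_PORT -j SNAT --to-source $IP_INTERNET"
}

# Self-check run before applying: every DNAT rule carries --dport, and the
# NAT rule is emitted before the filter rule that depends on it.
rules_look_sane() {
    all=$(publish_http_rules; lan_hairpin_rules)
    echo "$all" | grep -- '-j DNAT' | grep -v -- '--dport' >/dev/null && return 1
    echo "$all" | head -n 1 | grep 'PREROUTING' >/dev/null || return 1
    return 0
}

case "${1:-}" in
    --apply) rules_look_sane && { publish_http_rules; lan_hairpin_rules; } | sh ;;
    *)       publish_http_rules; lan_hairpin_rules ;;
esac
```

Run without arguments it only prints the rules, so you can review where each one lands before running it again with --apply as root.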