Koozali.org: home of the SME Server

iptables configuration

Offline nald

iptables configuration
« on: March 02, 2005, 10:40:54 AM »
Hi to all,

I have a web server running Windows 2000 Server and a firewall running SME 6.0.1. I am a bit confused with my configuration. These are the configurations on my web server:

A:) gateway directly from our ISP
ipaddress: 203.xx.xx.xx
subnet:    255.255.xx.xx
gateway:   203.xx.xx.1 (address directly to our ISP)

B:) gateway directly from our firewall
ipaddress: 203.xx.xx.xx
subnet:    255.255.xx.xx
gateway:   203.xx.xx.21 (address from our firewall)

When my web-server uses the gateway from our ISP, people outside the net can view our web-site and if my Web-server uses the gateway from our firewall, they can't view our web-site.

I think the built-in iptables in SME 6.0.1 is responsible for blocking our site.
Does anyone know where and how to configure the firewall?
I think it's in /etc/rc.d/init.d/masq...

I will be grateful if someone can help me on this problem...Thanks so much...

this is my existing masq configuration...

FILTER
Chain INPUT (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
InboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
InboundTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
InboundUDP udp -- anywhere anywhere
denylog udp -- anywhere anywhere
gre-in gre -- anywhere anywhere
denylog gre -- anywhere anywhere
denylog all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ForwardDenyLocals all -- anywhere anywhere
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
ForwardedTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ForwardedUDP udp -- anywhere anywhere
denylog all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
OutboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain ForwardDenyLocals (1 references)
target prot opt source destination

Chain ForwardedTCP (1 references)
target prot opt source destination
ForwardedTCP_3200 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN

Chain ForwardedTCP_3200 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 203.167.85.99 tcp dpt:www

Chain ForwardedUDP (1 references)
target prot opt source destination
ForwardedUDP_3200 all -- anywhere anywhere
denylog udp -- anywhere anywhere

Chain ForwardedUDP_3200 (1 references)
target prot opt source destination

Chain InboundICMP (1 references)
target prot opt source destination
InboundICMP_3200 all -- anywhere anywhere
denylog icmp -- anywhere anywhere

Chain InboundICMP_3200 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere

Chain InboundTCP (1 references)
target prot opt source destination
InboundTCP_3200 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN

Chain InboundTCP_3200 (1 references)
target prot opt source destination
denylog all -- anywhere !203.167.85.122
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
denylog tcp -- anywhere anywhere tcp dpt:ldap
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
denylog tcp -- anywhere anywhere tcp dpt:ssh
denylog tcp -- anywhere anywhere tcp dpt:telnet

Chain InboundUDP (1 references)
target prot opt source destination
InboundUDP_3200 all -- anywhere anywhere
denylog udp -- anywhere anywhere

Chain InboundUDP_3200 (1 references)
target prot opt source destination
denylog all -- anywhere !203.167.85.122

Chain OutboundICMP (1 references)
target prot opt source destination
OutboundICMP_3200 all -- anywhere anywhere
denylog icmp -- anywhere anywhere

Chain OutboundICMP_3200 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere

Chain PPPconn (2 references)
target prot opt source destination
PPPconn_1 all -- anywhere anywhere

Chain PPPconn_1 (1 references)
target prot opt source destination

Chain denylog (21 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain gre-in (1 references)
target prot opt source destination
denylog all -- anywhere !203.167.85.122
ACCEPT all -- anywhere anywhere

Chain local_chk (2 references)
target prot opt source destination
local_chk_3200 all -- anywhere anywhere

Chain local_chk_3200 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 203.115.188.0/24 anywhere
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- 203.167.85.96/27 anywhere

Chain state_chk (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

NAT
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DROP all -- ft2.msg.yahoo.com anywhere
PortForwarding all -- anywhere anywhere
SMTPProxy tcp -- anywhere anywhere tcp dpt:smtp
TransProxy tcp -- anywhere anywhere tcp dpt:www

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
PostroutingOutbound all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain PortForwarding (1 references)
target prot opt source destination
PortForwarding_3200 all -- anywhere 203.167.85.122

Chain PortForwarding_3200 (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:203.167.85.99:80

Chain PostroutingOutbound (1 references)
target prot opt source destination
ACCEPT all -- 203.167.85.122 anywhere
MASQUERADE all -- anywhere anywhere

Chain SMTPProxy (1 references)
target prot opt source destination
ACCEPT all -- anywhere localhost
ACCEPT all -- anywhere f1ls.isl-f1ls
ACCEPT all -- anywhere 203.167.85.122
DNAT tcp -- anywhere anywhere to:203.167.85.121:25

Chain TransProxy (1 references)
target prot opt source destination
ACCEPT all -- anywhere localhost
ACCEPT all -- anywhere f1ls.isl-f1ls
ACCEPT all -- anywhere 203.167.85.122
DNAT tcp -- anywhere anywhere to:203.167.85.121:3128

MANGLE
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TOS tcp -- anywhere anywhere tcp dpt:ftp TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:ssh TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:telnet TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:smtp TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:www TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:pop3 TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:ftp-data TOS set Maximize-Throughput

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Offline irian

iptables configuration
« Reply #1 on: March 02, 2005, 02:33:50 PM »
If SME is the firewall, you need to set a portforwarding rule.
You can do this in the SME Servermanager.

Offline nald

iptables configuration
« Reply #2 on: March 03, 2005, 03:05:29 AM »
I tried already placing the rule in port forwarding.

Protocol : TCP
Sourceport: 80
Destination host Ipaddress: 203.xx.xx.xx (our web-server)
Destinationport: 80

Still it doesn't work. I tried to remove all the iptables rules and it works. Therefore I conclude that it's in the iptables configuration. I really need to check the iptables configuration one by one.
Is there anyone out there who has the same problem as mine? Does anyone know what part of the iptables configuration needs to be changed?

Thanks....
Nald

Offline raem

iptables configuration
« Reply #3 on: March 03, 2005, 08:03:42 AM »
I think you need to disable the port you wish to forward, before you can forward it elsewhere.

Offline nald

iptables configuration
« Reply #4 on: March 03, 2005, 09:13:04 AM »
Ray,

Accessing our web site "www.phisl.net" uses port 80, so does it mean that I am going to disable port 80???
What about other local computers that use our firewall as their gateway? Will their access to the net be affected if I disable port 80 on our firewall?

Offline raem

iptables configuration
« Reply #5 on: March 03, 2005, 09:44:34 AM »
I re-read your first post.
> When my (Win2K) web-server uses the gateway from
> our ISP, people outside the net can view our
> (Win2K) web-site and if my (Win2K) Web-server uses
> the gateway from our (sme) firewall, they can't
> view our web-site.

http requests are probably looking at your sme server for the web site (which is not there).
I think you may need the proxypass contrib to redirect http requests to the win2K box where your web site actually is.

Here's an old post from my archives that may point you in the right direction.
I'm sure there is an updated contrib for sme 6.x.


Updated dmc-proxypass rpm's for 5.5 and 5.6.

I've tested with 5.6 successfully.  Have not tested any others yet..
hopefully the community will provide feedback, if there is a problem.

Abe Loveless
abe_AT_lovelesscentral.org

-------------------------------------------------------------------------------

ProxyPass to an Internal Host for E-Smith/SME (v5.6 and less... not tested on 6.x)

Developer:   Darrell May
Contributor: Abe Loveless (abe_AT_lovelesscentral.org)

Brief Description:
This package can be used to allow external access to web content on
internal web servers through your E-Smith/SME Gateway.  There are 2 ways to do this.

1. You can choose a sub-directory of your e-smith web server and direct that
subdirectory to an internal host.  For example: You can take the following url
(http://YOUR.ESMITH.ADDRESS/frontpage/) and use ProxyPass to forward the "frontpage"
directory to your Win32 server with Frontpage Server Extensions installed.  All other
content would be displayed from the E-Smith web server, like normal.
   NOTES:
   1. Don't ProxyPass the server root("/")... you won't be able to get back to
      the server-manager
   2. Remember to add the trailing slash when you create the directory name

2. You can create a Virtual Domain on the E-Smith server and forward all content
for that virtual domain to an internal server. (See below for details.)




Section 2 Name: ProxyPass VirtualDomains to an Internal Host

Description:
This program will allow your SME Server Gateway to forward web sites for  
Virtual Domains to the appropriate Internal IP address.  For example,
take a look at the following scenario.

1. You have multiple websites hosted on a web server (Windows 2000, or other)
2. Each of these websites is bound to an individual IP address
3. Each of these websites has its own registered domain name
4. You want to put your web server behind your SME gateway (security reasons)

By creating a virtual domain for each of your registered domains, we can
configure the SME server to forward all requests for the given domains to
their respective internal IP addresses.



Directions:
1. Login to your SME server console as root
2. Download the package
   - wget http://www.tech-geeks.org/contrib/loveless/proxypass/dmc-mitel-proxypass-0.0.1-3.noarch.rpm
3. Install
    rpm -Uvh dmc-mitel-proxypass-0.0.1-3.noarch.rpm


-Abe Loveless

Offline raem

iptables configuration
« Reply #6 on: March 03, 2005, 10:32:07 AM »

Offline nald

iptables configuration
« Reply #7 on: March 04, 2005, 01:43:21 AM »
I tried to install the rpm and then add a virtual domain. Still no luck...

Hope there is anyone out there can help us...

Thanks...

Offline raem

iptables configuration
« Reply #8 on: March 04, 2005, 05:44:20 AM »
nald

> I tried to install the rpm....

Tried ???
Did the rpm install OK or not ?
Did it add a panel called ProxyPass to server manager ?

> ....and then add a virtual domain. Still no luck...

It's not just a virtual domain you need to create, you need to create both the virtual domain AND the ProxyPass virtual domain entry.
Did you add the virtual domain in the Domains panel ?
Did you add the ProxyPass virtual domain entry in the ProxyPass panel ?

Offline nald

iptables configuration
« Reply #9 on: March 04, 2005, 10:06:36 AM »
Ray,

Sorry for the late reply...

Yes, it appears in my server-manager. I tried to add a virtual domain and a ProxyPass Virtual Domain.
Still it didn't work... Below is my configuration...

Current List of ProxyPass virtual domain entries:

Virtual Domain    Target
phisl.net         http://phisl.net/

I tried to explore the "Current List of ProxyPass URL entries:". Below is the list of my configuration. Still it's not working, but it created another problem...

Current List of ProxyPass URL entries:

Path          Target                 Description  HTTP  HTTPS  ValidFrom
(empty)       http://203.167.85.99   none         yes   yes    all
/phisl.net/   http://phisl.net       none         yes   yes    all

The first line cannot be removed, maybe because it doesn't have any path. The second line can be removed because it has a path. Once the httpd.conf is restarted, I can't browse my server-manager anymore. I need to configure httpd.conf manually. Below is the configuration shown inside httpd.conf.

Server-manager not good:

Listen 0.0.0.0:80
# ProxyPass:
# Description: none
ProxyPass       /       http://phisl.net
ProxyPassReverse        /       http://phisl.net
<Location />
    order deny,allow
    deny from all
    allow from all

Server-manager good:

Listen 0.0.0.0:80
# ProxyPass:
# Description: none
#ProxyPass       /       http://phisl.net
#ProxyPassReverse        /       http://phisl.net
<Location />
    order deny,allow
    deny from all
    allow from all

I really don't understand this kind of rule. I tried to search inside templates-custom but I can't find anything on how to get back to its original configuration.
I copied the files inside
/etc/e-smith/templates/etc/httpd/conf/httpd.conf to
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
then I tried to run
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
but still it doesn't work...

I really can't determine anymore how to get my original httpd.conf back.

Am I doing the wrong configuration???
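The root-level ProxyPass above is exactly the case Abe's NOTE 1 warns about: a ProxyPass on "/" captures every request to the SME box, server-manager included. As an added example (not from the thread, the SME templates, or the dmc-proxypass contrib), here is that fragment beside a ProxyPass scoped to one virtual domain. It assumes the Win2K web server is reachable from the SME box at the placeholder internal address 192.168.1.10, that eth1 keeps the address 203.167.85.122 from the thread, and only mod_proxy and virtual-host directives common to Apache 1.3 and 2.x.

```apache
# Added example, not from the original thread. Placeholder internal address
# for the Win2K web server: 192.168.1.10 (replace with the real one).

# BAD: what the generated httpd.conf contained. "/" matches every path on
# every name the SME box answers to, so /server-manager is proxied away to
# the web server and the admin panel becomes unreachable.
#ProxyPass        /  http://phisl.net
#ProxyPassReverse /  http://phisl.net

# GOOD: reverse proxy only, and only for the one name the Win2K box serves.
# ProxyRequests Off keeps Apache from acting as an open forward proxy.
ProxyRequests Off
NameVirtualHost 203.167.85.122:80

<VirtualHost 203.167.85.122:80>
    ServerName  www.phisl.net
    ServerAlias phisl.net

    # Exclusions must precede the catch-all ProxyPass. This keeps the admin
    # panel on the SME box even when reached through the proxied name.
    ProxyPass /server-manager !

    # Use the internal IP rather than the public name, so the SME box does
    # not depend on its own DNS resolving phisl.net (which may point back
    # at the SME box itself and loop).
    ProxyPass        / http://192.168.1.10/
    ProxyPassReverse / http://192.168.1.10/
</VirtualHost>
```

Requests for any other hostname, including the SME box's own, never match this vhost and are served by the default configuration as before.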

Offline nald

iptables configuration
« Reply #10 on: March 04, 2005, 10:12:07 AM »
Ray,

The IP address found in my previous message is the IP address of my web server. I was trying to explore using the domain and the IP address. Hope you are not confused...
Thanks so much for your time... Hope you can help me...

Offline raem

iptables configuration
« Reply #11 on: March 04, 2005, 11:16:49 AM »
nald

The next 3 paragraphs were actually at the end of my post, but it may be the answer to your problem so I have pasted them at the start.

Come to think of it, if all you want is for both boxes to have the same domain name ie www.phisl.net, but just want to send www requests to the Win2K box, then you can do this in the Hostnames and Addresses panel, without needing any Virtual Domain or Proxy Pass entries.

In Hostnames and addresses panel:
Look for the entry for www.phisl.net, Modify it, select Local for Location (instead of Self), then enter the IP of your Win2K server, say No to publish globally (only applies to Mitel supported servers).

You will find that requests for www.phisl.net go to the Win2K, and all other traffic for phisl.net (eg mail, ftp, proxy etc) go to the sme server.
I just tried this and it works OK too.
Is that what you are really trying to do ? If so forget the rest of what I write.




My original reply started here.

I just tried proxypass on a main sme 5.6 in server/gateway mode with a second sme 6.5 in server only mode, and proxypass works fine. Requests for the second domain are passed to the second server.

In your case I assume you are trying to have requests come into your sme box for http://www.phisl.net and have these proxypassed to the Win2K server.


> phisl.net      http://phisl.net/ Modify... Remove...

Unless you have your local sme DNS set up correctly (& I suspect you don't), your sme will have trouble resolving that URL. Try using the IP of the Win2K server instead, eg
phisl.net    http://192.168.x.xx   Modify  Remove



The ProxyPass URL entries screen is for situations where you want a URL on your sme server to forward to another server eg

http://mydomain.com/whatevername  >>  Win2K server

This is not what you are trying to do, so I would delete any ProxyPass URL entries.
The only entry you want is in the ProxyPass virtual domain screen as suggested above using the Win2K IP.


> Once the httpd.conf is restarted i can't anymore
> browse my server-manager.

You are getting yourself into trouble doing this. I don't think you really understand what you are doing, so you should not be doing that. It is not necessary anyway, as ProxyPass works OK without requiring manual configuration using the command line.

The sme server requires minimal or no user intervention in iptables rules etc, as these are set up correctly and services started and stopped by the system as a result of choices you make in the server manager. The correct ports are opened or closed as determined by configuration choices made in server manager. That is the beauty of sme server, it is simple to use, and you are complicating it by doing manual changes.

I suggest you reverse any changes you made to httpd.conf. Remove all entries in the Domains panel and all entries in the ProxyPass panel and your httpd.conf should come back to "normal".

Part of the reason it is not working may be due to using a name URL rather than an IP URL in the proxypass virtual domain entry; try that again.

Also where does your external record for your domain name point to, ie is it the IP of your sme server (which I assume you are using primarily as a firewall) or is it to the IP for your Win2K box ?
What domain name do you have setup on your sme box, I think that it should be a different name than the domain name of your Win2K server eg
sme = domain2.com   (???)
win2K = domain1.com  (www.phisl.net)

Offline nald

iptables configuration
« Reply #12 on: March 05, 2005, 05:42:01 AM »
Ray,

Our domain phisl.net is hosted at our ISP and it is a registered domain. Then we assigned it a public IP address. It is on a Win2k Server.
phisl.net = 203.167.85.99 (public ip)

The domain of my SME box (firewall) is not a registered domain. I just named it myself. This is the configuration of my firewall:
eth0 = 203.167.85.121
eth1 = 203.167.85.122
gateway = 203.167.85.97 (from our ISP router)

All our IP addresses are in our segment. Some of my colleagues are using public IP addresses and they are behind our SME box (firewall).

I tried your suggestion by adding under the section "Hostnames and Addresses". I already added a virtual domain 'phisl.net'. In modifying the hostname, it needs a local address but my domain 'phisl.net' is configured with a public IP address. Still it didn't work.

Do you get the scenario of all my configurations?

Offline raem

iptables configuration
« Reply #13 on: March 05, 2005, 10:11:29 AM »
nald

No I don't really understand your configuration, it seems a bit unusual.

ping 203.167.85.99
gets no response
Any reason you know of why (or why not) ?

ping 203.167.85.121
receive a reply OK

ping 203.167.85.122
receive a reply OK

ping 203.167.85.97
receive a reply OK

Why have you put your local IP for eth0 in the public range ?
see
http://www.vicomsoft.com/glossary/addresses.html
......reserved certain addresses that will never be registered publicly. These are known as private IP addresses, and are found in the following ranges:
From 10.0.0.0 to 10.255.255.255
From 172.16.0.0 to 172.31.255.255
From 192.168.0.0 to 192.168.255.255


In a usual situation your sme server (in server & gateway mode) would be using the external IP of 203.167.85.99 for eth1
and 203.167.85.97 for the gateway.

Your eth0 would have a local IP in the range 192.xxx.xxx.xx as would your Win2K server.

Is this a new setup ie never been working before, or has it already existed and been proven to work ?

Are these the only 2 servers ?

What are the configuration details from server manager Review configuration screen ?

What is the output from ifconfig on the sme server ?

What is the output from ipconfig /all on your Win2K server ?

Offline raem

iptables configuration
« Reply #14 on: March 06, 2005, 12:11:20 AM »
nald

If you do indeed have multiple public IPs perhaps this new post may be of use:

http://forums.contribs.org/index.php?topic=22414.0

Offline nald

iptables configuration
« Reply #15 on: March 08, 2005, 06:06:26 AM »
Ray,

Before I entered this company, this server had already been working for almost a year. The main head of our systems was the one who designed our network. He changed the network configuration by adding an SME server where all of my colleagues use public IP addresses and they are all behind this particular SME server.

Supposedly, we really don't need to configure all our computers with public IP addresses because we are provided with private IP addresses, 192.168.xx.xx, as you have stated. The only main reason most of us use public IPs is because we often download and upload files to our clients. It is easy for us to access our clients because we don't need to connect via VPN. We are currently using the "PC Anywhere" application where you can access a PC remotely.

Regarding the pinging of the IP address 203.167.85.99, we disabled the ICMP rules.

I understand everything you've stated. It is just that it won't really correspond to our current configuration.

I tried the new post also, but still it is the same behavior as what we have been discussing since the beginning. It still needs an internal IP address, which we are not actually using at this moment. Well anyway, we will be discussing our whole network configuration this week and we will try to evaluate it.
Thanks to everything...

Nald