Webserver behind nat/ipfw

freebsd-questions freebsd-questions at amadeus.demon.nl
Fri Mar 3 02:26:44 PST 2006


Hello all,

I have been struggling for the last months now to run a webserver behind a firewall.
I have installed apache 2 on an OpenDarwin G4 machine behind a FreeBSD 6 firewall/nat box:

internet ]-----[ outside IP ] modem [ 192.168.1.1 ]
   -----[ nge0: 192.168.1.40 ] FreeBSD 6.0 : natd, ipfw [ fxp0: 10.31.21.1 ]
   -----[ en0: 10.31.21.2 ] OpenDarwin webserver

When I run apache from the firewall people can connect.
Tcpdump on en0 and fxp0 both show the right incoming and outgoing traffic on the webserver as expected.
It also shows that incoming traffic on the firewall on port 80 is successfully translated to the firewall's IP.
I can access the website from the LAN (from the firewall itself, and going through the firewall via nge1 10.31.20.1, which is not shown in the diagram).

I am clearly missing something here in the way the response from the webserver should be sent back to the internet requests.
If I only knew what...

I have tried adding lines like:
ipfw 3 add divert 8668 all from any to any 80
I even tried running a second natd and diverting all traffic on port 80 through it, without any result.
I am out of ideas now...
Googling for a month led me to instructions on how to run ipfw OR natd; I couldn't find one that combines the two.
Can anyone help me set up nat and ipfw so that the webserver is able to respond to incoming http requests?

Many thanks in advance,

Arno


HARDWARE:
internet ]-----[ outside IP ] modem [ 192.168.1.1 ]
   -----[ nge0: 192.168.1.40 ] FreeBSD 6.0 : natd, ipfw [ fxp0: 10.31.21.1 ]
   -----[ en0: 10.31.21.2 ] OpenDarwin webserver

GREP NAT /ETC/RC.CONF:
natd_program="/sbin/natd"       # path to natd, if you want a different one.
natd_enable="YES"               # Enable natd (if firewall_enable == YES).
natd_interface="nge0"           # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"  # Additional flags for natd.


/ETC/NATD.CONF:
unregistered_only yes
use_sockets yes
same_ports yes
dynamic yes

### Forward all incoming http access to Webserver
# natd syntax: redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT
redirect_port tcp 10.31.21.2:80 80
# the same redirection with the alias address (nge0) spelled out explicitly;
# the target (webserver) comes first, the alias address second
redirect_port tcp 10.31.21.2:80 192.168.1.40:80



/ETC/IPFW.CONF:
#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="nge0"      # public interface name of NIC facing the public Internet
lif1="fxp0"     # local web interface
lif2="nge1"     # local toxik interface
dhcp="192.168.1.56"
dns1="ISP_DNS1"
dns2="ISP_DNS2"
webserver="10.31.21.2"

#################################################################
# No restrictions on Inside LAN Interface for private network
#################################################################
$cmd 005 allow all from any to any via $lif1
$cmd 006 allow all from any to any via $lif2

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0

#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif

#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip all from any to $dns1 53 out via $pif keep-state
$cmd 021 $skip all from any to $dns2 53 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25,110,995 out via $pif setup keep-state

# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state


#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D & E multicast

# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81  in via $pif

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from $dhcp to any 68 in via $pif keep-state

# Allow in standard www function because I have (secure) Apache server
$cmd 371 allow tcp from any to $webserver 80 in setup limit src-addr 2

# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif

# Reject & Log all unauthorized outgoing connections to the public Internet
$cmd 450 deny log all from any to any out via $pif

# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################
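Added example, not part of Arno's message or of the FreeBSD handbook ruleset it is based on: a small Python model of how ipfw walks one HTTP request and its reply through the rules posted above. It follows the check-state semantics documented in ipfw(8): when check-state matches a dynamic entry, ipfw performs the action of the rule that created that entry. In the posted file the entry for the webserver connection is created by rule 371, whose action is a plain allow, so a reply from 10.31.21.2 that matches state at rule 015 is passed straight out of nge0 and never reaches the outbound divert natd at rule 800. The model contrasts that with giving rule 371 the same skipto 800 action the outbound rules use, so the reply is untranslated before it leaves. natd is reduced to the single redirect_port and its reverse mapping, only the rules on that path are modelled, and the client address 198.51.100.7 with source port 40000 is a constructed sample value; a tcpdump on nge0 showing the reply's source address is the check that confirms or rules this out on the real box.

```python
"""Toy walk of one HTTP request/reply through the posted ipfw + natd rules.
Added example, not code from the original message.  Addresses and rule
numbers come from the post; the client address is a constructed sample."""
from dataclasses import dataclass, replace

PUBLIC_IP = "192.168.1.40"   # nge0 address from the post (natd_interface)
WEBSERVER = "10.31.21.2"     # en0 of the OpenDarwin box from the post
PIF, LIF1 = "nge0", "fxp0"   # $pif and $lif1 in the posted ipfw.conf


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out" relative to the firewall
    iface: str          # interface the packet is seen on
    syn: bool = False   # True for a TCP "setup" packet


def flow_key(pkt):
    """Direction-agnostic 4-tuple so a reply matches its request's state."""
    return frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])


class Natd:
    """Simplified natd: 'redirect_port tcp 10.31.21.2:80 80' on the way in,
    and the reverse (untranslate) mapping for packets going back out."""
    def __init__(self):
        self.aliases = {}   # private (addr, port) -> public address

    def translate(self, pkt):
        if pkt.direction == "in" and pkt.dst == PUBLIC_IP and pkt.dport == 80:
            self.aliases[(WEBSERVER, 80)] = PUBLIC_IP
            return replace(pkt, dst=WEBSERVER)
        if pkt.direction == "out" and (pkt.src, pkt.sport) in self.aliases:
            return replace(pkt, src=self.aliases[(pkt.src, pkt.sport)])
        return pkt


def build_rules(webserver_action):
    """(number, match, action, keeps_state) in ipfw.conf order.  Only the
    action of rule 371 varies: 'allow' as posted, or 'skipto 800'."""
    return [
        (5,   lambda p: p.iface == LIF1, "allow", False),
        (14,  lambda p: p.direction == "in" and p.iface == PIF, "divert", False),
        (15,  lambda p: True, "check-state", False),
        (371, lambda p: p.direction == "in" and p.dst == WEBSERVER
                        and p.dport == 80 and p.syn, webserver_action, True),
        (400, lambda p: p.direction == "in" and p.iface == PIF, "deny", False),
        (800, lambda p: p.direction == "out" and p.iface == PIF, "divert", False),
        (801, lambda p: True, "allow", False),
        (999, lambda p: True, "deny", False),
    ]


class Ipfw:
    def __init__(self, natd, webserver_action):
        self.natd = natd
        self.rules = build_rules(webserver_action)
        self.by_number = {r[0]: r for r in self.rules}
        self.dynamic = {}   # flow_key -> number of the rule that created it

    def walk(self, pkt):
        """Return the packet as it leaves ipfw, or None if denied."""
        i = 0
        while i < len(self.rules):
            num, match, action, keeps_state = self.rules[i]
            if action == "check-state":
                parent = self.dynamic.get(flow_key(pkt))
                if parent is None:
                    i += 1
                    continue
                # ipfw(8): check-state runs the action of the rule that
                # created the dynamic entry, not that of any later rule.
                action = self.by_number[parent][2]
            elif not match(pkt):
                i += 1
                continue
            if keeps_state:
                self.dynamic[flow_key(pkt)] = num
            if action == "allow":
                return pkt
            if action == "deny":
                return None
            if action == "divert":      # natd rewrites, ipfw resumes at next rule
                pkt = self.natd.translate(pkt)
                i += 1
                continue
            target = int(action.split()[1])          # "skipto N"
            i = next(k for k, r in enumerate(self.rules) if r[0] >= target)
        return None


def reply_source_on_wire(webserver_action, client="198.51.100.7", cport=40000):
    """Send one SYN in, then the server's reply out; return the reply's
    source address as it leaves nge0, or None if the reply was dropped."""
    fw = Ipfw(Natd(), webserver_action)
    assert fw.walk(Packet(client, cport, PUBLIC_IP, 80, "in", PIF, syn=True))
    reply = fw.walk(Packet(WEBSERVER, 80, client, cport, "in", LIF1))  # rule 005
    out = fw.walk(replace(reply, direction="out", iface=PIF))
    return None if out is None else out.src


if __name__ == "__main__":
    for action in ("allow", "skipto 800"):
        print(f"rule 371 action {action!r}: reply leaves nge0 from "
              f"{reply_source_on_wire(action)}")
```

With rule 371 as posted the reply leaves nge0 with source 10.31.21.2, a private address the remote client never sent anything to, so the browser just hangs; with skipto 800 the reply is diverted through natd first and leaves as 192.168.1.40. Apache on the firewall itself works under either ruleset because its replies already carry the public address and need no translation, which matches the symptom described in the message.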

