David,
  I will have to compare your ideas and the ipchains rules I have in
place.  This will take a while as I am new enough at this that I have to
continually refer to books etc.  I'll let you know in a couple of days  -
I do have a couple of ideas to pursue.

  One question about httpd.conf:
     I am running the main server as localhost for testing inside the
home network.  I am running the server that will have [someday] outside
access as a virtual server.  Maybe it should be the other way around?!?

  Thanks for your thoughts.

Bob
David Talkington wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Bob Hartung wrote:
>
> >
> >5.  Ideas and suggestions appreciated.  It may be that my
> >problem is with the Virtual Server portion of httpd.conf
>
> Bob -
>
> I know it doesn't address your question, but I do recommend that if
> you're just getting started, you upgrade to a 2.4 kernel and use
> iptables.  It's a much better design, and I find it much easier to
> work with.  You can get info at http://netfilter.kernelnotes.org.
>
> First, your web server doesn't need to know anything about the real
> world.  It should be internally consistent, using the actual hostname
> and IP address of the privately addressed machine on which it's
> running.
>
> Now then ... I'll take a stab at this, based on what works for me.
> It's important to keep a few things straight in your head (and
> iptables makes it easier to wrap your brain around it than does
> ipchains): filtering, forwarding, and masquerading are different
> things, but in your case, all necessary.  First set up the filtering,
> which decides who gets in or out.  THEN decide what to forward where,
> after the gatekeeper's done with the packet.  And finally, for private
> address spaces, set up masquerading.
>
> I'm a little confused by your ipchains rules.  Like everything else,
> there are probably a gazillion ways to do this, but if you only have
> one external real IP in front and a masqueraded private network in
> back, I think you'll find it easier to keep track of what's going on
> if you keep your filtering on the INPUT chain, since that's the first
> thing incoming packets will hit.  Something rudimentary like this
> should allow the traffic you're interested in:
>
> # Default policies
> /sbin/ipchains -P input DENY
> /sbin/ipchains -P forward ACCEPT
> /sbin/ipchains -P output ACCEPT
>
> # Allow replies from connections we initiated
> /sbin/ipchains -A input -i eth1 -p tcp ! -y -j ACCEPT
>
> # Deny illegal external addresses
> /sbin/ipchains -A input -i eth1 -s 192.168.0.0/16 -j DENY -l
> /sbin/ipchains -A input -i eth1 -s 172.16.0.0/12 -j DENY -l
> /sbin/ipchains -A input -i eth1 -s 10.0.0.0/8 -j DENY -l
>
> # Allow web traffic from the outside world, as per your specs
> /sbin/ipchains -A input -i eth1 -p tcp --dport 80 -j ACCEPT
>
> # Allow some ICMP packets (such as ping replies).  For ICMP, ipchains
> # treats the source port as the ICMP type and the destination port as
> # the ICMP code, so match on the type with --icmp-type rather than --dport.
> /sbin/ipchains -A input -i eth1 -p icmp --icmp-type 0 -j ACCEPT   # echo reply
> /sbin/ipchains -A input -i eth1 -p icmp --icmp-type 3 -j ACCEPT   # destination unreachable
> /sbin/ipchains -A input -i eth1 -p icmp --icmp-type 11 -j ACCEPT  # time exceeded
>
> # Anything else, drop it and log it.
> /sbin/ipchains -A input -j DENY -l
>
> Of course, you're not done yet.  You need to configure 80 to forward
> from eth1 back to your web server, which I haven't done with
> ipmasqadm, so I can't help with your syntax.  You also need a rule to
> enable masquerading, which I didn't see in your code.  That would look
> something like this, assuming you're using 192.168.1.x for internal
> machines:
>
> # 192.168.1.x is a /24; a /16 here would masquerade all of 192.168.0.0/16
> /sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
>
> And finally, the kernel has to be told to forward:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> Does any of this help?
>
> - --
> David Talkington
> http://www.spotnet.org
>
> PGP key: http://www.prairienet.org/~dtalk/dt000823.asc
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> Comment: Made with pgp4pine 1.75-6
>
> iQEVAwUBOrUb3L1ZYOtSwT+tAQF8kggAypURpIt+nyxTNwcsuTapj1Jhd96SS3q1
> CtWonrysgOaLGpbwYcWSqqWQxXmtF4WwGnzEQRZ3kb0W1NS7Z/P19+VafWdwYnik
> vg2VGGUgUoImwMH9DDw+Cz/jhXTh8uqxOPsiU6Whhfdqmjjnam3lgzhcaBvyGl3p
> rHLpHJ/F6OA5OfCZxmM+h+Yh0kWSP0CzP5tb6NdX2nNqhnCmMWLZWkEdOKM0Wi9J
> Fda7zC2IFZZVUR4p1eTu31wy37MZ4Onnve1AgUh7XRUHsyfHhl+k2IIjpWKYwRit
> Jd8Hswrt7pdH+lz0mfjB6/prmlggxcj57r9xtPLqMLrBDJxEmjVS8Q==
> =qYjl
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
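David's reply recommends moving to a 2.4 kernel and iptables, and lays out the order to think in: filter first, then decide what to forward, then masquerade. The script below is an added example (not code from this thread, and not from the netfilter project) that restates his ipchains policy for iptables in exactly that order, and adds the port-80 forward to the internal web server that he says he had not done with ipmasqadm. The interface names (eth1 outside, eth0 inside), the LAN prefix 192.168.1.0/24 and the web server address 192.168.1.10 are assumptions; the `in_net` check is there because the thread's own example shows how easy it is to write /16 when /24 was meant.

```shell
#!/bin/sh
# Added example, not code from the thread: David's ipchains policy restated
# for iptables on a 2.4 kernel, in the order he recommends (filter, then
# forward, then masquerade), plus the port-80 forward to the internal web box.
# Interface names, the LAN prefix and the web server address are assumptions.

EXT_IF=${EXT_IF:-eth1}                  # assumption: eth1 faces the Internet
INT_IF=${INT_IF:-eth0}                  # assumption: eth0 faces the private LAN
LAN_NET=${LAN_NET:-192.168.1.0/24}      # "192.168.1.x" is a /24, not a /16
WEB_SERVER=${WEB_SERVER:-192.168.1.10}  # assumption: the internal Apache host
IPT=${IPT:-iptables}                    # set IPT=echo to review without applying

# Dotted quad -> 32-bit integer, for the containment check below.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_net ADDRESS NETWORK/BITS: succeed only if ADDRESS lies inside NETWORK/BITS.
in_net() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Emit the whole ruleset through $IPT. Refuses to run if the web server is
# not inside LAN_NET, because the DNAT target would then be unreachable.
build_rules() {
    in_net "$WEB_SERVER" "$LAN_NET" || {
        echo "web server $WEB_SERVER is not inside $LAN_NET" >&2
        return 1
    }

    # 1. Filtering: default-deny inbound, like David's ipchains input chain.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Connection tracking replaces the "! -y" (non-SYN) trick and also admits
    # the ICMP replies and errors (types 0, 3, 11) tied to our own connections.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Private source addresses arriving on the outside interface are bogus.
    for bogon in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i "$EXT_IF" -s "$bogon" -j LOG --log-prefix "bogon: "
        $IPT -A INPUT -i "$EXT_IF" -s "$bogon" -j DROP
    done
    # The LAN may talk to the gateway itself; everything else is logged, then
    # falls through to the DROP policy.
    $IPT -A INPUT -i "$INT_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A INPUT -j LOG --log-prefix "input drop: "

    # 2. Forwarding: LAN out to anywhere, and only port 80 in to the web box.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER"

    # 3. Masquerading: only our LAN, only on the outside interface.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE

    # And finally the kernel has to be told to forward at all.
    if [ "$IPT" = echo ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Apply only when asked explicitly: "sh firewall.sh apply" (as root).
# "IPT=echo sh firewall.sh apply" prints the rules instead of loading them.
if [ "${1:-}" = apply ]; then
    build_rules
fi
```

Read through the dry-run output before loading it for real: the three sections map one-to-one onto the filter/forward/masquerade split David describes, and the DNAT line is the piece his ipchains setup still needed from ipmasqadm.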


