Allowing external Web browsers access to a Web server on your firewall

Running a Web server on a firewall is not a good idea, but it might be necessary (resource-wise) for a SOHO. In such a case, you want to do the following:

♦ Create a rule that allows any IP address to connect to the HTTP port (80) on your firewall machine's external interface.

♦ Create a rule that allows the firewall/Web server to respond to unprivileged ports (which Web clients use for their side of the connection) when the source IP address is any IP and the source port is HTTP (80).

The following lines can be added to the soho-firewall.sh script to implement these rules.

# Allow any IP to connect to the firewall's external
# interface and send an HTTP request: the client uses an
# unprivileged source port, the server listens on port 80.
# The SYN packet that opens the connection must be allowed.
$IPTABLES -A INPUT -i $EXTERNAL_LAN_INTERFACE -p tcp \
    -s 0/0 --sport 1024:65535 \
    -d $EXTERNAL_LAN_INTERFACE_ADDR --dport 80 \
    -j ACCEPT

# Allow the HTTP response to go back out to the
# world via the external interface of the firewall
$IPTABLES -A OUTPUT -o $EXTERNAL_LAN_INTERFACE -p tcp \
    -s $EXTERNAL_LAN_INTERFACE_ADDR --sport 80 \
    -d 0/0 --dport 1024:65535 \
    -j ACCEPT

If you want to enable HTTPS (Secure HTTP) connections, add the following lines:

# Enable incoming HTTPS connections: any client on an
# unprivileged port connecting to port 443 on the firewall
$IPTABLES -A INPUT -i $EXTERNAL_LAN_INTERFACE -p tcp \
    -s 0/0 --sport 1024:65535 \
    -d $EXTERNAL_LAN_INTERFACE_ADDR --dport 443 \
    -j ACCEPT

# Enable outgoing HTTPS responses: from port 443 on the
# firewall back to the client's unprivileged port
$IPTABLES -A OUTPUT -o $EXTERNAL_LAN_INTERFACE -p tcp \
    -s $EXTERNAL_LAN_INTERFACE_ADDR --sport 443 \
    -d 0/0 --dport 1024:65535 \
    -j ACCEPT
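The HTTP and HTTPS rules above are the same request/response pair with a different port, and it is easy to get one half of the pair wrong by hand. The following helper, an added example rather than code from the book's soho-firewall.sh, prints the mirrored pair for any TCP service port the firewall itself serves and rejects values that are not valid ports. The interface name, address and the iptables path are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the book): generate the request/response
# rule pair for one TCP service served on the firewall's external
# interface, so the INPUT and OUTPUT rules always mirror each other.
IPTABLES=iptables
EXTERNAL_LAN_INTERFACE=eth0                  # assumed interface name
EXTERNAL_LAN_INTERFACE_ADDR=192.0.2.10       # constructed sample address
UNPRIV_PORTS=1024:65535                      # client-side port range

# Print (without executing) the two rules for TCP service port $1.
# Prints an error to stderr and returns 1 if $1 is not a port in 1-65535.
tcp_service_rules() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: '$port'" >&2; return 1
    fi
    # Incoming request: any client, unprivileged source port -> us:$port
    printf '%s -A INPUT -i %s -p tcp -s 0/0 --sport %s -d %s --dport %s -j ACCEPT\n' \
        "$IPTABLES" "$EXTERNAL_LAN_INTERFACE" "$UNPRIV_PORTS" \
        "$EXTERNAL_LAN_INTERFACE_ADDR" "$port"
    # Outgoing response: us:$port -> any client, unprivileged destination port
    printf '%s -A OUTPUT -o %s -p tcp -s %s --sport %s -d 0/0 --dport %s -j ACCEPT\n' \
        "$IPTABLES" "$EXTERNAL_LAN_INTERFACE" "$EXTERNAL_LAN_INTERFACE_ADDR" \
        "$port" "$UNPRIV_PORTS"
}

# Review the generated lines, then paste them into the script.
for p in 80 443; do
    tcp_service_rules "$p"
done
```

The same helper covers the TCP services mentioned later (SMTP, POP3, SSH); DNS also needs UDP rules, which this pair does not produce.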

In order to interact with the Internet, you are most likely to need a few other services enabled, such as DNS, SMTP, POP3, and SSH. In the following sections, I show you how.
