Running a Web server on a firewall is not a good idea, but it might be necessary (for resource reasons) in a SOHO. In that case, you want to do the following:
♦ Create a rule that allows any IP address to connect to the HTTP port (80) on your firewall machine's external interface.
♦ Create a rule that allows the firewall/Web server to respond from source port HTTP (80) to the unprivileged ports (which Web clients use for their side of the connection) of any IP address.
The following lines can be added to the soho-firewall.sh script to implement these rules.
# Allow any IP to connect to the firewall's external
# interface and send an HTTP request to the Web
# server running on the firewall
$IPTABLES -A INPUT -i $EXTERNAL_LAN_INTERFACE -p tcp \
          -s 0/0 --sport 1024:65535 \
          -d $EXTERNAL_LAN_INTERFACE_ADDR --dport 80 \
          -j ACCEPT

# Allow the HTTP responses to go out to the world via the
# external interface of the firewall; "! --syn" means the
# Web server may answer but never open a new connection
$IPTABLES -A OUTPUT -o $EXTERNAL_LAN_INTERFACE -p tcp ! --syn \
          -s $EXTERNAL_LAN_INTERFACE_ADDR --sport 80 \
          -d 0/0 --dport 1024:65535 \
          -j ACCEPT
If you want to enable HTTPS (Secure HTTP) connections, add the following lines:
# Enable incoming HTTPS connections: replies from remote
# HTTPS servers (source port 443) back to unprivileged
# ports on the firewall's external address
$IPTABLES -A INPUT -i $EXTERNAL_LAN_INTERFACE -p tcp ! --syn \
          -s 0/0 --sport 443 \
          -d $EXTERNAL_LAN_INTERFACE_ADDR --dport 1024:65535 \
          -j ACCEPT

# Enable outgoing HTTPS connections from the firewall's
# external address to port 443 of any HTTPS server
$IPTABLES -A OUTPUT -o $EXTERNAL_LAN_INTERFACE -p tcp \
          -s $EXTERNAL_LAN_INTERFACE_ADDR --sport 1024:65535 \
          -d 0/0 --dport 443 \
          -j ACCEPT
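As an added example (not from the book or the soho-firewall.sh script), the HTTP rule pair above generalized into a shell function that emits the same inbound/outbound pair for any TCP port the firewall's own Web server listens on, here 80 and 443, in iptables syntax. The function names and the `IPTABLES=echo` dry-run convention are assumptions of this example; interface name and address are passed in by the caller.

```shell
#!/bin/sh
# Added example: emit SOHO firewall rules for a Web server that runs
# on the firewall itself. Set IPTABLES=echo to print the rules instead
# of applying them (default here so the script is safe to run as-is).
IPTABLES="${IPTABLES:-echo}"

# Emit the inbound/outbound rule pair for one TCP service port on the
# external interface. Arguments: interface, its address, service port.
web_service_rules() {
    ifc="$1"; addr="$2"; port="$3"
    # Clients may come from any address, but only from an unprivileged
    # source port, and only the service port itself is opened.
    $IPTABLES -A INPUT -i "$ifc" -p tcp \
        -s 0/0 --sport 1024:65535 \
        -d "$addr" --dport "$port" -j ACCEPT
    # Replies leave from the service port and are never a new
    # connection (no SYN), so this rule cannot be used by a
    # compromised server to call out to the world.
    $IPTABLES -A OUTPUT -o "$ifc" -p tcp ! --syn \
        -s "$addr" --sport "$port" \
        -d 0/0 --dport 1024:65535 -j ACCEPT
}

# Emit the rule pair for every listed service port (e.g. 80 443).
# Refuses to run with an empty interface or address, since an empty
# "-d" would otherwise silently open the port on every address.
web_server_rules() {
    ifc="$1"; addr="$2"; shift 2
    [ -n "$ifc" ] && [ -n "$addr" ] || return 1
    for p in "$@"; do
        web_service_rules "$ifc" "$addr" "$p"
    done
}
```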
To interact with the Internet, you are most likely to need a few other services enabled as well, such as DNS, SMTP, POP3, and SSH. The following sections show you how.