Server setup for Web Purposes with custom Firewall

Discussion in 'Installation/Configuration' started by ramangill, Jan 31, 2006.

  1. ramangill

    ramangill New Member

    Hi,

    I am a little bit of a newbie starting out with Linux. I must say that I am pretty impressed so far. I just managed to get my firewall set up, and let me explain how I got there so you have an understanding of my architecture, which will allow you guys to help me here.

    Linux Distro: Fedora Core 4
    2 NIC cards.
    -eth0 has DSL line coming in from provider
    -eth1 is connected to D-LINK router with an IP of 192.168.*.*
    Running FireStarter (http://www.fs-security.com/) as my firewall and it is up and running. I can ping my XP box and vice versa.

    Question #1: I am able to SSH into my Linux box from PCs within my network. I would like to also connect to my Linux box from work via SSH, but I am unsure as to how. Can someone please help?

    Question #2: I read the “Perfect Setup for Fedora Core 4”, and there are some gaps that I need answered, as my setup is a little different. I would like to set up my Linux firewall box as a web server as well, with Apache running on it. What would be the steps for this if I am running a setup like I have listed above, as the document on the site assumes you have a static IP address from your provider with a host name?

    I hope this all makes sense. If not, please post a reply and I will reply in more detail.

    Thanks again 
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Is your Fedora box in a local network behind a router, or is it directly connected to the internet? Why does it have 2 network cards? I found this a little bit unclear...
     
  3. ramangill

    ramangill New Member

    Hi Falko,

    Thanks for your reply. My Linux box is acting as the firewall and as such I have 2 NIC cards. eth0 has the external line from my DSL provider and eth1 has the internal line with an IP of 192.168.*.* and is directly connected to my D-LINK router. So I guess "Yes, my Linux box is in a local network behind a router."

    Also, last night I set up a domain and configured it with Apache, and I am able to run http://localhost and http://IP_ADDRESS_OF_SERVER and I can see my Apache test page, but when I go to http://mydomain.org it comes to some sort of Modem Status page from my provider...weird?!! Why do I not see the Apache test page like I should? The reason why I am posting it here is because it almost seems like the same thing, where an outside source is not able to see my network/domain. Internally I can run everything smoothly, but from the outside I cannot.

    I did read a little more on the web after I posted this that things would be 99% easier if I had a domain registered and configured on my Linux box with Apache, which I have done now. So essentially I can SSH into my domain and get onto that Linux box like ssh mydomain.com.

    I hope this clears up some things for you :)

    Awaiting your reply eagerly :)
     
  4. ramangill

    ramangill New Member

    Also, I went to your site and read up on "Perfect Setup for Fedora Core 4". Can you please explain a little more about ISPConfig? I went to the site and I am still a little unclear as to its purpose. Is it a GUI for a firewall like FireStarter?

    Should I be using ISPConfig to benefit my needs?
     
  5. falko

    falko Super Moderator Howtoforge Staff

    Your server has two network cards, one having the DSL line. But why then do you need another router (D-Link)? :confused:

    IP_ADDRESS_OF_SERVER: is it your public IP address, or your internal one (192.168.*.*)?

    I guess it's either a problem with the DNS records of mydomain.org, or you haven't properly enabled port forwarding on your router (but to know better I have to fully understand your network setup first -> why do you have another router (D-Link)).
     
  6. falko

    falko Super Moderator Howtoforge Staff

    ISPConfig is a server control panel like Plesk, Cpanel, ..., but it's free. You can manage web sites, email addresses, databases, quota, DNS records, etc. with it, and you have 3 levels of administration: the admin user, resellers, and clients.
    You can also set up a simple firewall with it. With this firewall you can block ports. It's good for servers, but as I'm not quite sure yet if your system is also acting as a router, I can't tell you if the ISPConfig firewall is good for you.
     
  7. ramangill

    ramangill New Member

    Sorry, let me be a little more clear and in detail.

    The way I set it up is the way many online howto documents are telling me to do it. Here are two examples:
    #1
    http://www.webmonkey.com/webmonkey/99/30/index3a_page2.html?tw=backend
    (Look at the 4th Paragraph)
    #2
    http://www.fs-security.com/docs/connection-sharing.php
    (This is the site for the firewall app and it also gave a rundown on how to setup a home firewall)

    So my 2nd NIC card is plugged into my hub/router and the rest of my PCs (Windows based for now) are set with a static IP like 192.168.*.*, with the default gateway set to the IP address of eth1 on my Linux box.

    The IP_ADDRESS_OF_SERVER is the IP address of my Linux machine (192.168.*.*) and not of the DSL provider (I assume you mean this as my public IP address).

    Does this give you a better understanding of what I have set up? Another thing I have now noticed is that to try and work with my D-LINK router to see if I can enable port forwarding, I need to get into my D-LINK settings by logging into it, as the IP address of the router is 192.168.0.1 (the default). But now I cannot for some reason. It will not recognize it anymore. What happened here?

    Any other questions please ask.

    Also, great site!!! I like what you have done with it and there is plenty of info there for people like me :)
     
  8. ramangill

    ramangill New Member

    I just wanted to give an update here. I was fooling around a little more this evening and this is where I am now. I am no longer seeing my DSL modem's status page when I type http://idbsgroup.hoptp.com. Now I see the infamous "page cannot be found" on XP, and on my Linux machine I get "The connection was refused when attempting to contact 69.156.*.*:8***".

    So when I do a ping on my domain it is working now and I can do it from the web also (I had my friend test it with ping). When I performed a traceroute, it went back to my domain provider, so I assume I got the domain issue solved. Now it seems like my firewall is not letting me see my Apache test page. In my httpd.conf file I have an entry for my listener as

    listen 192.168.*.*:8***
    Is this right? Or should I have

    listen 8***
    ???

    So now my issue is why I cannot access the actual page now. Seems like I have gotten one step further :)
     
  9. falko

    falko Super Moderator Howtoforge Staff

    Try to put
    Code:
    Listen 80
    in httpd.conf instead of
    Code:
    listen 192.168.*.*:8***
    , at least for debugging purposes. Then restart Apache.
     
  10. falko

    falko Super Moderator Howtoforge Staff

    I've just found out this:

    Code:
    # dig idbsgroup.hoptp.com
    
    ; <<>> DiG 9.2.1 <<>> idbsgroup.hoptp.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59337
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4
    
    ;; QUESTION SECTION:
    ;idbsgroup.hoptp.com.           IN      A
    
    ;; ANSWER SECTION:
    idbsgroup.hoptp.com.    86400   IN      CNAME   pjn.qsrch.net.
    pjn.qsrch.net.          30      IN      A       64.94.29.64
    
    ;; AUTHORITY SECTION:
    qsrch.net.              257344  IN      NS      ns3.qsrch.net.
    qsrch.net.              257344  IN      NS      ns4.qsrch.net.
    qsrch.net.              257344  IN      NS      ns1.qsrch.net.
    qsrch.net.              257344  IN      NS      ns2.qsrch.net.
    
    ;; ADDITIONAL SECTION:
    ns1.qsrch.net.          172799  IN      A       64.74.134.1
    ns2.qsrch.net.          259199  IN      A       64.74.134.51
    ns3.qsrch.net.          172799  IN      A       64.94.29.1
    ns4.qsrch.net.          172799  IN      A       64.94.29.51
    
    ;; Query time: 821 msec
    ;; SERVER: 81.169.163.104#53(81.169.163.104)
    ;; WHEN: Thu Feb  2 09:34:44 2006
    ;; MSG SIZE  rcvd: 216
    So idbsgroup.hoptp.com points to pjn.qsrch.net which then points to 64.94.29.64. Is this your public IP address?
     
  11. ramangill

    ramangill New Member

    No. I don't think so, as when I go to for example www.myipaddress.com it tells me that my IP address is 69.156.104.137

    I actually had listen 8016 in my httpd.conf file. So I thought this would route my port 80 to 8016 on my firewall software. I have changed it back to 80 for now.

    Anymore help?

    Please
     
  12. falko

    falko Super Moderator Howtoforge Staff

    You must change the DNS record for idbsgroup.hoptp.com so that it points to 69.156.104.137 (BTW, is it a static IP address? If not, then you must update your DNS record each time your IP address changes).
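A check for the point made here, as an added example that is not part of the thread: parse the ANSWER SECTION of `dig` output, follow the CNAME chain, and compare the final A record with the public address the server believes it has. The dig output embedded below is copied from post 10 (query name idbsgroup.hoptp.com); the expected address 69.156.104.137 is the one reported in post 11. The function names are mine.

```python
import re

# dig output copied from post 10 of this thread (query name idbsgroup.hoptp.com).
DIG_OUTPUT = """\
;; ANSWER SECTION:
idbsgroup.hoptp.com.    86400   IN      CNAME   pjn.qsrch.net.
pjn.qsrch.net.          30      IN      A       64.94.29.64

;; AUTHORITY SECTION:
qsrch.net.              257344  IN      NS      ns3.qsrch.net.
"""

# One resource record line as dig prints it: name, TTL, class, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A)\s+(\S+)\s*$")


def parse_answer_section(dig_text):
    """Return (name, ttl, type, rdata) tuples from the ANSWER SECTION only."""
    records = []
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answer
            in_answer = False
        if not in_answer or not line.strip():
            continue
        m = RR_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name.lower(), int(ttl), rtype, rdata.lower()))
    return records


def resolve_chain(records, qname, max_hops=8):
    """Follow CNAMEs starting at qname. Returns (names visited, A addresses at the end)."""
    name = qname.lower().rstrip(".") + "."
    chain = [name]
    for _ in range(max_hops):
        targets = [rdata for n, _, t, rdata in records if n == name and t == "CNAME"]
        if not targets:
            break
        name = targets[0]
        if name in chain:                  # defensive: a looping CNAME chain never ends
            raise ValueError("CNAME loop at %s" % name)
        chain.append(name)
    addrs = [rdata for n, _, t, rdata in records if n == name and t == "A"]
    return chain, addrs


def check_public_ip(dig_text, qname, expected_ip):
    """True if qname ultimately resolves to expected_ip; also returns the chain and addresses."""
    chain, addrs = resolve_chain(parse_answer_section(dig_text), qname)
    return expected_ip in addrs, chain, addrs


if __name__ == "__main__":
    ok, chain, addrs = check_public_ip(DIG_OUTPUT, "idbsgroup.hoptp.com", "69.156.104.137")
    print(" -> ".join(chain), addrs, "OK" if ok else "MISMATCH")
```

Run this after every reconnect: if the address the dynamic-DNS client pushed has not propagated yet, or the name goes somewhere else entirely as in the posted output, the check reports MISMATCH. On a live system replace DIG_OUTPUT with the output of `dig <name>`; the parser only needs the ANSWER SECTION.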
     
  13. ramangill

    ramangill New Member

    My IP address changes every time I reboot my machine. I am using www.no-ip.com as they offer a free personal domain, which happens to be idbsgroup.hopto.org. They also provide software that will check to see if your IP has changed and if so it will update their server...pretty cool, however I have only rebooted once so my IP has not changed.

    So for port forwarding, I am not too sure what I am doing wrong here. In my httpd.conf file I have changed the entry for the listener back to 80 so it reads like

    listener 80

    I also noticed that where it says ServerName https://idbsgroup.hopto.org it is actually set like

    #https://idbsgroup.hopto.org

    So it is commented out. When I uncomment it and restart my Apache server it fails, as it says that I have an invalid port range and it needs to be between 1...65553. But I do, don't I?

    I think I am getting close...thanks to you Falko...man you are good.

    Tell me where I can submit a donation, as I saw something like that on your website.
     
  14. falko

    falko Super Moderator Howtoforge Staff

    It must be
    Code:
    Listen 80
    I think the server name shouldn't contain https://, so you should try idbsgroup.hopto.org.
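A linter for the two directives this exchange straightens out, as an added example that is not part of the thread. It flags a misspelled directive (`listener` instead of `Listen`), a `Listen` bound to a private address and non-standard port (reachable from the LAN only unless the firewall forwards to it), and a `ServerName` carrying a URL scheme: Apache 2.0 reads `ServerName` as `host[:port]`, so the text after the first colon of `https://...` is taken as a port number, which is consistent with the "invalid port" error post 13 reports. The sample configuration is constructed from the lines posted in the thread, with the masked private address replaced by the placeholder 192.168.0.5; the function names are mine.

```python
import ipaddress


# Constructed sample mirroring the directives posted in the thread; the
# masked 192.168.*.* address is replaced with the placeholder 192.168.0.5.
SAMPLE_CONF = """\
listener 80
Listen 192.168.0.5:8016
#ServerName https://idbsgroup.hopto.org
ServerName https://idbsgroup.hopto.org
"""


def parse_listen(arg):
    """Split a Listen argument into (address or None, port). Raises ValueError on bad input."""
    if arg.startswith("["):                      # [ipv6-address]:port
        host, sep, port = arg[1:].partition("]:")
        if not sep:
            raise ValueError("unterminated IPv6 address in %r" % arg)
    elif ":" in arg:                             # address:port or host:port
        host, _, port = arg.rpartition(":")
    else:                                        # bare port
        host, port = None, arg
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("port must be between 1 and 65535 in %r" % arg)
    return host or None, int(port)


def is_private_address(host):
    """True for RFC 1918 / loopback literals; hostnames are not judged."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:                           # a hostname, not a literal address
        return False


def lint_httpd_conf(conf_text, public_port=80):
    """Return (line_number, message) findings for Listen/ServerName lines; [] means clean."""
    findings = []
    listens = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "listener":
            findings.append((no, "unknown directive 'listener'; the Apache directive is 'Listen'"))
        elif directive == "listen":
            try:
                addr, port = parse_listen(args[0])
            except (IndexError, ValueError) as err:
                findings.append((no, "bad Listen: %s" % err))
                continue
            listens.append((addr, port))
            if addr and is_private_address(addr):
                findings.append((no, "Listen bound to private address %s: reachable from the LAN only "
                                     "unless the firewall forwards to it" % addr))
        elif directive == "servername":
            name = args[0] if args else ""
            if "://" in name:
                findings.append((no, "ServerName takes host[:port], no URL scheme; use %r"
                                     % name.split("://", 1)[1]))
    # Nothing on the public port means browsers will not find the site even if DNS is right.
    if listens and all(port != public_port for _, port in listens):
        findings.append((0, "nothing listens on port %d, where browsers connect by default"
                            % public_port))
    return findings


if __name__ == "__main__":
    for no, msg in lint_httpd_conf(SAMPLE_CONF):
        print("line %d: %s" % (no, msg))
```

Feed it the real httpd.conf with `lint_httpd_conf(open("/etc/httpd/conf/httpd.conf").read())`; a clean file returns an empty list. The private-address finding is a warning rather than an error, since binding to the LAN address is exactly right once the firewall forwards the public port to it.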
     
  15. ramangill

    ramangill New Member

    So I have a quick question. When I am setting up port forwarding, am I supposed to be doing it on the Linux box that has the DSL coming directly into it or on my D-LINK router?
     
  16. ramangill

    ramangill New Member

    I just called my ISP (Bell Canada) and they told me that they are not blocking any ports and they have never in the past.

    So I don't think I have an issue with blocked ports, I guess.
     
  17. falko

    falko Super Moderator Howtoforge Staff

    On the system that is connected to your DSL line and does the routing.
     
  18. ramangill

    ramangill New Member

    Thought so...Thanks Falko!!!

    So talking to my ISP, they confirmed that they are not blocking any ports and they do allow users to run a server behind their lines. So on my Fedora box I set up static network routes for my eth1 card (the NIC that has the DSL line). I set it up like this:

    IP: 192.168.10.1
    Mask: 255.255.255.255 (I got this from my modem's status page)
    Gateway: 192.168.2.1 (this being my modem's IP address)

    So when I try to get to my site I still get my ISP's modem status page. Ahhhhhhhhh!!!!! WHY!!!!

    Also, when I get someone to ping my IP address, being 64.231.215.198, it just times out and cannot be reached. Why is this?

    So I think I know what is going on here. My DNS provider is routing idbsgroup.hopto.org to 64.231.215.198. When it hits that, it just tries to log into the modem, and the Linux box receiving the connection is not forwarding the request to the same box at 192.168.10.1 (my routing and web server all being on the same Linux machine). I added static network routes and that part is working, but then why is it not forwarding it off?

    Any thoughts.

    I am almost at my wits' end here with this. I have now started to think maybe I should re-install this whole thing and just follow your "Perfect Fedora Core 4 Setup".

    I am really getting frustrated and tired with this...please save me!!!!
     
  19. falko

    falko Super Moderator Howtoforge Staff

    Your modem has an IP address? Are you sure it is only a modem and not a router? Also, I'm not quite sure if the network details are correct, especially the network mask. Maybe www.subnetmask.info can help you.

    I can't ping it either, and I can't see your modem's status page...
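The doubt about the netmask can be checked mechanically. The following is an added example, not part of the thread: it uses Python's standard `ipaddress` module to validate the static addressing of a two-NIC firewall. The DSL-side values are the ones post 18 gives (192.168.10.1, mask 255.255.255.255, gateway 192.168.2.1); the LAN-side address, the two hosts behind it, and the interface labels "dsl" and "lan" are constructed placeholders, and the function names are mine. A mask of 255.255.255.255 is a /32, a network containing only the host itself, so a gateway at 192.168.2.1 is not on-link and the default route cannot be installed; the hosts check mirrors post 7, where the Windows machines use the LAN NIC as their default gateway.

```python
import ipaddress


def check_interface(name, address, netmask, gateway=None):
    """Return a list of problems with one interface's static config; [] means it looks sane."""
    problems = []
    try:
        iface = ipaddress.ip_interface("%s/%s" % (address, netmask))
    except ValueError as err:
        return ["%s: invalid address/netmask: %s" % (name, err)]
    net = iface.network
    if net.prefixlen == 32:
        problems.append("%s: netmask %s is a /32, so no other host is on-link" % (name, netmask))
    elif iface.ip in (net.network_address, net.broadcast_address):
        problems.append("%s: %s is the network or broadcast address of %s" % (name, iface.ip, net))
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw not in net:
            problems.append("%s: gateway %s is not inside %s, so the default route cannot be installed"
                            % (name, gw, net))
        elif gw == iface.ip:
            problems.append("%s: gateway is the interface's own address" % name)
    return problems


def check_router(wan, lan, lan_hosts=()):
    """wan and lan are (name, address, netmask, gateway) tuples for the two NICs;
    lan_hosts are (address, default_gateway) pairs for machines behind the LAN NIC."""
    problems = check_interface(*wan) + check_interface(*lan)
    if any("invalid" in p for p in problems):
        return problems                          # cannot reason about unparsable addresses
    wan_net = ipaddress.ip_interface("%s/%s" % (wan[1], wan[2])).network
    lan_if = ipaddress.ip_interface("%s/%s" % (lan[1], lan[2]))
    if wan_net.overlaps(lan_if.network):
        problems.append("WAN %s and LAN %s overlap; forwarding between them is ambiguous"
                        % (wan_net, lan_if.network))
    for addr, gw in lan_hosts:
        if ipaddress.ip_address(addr) not in lan_if.network:
            problems.append("host %s is not inside LAN %s" % (addr, lan_if.network))
        if ipaddress.ip_address(gw) != lan_if.ip:
            problems.append("host %s uses gateway %s instead of the LAN NIC %s"
                            % (addr, gw, lan_if.ip))
    return problems


# DSL-side values as given in post 18; everything else is a constructed placeholder.
POSTED_WAN = ("dsl", "192.168.10.1", "255.255.255.255", "192.168.2.1")
PLACEHOLDER_LAN = ("lan", "192.168.0.2", "255.255.255.0", None)
PLACEHOLDER_HOSTS = [("192.168.0.10", "192.168.0.2"), ("192.168.0.11", "192.168.0.1")]

if __name__ == "__main__":
    for problem in check_router(POSTED_WAN, PLACEHOLDER_LAN, PLACEHOLDER_HOSTS):
        print(problem)
```

Running it on the posted values reports the /32 mask and the unreachable gateway; the second placeholder host, whose default gateway is 192.168.0.1 rather than the LAN NIC, is reported as well. Whether the DSL side should carry a private address and a gateway at all depends on how the modem hands off the connection, which the thread does not settle; the check only tells you whether the numbers entered are internally consistent.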
     
  20. ramangill

    ramangill New Member

    Yes it is a Speedstream 5200 modem. Check out this site so you can see what I am using and talking about

    http://www.dsldepot.com/item.asp?id=80&referid=160159167165

    It is acting as a modem since I need to connect to my ISP. I did read on some sites that through firmware I can turn it into a router. The default gateway is 255.255.255.255. I know it looks weird and I thought to myself that this cannot be right. But when I went to my modem's status page, that is what it said.
     