Introduction
This tutorial is a follow-up to the Install IPFire Linux Firewall tutorial. Once IPFire is running, we want to reach services provided by servers behind the firewall. This tutorial demonstrates how to make a web server running on an internal server reachable from the outside.
Requirements
This tutorial assumes you have access to a running IPFire firewall configured to protect an internal network containing at least one server providing HTTP service on port 80. Here is an example network layout in the DCD.
The IPFire server in this example has a RED / public IP address of 162.254.27.246, which can also be reached via the hostname ip162-254-27-246.pbiaas.com. The GREEN / private IP address is 172.16.1.1. The TestInt server is attached to the GREEN network and has an internal IP address of 172.16.1.10. The TestInt server is currently running varnish as a web accelerator on port 80 in front of the nginx web server running on port 8080. Substitute the appropriate IP addresses and ports for your own network and server configuration.
Add New Firewall Rule
To begin, log into the IPFire web interface. Remember that this runs on port 444 by default. If you have OpenVPN configured according to OpenVPN on IPFire for Road Warriors, then you can access your firewall over the GREEN network at https://172.16.1.1:444. In any case, log in and then navigate to Firewall->Firewall Rules.
Clicking the New rule button will take you to a blank Firewall Rules screen.
- In the Source section, select the radio button for Standard networks: and make sure the drop-down menu shows Any.
- In the NAT section, check the box for Use Network Address Translation (NAT).
- In the Destination section, enter the IP address of your internal server in the Destination address (IP address or network): form field. In this tutorial, the value to enter is 172.16.1.10.
- In the Protocol section, choose TCP from the drop-down menu and enter 80 for Destination Port:.
- Under Additional Settings, you may wish to add a Remark: to remind you or someone else why this rule was added.
Press the Add button in the lower right section of the screen to add the new rule. We are presented with the new rule for review.
Go ahead and press the Apply changes button. Now we have the new rule in place on the firewall.
Test
At this point we should be able to test by pointing a browser at the public IP address, http://162.254.27.246, or the hostname, http://ip162-254-27-246.pbiaas.com.
We could also test from an external server using curl like this:
$ curl -v http://ip162-254-27-246.pbiaas.com/
* About to connect() to ip162-254-27-246.pbiaas.com port 80 (#0)
* Trying 162.254.27.246... connected
* Connected to ip162-254-27-246.pbiaas.com (162.254.27.246) port 80 (#0)
> GET / HTTP/1.1
> Host: ip162-254-27-246.pbiaas.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.6.3
< Date: Mon, 25 Jan 2016 22:15:21 GMT
< Last-Modified: Sun, 04 Oct 2015 07:53:44 GMT
< ETag: "5610db08-e74"
< Content-Type: text/html
< Content-Length: 3700
< X-Varnish: 32775 27
< Age: 30
< Via: 1.1 varnish-v4
< Connection: keep-alive
< Accept-Ranges: bytes
Everything looks good with the HTTP headers returned. We can see that we are connecting to the public IP address on port 80 and getting content back from our internal server running varnish and nginx.
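As an added example that is not part of the original tutorial, the following POSIX shell script automates the curl test above. It fetches only the response headers from the public address, checks that the status is 200 and that the Via: varnish and Server: nginx headers show the request really reached the internal TestInt server through the new rule, and separately confirms that the nginx backend port 8080 is not reachable from the RED side, since the rule is meant to expose port 80 only. The hostname, ports and expected header values are the tutorial's example values, not anything IPFire ships; substitute your own.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): verify an IPFire
# port-forward rule from outside the firewall. Host, ports and expected
# headers are the tutorial's example values; substitute your own.

PUBLIC_HOST="ip162-254-27-246.pbiaas.com"   # RED-side hostname of the firewall
FORWARDED_PORT=80                            # port the firewall rule forwards
BACKEND_PORT=8080                            # nginx port that must NOT be reachable from RED
EXPECT_VIA="varnish"                         # varnish sits in front of nginx on TestInt
EXPECT_SERVER="nginx"

# check_headers: read raw HTTP response headers from stdin and return 0 only
# when the status is 200 and both the varnish and nginx headers are present,
# i.e. the request really reached the internal stack through the DNAT rule.
check_headers() {
    headers=$(cat)
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    if [ "$status" != "200" ]; then
        echo "unexpected HTTP status: ${status:-none}" >&2
        return 1
    fi
    if ! printf '%s\n' "$headers" | grep -qi "^Via:.*$EXPECT_VIA"; then
        echo "no Via: header mentioning $EXPECT_VIA (request did not pass through varnish?)" >&2
        return 1
    fi
    if ! printf '%s\n' "$headers" | grep -qi "^Server:.*$EXPECT_SERVER"; then
        echo "no Server: header mentioning $EXPECT_SERVER" >&2
        return 1
    fi
    return 0
}

# fetch_headers HOST PORT: dump only the response headers for http://HOST:PORT/
fetch_headers() {
    curl -sS -m 10 -D - -o /dev/null "http://$1:$2/"
}

# port_unreachable HOST PORT: return 0 when an HTTP connection to HOST:PORT
# fails within 5 seconds; used to confirm the rule exposes only port 80.
port_unreachable() {
    if curl -sS -m 5 -o /dev/null "http://$1:$2/" 2>/dev/null; then
        return 1
    fi
    return 0
}

# Live checks run only when a host is given on the command line, e.g.
#   sh check_forward.sh ip162-254-27-246.pbiaas.com
if [ $# -gt 0 ]; then
    PUBLIC_HOST="$1"
    if fetch_headers "$PUBLIC_HOST" "$FORWARDED_PORT" | check_headers; then
        echo "OK: port $FORWARDED_PORT on $PUBLIC_HOST is forwarded to the varnish/nginx server"
    else
        echo "FAIL: port $FORWARDED_PORT on $PUBLIC_HOST did not return the expected response"
    fi
    if port_unreachable "$PUBLIC_HOST" "$BACKEND_PORT"; then
        echo "OK: backend port $BACKEND_PORT is not reachable from outside"
    else
        echo "WARNING: backend port $BACKEND_PORT is reachable from outside; review your rules"
    fi
fi
```

Run it from a host outside the firewall with your public hostname as the argument. The header check is deliberately separated from the network fetch so it can be exercised against saved curl output as well as against the live firewall.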