- 08-29-2006 #1 (Just Joined!)
Samba, Web Server, Dual Homed (am I asking for it?)
Is it possible to set up a server that:
- run apache and associated web site stuff accessible via the public
- run Samba and have it accessible via an internal network, primarily for transferring files from the linux box to a set of Windows machines
- and do this on a dual homed machine?
Or is this asking for it? Have always been cautioned that a dual homed server, especially into a windoze environment, is a train wreck waiting to happen. Are there enough checks and balances to protect the uploaded files via the internet/Apache side and still give access via a second NIC card via Samba to these files?
Any opinions would be highly valued.
- 08-30-2006 #2 (Just Joined!)
Routing
Ok, let me try this question.
If I had two NIC cards, one facing the internet and answering as a web server (eth0), the second (eth1) on the internal network and answering to Samba services.... anyone know of a tutorial on how to do this? The routing and firewalling? Have been Googling around but have yet to find an answer.
Help?
- 08-30-2006 #3 (Linux Enthusiast)
Multi-homed machines, either Windows and/or Linux, are fine. What do you think routers and firewalls are? As for Apache and Samba on the same box and being publicly reachable, not a good idea. For home use, not so bad, for corporate use - find a new career.
- 08-30-2006 #4 (Just Joined!)
Tx for the response. Yes, I know what routers and firewalls are.
You however didn't answer my question. I'll rephrase it for hopefully someone else who can offer help...
Anyone know of a tutorial or how-to on setting up a dual-homed box, one answering as a web server onto the internet, the second nic serving Samba on a private network? Specifically the routing?
- 08-30-2006 #5 (Just Joined!)
The routing shouldn't be an issue. In your apache (assumed) config, you can specify the IP you wish to bind to. This would be your external connection (internet side).
The same kind of thing is in your smb.conf, in the hosts allow directive. Allow your internal ip range only.
You will probably also want to firewall the connection from the internet side to the internal side, blocking all traffic except what's necessary (e.g. port 80). Edit: take a look for documentation on iptables; this will help out in this area.
Hope this helps.
@gtmtnbiker98, quoting "For home use, not so bad, for corporate use - find a new career.":
There are instances where you might want this setup in a small business. For example, a CMS system with an internal management side with an smb share to drop files and an apache web server on an external line to serve the content.
- 08-30-2006 #6 (Just Joined!)
Hello,
And yes, your response is very helpful. I understand most of this. I will go into the apache .conf file to bind to the external IP, and have already created a hosts allow directive in the smb.conf file for the internal network. And have also created a firewall that blocks all but the needed ingress ports.
Where I am stuck is on eth0 and eth1. Example follows:
eth0 = 192.160.123.234 (external IP)
eth1 = 192.168.10.104 (internal IP)
When the interfaces come up, the gateway ends up defined for the eth1 interface. Am not getting how to set up these two interfaces, in other words, so that packets that hit eth0 are answered back out, and Samba services work internally on the internal network. Will keep at it... it is my deficiency in networking and routing. Am just looking for apache to answer, as you say, on port 80 in/out the external IP/eth0, and samba to answer on eth1.
I appreciate your response to this.
- 08-30-2006 #7 (Just Joined!)
Can you post your firewall rules?
- 08-30-2006 #8 (Just Joined!)
Hello,
Yes, I will post the iptables, ifconfig and routing results. I use apf which has worked well, hence the long list. Just can't seem to get past the routing issue.
Thank you again for your help on this.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.77.0/24 anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
DROP tcp -- anywhere anywhere tcp dpt:ftp
DROP udp -- anywhere anywhere udp dpt:ftp
DROP tcp -- anywhere anywhere tcp dpt:ssh
DROP udp -- anywhere anywhere udp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpt:telnet
DROP udp -- anywhere anywhere udp dpt:telnet
DROP tcp -- anywhere anywhere tcp dpts:epmap:netbios-ssn
DROP udp -- anywhere anywhere udp dpts:epmap:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:sunrpc
DROP udp -- anywhere anywhere udp dpt:sunrpc
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP udp -- anywhere anywhere udp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:login
DROP udp -- anywhere anywhere udp dpt:who
DROP tcp -- anywhere anywhere tcp dpt:efs
DROP udp -- anywhere anywhere udp dpt:router
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP udp -- anywhere anywhere udp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:ms-sql-s
DROP udp -- anywhere anywhere udp dpt:ms-sql-s
DROP tcp -- anywhere anywhere tcp dpt:ms-sql-m
DROP udp -- anywhere anywhere udp dpt:ms-sql-m
DROP tcp -- anywhere anywhere tcp dpt:search-agent
DROP udp -- anywhere anywhere udp dpt:search-agent
IN_SANITY tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:51828
ACCEPT tcp -- anywhere anywhere tcp dpt:51829
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable limit: avg 30/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp redirect limit: avg 30/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp time-exceeded limit: avg 30/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp echo-reply limit: avg 30/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp type 30 limit: avg 30/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 30/sec burst 5
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- resolver.qwest.net anywhere udp spt:domain dpts:1023:65535
ACCEPT tcp -- resolver1.qwest.net anywhere tcp spt:domain dpts:1023:65535
DROP tcp -- anywhere anywhere tcp spt:domain dpts:1023:65535
DROP udp -- anywhere anywhere udp spt:domain dpts:1023:65535
ACCEPT udp -- resolver.qwest.net anywhere udp spt:domain dpts:1023:65535
ACCEPT tcp -- resolver2.qwest.net anywhere tcp spt:domain dpts:1023:65535
ACCEPT tcp -- anywhere anywhere tcp spts:1023:65535 dpt:ftp state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere multiport dports ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh dpts:login:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh flags:FIN,SYN,RST,ACK/SYN state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:ssh state ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW udp dpts:traceroute:33534
DROP tcp -- anywhere anywhere
DROP udp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.77.0/24
ACCEPT all -- anywhere 192.168.0.0/24
DROP tcp -- anywhere anywhere tcp dpt:ftp
DROP udp -- anywhere anywhere udp dpt:ftp
DROP tcp -- anywhere anywhere tcp dpt:ssh
DROP udp -- anywhere anywhere udp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpt:telnet
DROP udp -- anywhere anywhere udp dpt:telnet
OUT_SANITY tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG
OUT_SANITY tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
OUT_SANITY tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
OUT_SANITY tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
OUT_SANITY tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
OUT_SANITY tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
OUT_SANITY tcp -- anywhere anywhere tcp flags:ACK,URG/URG
FUDP udp -f anywhere anywhere
PZ udp -- anywhere anywhere udp dpt:0
PZ tcp -- anywhere anywhere tcp dpt:0
ACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere multiport dports ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW udp dpts:traceroute:33534
ACCEPT all -- anywhere anywhere
Chain FUDP (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain GTA (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Ifconfig:
eth0 Link encap:Ethernet HWaddr 00:E0:18:5F:C9:05
inet addr:192.1xx.1xx.201 Bcast:192.1xx.1xx.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:18ff:fe5f:c905/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:80114 errors:10 dropped:0 overruns:0 frame:10
TX packets:12563 errors:0 dropped:0 overruns:0 carrier:0
collisions:3 txqueuelen:1000
RX bytes:6494082 (6.1 MiB) TX bytes:1271771 (1.2 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8069 errors:0 dropped:0 overruns:0 frame:0
TX packets:8069 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7521827 (7.1 MiB) TX bytes:7521827 (7.1 MiB)
Routing:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.1xx.1xx.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default 192.1xx.1xx.254 0.0.0.0 UG 0 0 0 eth0
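The eth0/eth1 split that camh describes in post #5 and the poster is after in post #6, as an added example that is not the thread's own configuration (note that the ifconfig and routing output in post #8 show no eth1 at all). The script only prints what would be applied; the gateway address 192.160.123.254, the web ports 80/443 and the SMB ports 137-139/445 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: print (never apply) the firewall,
# routes and service bindings for the eth0/eth1 split described in post #6.
# Assumed: the external gateway address, web ports 80/443, SMB 137-139/445.
EXT_IF=eth0; EXT_IP=192.160.123.234; EXT_GW=192.160.123.254
INT_IF=eth1; INT_IP=192.168.10.104; INT_NET=192.168.10.0/24
# iptables-restore text. Every ACCEPT is tied to one interface, and FORWARD
# is DROP so the box can never route packets between the internet and the LAN.
fw_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# LAN addresses must never arrive on the internet-facing NIC
-A INPUT -i $EXT_IF -s $INT_NET -j DROP
-A INPUT -i $EXT_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -i $INT_IF -s $INT_NET -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -i $INT_IF -s $INT_NET -p udp -m multiport --dports 137,138 -j ACCEPT
COMMIT
EOF
}

# Default route via the external NIC only; the LAN is on-link through eth1.
# ip_forward=0 keeps the kernel from relaying between the two interfaces.
routes() {
  cat <<EOF
ip route replace $INT_NET dev $INT_IF src $INT_IP
ip route replace default via $EXT_GW dev $EXT_IF
sysctl -w net.ipv4.ip_forward=0
EOF
}

# Apache listens on the external address only; Samba binds to eth1 only and
# also filters clients by source network, so a wrong route cannot expose it.
service_binding() {
  cat <<EOF
# httpd.conf
Listen $EXT_IP:80
# smb.conf [global]
interfaces = $INT_IF
bind interfaces only = yes
hosts allow = 127. ${INT_NET%.*}.
hosts deny = ALL
EOF
}
fw_rules; routes; service_binding
```

Check the live result with `iptables -L INPUT -v -n`; the -v columns show which interface each rule is bound to, which the plain `iptables -L` listing in post #8 does not.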
- 08-30-2006 #9
Just to add some more advice, along the lines of gtmtnbiker98 above: if you're going to do this, it's probably not the safest way to run your public web server.
If you absolutely have to do this, get a separate firewall box (an old PC with one of the firewall distros, e.g. Smoothwall, is good) and sit it physically between your web-server/samba-server box and the internet; forward only port 80 from outside to your web machine. That way you will protect your machine from those who would attempt to deprive you of it. It also frees you up from having to muck about with complex firewall rules.
Linux user #126863 - see http://linuxcounter.net/
- 08-30-2006 #10 (Just Joined!)
Thanks for your response. Yes, I understand the challenges of running in this way. I do have a firewall in front of this, yes. Had thought about using a router and setting this as a DMZ machine, but establishing a firewall in front of it, yes, you are correct.
Again, thanks for your response on this. I did finally get it working through assigning some static routes, but am not 100% certain it is right.