Page 1 of 2
Results 1 to 10 of 13
  1. #1
    Just Joined!
    Join Date
    Jun 2006
    Posts
    7

    Samba, Web Server, Dual Homed (am I asking for it?)


    Is it possible to set up a server that:

    - run apache and associated web site stuff accessible via the public
    - run Samba and have it accessible via an internal network, primarily for transferring files from the linux box to a set of Windows machines
    - and do this on a dual homed machine?

    Or is this asking for it? Have always been cautioned that a dual homed server, especially into a windoze environment, is a train wreck waiting to happen. Are there enough checks and balances to protect the uploaded files via the internet/Apache side and still give access via a second NIC card via Samba to these files?

    Any opinions would be highly valued.

  2. #2
    Just Joined!
    Join Date
    Jun 2006
    Posts
    7

    Routing

    Ok, let me try this question.

    If I had two NIC cards, one facing the internet and answering as a web server (eth0), the second (eth1) on the internal network and answering to Samba services.... anyone know of a tutorial on how to do this? The routing and firewalling? Have been Googling around but have yet to find an answer.

    Help?

  3. #3
    Linux Enthusiast
    Join Date
    Dec 2004
    Posts
    637
    Multi-homed machines, either Windows and/or Linux, are fine. What do you think routers and firewalls are? As for Apache and Samba on the same box and being publicly reachable, not a good idea. For home use, not so bad; for corporate use - find a new career.

  4. #4
    Just Joined!
    Join Date
    Jun 2006
    Posts
    7
    Tx for the response. Yes, I know what routers and firewalls are.

    You however didn't answer my question. I'll rephrase it for hopefully someone else who can offer help...

    Anyone know of a tutorial or how-to on setting up a dual-homed box, one answering as a web server onto the internet, the second nic serving Samba on a private network? Specifically the routing?


  5. #5
    Just Joined!
    Join Date
    Aug 2006
    Posts
    4
    The routing shouldn't be an issue. In your apache (assumed) config, you can specify the IP you wish to bind to. This would be your external connection (internet side).

    The same kind of thing is in your smb.conf, in the hosts allow directive. Allow your internal ip range only.

    You will probably also want to firewall the connection from the internet side to the internal side, blocking all traffic except what's necessary (e.g. port 80). *edit* Take a look for documentation on iptables; this will help out in this area.

    Hope this helps.

    @gtmtnbiker98
    For home use, not so bad, for corporate use - find a new career.
    There are instances where you might want this setup in a small business. For example, a CMS system with an internal mgmt side with a smb share to drop files and an apache web server on an external line to serve the content.
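
    As an added example for the three steps camh describes (bind Apache to the external address, restrict Samba with hosts allow, firewall the rest), not code posted by anyone in this thread: the Apache and Samba fragments side by side, plus a check that reads "ss -ltn" output and refuses any listener that ended up on the wildcard address. The two addresses are the ones the original poster gives in post #6; the drop-in file names and the ss column layout are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code posted by camh or anyone else here:
# bind Apache to the external NIC only, Samba to the internal NIC only, and then
# verify with "ss -ltn" that neither service landed on the wildcard address.
# Addresses are the two the original poster gives in post #6; the drop-in file
# names and the ss column layout are assumptions.

EXT_IP=192.160.123.234   # eth0, internet side (from post #6)
INT_IP=192.168.10.104    # eth1, internal side (from post #6)
INT_NET=192.168.10.      # Samba "hosts allow" prefix form, i.e. 192.168.10.0/24

# write_configs DIR: two fragments to Include from httpd.conf and smb.conf.
write_configs() {
    dir=$1
    # Apache: a bare "Listen 80" binds 0.0.0.0 and would answer on eth1 as well.
    cat > "$dir/httpd-listen.conf" <<EOF
Listen ${EXT_IP}:80
EOF
    # Samba: "bind interfaces only" keeps smbd/nmbd off eth0 entirely;
    # hosts allow/deny is a second, independent check on the client address.
    cat > "$dir/smb-net.conf" <<EOF
[global]
    interfaces = lo eth1 ${INT_IP}/24
    bind interfaces only = yes
    hosts allow = 127. ${INT_NET}
    hosts deny = ALL
EOF
}

# check_listeners: read "ss -ltn" output on stdin; fail if tcp/80,443 is bound
# anywhere but the external IP or tcp/139,445 anywhere but the internal IP.
# A wildcard bind (0.0.0.0, *, [::]) fails either test, and that is exactly the
# mistake that exposes Samba on the internet NIC.
check_listeners() {
    bad=0
    while read -r state rq sq laddr rest; do
        [ "$state" = "LISTEN" ] || continue
        addr=${laddr%:*}
        port=${laddr##*:}
        case $port in
            80|443)  [ "$addr" = "$EXT_IP" ] || { echo "BAD: $laddr (want $EXT_IP)"; bad=1; } ;;
            139|445) [ "$addr" = "$INT_IP" ] || { echo "BAD: $laddr (want $INT_IP)"; bad=1; } ;;
        esac
    done
    return $bad
}

# Constructed sample listings for the stand-alone run (not real captures).
GOOD_LISTING='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    192.160.123.234:80   0.0.0.0:*
LISTEN 0      50     192.168.10.104:139   0.0.0.0:*
LISTEN 0      50     192.168.10.104:445   0.0.0.0:*'
BAD_LISTING='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:80           0.0.0.0:*
LISTEN 0      50     0.0.0.0:445          0.0.0.0:*'

tmp=$(mktemp -d)
write_configs "$tmp"
cat "$tmp/httpd-listen.conf" "$tmp/smb-net.conf"
rm -rf "$tmp"
printf '%s\n' "$GOOD_LISTING" | check_listeners && echo "good listing: OK"
printf '%s\n' "$BAD_LISTING"  | check_listeners || echo "bad listing: rejected"
# On the real box, after restarting both services:  ss -ltn | check_listeners
```

    The point of the check is that "hosts allow" alone is not a bind restriction: without "bind interfaces only = yes" smbd still listens on eth0 and merely refuses clients after they connect, so the listener test should be run after every Samba or Apache restart, not just once.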

  6. #6
    Just Joined!
    Join Date
    Jun 2006
    Posts
    7
    Hello,

    And yes, your response is very helpful. I understand most of this. I will go into the Apache .conf file to bind to the external IP, and have already created a hosts allow directive in the smb.conf file for the internal network. I have also created a firewall that blocks all but the needed ingress ports.

    Where I am stuck is on eth0 and eth1. Example follows:

    eth0 = 192.160.123.234 (external IP)
    eth1 = 192.168.10.104 (internal IP)

    When the interfaces come up, the gateway ends up defined for the eth1 interface. I am not getting how to set up these two interfaces, in other words, so that packets that hit eth0 are answered back out and Samba services work internally on the internal network. Will keep at it... it is my deficiency in networking and routing. I am just looking for Apache to answer, as you say, on port 80 in/out the external IP/eth0, and Samba to answer on eth1.

    I appreciate your response to this.







  7. #7
    Just Joined!
    Join Date
    Aug 2006
    Posts
    4
    Can you post your firewall rules?

  8. #8
    Just Joined!
    Join Date
    Jun 2006
    Posts
    7

    hello

    Quote Originally Posted by camh
    Can you post your firewall rules?
    Yes, I will post the iptables, ifconfig and routing results. I use apf, which has worked well, hence the long list. I just can't seem to get past the routing issue.

    Thank you again for your help on this.

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- 192.168.77.0/24 anywhere
    ACCEPT all -- 192.168.0.0/24 anywhere
    DROP tcp -- anywhere anywhere tcp dpt:ftp
    DROP udp -- anywhere anywhere udp dpt:ftp
    DROP tcp -- anywhere anywhere tcp dpt:ssh
    DROP udp -- anywhere anywhere udp dpt:ssh
    DROP tcp -- anywhere anywhere tcp dpt:telnet
    DROP udp -- anywhere anywhere udp dpt:telnet
    DROP tcp -- anywhere anywhere tcp dpts:epmap:netbios-ssn
    DROP udp -- anywhere anywhere udp dpts:epmap:netbios-ssn
    DROP tcp -- anywhere anywhere tcp dpt:sunrpc
    DROP udp -- anywhere anywhere udp dpt:sunrpc
    DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
    DROP udp -- anywhere anywhere udp dpt:microsoft-ds
    DROP tcp -- anywhere anywhere tcp dpt:login
    DROP udp -- anywhere anywhere udp dpt:who
    DROP tcp -- anywhere anywhere tcp dpt:efs
    DROP udp -- anywhere anywhere udp dpt:router
    DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
    DROP udp -- anywhere anywhere udp dpt:microsoft-ds
    DROP tcp -- anywhere anywhere tcp dpt:ms-sql-s
    DROP udp -- anywhere anywhere udp dpt:ms-sql-s
    DROP tcp -- anywhere anywhere tcp dpt:ms-sql-m
    DROP udp -- anywhere anywhere udp dpt:ms-sql-m
    DROP tcp -- anywhere anywhere tcp dpt:search-agent
    DROP udp -- anywhere anywhere udp dpt:search-agent
    IN_SANITY tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE

    ACCEPT tcp -- anywhere anywhere tcp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT tcp -- anywhere anywhere tcp dpt:https
    ACCEPT tcp -- anywhere anywhere tcp dpt:51828
    ACCEPT tcp -- anywhere anywhere tcp dpt:51829
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable limit: avg 30/sec burst 5
    ACCEPT icmp -- anywhere anywhere icmp redirect limit: avg 30/sec burst 5
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded limit: avg 30/sec burst 5
    ACCEPT icmp -- anywhere anywhere icmp echo-reply limit: avg 30/sec burst 5
    ACCEPT icmp -- anywhere anywhere icmp type 30 limit: avg 30/sec burst 5
    ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 30/sec burst 5
    DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT udp -- resolver.qwest.net anywhere udp spt:domain dpts:1023:65535
    ACCEPT tcp -- resolver1.qwest.net anywhere tcp spt:domain dpts:1023:65535
    DROP tcp -- anywhere anywhere tcp spt:domain dpts:1023:65535
    DROP udp -- anywhere anywhere udp spt:domain dpts:1023:65535
    ACCEPT udp -- resolver.qwest.net anywhere udp spt:domain dpts:1023:65535
    ACCEPT tcp -- resolver2.qwest.net anywhere tcp spt:domain dpts:1023:65535
    ACCEPT tcp -- anywhere anywhere tcp spts:1023:65535 dpt:ftp state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere multiport dports ftp,ftp-data state RELATED,ESTABLISHED
    ACCEPT udp -- anywhere anywhere multiport dports ftp,ftp-data state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:ssh dpts:login:65535 state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh flags:FIN,SYN,RST,ACK/SYN state RELATED,ESTABLISHED
    ACCEPT udp -- anywhere anywhere udp dpt:ssh state ESTABLISHED
    ACCEPT udp -- anywhere anywhere state NEW udp dpts:traceroute:33534
    DROP tcp -- anywhere anywhere
    DROP udp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere 192.168.77.0/24
    ACCEPT all -- anywhere 192.168.0.0/24
    DROP tcp -- anywhere anywhere tcp dpt:ftp
    DROP udp -- anywhere anywhere udp dpt:ftp
    DROP tcp -- anywhere anywhere tcp dpt:ssh
    DROP udp -- anywhere anywhere udp dpt:ssh
    DROP tcp -- anywhere anywhere tcp dpt:telnet
    DROP udp -- anywhere anywhere udp dpt:telnet


    OUT_SANITY tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG
    OUT_SANITY tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
    OUT_SANITY tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
    OUT_SANITY tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
    OUT_SANITY tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
    OUT_SANITY tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
    OUT_SANITY tcp -- anywhere anywhere tcp flags:ACK,URG/URG
    FUDP udp -f anywhere anywhere
    PZ udp -- anywhere anywhere udp dpt:0
    PZ tcp -- anywhere anywhere tcp dpt:0

    ACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 state RELATED,ESTABLISHED
    ACCEPT udp -- anywhere anywhere udp dpts:1024:65535 state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:1023:65535 state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere multiport dports ftp,ftp-data state RELATED,ESTABLISHED
    ACCEPT udp -- anywhere anywhere multiport dports ftp,ftp-data state RELATED,ESTABLISHED
    ACCEPT udp -- anywhere anywhere state NEW udp dpts:traceroute:33534
    ACCEPT all -- anywhere anywhere

    Chain FUDP (2 references)
    target prot opt source destination
    DROP all -- anywhere anywhere

    Chain GTA (0 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere


    Ifconfig:

    eth0 Link encap:Ethernet HWaddr 00:E0:18:5F:C9:05
    inet addr:192.1xx.1xx.201 Bcast:192.1xx.1xx.255 Mask:255.255.255.0
    inet6 addr: fe80::2e0:18ff:fe5f:c905/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:80114 errors:10 dropped:0 overruns:0 frame:10
    TX packets:12563 errors:0 dropped:0 overruns:0 carrier:0
    collisions:3 txqueuelen:1000
    RX bytes:6494082 (6.1 MiB) TX bytes:1271771 (1.2 MiB)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:8069 errors:0 dropped:0 overruns:0 frame:0
    TX packets:8069 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:7521827 (7.1 MiB) TX bytes:7521827 (7.1 MiB)


    Routing:

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.1xx.1xx.0 * 255.255.255.0 U 0 0 0 eth0
    169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
    default 192.1xx.1xx.254 0.0.0.0 UG 0 0 0 eth0
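
    Three things in the listing above are worth reading closely before touching routes. The ifconfig output shows only eth0 and lo, so eth1 is not up at all and nothing can answer on it, which matches the routing table having no 192.168.10.0/24 entry. The INPUT chain accepts everything from 192.168.77.0/24 and 192.168.0.0/24 but drops netbios-ssn and microsoft-ds from anywhere else, while the internal address given in post #6 is 192.168.10.104, so Samba from that LAN would be dropped unless the very first "ACCEPT all" really accepts everything. And plain "iptables -L" hides the interface column, so that first rule cannot be told apart from a loopback-only accept; "iptables -L -v -n" shows it. As an added example, not the poster's apf configuration or anyone else's code in this thread, here is a routing setup with the default gateway pinned to eth0 and a host firewall in which every ACCEPT names its interface. The two addresses are the poster's; the eth0 gateway 192.160.123.254 and the /24 masks are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not the poster's apf rules: routing and an
# interface-scoped host firewall for the two-NIC layout in post #6. The two
# addresses are the poster's; the eth0 gateway 192.160.123.254 and the /24
# masks are assumptions. With no argument the script only prints the commands;
# "apply" (as root) executes them.

EXT_IF=eth0; EXT_IP=192.160.123.234; EXT_GW=192.160.123.254   # gateway assumed
INT_IF=eth1; INT_IP=192.168.10.104;  INT_NET=192.168.10.0/24

IP=${IP:-ip}; IPT=${IPT:-iptables}; SYSCTL=${SYSCTL:-sysctl}

# Routing: only eth0 gets a default gateway. eth1 gets its connected route and
# nothing else, so LAN replies leave via eth1 and everything else via eth0.
setup_routes() {
    $IP addr replace "$EXT_IP/24" dev "$EXT_IF"
    $IP addr replace "$INT_IP/24" dev "$INT_IF"
    $IP link set "$EXT_IF" up
    $IP link set "$INT_IF" up
    $IP route replace "$INT_NET" dev "$INT_IF" src "$INT_IP"
    $IP route replace default via "$EXT_GW" dev "$EXT_IF"
}

# The box must not route between the two networks, and the kernel should drop
# packets that arrive on the wrong NIC for their source address.
setup_sysctl() {
    $SYSCTL -w net.ipv4.ip_forward=0
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1
}

# Firewall: every ACCEPT names its interface, so "Samba allowed" can only mean
# "Samba allowed on eth1 from the LAN prefix".
setup_firewall() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -A INPUT -i lo -j ACCEPT
    # Private source addresses have no business arriving on the internet NIC.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i "$EXT_IF" -s "$net" -j DROP
    done
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Internet side: HTTP/HTTPS to the external address and nothing else.
    $IPT -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # Internal side: Samba and ssh, from the LAN prefix only.
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -d "$INT_IP" -p tcp -m multiport --dports 22,139,445 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -p udp -m multiport --dports 137,138 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
}

# Afterwards: the default route must sit on eth0, the LAN route on eth1, and
# "iptables -L -v -n" (not plain -L) shows which interface each rule matches.
show_state() {
    $IP route show
    $IP route get 203.0.113.1          # any internet address: expect "via $EXT_GW dev $EXT_IF"
    $IPT -L INPUT -v -n
}

apply_all() {
    setup_sysctl
    setup_routes
    setup_firewall
    show_state
}

if [ "${1:-}" = "apply" ]; then
    apply_all
else
    IP="echo ip"; IPT="echo iptables"; SYSCTL="echo sysctl"   # dry run: print only
    apply_all
fi
```

    Run it from the console rather than over ssh the first time, since the policy is set to DROP before the ESTABLISHED rule is added. The distribution's network scripts should carry the same split (gateway on the eth0 configuration only, none on eth1), otherwise the next reboot puts the default route back on eth1 exactly as post #6 describes.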

  9. #9
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,845
    Just to add some more advice, along the lines of gtmtnbiker98 above, if you're going to do this, it's probably not the safest way to run your public web server.

    If you absolutely have to do this, get a separate firewall box (an old PC with one of the firewall distros, e.g. smoothwall, is good) and sit it physically between your web-server/samba-server box and the internet; forward only port 80 from outside to your web machine. That way you will protect your machine from those who would attempt to deprive you of it. It also frees you up from having to muck about with complex firewall rules.
    Linux user #126863 - see http://linuxcounter.net/
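
    As an added example for the layout Roxoff suggests, not code from this thread or from any firewall distribution: the rules such a box would carry if it has three NICs (internet, a DMZ holding the web/Samba machine, and the Windows LAN). Inbound it forwards tcp/80 only, the LAN may reach the Samba ports on the web box, and the web box itself may answer but never originate a connection toward the LAN. Only the LAN prefix 192.168.10.0/24 comes from the thread; the public, DMZ and web-box addresses are assumed (RFC 5737 test ranges).

```shell
#!/bin/sh
# Added example for Roxoff's suggestion above, not code from the thread: the
# rules a separate firewall box between the internet and the web/Samba machine
# would carry. Inbound it forwards tcp/80 only; the web box is treated as a
# DMZ host that may answer but never originate connections. Addresses other
# than the poster's 192.168.10.0/24 LAN are assumed (RFC 5737 test ranges).

WAN_IF=eth0; WAN_IP=203.0.113.10        # firewall's public address (assumed)
DMZ_IF=eth1; WEB_IP=192.0.2.10          # web/Samba box behind the firewall (assumed)
LAN_IF=eth2; LAN_NET=192.168.10.0/24    # Windows clients (prefix from post #6)

IPT=${IPT:-iptables}; SYSCTL=${SYSCTL:-sysctl}

fw_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING
    # Inbound: rewrite public :80 to the web box, then permit exactly that flow.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_IP:80"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$WEB_IP" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$WEB_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN -> web box for the Samba file drop; replies only in the other direction.
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$WEB_IP" -p tcp -m multiport --dports 139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$WEB_IP" -d "$LAN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A compromised web box must not be able to reach the LAN (or anything else) on its own.
    $IPT -A FORWARD -i "$DMZ_IF" -m state --state NEW -m limit --limit 3/min -j LOG --log-prefix "DMZ-NEW-DROP: "
    $IPT -A FORWARD -i "$DMZ_IF" -m state --state NEW -j DROP
    # LAN clients may browse out, masqueraded behind the public address.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

if [ "${1:-}" = "apply" ]; then
    fw_rules
else
    IPT="echo iptables"; SYSCTL="echo sysctl"; fw_rules   # dry run: print only
fi
```

    With this in place the web box cannot fetch its own updates; add a narrow rule for that (to a specific mirror or an internal proxy) rather than a blanket allow out of the DMZ, because the "DMZ-NEW-DROP" log line is the one signal you have that the web box has started behaving like an attacker.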

  10. #10
    Just Joined!
    Join Date
    Jun 2006
    Posts
    7
    Thanks for your response. Yes, I understand the challenges of running in this way. I do have a firewall in front of this, yes. I had thought about using a router and setting this as a DMZ machine, but establishing a firewall in front of it, yes, you are correct.

    Again, thanks for your response on this. I did finally get it working through assigning some static routes, but am not 100% certain it is right.


