Data Networking/Fall 2014/Shalini/WEBSERVER AND FIREWALL
WEB SERVER:
Any server basically stores data and retrieves it when required. The web server of an organization hosts the pages and information of that organization so that they are accessible through the internet. When a client requests a hostname or IP address of that organization, the web server fetches the data and replies to the client with an HTML page. Every web server has an IP address and possibly a domain name. Since requests may arrive at any time, the server is an always-on machine with which clients can communicate at any time.
Behaviour of the Protocol:
The web content is accessed by the client using HTTP (HyperText Transfer Protocol) or HTTPS. HTTP is a client-server application layer protocol served on port 80 of the web server over reliable TCP (RFC 2616). The client completes a three-way TCP handshake with the web server before requesting the web page. Once the connection is established, the client requests a particular web page by giving its path on the server. The server looks up the specified path, fetches the HTML page and replies over TCP. The client may use a persistent or a non-persistent connection with the server.
Configuration of WEB SERVER:
The web server can be configured using various software packages:
1. Apache2 HTTP server
2. NGINX
3. Windows web server
For a workstation to act as a web server it has to meet some specifications, and the platform should be feasible and open source. Linux is one such open source platform and is efficient for hosting a web server. Since Windows web servers do not run on a Linux machine, that option cannot be used to serve the web pages here. Apache provides more compatibility with add-on modules, speed and flexibility in a small network compared to Nginx. Hence, we have decided to configure and implement the Apache2 server for the network.
Signaling:
After receiving the DNS reply, the client initiates a TCP connection to the web server IP address it was given. This connection uses a three-way handshake.
The client first sends a SYN segment on behalf of the browser, requesting TCP establishment on port 80.
The web server responds with a SYN-ACK segment that acknowledges the TCP request and asks the client to open a port on which the server can send data.
The client responds with an ACK segment accepting the request, and then sends the request for the basic HTML page.
Steps to configure the web server in Ubuntu Linux terminal:
IP addressing: The web server is in the private network, in which a DHCP server assigns temporary IP addresses. But the server needs a permanent single IP address for the clients to reach it. The server can be assigned a static IP address by going to network settings/edit connections/select the network/IPv4 settings/method: manual, and saving the settings. However, we have configured the DHCP server to assign a permanent address to the server based on its MAC address, so there is no need to assign a static IP address.
To configure and implement an Apache web server, the Apache server software has to be installed.
Before installing the software, all package updates available for and supported by the host Linux machine should be installed.
To update the package index:
sudo apt-get update
To install the Apache web server on the host machine:
sudo apt-get install apache2
When the web server is installed, a default HTML page is created on the local host, which can be accessed by other hosts in the network.
To configure the web pages of the organization, HTML pages are created and placed in the default document directory /var/www (/var/www/html on newer Apache2 packages). The pages in this path are served by the server when an HTTP request reaches it.
sudo nano /var/www/html/index.html
To test the web server, browse to localhost or the IP address of the host from the web browser on the server machine. The browser should load the content of the configured web page of the server.
If the HTML pages to be served are located in another directory (/Directory path/), change the path from which the server fetches the contents.
sudo nano /etc/apache2/sites-enabled/000-default.conf
In this file, replace the default DocumentRoot /var/www with /Directory path/ and save the file.
Once the configuration is done, the web server has to be started.
sudo service apache2 start
If the server needs to be stopped:
sudo service apache2 stop
The web server has to be restarted whenever configuration changes are made.
sudo service apache2 restart
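Changing only the DocumentRoot line is what produces the FORBIDDEN result described in the testing section: on Apache 2.4 (Ubuntu 14.04 and later) a directory outside /var/www also needs its own <Directory> block that grants access. As an added example, not code from the original page or from the Apache project, the POSIX shell script below writes a complete virtual-host file for a custom DocumentRoot and checks that the file both sets the path and grants access to it. The path /srv/www/org and the temporary file are constructed for the demonstration; the function names write_vhost, docroot_of and grants_access are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page. Writes an Apache 2.4
# virtual-host file that moves DocumentRoot to a custom directory and, in the
# same file, grants access to that directory. Assumption: Apache 2.4 (Ubuntu
# 14.04 and later), where a DocumentRoot outside /var/www without its own
# <Directory> block makes every request fail with 403 Forbidden.

# write_vhost <conf_path> <docroot>: emit a minimal vhost configuration
write_vhost() {
    conf="$1"
    docroot="$2"
    cat > "$conf" <<EOF
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot $docroot
    # Apache 2.4 denies everything outside /var/www unless a Directory
    # block grants it; this block is what avoids the 403 Forbidden answer.
    <Directory $docroot>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
}

# docroot_of <conf_path>: print the DocumentRoot set in a configuration file
docroot_of() {
    sed -n 's/^[[:space:]]*DocumentRoot[[:space:]]*//p' "$1" | head -n 1
}

# grants_access <conf_path> <docroot>: succeed (exit 0) only if a
# <Directory docroot> block in the file contains "Require all granted"
grants_access() {
    awk -v d="$2" '
        $1 == "<Directory" && $2 == (d ">") { inblk = 1 }
        inblk && $1 == "Require" && $2 == "all" && $3 == "granted" { found = 1 }
        $1 == "</Directory>" { inblk = 0 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Demo on a throwaway file (constructed path; nothing under /etc is touched).
demo_conf=$(mktemp)
write_vhost "$demo_conf" /srv/www/org
echo "DocumentRoot: $(docroot_of "$demo_conf")"
if grants_access "$demo_conf" /srv/www/org; then
    echo "access to /srv/www/org is granted in $demo_conf"
fi
rm -f "$demo_conf"
```

On a real host the generated file goes under /etc/apache2/sites-available, is enabled with a2ensite, and should be checked with sudo apachectl configtest before the service is restarted, so that a syntax error does not take the site down.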
Testing:
• Before configuring the web page, open the browser and type “localhost”, “127.0.0.1” or the IP address of the web server in the address bar. The default web page of the Apache server is displayed.
• Create an HTML page for the organization, place it in the /var/www path and type ‘localhost’ in the browser.
The configured web page of the organization is displayed.
• If the HTML page is created in a different directory and ‘localhost’ is entered in the browser,
the web page says “FORBIDDEN | cannot view the contents of the page”.
• If the HTML page is created in a different directory and the fetch path is specified in /etc/apache2/sites-enabled/000-default.conf,
the configured web page of the organization is displayed.
FIREWALL
A firewall protects a network (private network) from other networks or unintended clients. The function of the firewall is to filter and block packets entering the network. A firewall can protect a whole network, or a particular server holding databases or confidential information, from unauthorized clients inside or outside the network.
By configuring commands on any Linux machine (web server, DNS server, DHCP server), a set of rules is applied so that the machine drops certain packets and allows the rest.
Packages used:
The iptables and ufw packages are used to modify the set of rules that restrict or allow packets.
Steps to configure Firewall:
iptables is the set of rules configured from a Linux machine terminal; it has some built-in chains:
INPUT chain – For packets coming to the machine.
OUTPUT chain –For packets generated inside and going out of the machine.
FORWARD chain – For packets routed through the local host.
iptables is an application program for configuring the firewall with accept and reject rules. These rules can be added once iptables is installed.
To install iptables and ufw (Uncomplicated Firewall):
sudo apt-get update
sudo apt-get install iptables
sudo apt-get install ufw
Telnet listens on the default port 23 of the host and lets the host log in to other hosts.
To enable telnet remote login between hosts in a network:
sudo apt-get install telnetd
SSH is a secured remote login between hosts, listening on the default port 22.
To enable SSH login between hosts in a network:
sudo apt-get install openssh-server
Rules configured on Web server:
• The ICMP requests to the web server are blocked.
sudo iptables -A INPUT -p icmp -j REJECT
This command appends (-A) a rule to reject ICMP packets coming into the server (INPUT chain).
• Telnet requests to the web server are blocked.
sudo iptables -A INPUT -p tcp --dport 23 -j REJECT
This command appends a rule to reject telnet requests arriving at destination port 23 of the server.
• Allow access only from particular IPs
sudo ufw allow from 192.168.3.0/24
This command allows the hosts in the 192.168.3.0/24 network to access the server.
• Block all HTTP requests from a particular client
sudo iptables -A INPUT -p tcp -s 192.168.3.70 --dport 80 -j REJECT
This command rejects all requests arriving at the HTTP port from the particular IP 192.168.3.70.
Rules configured in DNS server:
To allow DNS requests on the DNS server:
sudo iptables -A INPUT -p udp --sport 53 -j ACCEPT
This will allow DNS UDP requests with source port 53 to come into the server.
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
This will allow DNS UDP reply packets to go out of the server to destination port 53.
Rules configured in DHCP server:
To allow DHCP requests on the DHCP server:
sudo iptables -A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
This allows DHCP requests and responses on ports 67 and 68 of the DHCP server.
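The rules in the web server, DNS server and DHCP server sections above are appended one at a time to chains whose default policy is still ACCEPT, so anything not explicitly rejected gets through, and the order of the rules is left to the order in which the commands were typed. As an added example, not code from the original page, the POSIX shell script below expresses the same rules as iptables-restore files with a default-deny INPUT policy plus a rule for return traffic, and checks that the per-host REJECT for 192.168.3.70 precedes the network-wide HTTP ACCEPT, because iptables stops at the first matching rule. The addresses 192.168.3.0/24 and 192.168.3.70 come from the page; the SSH allow on port 22, the conntrack rule and the function names (webserver_rules, dns_dhcp_rules, first_match, check_order) are this example's own assumptions. For the DNS host the rules follow the protocol rather than the page's wording: queries reach a DNS server on destination port 53 and answers leave from source port 53, so the INPUT rule matches --dport 53; DHCP clients send from source port 68 to destination port 67.

```shell
#!/bin/sh
# Added example, not part of the original page. Builds the firewall rules of
# the web server and of the DNS/DHCP host as iptables-restore files with a
# default-deny INPUT policy, and checks rule ordering before anything is
# loaded. Addresses taken from the page: 192.168.3.0/24 (site network) and
# 192.168.3.70 (client denied HTTP). Assumed additions: SSH on port 22 and
# the conntrack rule for return traffic.

SITE_NET="192.168.3.0/24"
BLOCKED_HOST="192.168.3.70"

# webserver_rules: ruleset for the web server host. iptables stops at the
# first matching rule, so the per-host REJECT must come before the
# network-wide ACCEPT for port 80 or it never matches.
webserver_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j REJECT
-A INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -s $BLOCKED_HOST --dport 80 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -s $SITE_NET --dport 80 -j ACCEPT
-A INPUT -p tcp -s $SITE_NET --dport 22 -j ACCEPT
COMMIT
EOF
}

# dns_dhcp_rules: ruleset for the host running the DNS and DHCP servers.
# Queries reach a DNS server on destination port 53 (UDP and TCP); DHCP
# clients send from source port 68 to destination port 67.
dns_dhcp_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -s $SITE_NET --dport 53 -j ACCEPT
-A INPUT -p tcp -s $SITE_NET --dport 53 -j ACCEPT
-A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
COMMIT
EOF
}

# first_match <pattern>: line number of the first stdin line matching pattern
first_match() {
    grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# check_order: succeed only if the REJECT for BLOCKED_HOST comes before the
# ACCEPT of port 80 for SITE_NET in webserver_rules
check_order() {
    rules=$(webserver_rules)
    deny=$(printf '%s\n' "$rules" | first_match "$BLOCKED_HOST")
    allow=$(printf '%s\n' "$rules" | first_match "$SITE_NET --dport 80")
    [ -n "$deny" ] && [ -n "$allow" ] && [ "$deny" -lt "$allow" ]
}

# Demo: print the web server ruleset and run the ordering check.
webserver_rules
if check_order; then
    echo "ordering OK: per-host REJECT precedes the network-wide HTTP ACCEPT"
else
    echo "ordering WRONG: the REJECT for $BLOCKED_HOST would never match" >&2
fi
```

Write the output to a file, check it with iptables-restore --test where the installed version supports that flag, then load it with sudo iptables-restore < file and persist it with the iptables-save scripts shown later on the page. The ICMP rule is narrowed to echo requests so that ICMP error messages such as destination-unreachable still reach the host. Since ufw installs its own chains, mixing ufw allow with hand-written iptables rules makes the output of iptables -L hard to audit; choose one tool per host.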
Rules that can be configured in a particular client:
ufw rules are designed to ease firewall configuration.
To block access to the web server using ufw:
sudo ufw reject out http
Saving the configuration of IP tables:
sudo su
iptables-save > /etc/iptables.rules
sudo nano /etc/network/if-pre-up.d/iptables
In this file write:
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
sudo nano /etc/network/if-post-down.d/iptables
In this file write:
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.rules ]; then
iptables-restore < /etc/iptables.rules
fi
exit 0
Make the scripts executable:
sudo chmod +x /etc/network/if-post-down.d/iptables
sudo chmod +x /etc/network/if-pre-up.d/iptables
Testing:
To list all the rules configured in the firewall:
sudo iptables -L
This shows all rules configured in the INPUT, OUTPUT and FORWARD chains of iptables, along with the rules added by ufw.
To flush (remove) the rules in iptables:
sudo iptables -F
To check the status of ufw:
sudo ufw status
If this command reports that the status is inactive, enable the firewall using the following command:
sudo ufw enable
Similarly, it can be disabled using:
sudo ufw disable
After configuring the firewall rules, make sure to restart the web server.
Before configuring the firewall, clients in the network are able to ping, telnet and access the web page on the web server.
After configuring the firewall, no client is able to ping or telnet the web server, and the client with IP address 192.168.3.70 is not able to access the web page.