Dfects
just joined
Topic Author
Posts: 15
Joined: Wed Feb 20, 2013 1:27 am

Securing home web server

Tue May 21, 2013 7:44 pm

Hiya guys,

I'm hoping someone might be kind enough to help me. I'm running my MikroTik router at home in a simple SOHO setup. It's currently running with LAN IP 192.168.1.1/24, DHCP range 192.168.1.50-192.168.1.254, with some static leases before 50. Ports 2-5 are bridged with Wi-Fi; ether1 is connected to my ISP's modem.

What I'd like to do now is run my Raspberry Pi as a small web server for my personal site, but I'm a little lost on how to best configure it so it's secure and preferably isolated. I've tried setting up a DMZ on ether5 as per http://wiki.mikrotik.com/wiki/How_to_co ... ome_router but I must be doing something wrong, as even with a static IP, machines connected to ether5 can't resolve anything.

I assume it should be pretty simple to set up, could someone provide me some simple instructions or guidance?

Thanks,

Ste
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Securing home web server

Tue May 21, 2013 8:08 pm

If you want a DMZ then you would make Ether 5 independent (i.e. not bridged or slaved to other ports), give it an IP address on a new subnet, possibly a DHCP server (or static config on server) and establish basic IP connectivity router <> server on that subnet. Then address the existing rules as regards which traffic is allowed to flow where (forwarding chain of IP Firewall) and finally DST NAT your chosen inbound port from ISP to the server's private address.

I know - a lot to take in. If you start down that path you can post your config to get more specific feedback.
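The steps outlined above, written out as RouterOS CLI commands. This is an added example, not configuration from the thread. It assumes the default-configuration interface names that appear later in the thread (ether5 as the DMZ port, bridge-local as the LAN bridge, ether1-gateway as the ISP-facing port), the 10.2.15.0/24 subnet for the DMZ, and a placeholder MAC address for the server. Filter rules for the input and forward chains are a separate step and are not included here.

```routeros
# Added example: carve ether5 out of the LAN and give it its own subnet.
# Interface names follow the RouterOS default configuration; the server MAC is a placeholder.

# 1. Make ether5 independent. On routers of this era it is either a slave of
#    ether2 (master-port) or a bridge port; undo whichever applies.
/interface ethernet set ether5 master-port=none
/interface bridge port remove [find interface=ether5]

# 2. Address the router on the new DMZ subnet.
/ip address add address=10.2.15.1/24 interface=ether5 comment="DMZ"

# 3. DHCP for the DMZ, with a static lease so the server address never moves.
#    dns-server points at the router, so the router must allow remote DNS requests
#    and the input chain must accept UDP/TCP 53 from ether5.
/ip dns set allow-remote-requests=yes
/ip pool add name=dmz-pool ranges=10.2.15.50-10.2.15.254
/ip dhcp-server add name=dmz interface=ether5 address-pool=dmz-pool disabled=no
/ip dhcp-server network add address=10.2.15.0/24 gateway=10.2.15.1 dns-server=10.2.15.1
/ip dhcp-server lease add address=10.2.15.10 mac-address=00:11:22:33:44:55 server=dmz \
    comment="web server (placeholder MAC)"

# 4. Forward HTTP/HTTPS arriving on the ISP interface to the server.
#    Matching on in-interface instead of dst-address survives a change of public IP.
/ip firewall nat add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=10.2.15.10 comment="DMZ web server"
```

Check connectivity from the router before touching the filter: `/ping 10.2.15.10` and `/ip dhcp-server lease print` should show the server bound to its static lease. Until the forward chain has a rule dropping new connections from ether5 to the LAN, a host in this "DMZ" can still reach 192.168.1.0/24, so the segment is not isolated yet.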
 
Dfects
just joined
Topic Author
Posts: 15
Joined: Wed Feb 20, 2013 1:27 am

Re: Securing home web server

Wed May 22, 2013 12:40 am

Right I think I've got somewhere.

ether5 is no longer a slave; it's on its own. It has an address of 10.2.15.1:
[admin@router] > ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; default configuration
     192.168.1.1/24     192.168.1.0     wlan1                                    
 1 D 77.**.**.**/24     77.**.**.0      ether1-gateway                           
 2   10.2.15.1/24       10.2.15.0       ether5 
DHCP setup for 10.2.15.0/24 network
[admin@router] > ip dhcp-server network print 
 # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN     
 0 10.2.15.0/24       10.2.15.1      
 1 192.168.1.0/24     192.168.1.1    
 2 ;;; default configuration
   192.168.88.0/24    192.168.88.1    192.168.88.1 
The server now gets a static lease for 10.2.15.10 and it has connectivity. I've set up the following nat:
[admin@router] > ip firewall nat print       
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 
     out-interface=ether1-gateway 

 1   chain=srcnat action=src-nat to-addresses=77.**.**.** 
     out-interface=ether1-gateway 

 2   chain=dstnat action=dst-nat to-addresses=10.2.15.10 protocol=tcp 
     dst-address=77.**.**.** dst-port=80,443

I now have two problems. The first is that the NAT rule is using my external IP, which could change at some point. Is it possible to set up a NAT rule to allow access without specifying the IP directly?

Secondly, I can't seem to fully shut off access from the server to my network. Ping is now disabled, and the Samba share seems to be stopped, but I can still access a mongoose web server on port 8080 inside the 192.168 subnet. I have a drop-all from ether5 on the input chain; surely that should stop it?

Rules below:
[admin@router] > ip firewall filter print     
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=input action=drop in-interface=ether5 

 1   ;;; #DMZ1 - DROP INVALID INPUT
     chain=input action=drop connection-state=invalid 

 2   ;;; DROP INVALID CONNECTIONS
     chain=forward action=drop connection-state=invalid 

 3   ;;; #DMZ6 - Drop ICMP from ether5
     chain=input action=drop in-interface=ether5 

 4   ;;; ALLOW ICMP
     chain=input action=accept protocol=icmp 

 5   ;;; ALLOW ESTABLISHED
     chain=input action=accept connection-state=established 

 6   ;;; ALLOW RELATED
     chain=input action=accept connection-state=related 

 7   ;;; allow established connections
     chain=forward action=accept connection-state=established 

 8   ;;; allow related connections
     chain=forward action=accept connection-state=related 

 9   ;;; #DMZ2 - ALLOW INSIDE CONNECTIONS
     chain=input action=accept in-interface=bridge-local 

10   ;;; UPNP 1900 UDP
     chain=input action=accept protocol=udp dst-address-list=239.255.255.250 
     dst-port=1900 

11   ;;; UPNP 2828 TCP
     chain=input action=accept protocol=tcp dst-port=2828 

12   ;;; allow TCP
     chain=forward action=accept protocol=tcp 

13   ;;; allow ping
     chain=forward action=accept protocol=icmp 

14   ;;; allow udp
     chain=forward action=accept protocol=udp 

15   ;;; #DMZ4 - Allow outgoing forward
     chain=forward action=accept in-interface=bridge-local 

16   ;;; #DMZ5 - Allow DMZ out
     chain=forward action=accept in-interface=ether5 
     out-interface=ether1-gateway 

17   ;;; #DMZ6 - Allow incoming to server
     chain=forward action=accept protocol=tcp dst-address=10.2.15.10 
     dst-port=80,433 

18   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway 

19   ;;; drop everything else
     chain=forward action=drop 

20   ;;; #DMZ3 - Drop any remaining input
     chain=input action=drop 

 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Securing home web server

Wed May 22, 2013 2:05 am

One possible way around the dynamic IP is to simply use the in-interface rather than the destination address on the DST NAT rule. That doesn't meet all security policies - up to you to judge risk.

As regards inter-network controls:

The input chain refers to traffic to the router.
The output chain refers to traffic from the router.
The forward chain refers to forwarded traffic between non-router sources/destinations.

So you should be checking your forward chain by the sounds of it.
 
Dfects
just joined
Topic Author
Posts: 15
Joined: Wed Feb 20, 2013 1:27 am

Re: Securing home web server

Wed May 22, 2013 10:04 pm

Thanks for the reply :)

Not sure why I didn't think of using the in interface of my outside connection, that does the trick!

I'm not sure on the chains though. Both machines are inside the network, neither are outside.

- The desktop machine running the mongoose server is on 192.168.1.12:8080, connection via wlan1 which is bridged to ether2.
- The raspberry pi is on ether5, not a slave of anything on 10.2.15.10. Same router.

I'm trying to get it so that the bridge for ether2/wlan can see 10.2.15.10, but not the other way around.

If I do:
chain=forward action=drop in-interface=ether5 
the Pi can no longer access the internet, which is definitely not what I want.

If I do this:
chain=input action=drop in-interface=ether5
It seems to work for most things, including ping and my Samba share on 192.168.1.12, but strangely I can still access the mongoose server on 192.168.1.12:8080.

What's the best way to stop the 10.2.15.0 subnet from accessing 192.168.1.0, but still allow traffic the other way (if possible)?
 
CelticComms
Forum Guru
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Securing home web server

Wed May 22, 2013 10:30 pm

Look at your forward chain:
12   ;;; allow TCP
     chain=forward action=accept protocol=tcp 


14   ;;; allow udp
     chain=forward action=accept protocol=udp 
These rules allow all forwarding of TCP (regardless of state) & UDP.
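As an added example (not from the posts), the two posted rules beside a forward chain in which the order enforces the intended policy: the LAN may open connections to the DMZ, the DMZ may reach only the internet and the router's DNS, and nothing else is forwarded. Interface names (bridge-local, ether5, ether1-gateway) and the server address 10.2.15.10 are taken from the posted config. Both chains are written out whole, so they replace the posted input and forward rules rather than being appended after them; comma-separated connection-state lists are RouterOS v6 syntax.

```routeros
# Added example: why rules 12 and 14 defeat the DMZ, and a forward chain that does not.
# The firewall is first-match: a packet from 10.2.15.10 to 192.168.1.12:8080 is TCP,
# so it is accepted by the rule below before any DMZ rule further down is consulted.
# The input chain never sees it, because it is not addressed to the router.
#
#   /ip firewall filter add chain=forward protocol=tcp action=accept comment="allow TCP"
#   /ip firewall filter add chain=forward protocol=udp action=accept comment="allow udp"
#
# Remove those two rules and express the policy per interface pair instead.

/ip firewall filter
# --- forward: traffic through the router, between hosts ---
add chain=forward action=accept connection-state=established,related comment="replies to allowed flows"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop in-interface=ether5 out-interface=bridge-local \
    comment="DMZ may not open connections into the LAN"
add chain=forward action=accept in-interface=ether5 out-interface=ether1-gateway \
    comment="DMZ out to the internet"
add chain=forward action=accept in-interface=bridge-local \
    comment="LAN to anywhere, including the DMZ; replies return via established"
add chain=forward action=accept in-interface=ether1-gateway protocol=tcp dst-address=10.2.15.10 \
    dst-port=80,443 comment="published web server (matches the post-NAT private address)"
add chain=forward action=drop comment="drop everything else"

# --- input: traffic to the router itself ---
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=bridge-local comment="LAN manages the router"
add chain=input action=accept in-interface=ether5 protocol=udp dst-port=53 comment="DMZ DNS"
add chain=input action=accept in-interface=ether5 protocol=tcp dst-port=53 comment="DMZ DNS"
add chain=input action=drop comment="everything else, including WAN and the rest of the DMZ"
```

To confirm the policy rather than assume it, run `/ip firewall filter print stats` while opening a connection from the Pi to 192.168.1.12:8080; the counter on the DMZ-to-LAN drop rule should increment and the connection should time out. Opening 10.2.15.10:80 from a LAN host should still work, with the new connection matched by the bridge-local accept and the replies by the established rule.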
 
Dfects
just joined
Topic Author
Posts: 15
Joined: Wed Feb 20, 2013 1:27 am

Re: Securing home web server

Thu May 23, 2013 1:34 pm

Wow, I didn't even notice those. I added those based on one of the basic setup guides a few months back. I've configured a lot of routers before, but only home-level ones and a fair few DD-WRT routers as bridges etc. I have to admit this MikroTik one is a little too advanced for my networking knowledge, but it's rock solid in a way other routers I've used haven't been.

Thanks again for your responses and patience; wish I could buy you a beer to say thanks ;) Think it's all running as I intended now. Will be firewalling the Pi itself too to make double sure.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Securing home web server

Thu May 23, 2013 3:35 pm

Glad it is making more sense now. Still trying to figure how to change the Karma points into beer.... ;)
 
el berto
Member Candidate
Posts: 223
Joined: Wed Sep 26, 2007 10:53 am

Re: Securing home web server

Fri Jun 07, 2013 12:37 pm

As regards inter-network controls:

The input chain refers to traffic to the router.
The output chain refers to traffic from the router.
The forward chain refers to forwarded traffic between non-router sources/destinations.
I have a doubt: with NAT rules, should I use the "input" chain or "forward"?
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Securing home web server

Fri Jun 07, 2013 12:45 pm


I have a doubt: using NAT rules should I use "input" chain or "forward"?
The NAT rules themselves use the dst nat or src nat chains.
 
el berto
Member Candidate
Posts: 223
Joined: Wed Sep 26, 2007 10:53 am

Re: Securing home web server

Fri Jun 07, 2013 1:06 pm

I meant about firewall.
Let's suppose my public IP would be 2.2.2.2 on ether1, and I have the 192.168.1.0/24 network on ether2.
I would set up NAT to allow telnet to 192.168.1.2, so:

2.2.2.2:555 -> NAT -> 192.168.1.2:23

I want to do this only from public IP address 2.2.2.1, so in my firewall rules, should I work on the input chain or forward?
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Securing home web server

Fri Jun 07, 2013 2:29 pm

I meant about firewall.
Let's suppose my public IP would be 2.2.2.2 on ether1, and I have the 192.168.1.0/24 network on ether2.
I would set up NAT to allow telnet to 192.168.1.2, so:

2.2.2.2:555 -> NAT -> 192.168.1.2:23

I want to do this only from public IP address 2.2.2.1, so in my firewall rules, should I work on the input chain or forward?
Forward chain - and you use the 192.168.1.2 address as the destination because DST NAT occurs before the forward chain.
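As an added example for the 2.2.2.2:555 -> 192.168.1.2:23 case above (not from the thread), the NAT rule and the forward-chain rule that go with it, using the addresses from the question and assuming ether1 is the public interface. The comma-separated connection-state list is RouterOS v6 syntax.

```routeros
# Added example: publish 192.168.1.2:23 as 2.2.2.2:555, reachable from 2.2.2.1 only.
# Addresses are from the question; ether1 is assumed to be the public interface.

/ip firewall nat
# Translate first. Restricting the source on the NAT rule means packets from anyone
# else are never rewritten: they stay addressed to the router itself (2.2.2.2:555)
# and fall under the input chain, where they should already be dropped.
add chain=dstnat in-interface=ether1 src-address=2.2.2.1 protocol=tcp dst-port=555 \
    action=dst-nat to-addresses=192.168.1.2 to-ports=23 comment="telnet to 192.168.1.2, from 2.2.2.1 only"

/ip firewall filter
# Filter second. dst-nat has already rewritten the packet by the time the forward chain
# runs, so the rule must match the private address and the real port, not 2.2.2.2:555.
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=ether1 src-address=2.2.2.1 protocol=tcp \
    dst-address=192.168.1.2 dst-port=23 comment="permitted management source"
add chain=forward action=drop in-interface=ether1 connection-state=new comment="no other inbound"
```

Stating the source restriction in both places is deliberate: the NAT rule limits what gets translated at all, and the filter rule is where the policy is visible and counted (`/ip firewall filter print stats`). The same pattern applies unchanged to any published service; for remote management specifically, telnet carries credentials in cleartext, so SSH on the same forward would be the usual choice.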
