Table of Contents
This tutorial is a follow up for the Install IPFire Linux Firewall tutorial. Once we have IPFire running, we want to access some services provided by servers behind the firewall. This tutorial will demonstrate how to access a web server running on an internal server.
This tutorial assumes you have access to a running IPFire firewall configured to protect an internal network containing at least one server providing http service on port 80. Here is an example network layout in the DCD.
The IPFire Server in this example has a RED / Public IP address of
220.127.116.11 which also can be accessed via the hostname:
ip162-254-27-246.pbiaas.com. The GREEN / Private IP address is
172.16.1.1. The TestInt Server is attached to the GREEN network and has an internal IP address of
172.16.1.10. The TestInt Server is currently running
varnish as a web accelerator on port 80 in front of the
nginx web server running on port 8080. You will want to substitute the appropriate ip addresses and ports for your network / server configuration.
Add New Firewall Rule
To begin, log into the IPFire web interface. Remember that this runs on port 444 by default. If you have OpenVPN configured according to OpenVPN on IPFire for Road Warriors then you can access your firewall over the GREEN network at
https://172.16.1.1:444. In any case, please login and then navigate to Firewall->Firewall Rules.
Clicking the New rule button will take you to a blank Firewall Rules screen.
- In the Source section, select the radio button for Standard networks: and make sure the drop down menu shows Any.
- In the NAT section, check the box for Use Network Address Translation (NAT)
- In the Destination section, enter the IP address of your internal server in the Destination address (IP address or network): form field. In this tutorial, the value to enter is
- In the Protocol section, choose TCP from the drop down menu, and enter 80 for Destination Port:
- Under Additional Settings, you may wish to add a Remark: to help you remind you or someone else why this rule was added.
Press the Add button in the lower right section of the screen to add the new rule. We are presented with the new rule for review.
Go ahead and press the Apply changes button. Now we have the new rule in place on the firewall.
At this point we should be able to test by trying to connect to the public ip address using a browser pointed to
http://18.104.22.168 or the hostname
We could also test from an external server using
curl like this:
$ curl -v http://ip162-254-27-246.pbiaas.com/ * About to connect() to ip162-254-27-246.pbiaas.com port 80 (#0) * Trying 22.214.171.124... connected * Connected to ip162-254-27-246.pbiaas.com (126.96.36.199) port 80 (#0) > GET / HTTP/1.1 > Host: ip162-254-27-246.pbiaas.com > Accept: */* > < HTTP/1.1 200 OK < Server: nginx/1.6.3 < Date: Mon, 25 Jan 2016 22:15:21 GMT < Last-Modified: Sun, 04 Oct 2015 07:53:44 GMT < ETag: "5610db08-e74" < Content-Type: text/html < Content-Length: 3700 < X-Varnish: 32775 27 < Age: 30 < Via: 1.1 varnish-v4 < Connection: keep-alive < Accept-Ranges: bytes
Everything looks good with the http headers returned. We can see that we are connecting to the public ip address on port 80 and are getting content back from our internal server running
If you are running into issues, double-check that a local firewall running on the internal web server is not blocking the service/port that you are trying to access. In this case, for a CentOS 7 server, we could run:
[eknauer@centos ~]$ sudo firewall-cmd --zone=public --list-services dhcpv6-client ssh [eknauer@centos ~]$ sudo firewall-cmd --zone=public --list-ports 443/tcp 80/tcp
Similar IPFire port forwarding firewall rules can be put in place for services running on other ports. You may also refer to the IPFire Wiki for additional information on port forwarding with IPFire.