Data Networking/Fall 2014/Shalini/WEBSERVER & FIREWALL

WEB SERVER
A server stores data and retrieves it when required. The web server of an organization hosts the pages and information of that organization, which are accessible through the internet. When a client requests the hostname/IP address of that organization, the web server fetches the data and replies to the client with an HTML page. Every web server has an IP address and possibly a domain name. Since requests may occur at any time, the server is an always-on machine with which the client may communicate at any time.

Behaviour of the Protocol:
The web content is accessed by the client using the HTTP (HyperText Transfer Protocol) or HTTPS protocol. HTTP is a client-server application layer protocol implemented at port 80 of the web server, using the services of reliable TCP. The client initiates a TCP connection with the web server through a three-way handshake before requesting the web page. Once the connection is established, the client requests a particular web page on the server, given the path of the page. The server then looks up the specified path, fetches the HTML page and replies over TCP. The client may establish a persistent or a non-persistent connection with the server.

Configuration of WEBSERVER:
The web server can be configured using various software:
 * Apache2 HTTP server
 * NGINX
 * Windows web server

For a workstation to act as a web server, it has to meet some specifications, and the software should be feasible and open source. Linux is one such open source platform and is efficient for hosting the web server. As Windows web servers do not run on a Linux machine, they are not configured to serve the web pages. Apache provides more compatibility with many add-on modules, speed and flexibility in a small network as compared to Nginx. Hence, we have decided to configure and implement the Apache2 server for the network.

Signaling:
After getting the DNS reply, the client initiates a TCP connection with the web server IP address provided. This connection involves a three-way handshake mechanism. The client first sends a SYN message on behalf of the browser, requesting TCP connection establishment at port 80. The web server responds with a SYN-ACK message, acknowledging the TCP request and requesting to open a port for the server to send data. The client responds with an ACK message accepting the request and also sends the request for the basic HTML page.

Steps to configure the webserver in Ubuntu Linux terminal:
IP addressing: The web server is in the private network, in which a DHCP server assigns temporary IP addresses. But the server needs a single permanent IP address for the clients to access. The server can be assigned a static IP address by going to network settings/edit connections/select the network/IPv4 settings/method: manual and saving the settings. However, we have configured the DHCP server to assign a permanent address to the server, given the MAC address of the server, and hence there is no need to assign a static IP address.

To configure and implement an Apache web server, the Apache server software has to be installed. Before installing the software, the package information available to the host Linux machine has to be updated. To update the package lists:

sudo apt-get update

To install the Apache web server on the host machine:

sudo apt-get install apache2

When the web server is installed, a default html page is created in the local host which can be accessed by other hosts in the network.

To configure the web pages of the organization, HTML pages are created and placed in the default fetch directory /var/www. The pages in this path are fetched by the server when an HTTP request is sent to the server.

sudo nano /var/www/html/index.html

To check the implementation, browse to localhost or the IP address of the host from the web browser of the server machine. The browser should be able to load the content of the configured web page of the server.

If the html pages which are to be accessed are located in /Directory path/, change the path from which the server fetches the contents.

sudo nano /etc/apache2/sites-enabled/000-default.conf

In this file, replace the default path from /var/www to /Directory path/, save the file. Once the configuration is done, the webserver has to be started.

sudo service apache2 start

If the server needs to be stopped:

sudo service apache2 stop

The web server has to be restarted whenever configuration changes are made.

sudo service apache2 restart

Testing:
 * Before configuring the web page, open the browser and type "localhost", "127.0.0.1" or the IP address of the web server in the address bar. Result: the default web page of the Apache server is displayed.
 * Create an HTML page for the organization, place it in the /var/www path and type "localhost" in the browser. Result: the configured web page of the organization is displayed.
 * If the HTML page is created in a different directory and "localhost" is entered in the browser. Result: the web page says "FORBIDDEN | cannot view the contents of the page".
 * If the HTML page is created in a different directory and the fetch path is specified in /etc/apache2/sites-enabled/000-default.conf. Result: the configured web page of the organization is displayed.

FIREWALL
A firewall provides security for a network (private network) against other networks or unintended clients. The function of the firewall is to block and filter packets passing into the network. The firewall can protect a network or even a particular server holding many databases or confidential information, which is protected from unauthorized clients inside or outside the network. By configuring commands in the terminal of any Linux machine (web server/DNS server/DHCP server), a set of rules is applied so that the machine drops certain packets and allows the rest.

Packages used:
IPTABLES and ufw packages are used to modify the set of rules to restrict/allow the packets.

Steps to configure Firewall:
IPTABLES is the set of rules configured from the terminal of a Linux machine. It has some built-in chains.

INPUT chain – For packets coming to the machine.

OUTPUT chain – For packets generated inside and going out of the machine.

FORWARD chain – For packets routed through the local host.

iptables is an application program that allows the firewall to be configured with accept and reject rules. These rules can be added once iptables is installed.

To install iptables and ufw (uncomplicated firewall):

sudo apt-get update

sudo apt-get install iptables

sudo apt-get install ufw

Telnet listens on the default port 23 of a host and lets the host log in to another host.

To enable telnet remote login between hosts in a network:

sudo apt-get install telnetd

SSH is a secure remote login between hosts, which listens on the default port 22.

To enable SSH login between hosts in a network:

sudo apt-get install openssh-server

Rules configured on Web server:
• The ICMP requests on the web server are blocked.

sudo iptables -A INPUT -p icmp -j REJECT

This command appends (-A) a rule to reject the ICMP packets coming into the server (INPUT chain).

• Telnet requests on the web server are blocked.

sudo iptables -A INPUT -p tcp --dport 23 -j REJECT

This command appends a rule to reject the telnet requests at destination port 23 coming into the server.

• Allow access only to particular IPs.

sudo ufw allow from 192.168.3.0/24

This command will allow only the hosts in the 192.168.3.0 network to access the server. The /24 prefix length is an assumption here; without a prefix length, ufw treats the address as a single host.

• Block all HTTP requests from a particular client.

sudo iptables -A INPUT -p tcp -s 192.168.3.70 --dport 80 -j REJECT

This command rejects all requests coming to the HTTP port from the particular IP 192.168.3.70.

Rules configured in DNS server:
To allow DNS requests in the DNS server:

sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT

This allows DNS UDP requests to come into the server at destination port 53, the port on which the DNS server listens.

sudo iptables -A OUTPUT -p udp --sport 53 -j ACCEPT

This allows the DNS UDP reply packets to go out of the server from source port 53.

Rules configured in DHCP server:

To allow DHCP requests in the DHCP server:

sudo iptables -A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT

This allows DHCP requests and responses at ports 67 and 68 of the DHCP server.

Rules that can be configured in a particular client:
UFW rules are developed to ease firewall configuration.

To block access to webserver using Ufw:

ufw reject out http

Saving the configuration of IP tables:

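sudo su

iptables-save > /etc/iptables.rules

Create a script that restores the rules before the network interface comes up:

sudo nano /etc/network/if-pre-up.d/iptables

Contents of the file:

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0

Create a script that saves the rules after the network interface goes down:

sudo nano /etc/network/if-post-down.d/iptables

Contents of the file:

#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.rules ]; then
iptables-restore < /etc/iptables.rules
fi
exit 0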

Give permission to the scripts:

sudo chmod +x /etc/network/if-post-down.d/iptables

sudo chmod +x /etc/network/if-pre-up.d/iptables

TESTING:
To list all the rules configured in the firewall:

sudo iptables -L

This will show all rules configured in the INPUT, OUTPUT and FORWARD chains of iptables, along with the rules in ufw.

To flush/remove the rules in iptables:

sudo iptables -F

To check the status of ufw:

sudo ufw status

If this command reports the status as inactive, enable the firewall using the following command:

sudo ufw enable

Similarly, it can be disabled using:

sudo ufw disable

After configuring the firewall rules, make sure to restart the web server.

Before configuring the firewall, clients in the network are able to ping, telnet and access the web page from the web server.

After configuring the firewall, no client is able to ping or telnet the web server. The client with IP address 192.168.3.70 is not able to access the web page.
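
The test outcomes above can also be checked from a rule listing. The following is an added example, not part of the original page: a shell function that reads `iptables -S INPUT` output and reports the verdict for a packet by walking the rules in order, with the first match deciding and the chain policy as fallback. Both rule listings are constructed samples, the 192.168.3.0/24 ACCEPT rule is an assumption, and only -s, -p and single-port --dport matches are interpreted (jumps into user-defined chains, such as those ufw creates, are not followed).

```shell
#!/bin/sh
# Added example, not from the original page. Constructed sample of
# `sudo iptables -S INPUT` output after the web-server rules are appended.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.3.70/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable'

# Constructed variant: an ACCEPT for the whole network (assumed /24) was
# appended before the per-client REJECT, so the REJECT is never reached.
SHADOWED_RULES='-P INPUT ACCEPT
-A INPUT -s 192.168.3.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.3.70/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable'

# verdict RULES SRC_IP PROTO [DPORT]
# Prints the target of the first matching INPUT rule, else the chain policy.
verdict() {
  printf '%s\n' "$1" | awk -v src="$2" -v proto="$3" -v dport="${4:-}" '
    function ip2int(a,  o) {
      split(a, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function in_net(ip, cidr,  p, len, div) {
      split(cidr, p, "/")
      len = (p[2] == "" ? 32 : p[2])
      div = 2 ^ (32 - len)
      return int(ip2int(ip) / div) == int(ip2int(p[1]) / div)
    }
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 == "-A" && $2 == "INPUT" {
      ok = 1; target = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-s" && !in_net(src, $(i + 1))) ok = 0
        if ($i == "-p" && $(i + 1) != proto) ok = 0
        if ($i == "--dport" && $(i + 1) != dport) ok = 0
        if ($i == "-j") target = $(i + 1)
      }
      if (ok && target != "") { print target; found = 1; exit }
    }
    END { if (!found) print policy }'
}

# The checks from the TESTING section, evaluated against the listings.
echo "ping from 192.168.3.71:      $(verdict "$SAMPLE_RULES" 192.168.3.71 icmp)"
echo "telnet from 192.168.3.71:    $(verdict "$SAMPLE_RULES" 192.168.3.71 tcp 23)"
echo "http from 192.168.3.70:      $(verdict "$SAMPLE_RULES" 192.168.3.70 tcp 80)"
echo "http from .70 when shadowed: $(verdict "$SHADOWED_RULES" 192.168.3.70 tcp 80)"
```

Because -A appends to the end of the chain, a REJECT for one client only takes effect if no earlier rule already accepts that client's traffic, which is what the second listing shows.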