Data Networking/Fall 2014/Shalini/WEBSERVER AND FIREWALL

WEB SERVER:
A server stores data and returns it on request. An organization's web server hosts that organization's pages and information, which are reachable over the Internet. When a client requests the organization's hostname or IP address, the web server looks up the requested resource and answers the client with an HTML page. Every web server has an IP address and usually a domain name. Because requests can arrive at any time, the server is an always-on machine that clients can contact at any time.

Behaviour of the Protocol:
The client accesses web content with HTTP (HyperText Transfer Protocol) or HTTPS (HTTP over TLS). HTTP is a client-server application-layer protocol that runs over reliable TCP; a web server listens on TCP port 80 for HTTP and on TCP port 443 for HTTPS. The client opens a TCP connection with a three-way handshake before it requests a page. Once the connection is established, the client sends a request naming the path of the page on the server; the server resolves that path under its document root, reads the HTML file and returns it over the same TCP connection. The connection may be persistent (several requests on one connection, the HTTP/1.1 default) or non-persistent (one request per connection, which the client signals with the Connection: close header).

Configuration of WEB SERVER:
The configuration of Web server can be done using various softwares:

1. Apache2 HTTP server

2. NGINX

3. Windows web server

For a workstation to act as a web server it has to meet some requirements, and the platform should be affordable and open source. Linux is one such open-source platform and is well suited to hosting a web server. Windows web server software does not run on a Linux machine, so it cannot be used to serve the pages here. Apache has the larger set of add-on modules, and in a small network its speed and flexibility are more than adequate compared with Nginx. Hence, we have decided to configure and implement the Apache2 server for the network.

Signaling:
After receiving the DNS reply, the client initiates a TCP connection to the web server IP address it was given. The connection is set up with a three-way handshake.

The client first sends a SYN segment to port 80 of the web server, carrying the client's initial sequence number.

The web server responds with a SYN-ACK segment that acknowledges the client's SYN and carries the server's own initial sequence number.

The client responds with an ACK segment, which completes the handshake, and then sends the HTTP request for the page (for example GET / HTTP/1.1) on the established connection.



Steps to configure the web server in Ubuntu Linux terminal:
IP addressing: The web server sits in the private network, where a DHCP server hands out temporary (leased) IP addresses. The server, however, needs a single permanent IP address so that clients can reach it. One option is to give the server a static IP address in the network settings (Edit Connections / select the network / IPv4 Settings / Method: Manual, then save). We have instead configured the DHCP server with a reservation that always assigns the same address to the server's MAC address, so no static addressing is needed on the server itself.

To configure and implement an Apache web server, the Apache server software has to be installed.

Before installing it, refresh the package index so that the current package versions supported by the host Linux machine are used.

To update the package index:

sudo apt-get update

To install the Apache web server on the host machine:

sudo apt-get install apache2

When the web server is installed, a default HTML page is placed in the document root of the local host and can be fetched by other hosts in the network.

To configure the web pages of the organization, create the HTML pages and place them in the default document root, which with Apache 2.4 as shipped by Ubuntu is /var/www/html. The server fetches pages from this path when an HTTP request arrives:

sudo nano /var/www/html/index.html

To test the web server, browse to localhost or the IP address of the host from a web browser on the server machine. The browser should load the content of the configured web page.

If the HTML pages to be served are located in a different directory, /Directory path/, change the path from which the server fetches content:

sudo nano /etc/apache2/sites-enabled/000-default.conf

In this file, replace the default DocumentRoot /var/www/html with /Directory path/ and save the file. Apache 2.4 only grants access to /var/www by default (the <Directory /var/www/> block in /etc/apache2/apache2.conf); a directory outside it also needs its own <Directory /Directory path/> block containing Require all granted, otherwise the server answers 403 Forbidden. The directory and all of its parent directories must also be readable and traversable by the www-data user.

Once the configuration is done, the web server has to be started:

sudo service apache2 start

If the server needs to be stopped:

sudo service apache2 stop

The web server has to be restarted (or reloaded) whenever configuration changes are made:

sudo service apache2 restart
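The procedure above, carried through as an added example (this script is not part of the original page): it generates a complete 000-default.conf for a document root outside /var/www, including the <Directory> block with Require all granted that Apache 2.4 needs, checks that a config has both settings, and stages a placeholder index.html with permissions the www-data user can read. The document root path, the placeholder page and the helper names are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not part of the original page: build and check an Apache 2.4
# virtual host that serves pages from a directory outside /var/www.
# The document root and the helper names are assumptions for illustration.

# Print a complete sites-enabled/000-default.conf for the given document root.
make_vhost() {
  local docroot=$1
  cat <<EOF
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot $docroot
    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined

    # Apache 2.4 grants access only to /var/www in apache2.conf. Without this
    # block every request for $docroot is answered with 403 Forbidden.
    <Directory $docroot>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Return 0 only if the config text names DOCROOT as DocumentRoot AND carries a
# <Directory DOCROOT> block with "Require all granted": the two settings that
# together turn the 403 seen in the testing section into a served page.
check_vhost() {
  local conf=$1 docroot=$2
  printf '%s\n' "$conf" | grep -q "^[[:space:]]*DocumentRoot $docroot\$" || {
    echo "missing: DocumentRoot $docroot" >&2; return 1; }
  printf '%s\n' "$conf" | awk -v d="$docroot" '
    $1 == "<Directory" && $2 == (d ">") { inblock = 1 }
    inblock && /Require all granted/      { found = 1 }
    $1 == "</Directory>"                  { inblock = 0 }
    END { exit (found ? 0 : 1) }' || {
    echo "missing: Require all granted for $docroot" >&2; return 1; }
}

# Create DOCROOT with a placeholder index.html (constructed content) and
# permissions the www-data user can read; every parent directory must also be
# traversable (x bit) by www-data on a real deployment.
stage_site() {
  local docroot=$1
  mkdir -p "$docroot"
  printf '<html><body><h1>Organization home page</h1></body></html>\n' \
    > "$docroot/index.html"
  chmod 755 "$docroot"
  chmod 644 "$docroot/index.html"
}

# Install the vhost for real: only when run as root on a host with Apache.
# The config is syntax-checked before the server is reloaded.
install_vhost() {
  local docroot=$1 target=/etc/apache2/sites-available/000-default.conf
  if [ "$(id -u)" -ne 0 ] || ! command -v apache2ctl >/dev/null 2>&1; then
    echo "install_vhost: need root and apache2; printing config instead" >&2
    make_vhost "$docroot"
    return 0
  fi
  make_vhost "$docroot" > "$target"
  apache2ctl configtest && service apache2 reload
}

# Stand-alone demo on a scratch directory (nothing is installed).
demo_root=$(mktemp -d)/org
stage_site "$demo_root"
demo_conf=$(make_vhost "$demo_root")
check_vhost "$demo_conf" "$demo_root" && echo "config for $demo_root is complete"
```

On a real server, run install_vhost /Directory path/ as root; apache2ctl configtest refuses a broken file before the running server is touched, which is the check a practitioner wants before a reload.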



Testing:
•	Before configuring the web page, open the browser and type localhost, 127.0.0.1 or the IP address of the web server in the address bar. The default web page of the Apache server is displayed.

•	Create an HTML page for the organization, place it in the /var/www/html path and type localhost in the browser.

The configured web page of the organization is displayed.

•	If the HTML page is created in a different directory that Apache has not been granted access to, and localhost is entered in the browser,

the web page says "Forbidden" (Apache's 403 response: no <Directory> block grants access to the new path).

•	If the HTML page is created in a different directory and the fetch path is specified as DocumentRoot, together with a <Directory> block containing Require all granted, in /etc/apache2/sites-enabled/000-default.conf,

the configured web page of the organization is displayed.

FIREWALL
A firewall protects a network (typically a private network) from other networks and from unintended clients. Its function is to filter the packets entering the network and to block those that violate policy. A firewall can protect a whole network or a single server, for example one holding databases or confidential information, against unauthorized clients inside or outside the network.

By entering commands on any Linux machine (web server, DNS server or DHCP server), a set of rules is applied so that the machine drops or rejects certain packets and allows the rest.

Packages used:
The iptables and ufw packages are used to add and modify the set of rules that restrict or allow packets.

Steps to configure Firewall:
iptables is the user-space tool that configures the Linux kernel's netfilter packet filter from the terminal. Rules are organized in chains, and the filter table has three built-in chains:

INPUT chain – for packets addressed to the machine itself.

OUTPUT chain – for packets generated on the machine and leaving it.

FORWARD chain – for packets routed through the machine to another host.

A chain is checked from top to bottom and the first matching rule decides the packet's fate: ACCEPT, DROP (discard silently) or REJECT (discard and send an error back to the sender). If no rule matches, the chain's default policy applies. Rules can be added once iptables is installed.

To install iptables and ufw (Uncomplicated Firewall):

sudo apt-get update
sudo apt-get install iptables
sudo apt-get install ufw

Telnet listens on the default port 23 of a host and lets one host log in to another. It sends everything, including passwords, in clear text, so it is enabled here only so that the blocking rule below can be demonstrated. To enable telnet remote login between hosts in the network:

sudo apt-get install telnetd

SSH is an encrypted remote login between hosts and listens on default port 22. To enable SSH login between hosts in the network:

sudo apt-get install openssh-server

Rules configured on Web server:
•	ICMP requests to the web server are blocked:

sudo iptables -A INPUT -p icmp -j REJECT

This command appends (-A) a rule to the INPUT chain that rejects ICMP packets coming into the server. Note that it also rejects the ICMP error messages that TCP relies on (for example "fragmentation needed"); a narrower rule would match only ping with --icmp-type echo-request.

•	Telnet requests to the web server are blocked:

sudo iptables -A INPUT -p tcp --dport 23 -j REJECT

This command appends a rule that rejects telnet requests arriving at destination port 23 of the server.

•	Allow access only from a particular network:

sudo ufw allow from 192.168.3.0/24

This rule allows the hosts in the 192.168.3.0/24 network to reach the server. Without the /24 prefix length ufw matches only the single address 192.168.3.0. The rule restricts access to that network only because ufw's default incoming policy is deny (sudo ufw default deny incoming), so everything not explicitly allowed is blocked.

•	Block all HTTP requests from a particular client:

sudo iptables -A INPUT -p tcp -s 192.168.3.70 --dport 80 -j REJECT

This command rejects all requests to the HTTP port from the IP address 192.168.3.70 (REJECT answers with an ICMP port-unreachable message by default; -j DROP would discard them silently). Because a chain is evaluated in order, this rule must come before any rule that accepts port 80 for everyone, or it is never reached.

Rules configured in DNS server:
To allow DNS requests into the DNS server:

sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT

This allows DNS requests over UDP to reach the server at its destination port 53 (the client's source port is ephemeral, so a rule matching --sport 53 would not catch requests).

sudo iptables -A OUTPUT -p udp --sport 53 -j ACCEPT

This allows the DNS replies, which the server sends from source port 53, to leave the server. Large responses and zone transfers use TCP port 53, so the same two rules are needed with -p tcp as well.

Rules configured in DHCP server:
To allow DHCP requests into the DHCP server:

sudo iptables -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT

Clients send DHCP requests from port 68 to the server's port 67, and the server replies from port 67 to the client's port 68; these rules accept both directions. The target must be ACCEPT: a REJECT rule on these ports would block DHCP entirely.

Rules that can be configured on a particular client:

ufw rules are a simpler front end to iptables, developed to ease firewall configuration.

To block the client's own access to the web server using ufw (outgoing HTTP from the client is rejected):

sudo ufw reject out http
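The rule sets above depend on two things the commands do not make visible: a chain is searched top to bottom and the first match wins, and "allow" rules only restrict anything when the chain's default policy is DROP (the page's commands leave it at ACCEPT). The following script is an added example, not part of the original page: a small model of that first-match walk over the web server's rules, a deliberately mis-ordered copy in which the block of 192.168.3.70 is never reached, and a generator that prints the same rules in the iptables-restore format that the saving procedure below loads. The addresses 192.168.3.70 and the port numbers come from the page; the rule-table layout, the DROP default and the function names are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not part of the original page: a minimal model of how iptables
# walks a chain (first matching rule wins, otherwise the chain policy applies),
# plus a generator for the iptables-restore file format used when saving rules.
# The addresses come from the page; the rule-table format, the DROP default
# and the function names are assumptions for illustration.

DEFAULT_POLICY=DROP   # "allow" rules are only meaningful with a deny default

# One rule per line: CHAIN PROTO SRC DPORT TARGET ("any" is a wildcard).
# The host-specific REJECT is listed before the general ACCEPT for port 80.
WEBSERVER_RULES='
INPUT icmp any            any REJECT
INPUT tcp  any            23  REJECT
INPUT tcp  192.168.3.70   80  REJECT
INPUT tcp  any            80  ACCEPT
INPUT tcp  any            22  ACCEPT
'

# Same idea with the ACCEPT for port 80 placed first: the block of
# 192.168.3.70 is shadowed and never reached.
MISORDERED_RULES='
INPUT tcp  any            80  ACCEPT
INPUT tcp  192.168.3.70   80  REJECT
'

# verdict RULESET CHAIN PROTO SRC DPORT -> prints ACCEPT / REJECT / DROP
verdict() {
  local rules=$1 chain=$2 proto=$3 src=$4 dport=$5
  printf '%s\n' "$rules" | {
    while read -r c p s d t; do
      [ -n "$c" ] && [ "${c#\#}" = "$c" ] || continue   # skip blanks/comments
      [ "$c" = "$chain" ] || continue
      [ "$p" = any ] || [ "$p" = "$proto" ] || continue
      [ "$s" = any ] || [ "$s" = "$src" ] || continue
      [ "$d" = any ] || [ "$d" = "$dport" ] || continue
      printf '%s\n' "$t"          # first match decides; later rules are ignored
      exit 0
    done
    printf '%s\n' "$DEFAULT_POLICY"   # no match: the chain's built-in policy
  }
}

# emit_restore RULESET -> the filter table in iptables-restore(8) syntax,
# ready for "iptables-restore < file" from the if-pre-up.d script.
emit_restore() {
  local rules=$1
  printf '*filter\n:INPUT %s [0:0]\n:FORWARD %s [0:0]\n:OUTPUT ACCEPT [0:0]\n' \
    "$DEFAULT_POLICY" "$DEFAULT_POLICY"
  # With a DROP default the server still needs replies to connections it
  # opened itself (apt-get, its own DNS lookups) and loopback traffic.
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' "$rules" | while read -r c p s d t; do
    [ -n "$c" ] && [ "${c#\#}" = "$c" ] || continue
    line="-A $c"
    [ "$p" = any ] || line="$line -p $p"
    [ "$s" = any ] || line="$line -s $s"
    [ "$d" = any ] || line="$line --dport $d"
    printf '%s -j %s\n' "$line" "$t"
  done
  printf 'COMMIT\n'
}

# Stand-alone demo
echo "192.168.3.70 -> :80  $(verdict "$WEBSERVER_RULES" INPUT tcp 192.168.3.70 80)"
echo "192.168.3.10 -> :80  $(verdict "$WEBSERVER_RULES" INPUT tcp 192.168.3.10 80)"
echo "192.168.3.10 -> :23  $(verdict "$WEBSERVER_RULES" INPUT tcp 192.168.3.10 23)"
echo "192.168.3.70 -> :80 (misordered)  $(verdict "$MISORDERED_RULES" INPUT tcp 192.168.3.70 80)"
emit_restore "$WEBSERVER_RULES"
```

The same check can be made against a live ruleset with sudo iptables -L INPUT -n -v --line-numbers: the line numbers show the evaluation order, and the packet counters show which rule a test ping or HTTP request actually hit.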

Saving the configuration of iptables:
iptables rules are held in kernel memory and are lost at reboot, so they are saved to a file and restored when the network interface comes up:

sudo su
iptables-save > /etc/iptables.rules
sudo nano /etc/network/if-pre-up.d/iptables

In this file write:

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0

sudo nano /etc/network/if-post-down.d/iptables

In this file write:

#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.rules ]; then
    iptables-restore < /etc/iptables.rules
fi
exit 0

The post-down script saves the current rules together with their packet counters (-c), so that changes made at run time survive; the pre-up script loads them before the interface carries traffic. (The iptables-persistent package automates the same save and restore.)

Give execute permission to the scripts:

sudo chmod +x /etc/network/if-post-down.d/iptables
sudo chmod +x /etc/network/if-pre-up.d/iptables

Testing:
To list all the rules configured in the firewall:

sudo iptables -L -n -v

This shows all rules configured in the INPUT, OUTPUT and FORWARD chains of iptables, including the chains that ufw creates (-n prints addresses and ports numerically; -v shows packet counters, so a rule can be seen to match traffic).

To flush/remove all rules in iptables:

sudo iptables -F

To check the status of ufw:

sudo ufw status

If this reports "Status: inactive", enable the firewall with:

sudo ufw enable

Similarly, it can be disabled with:

sudo ufw disable

iptables and ufw rules take effect immediately; the web server does not need to be restarted after firewall changes.

Before the firewall is configured, clients in the network are able to ping and telnet the web server and to access its web page.

After the firewall is configured, no client is able to ping or telnet the web server, and the client with IP address 192.168.3.70 is not able to access the web page.