Configure Port Forwarding on IPFire to Access a Web Server

Introduction

This tutorial is a follow-up to the Install IPFire Linux Firewall tutorial. Once IPFire is running, we usually want to reach some services provided by servers behind the firewall. This tutorial demonstrates how to expose a web server on an internal host by forwarding TCP port 80 on the firewall's public (RED) address to that host.

Requirements

This tutorial assumes you have access to a running IPFire firewall configured to protect an internal network containing at least one server providing HTTP service on port 80. Here is an example network layout in the DCD.

IPFire Port Forward DCD Layout

The IPFire server in this example has a RED / public IP address of 162.254.27.246, which can also be reached via the hostname ip162-254-27-246.pbiaas.com. Its GREEN / private IP address is 172.16.1.1. The TestInt server is attached to the GREEN network and has the internal IP address 172.16.1.10. TestInt is currently running varnish as a web accelerator on port 80, in front of an nginx web server listening on port 8080. Only port 80 needs to be forwarded; nginx on 8080 is reached by varnish locally and should stay unreachable from the outside. Substitute the IP addresses and ports appropriate to your own network and server configuration.

Add New Firewall Rule

To begin, log in to the IPFire web interface. Remember that it listens on port 444 by default. If you have OpenVPN configured according to OpenVPN on IPFire for Road Warriors, you can reach the firewall over the GREEN network at https://172.16.1.1:444. In any case, log in and navigate to Firewall->Firewall Rules.

IPFire Port Forward New Rule

Clicking the New rule button opens a blank firewall rule form.

IPFire Port Forward Empty Rule

  • In the Source section, select the radio button for Standard networks: and make sure the drop-down menu shows Any. Note that Any means every host on the Internet can reach the forwarded port; if only a known set of clients needs access, pick a narrower source instead.
  • In the NAT section, check the box for Use Network Address Translation (NAT). This makes the rule a destination NAT (port forward): connections arriving on the RED address are rewritten to the internal server.
  • In the Destination section, enter the IP address of your internal server in the Destination address (IP address or network): field. In this tutorial, the value to enter is 172.16.1.10.
  • In the Protocol section, choose TCP from the drop-down menu and enter 80 for Destination Port:. Only this one port is forwarded; nothing else on the server becomes reachable.
  • Under Additional Settings, you may wish to add a Remark: to remind you, or someone else, why this rule was added.

IPFire Port Forward New Rule Complete

Press the Add button at the lower right of the screen to add the new rule. The new rule is then shown for review.

IPFire Port Forward New Rule Before Apply

Go ahead and press the Apply changes button. A rule is only saved, not loaded into the running firewall, until Apply changes has been pressed. Now the new rule is in place on the firewall.

IPFire Port Forward New Rule Applied

Test

At this point we should be able to test by connecting to the public IP address with a browser pointed at http://162.254.27.246 or at the hostname http://ip162-254-27-246.pbiaas.com. The test has to come from outside the RED network; from the GREEN side the packets never hit the forwarding rule.

IPFire Port Forward Browser Test

We could also test from an external server using curl, which shows the response headers as well:

$ curl -v http://ip162-254-27-246.pbiaas.com/
* About to connect() to ip162-254-27-246.pbiaas.com port 80 (#0)
*   Trying 162.254.27.246... connected
* Connected to ip162-254-27-246.pbiaas.com (162.254.27.246) port 80 (#0)
> GET / HTTP/1.1
> Host: ip162-254-27-246.pbiaas.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.6.3
< Date: Mon, 25 Jan 2016 22:15:21 GMT
< Last-Modified: Sun, 04 Oct 2015 07:53:44 GMT
< ETag: "5610db08-e74"
< Content-Type: text/html
< Content-Length: 3700
< X-Varnish: 32775 27
< Age: 30
< Via: 1.1 varnish-v4
< Connection: keep-alive
< Accept-Ranges: bytes

Everything looks good in the HTTP headers returned. We connected to the public IP address on port 80 and got content back from the internal server: the X-Varnish and Via: 1.1 varnish-v4 headers show the reply passed through varnish, and the Server header shows nginx behind it. Two things worth noting in that output: the Server header advertises the exact nginx version, which you can suppress with server_tokens off in the nginx configuration, and because this is a destination NAT, the internal server sees the real client address in its logs rather than the firewall's.
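The following script is an added example for verifying the rule created above and the external test just described; it is not part of the original tutorial. It checks two things the browser test alone does not: on the firewall itself, that a DNAT rule for tcp/80 to 172.16.1.10 is actually loaded (the `iptables -t nat -S` invocation and SSH access to IPFire are assumptions), and from an outside host, that port 80 answers 200 through varnish while the nginx backend port 8080 is not reachable, which confirms the forward is scoped to the one port the rule names. The `--live` flag and the curl timeout are assumptions; the parsing functions run without network access on the captured output shown above.

```shell
#!/bin/sh
# Added example, not from the original tutorial: verify the new port forward
# from both sides.  The addresses and ports come from the tutorial's layout;
# the --live flag, the curl timeout and the iptables invocation are assumptions.
set -eu

PUBLIC_HOST="ip162-254-27-246.pbiaas.com"   # RED / public side of IPFire
INTERNAL_IP="172.16.1.10"                    # TestInt on GREEN
FORWARDED_PORT=80                            # the only port the rule forwards
BACKEND_PORT=8080                            # nginx behind varnish; must stay unreachable from RED

# dnat_rule_present RULES DEST PORT
#   RULES is the text of `iptables -t nat -S`, as run on IPFire itself.
#   Returns 0 when a DNAT rule sends tcp/PORT to DEST.  It matches on the
#   target and destination only, so it does not depend on the chain names
#   IPFire's rule generator happens to use.
dnat_rule_present() {
    dest=$(printf '%s' "$2" | sed 's/\./\\./g')     # escape dots for the regex
    printf '%s\n' "$1" \
        | grep -Eq -e "-p tcp .*--dport $3 .*-j DNAT --to-destination $dest(:$3)?( |\$)"
}

# headers_ok HEADERS
#   HEADERS is the response-header block curl printed (the "< " lines of
#   `curl -v`, or the output of `curl -sI`).  Returns 0 only if the status is
#   200 AND a Via header names varnish, i.e. the reply really came from the
#   internal accelerator and not from some other listener on the RED address.
headers_ok() {
    hdrs=$(printf '%s\n' "$1" | sed 's/^< //')        # drop curl's "< " prefix if present
    printf '%s\n' "$hdrs" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 200( |$)' || return 1
    printf '%s\n' "$hdrs" | grep -Eiq '^Via:.*varnish' || return 1
}

# http_status HOST PORT -> prints the HTTP status code, "000" when no connection
http_status() {
    curl -s -o /dev/null --max-time 5 -w '%{http_code}' "http://$1:$2/" 2>/dev/null || true
}

live_check() {
    echo "== DNAT rule on the firewall (only meaningful when run on IPFire) =="
    if command -v iptables >/dev/null 2>&1; then
        rules=$(iptables -t nat -S 2>/dev/null || true)
        if dnat_rule_present "$rules" "$INTERNAL_IP" "$FORWARDED_PORT"; then
            echo "ok: DNAT tcp/$FORWARDED_PORT -> $INTERNAL_IP is loaded"
        else
            echo "MISSING: no DNAT rule for tcp/$FORWARDED_PORT -> $INTERNAL_IP (did you press Apply changes?)"
        fi
    fi

    echo "== Reachability from outside the RED network =="
    hdrs=$(curl -sI --max-time 5 "http://$PUBLIC_HOST:$FORWARDED_PORT/" 2>/dev/null || true)
    if headers_ok "$hdrs"; then
        echo "ok: $PUBLIC_HOST:$FORWARDED_PORT answers 200 through varnish"
    else
        echo "FAIL: no 200-via-varnish reply on port $FORWARDED_PORT"
    fi
    # The rule forwards tcp/80 only, so the backend port must not be exposed.
    # If this reports EXPOSED, some other rule is forwarding more than intended.
    st=$(http_status "$PUBLIC_HOST" "$BACKEND_PORT")
    if [ "$st" = "000" ]; then
        echo "ok: port $BACKEND_PORT is not reachable from RED"
    else
        echo "EXPOSED: port $BACKEND_PORT answered with HTTP $st"
    fi
}

# Live checks run only on request, so the functions above can be sourced and
# exercised without network access.
if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run `sh check_forward.sh --live` from a host outside the RED network for the reachability part; the iptables part only reports something when the script is executed on IPFire.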

Conclusion

If the test fails, first check that a host firewall on the internal web server is not blocking the port you are forwarding to. In this case, for a CentOS 7 server running firewalld, we could run:

[eknauer@centos ~]$ sudo firewall-cmd --zone=public --list-services
dhcpv6-client ssh

[eknauer@centos ~]$ sudo firewall-cmd --zone=public --list-ports
443/tcp 80/tcp

Here http is not listed as a service, but 80/tcp is allowed as an explicit port, so firewalld is not what is blocking us. Two other common causes are worth checking: the service must listen on the GREEN address rather than only on 127.0.0.1, and the internal server's default gateway must be IPFire's GREEN address (172.16.1.1), otherwise replies to forwarded connections never pass back through the NAT.

Similar IPFire port forwarding firewall rules can be put in place for services running on other ports, for example TCP 443 for HTTPS. You may also refer to the IPFire Wiki for additional information on port forwarding with IPFire.
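As an added example (not from the tutorial), the following script automates the two host-side checks on the internal CentOS 7 server: whether firewalld allows the port, either directly or through a service name, and whether anything on that port is bound beyond loopback. The zone and port follow the tutorial; the `--live` flag, the `ss -ltn` parsing and the small service-to-port map are assumptions. It reports rather than changes firewall policy.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the two local checks to make
# on the internal server (CentOS 7 with firewalld, as in the tutorial) when
# the forward is in place but the test still fails.  ZONE and PORT follow the
# tutorial; the --live flag and the small service-to-port map are assumptions.
set -eu

ZONE=public
PORT=80
PROTO=tcp

# service_port NAME -> "port/proto" for a few firewalld built-in services.
#   Assumed, abbreviated map; on a live box `firewall-cmd --info-service NAME`
#   is authoritative.
service_port() {
    case "$1" in
        http)  echo "80/tcp" ;;
        https) echo "443/tcp" ;;
        ssh)   echo "22/tcp" ;;
        *)     echo "" ;;
    esac
}

# firewalld_allows SERVICES PORTS PORT PROTO
#   SERVICES and PORTS are the outputs of `firewall-cmd --list-services` and
#   `--list-ports`.  Returns 0 if PORT/PROTO is allowed either as an explicit
#   port or through a service.  The tutorial's server allows 80/tcp via
#   --add-port, so "http" is absent from --list-services; checking services
#   alone would wrongly report it blocked.
firewalld_allows() {
    want="$3/$4"
    for p in $2; do [ "$p" = "$want" ] && return 0; done
    for s in $1; do [ "$(service_port "$s")" = "$want" ] && return 0; done
    return 1
}

# bound_externally SS_OUTPUT PORT
#   SS_OUTPUT is `ss -ltn` (listening TCP sockets).  Returns 0 only if some
#   listener on PORT is bound to a wildcard or non-loopback address.  A varnish
#   listening on 127.0.0.1:80 passes every firewall check yet serves nobody
#   outside the host, so the DNAT'ed packets from IPFire get a reset.
bound_externally() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            addr = $4                          # e.g. *:80, 0.0.0.0:80, 127.0.0.1:8080, [::]:22
            n = split(addr, a, ":")
            p = a[n]
            if (p != port) next
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (host == "127.0.0.1" || host == "[::1]" || host == "localhost") next
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

diagnose() {
    svcs=$(firewall-cmd --zone="$ZONE" --list-services)
    ports=$(firewall-cmd --zone="$ZONE" --list-ports)
    if firewalld_allows "$svcs" "$ports" "$PORT" "$PROTO"; then
        echo "ok: firewalld zone $ZONE allows $PORT/$PROTO"
    else
        # Report rather than change policy unattended; --permanent writes the
        # config and --reload applies it.
        echo "BLOCKED: $PORT/$PROTO not allowed in zone $ZONE. Fix with:"
        echo "  sudo firewall-cmd --permanent --zone=$ZONE --add-port=$PORT/$PROTO && sudo firewall-cmd --reload"
    fi
    if bound_externally "$(ss -ltn)" "$PORT"; then
        echo "ok: a listener on $PORT accepts connections from the GREEN network"
    else
        echo "NOT LISTENING: nothing on $PORT is bound beyond loopback; check varnish's listen address"
    fi
}

if [ "${1:-}" = "--live" ]; then diagnose; fi
```

Run it as `sudo sh check_server.sh --live` on the internal server; the same functions can be fed saved `firewall-cmd` and `ss` output when diagnosing a box you can only read logs from.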