In our last column we introduced the E-Smith SME Server, a dedicated Linux firewall/gateway distribution. This time we will look at configuring E-Smith SME Server to allow services on your network to be accessible from the public Internet. (CD images of E-Smith SME Server can be downloaded from www.e-smith.org.)
The Web interface
The advanced features of the E-Smith firewall can be configured from a Web interface. If you have configured your computer to use the DHCP service provided by E-Smith, you can connect to the Web interface by typing http://hostname/server-manager into a browser; replace hostname with the name given to the server during installation. You can also access the Web interface in text mode by selecting item 5 from the main menu of the E-Smith console.
A dedicated firewall solution such as E-Smith is a great way to block your network from the outside world, but what if you have some servers on your network which you want to be accessible from the public Internet? Port forwarding is a technique that redirects a port from your E-Smith firewall to a port on another machine on your network, thus making the service on the machine behind the firewall accessible from the Internet.
For example, if you have a Web server running on a machine with the IP 192.168.0.25 and this machine is connected to your E-Smith firewall, if a user connects to port 80 (the standard Web server port) on your firewall, E-Smith will magically redirect this request to 192.168.0.25 port 80 and adjust the response from your Web server to make it appear as if it came from the E-Smith firewall. To the user browsing your Web server, this is completely transparent.
Port forwarding can be configured from the main menu of the Web interface to your E-Smith server. To add a forward you will need to know the IP address of the server to which you wish to forward and the port on which the service you wish to make available runs. Click the Add button to add a forward and enter this information in the form. Once added, you will be able to test the port forward by attempting to connect to your firewall on the specified port from the Internet.
A great way to test a port forward quickly is to use the telnet tool under both Linux and Windows. To test a port forward with telnet, type the following at a prompt:
telnet [ip_of_firewall] [port]
If the port is being forwarded, you will see telnet connect; if not, you will eventually receive a connection refused or connection timed out error. It is worth noting that any servers made available to the Internet via port forwarding should be properly secured before a port forward is added.
VPNs with PPTP
A more secure way to grant access to servers located behind your firewall is to use a VPN. This is a bridge between two private networks, for example your home network and your office network, over a third network, in most cases the Internet. Once connected to the VPN from home, you are able to access the office network as if your computer were physically located on the office network.
Current beta versions of E-Smith SME Server 6.0 support PPTP-based VPNs. The final release version of E-Smith SME Server 6.0 (at the time of writing, beta 3 is available) will, hopefully, support much more secure IPSEC-based VPNs.
PPTP connections can be enabled under the Remote Access menu in the Web interface. Set the first entry in this menu to 1 to allow a single user to connect to your VPN at a time. Keep this number as low as possible to prevent unauthorised users connecting to your VPN. Each user of your VPN will require a username and password, which can be added under the Users menu in the Web interface. When a new user is added, set the Allow VPN Access option to Yes if they require VPN access. Do not grant access to your VPN to users who do not need it. In order to connect to your VPN server from another Linux computer you will need to install PPTP Client, which has been included on this month’s cover CD. Extensive documentation on using PPTP Client is available at http://pptpclient.sourceforge.net.
To connect to your VPN server with Windows, add a new network connection and select the VPN connection type. You will need to supply the firewall IP, your username and password to connect. For more information on connecting to a VPN under Windows XP, see Microsoft Technet (http://support.microsoft.com/default.aspx?scid=fh;EN-US;KBJUMP) article 314076. Windows 2000 users should consult Microsoft Technet article 308208.