LinuxQuestions.org


ShedDriver 04-02-2024 07:33 AM

Firewalling with a web server and users through the same network port
 
I would like to use a single internet connection for web users and to run a web server. I know how to set up masquerading, and I know how to direct http ports to a webserver, but how can I do both? Somehow I need an unassociated web message (which would normally be rejected by masq) to be sent to the webserver. In other words, an external user sees the webserver and internal users browse the web oblivious to that external user.
I get a bad feeling regarding security, but would any solution be any worse than just running a webserver?

Regards

Paul

business_kid 04-02-2024 12:16 PM

Hello, ShedDriver & welcome to LQ.

For most people, the solution is to use the router supplied by your ISP and that looks after that messing. You don't really say anything we could use to help you:
  • How is the internet connected?
  • What distribution are you running?
  • Is your (or any) box on 24/7/365?
  • Have you searched the web and the LQ site for walk-throughs on doing this?
They are just some of the things you don't say. Have a search for a walk-through on your distribution and post the link, and answers to the above. We'll give a 'thumbs up' or 'thumbs down' to it. Then you can post when you hit trouble.

If no PC is always on, you may want to buy some little cheap SBC to do the web server, and leave that on 24/7. Power usage can be quite small.

ShedDriver 04-03-2024 12:41 AM

Some clarification.
 
Erm yes, the linux box is going to be on 24/7, with a webserver I guess people don't expect it to be there only in office hours. Firewalling using nftables, I guess not too many options there. System is Debian-like, but I can't imagine that affects anything.
The router provides port direction, but that is the puzzle. Sending all incoming http packets to the webserver isn't going to do what I want in regards to internal users browsing the web. In any case I would prefer to keep a close watch on my firewall, rather than trusting the router.

MikeDeltaBrown 04-03-2024 01:42 PM

What you want is called Port-Forwarding. You can do both Masquerading and Port-Forwarding at the same time. All that is handled in your router.

I don't care how you're connected to the internet and I don't care which distribution you are running.
Your web server should have a static IP address on your internal network. It only needs to be on when you want outside people to access it.

A good book that covers the firewall rules needed to implement this is "Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT and l7-filter" by Packt Publishing. Good explanations and interesting case studies. Well worth the price, IMO.
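
For the nftables setup discussed in this thread, here is an added example ruleset (not posted by any participant) that does masquerading and port forwarding on the same connection. It assumes the Debian box is the gateway with two interfaces and that the web server is a separate internal host; the names `wan0` and `lan0` and the address 192.168.1.10 are placeholders, not values from the thread.

```nftables
#!/usr/sbin/nft -f
# Added example; interface names and addresses are assumptions, not from the thread.
flush ruleset

define WAN_IF = "wan0"          # assumed: interface facing the internet
define LAN_IF = "lan0"          # assumed: interface facing internal users
define WEB_IP = 192.168.1.10    # assumed: static internal address of the web server

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # New inbound connections to the web ports are rewritten to the web server.
        # Replies to LAN users' browsing never reach this rule: they belong to an
        # existing conntrack entry and are translated back automatically.
        iifname $WAN_IF tcp dport { 80, 443 } dnat to $WEB_IP
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound traffic leaves with the gateway's public address.
        oifname $WAN_IF masquerade
    }
}

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        iifname $LAN_IF accept   # assumed: LAN hosts may reach the gateway itself
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Internal users may open connections to the internet.
        iifname $LAN_IF oifname $WAN_IF accept
        # From outside, only connections that matched the DNAT rule may pass.
        iifname $WAN_IF ip daddr $WEB_IP tcp dport { 80, 443 } ct status dnat accept
    }
}
```

Forwarding also requires `net.ipv4.ip_forward=1`. Because the file starts with `flush ruleset`, validate it with `nft -c -f` before loading it over a remote session.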

