1
00:00:00,05 --> 00:00:02,08
- [Instructor] Let's try to connect to the web server

2
00:00:02,08 --> 00:00:05,07
on the Ubuntu host in the DMZ

3
00:00:05,07 --> 00:00:10,01
from the Windows host through the Ubuntu-Router host.

4
00:00:10,01 --> 00:00:12,07
We'll be using the IP address

5
00:00:12,07 --> 00:00:14,07
of the external network interface

6
00:00:14,07 --> 00:00:19,09
of the Ubuntu-Router host to get to the web server.

7
00:00:19,09 --> 00:00:24,09
Let's go to the Windows host and open a web browser,

8
00:00:24,09 --> 00:00:28,07
type the external IP of the Ubuntu-Router host,

9
00:00:28,07 --> 00:00:35,09
which is 10.0.0.6.

10
00:00:35,09 --> 00:00:39,00
Press Enter.

11
00:00:39,00 --> 00:00:40,06
You're unable to connect

12
00:00:40,06 --> 00:00:43,06
since port-forwarding is not yet enabled;

13
00:00:43,06 --> 00:00:47,06
that's why you're getting this error message.

14
00:00:47,06 --> 00:00:50,05
Let's now go back to our Ubuntu-Router host

15
00:00:50,05 --> 00:00:52,02
and change the firewall rules

16
00:00:52,02 --> 00:00:54,02
to enable port-forwarding.

17
00:00:54,02 --> 00:00:58,00
Let's edit our firewall script.

18
00:00:58,00 --> 00:01:03,06
Type cd Documents, press Enter,

19
00:01:03,06 --> 00:01:06,00
type ls.

20
00:01:06,00 --> 00:01:11,04
Do you see our script file, myfw.sh?

21
00:01:11,04 --> 00:01:13,03
Let's edit the script,

22
00:01:13,03 --> 00:01:19,06
type nano myfw.sh,

23
00:01:19,06 --> 00:01:22,05
press Enter.

24
00:01:22,05 --> 00:01:24,08
These are the firewall rules we used

25
00:01:24,08 --> 00:01:29,01
to set up our Ubuntu-Router host initially.

26
00:01:29,01 --> 00:01:32,00
Let's add a couple more rules

27
00:01:32,00 --> 00:01:34,02
to enable port-forwarding.

28
00:01:34,02 --> 00:01:55,03
Type iptables -t nat -A PREROUTING -p,

29
00:01:55,03 --> 00:01:59,00
standing for protocol,

30
00:01:59,00 --> 00:02:11,07
tcp -i eth0 -d.

31
00:02:11,07 --> 00:02:27,02
-d stands for destination, and the destination is 10.0.0.6,

32
00:02:27,02 --> 00:02:32,08
--dport 80,

33
00:02:32,08 --> 00:02:38,04
dport here stands for destination port,

34
00:02:38,04 --> 00:02:55,01
-j DNAT --to 10.0.1.5.

35
00:02:55,01 --> 00:02:57,01
Since the line is too long

36
00:02:57,01 --> 00:03:01,07
we have this dollar sign hiding the rest of the line.

37
00:03:01,07 --> 00:03:06,00
What this rule does is change the destination IP

38
00:03:06,00 --> 00:03:12,07
of an incoming packet to 10.0.1.5.

39
00:03:12,07 --> 00:03:16,05
If the packet is coming through the external interface,

40
00:03:16,05 --> 00:03:21,04
which is eth0 of our Ubuntu-Router host,

41
00:03:21,04 --> 00:03:25,01
and if its destination port is 80,

42
00:03:25,01 --> 00:03:32,01
the command -j DNAT --to 10.0.1.5

43
00:03:32,01 --> 00:03:35,01
is changing the destination IP

44
00:03:35,01 --> 00:03:46,02
of the packet from 10.0.0.6 to 10.0.1.5.

45
00:03:46,02 --> 00:03:51,04
The next rule is iptables

46
00:03:51,04 --> 00:04:16,03
-A FORWARD -p tcp -i eth0 -o eth1

47
00:04:16,03 --> 00:04:29,00
--dport 80 -m state --state

48
00:04:29,00 --> 00:04:45,02
NEW,ESTABLISHED,RELATED -j ACCEPT.

49
00:04:45,02 --> 00:04:48,02
This line means that we allow forwarding the packets

50
00:04:48,02 --> 00:04:51,08
from the input interface, which is eth0,

51
00:04:51,08 --> 00:04:55,06
to the output interface, which is eth1,

52
00:04:55,06 --> 00:04:58,05
if the packet's destination port is 80

53
00:04:58,05 --> 00:05:01,09
and if the packet contains a new connection request

54
00:05:01,09 --> 00:05:06,01
or is part of an existing connection.

55
00:05:06,01 --> 00:05:08,09
Now let's go ahead and save the script

56
00:05:08,09 --> 00:05:12,04
by pressing Control and X.

57
00:05:12,04 --> 00:05:16,00
Type Y, press Enter.

58
00:05:16,00 --> 00:05:26,09
Run the script by typing sudo myfw.sh,

59
00:05:26,09 --> 00:05:28,00
press Enter.