Solved

Unable to see Apache2's web site from outside the firewall, although from within it's there. Yet forwarding appears OK.

Posted on 2005-03-10
Last Modified: 2010-03-18
Hello experts,
I have installed Mandrake Linux 10.1 including Apache2. My problem is that from another machine on the same local network I can bring up Apache's default page by browsing to its IP... Good, it's working.

After configuring forwarding and NAT on that network's firewall (Netmax5, serving several servers including the new Apache server) from the outside world, I cannot get to Apache when using its assigned external IP address. This should work.

To test if the forwarding is actually working: if I assign another machine (PC-IIS) the Apache machine's internal IP and swap their network cables, it works. I can open IIS web pages from outside. I am not the brightest, but I have done this before on Linux 9-9.2 with no real difficulty, so what is wrong? I have rebuilt the whole thing twice now with no luck.

There are no traces of anything in the httpd access or error logs. You can browse the world from the Apache machine's web client. No firewall is on on the Apache2 Linux machine; its security level is currently set to poor. I can ping Apache's external IP. I can ping from the firewall machine to Apache's internal IP.

Any help much appreciated.
0
Question by:shlam
14 Comments
 
LVL 4

Expert Comment

by:bobgunzel
ID: 13505007
Try turning rp_filter off:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
0
 

Author Comment

by:shlam
ID: 13505309
Hi Bob, unfortunately no joy. It was already 0. Thanks anyway,
keith
0
 
LVL 5

Expert Comment

by:jeopboy
ID: 13505741
Can you run tcpdump on the apache box while attempting access from the outside?  

That would confirm:
- that the packets are arriving at the server
- how the server is replying if the packets are there.

 
0

Author Comment

by:shlam
ID: 13506146
OK, tried that... and got this. The machine from the outside is 217.169.36.131.

At the bottom I also accessed from a machine on the same network (10.0.0.25).

listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
14:05:01.367213 IP 217.169.36.131.4632 > 10.0.0.25.http: S 775591967:775591967(0) win 16384 <mss 1460,nop,nop,sackOK>
14:05:01.369621 IP 10.0.0.25.32835 > zebedee.magic.sound-effects-library.com.domain:  60573+ PTR? 25.0.0.10.in-addr.arpa. (40)
14:05:01.370150 IP zebedee.magic.sound-effects-library.com.domain > 10.0.0.25.32835:  60573 NXDomain* 0/1/0 (130)
14:05:01.370503 IP 10.0.0.25.32835 > zebedee.magic.sound-effects-library.com.domain:  60574+ PTR? 131.36.169.217.in-addr.arpa. (45)
14:05:01.370714 IP zebedee.magic.sound-effects-library.com.domain > 10.0.0.25.32835:  60574 ServFail 0/0/0 (45)
14:05:02.051263 IP 10.0.0.28.netbios-ns > 10.0.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
14:05:02.801092 IP 10.0.0.28.netbios-ns > 10.0.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
14:05:03.551117 IP 10.0.0.28.netbios-ns > 10.0.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
14:05:04.310686 IP 217.169.36.131.4632 > 10.0.0.25.http: S 775591967:775591967(0) win 16384 <mss 1460,nop,nop,sackOK>
14:05:06.362613 arp who-has 10.0.0.25 tell zebedee.magic.sound-effects-library.com
14:05:06.362647 arp reply 10.0.0.25 is-at 00:03:47:08:49:40
14:05:10.345762 IP 217.169.36.131.4632 > 10.0.0.25.http: S 775591967:775591967(0) win 16384 <mss 1460,nop,nop,sackOK>
14:05:10.372152 IP 10.0.0.25.32837 > zebedee.magic.sound-effects-library.com.domain:  60574+ PTR? 131.36.169.217.in-addr.arpa. (45)
14:05:10.372527 IP zebedee.magic.sound-effects-library.com.domain > 10.0.0.25.32837:  60574 ServFail 0/0/0 (45)
14:05:15.371055 arp who-has zebedee.magic.sound-effects-library.com tell 10.0.0.25
14:05:15.371157 arp reply zebedee.magic.sound-effects-library.com is-at 00:b0:d0:79:2e:e9
14:05:19.373763 IP 10.0.0.25.32838 > zebedee.magic.sound-effects-library.com.domain:  60575+ PTR? 69.0.0.10.in-addr.arpa. (40)
14:05:19.374264 IP zebedee.magic.sound-effects-library.com.domain > 10.0.0.25.32838:  60575* 1/1/1 PTR[|domain]
14:05:19.374772 IP 10.0.0.25.32838 > zebedee.magic.sound-effects-library.com.domain:  60576+ PTR? 255.0.0.10.in-addr.arpa. (41)
14:05:19.375045 IP zebedee.magic.sound-effects-library.com.domain > 10.0.0.25.32838:  60576 NXDomain* 0/1/0 (131)
14:05:19.375233 IP 10.0.0.25.32838 > zebedee.magic.sound-effects-library.com.domain:  60577+ PTR? 28.0.0.10.in-addr.arpa. (40)
14:05:19.375484 IP zebedee.magic.sound-effects-library.com.domain > 10.0.0.25.32838:  60577 NXDomain* 0/1/0 (130)
14:05:29.210248 IP zebedee.magic.sound-effects-library.com.52999 > 10.0.0.25.http: S 2571827631:2571827631(0) win 5840 <mss 1460>
14:05:29.210319 IP 10.0.0.25.http > zebedee.magic.sound-effects-library.com.52999: S 1049582954:1049582954(0) ack 2571827632 win 5840 <mss 1460>
14:05:29.210444 IP zebedee.magic.sound-effects-library.com.52999 > 10.0.0.25.http: . ack 1 win 5840
14:05:29.210674 IP zebedee.magic.sound-effects-library.com.52999 > 10.0.0.25.http: P 1:410(409) ack 1 win 5840
14:05:29.210712 IP 10.0.0.25.http > zebedee.magic.sound-effects-library.com.52999: . ack 410 win 6432
14:05:29.214300 IP 10.0.0.25.http > zebedee.magic.sound-effects-library.com.52999: . 1:1461(1460) ack 410 win 6432
14:05:29.214328 IP 10.0.0.25.http > zebedee.magic.sound-effects-library.com.52999: P 1461:2632(1171) ack 410 win 6432
14:05:29.214702 IP zebedee.magic.sound-effects-library.com.52999 > 10.0.0.25.http: . ack 1461 win 8760
14:05:29.214752 IP 10.0.0.25.http > zebedee.magic.sound-effects-library.com.52999: P 2632:3241(609) ack 410 win 6432
14:05:29.214814 IP 10.0.0.25.http > zebedee.magic.sound-effects-library.com.52999: . 3241:4701(1460) ack 410 win 6432
14:05:29.215193 IP zebedee.magic.sound-effects-library.com.52999 > 10.0.0.25.http: . ack 2632 win 11680
14:05:29.215238 IP 10.0.0.25.http > zebedee.magic.sound-effects-library.com.52999: . 4701:6161(1460) ack 410 win 6432
14:05:29.215246 IP 10.0.0.25.http > zebedee.magic.sound-effects-library.com.52999: FP 6161:7316(1155) ack 410 win 6432
14:05:29.215214 IP zebedee.magic.sound-effects-library.com.52999 > 10.0.0.25.http: . ack 3241 win 14600
14:05:29.215234 IP zebedee.magic.sound-effects-library.com.52999 > 10.0.0.25.http: . ack 4701 win 17520
14:05:29.215596 IP zebedee.magic.sound-effects-library.com.52999 > 10.0.0.25.http: . ack 6161 win 20440
14:05:29.216591 IP zebedee.magic.sound-effects-library.com.52999 > 10.0.0.25.http: F 410:410(0) ack 7317 win 23360
14:05:29.216620 IP 10.0.0.25.http > zebedee.magic.sound-effects-library.com.52999: . ack 411 win 6432

40 packets captured
40 packets received by filter
0 packets dropped by kernel

I can see ServFail in there.
0
 

Author Comment

by:shlam
ID: 13506178
Sorry, the machine I used on the local network wasn't 10.0.0.25, it was 10.0.0.37...
0
 
LVL 5

Expert Comment

by:jeopboy
ID: 13506423
So the firewall is not the issue since the apache server never responds.

The apache server is 10.0.0.25 and your local client/dns server is zebedee.magic.sound-effects-library.com or 10.0.0.37, right?

The servFAIL is on a reverse DNS lookup for the external IP address.

Since it does this before responding to the http request, I think the apache config is telling it to do reverse DNS (probably for logging purposes) and set to not respond if it can't resolve the IP to a name or to only allow access from certain domains.  


It's been a while since I've played with Apache configs, but look in your httpd.conf for mod_access directives or the HostnameLookups directive.  Try setting the HostnameLookups to off.
0
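The observation above (SYNs arrive at the server, no SYN-ACK ever goes back) can be checked mechanically rather than by eye. This is an added example, not code from the thread: it parses tcpdump's default one-line output, groups packets by client, and reports clients whose SYN to the web server was never answered. The sample lines are a constructed subset of the capture posted above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the posted capture: three unanswered SYNs
# from the outside host, one DNS lookup, and the local client's full handshake.
SAMPLE_CAPTURE = """\
14:05:01.367213 IP 217.169.36.131.4632 > 10.0.0.25.http: S 775591967:775591967(0) win 16384 <mss 1460,nop,nop,sackOK>
14:05:01.369621 IP 10.0.0.25.32835 > zebedee.magic.sound-effects-library.com.domain:  60573+ PTR? 25.0.0.10.in-addr.arpa. (40)
14:05:04.310686 IP 217.169.36.131.4632 > 10.0.0.25.http: S 775591967:775591967(0) win 16384 <mss 1460,nop,nop,sackOK>
14:05:10.345762 IP 217.169.36.131.4632 > 10.0.0.25.http: S 775591967:775591967(0) win 16384 <mss 1460,nop,nop,sackOK>
14:05:29.210248 IP zebedee.magic.sound-effects-library.com.52999 > 10.0.0.25.http: S 2571827631:2571827631(0) win 5840 <mss 1460>
14:05:29.210319 IP 10.0.0.25.http > zebedee.magic.sound-effects-library.com.52999: S 1049582954:1049582954(0) ack 2571827632 win 5840 <mss 1460>
14:05:29.210444 IP zebedee.magic.sound-effects-library.com.52999 > 10.0.0.25.http: . ack 1 win 5840
"""

# tcpdump without -n prints "host.port > host.port: FLAGS rest"; hostnames contain
# dots, so the greedy host group backtracks to the last dot before the port.
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\w+) > (\S+)\.(\w+):\s+(\S+)\s*(.*)$")
ACK_RE = re.compile(r"\back \d")   # "ack N" in the rest of the line (not "sackOK")


def handshake_report(capture, server, port="http"):
    """Per client (host, port): how many SYNs it sent to server:port and whether
    the server ever answered with a SYN-ACK."""
    flows = defaultdict(lambda: {"syn": 0, "synack": False})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags, rest = m.groups()
        is_ack = ACK_RE.search(rest) is not None
        if dst == server and dport == port and flags == "S" and not is_ack:
            flows[(src, sport)]["syn"] += 1        # client -> server SYN
        elif src == server and sport == port and flags == "S" and is_ack:
            flows[(dst, dport)]["synack"] = True   # server -> client SYN-ACK
    return dict(flows)


def unanswered_clients(flows):
    """Clients that sent at least one SYN and never saw a SYN-ACK: the packets
    reached the box, so the fault is in its reply path, not upstream."""
    return sorted(c for c, f in flows.items() if f["syn"] and not f["synack"])


if __name__ == "__main__":
    report = handshake_report(SAMPLE_CAPTURE, "10.0.0.25")
    for client, f in report.items():
        print(client, f)
    print("unanswered:", unanswered_clients(report))
```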
 

Author Comment

by:shlam
ID: 13506702
Absolutely. Client/DNS/firewall/Squid is on zebedee... 10.0.0.37 is just another machine on that network. Unfortunately though,
HostnameLookups is already set to off... the default. I have hardly configured this machine, so mostly everything will be at the default values apart from what I believe to be the obvious necessities to get it up. Maybe that is a clue as to my problem.
I was surprised to see the lack of reference to the machine 10.0.0.37 making a call to the Apache server and getting a response in the tcpdump... nothing. Odd.
Thanks for your help.
0
 
LVL 5

Expert Comment

by:jeopboy
ID: 13506844
So what's the IP of zebedee.magic.sound-effects-library.com? I assumed it was 10.0.0.37 because I saw http from zebedee to 10.0.0.25.

If it's not the apache config, then maybe the server doesn't have the right default gateway?

What is your firewall's internal IP address and what is the output of netstat -rn command on the apache server?
0
 

Author Comment

by:shlam
ID: 13507191
zebedee on the inside is 10.0.0.69 / 217.169.36.138 outside, and I think you may be right... netstat -rn gives

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
217.169.36.128  0.0.0.0         255.255.255.240 U         0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         217.169.36.129  0.0.0.0         UG        0 0          0 eth0

In the Mandrake control panel I can see that the gateway for 10.0.0.25 (eth1) is 217.169.36.129. This I am sure should be 10.0.0.69, but it doesn't seem happy to let me change it there.
I've got a good feeling that you're going to know a way!
Thanks...
0
 
LVL 5

Expert Comment

by:jeopboy
ID: 13507444
Unfortunately, I'm an old-school Unix guy, so I don't know as much about Mandrake and how it is configured.
If you want to go outside the GUI, from a prompt as root, you can run:

route add -net default gw 10.0.0.69 dev eth1    # eth1 is the interface on 10.0.0.0/24, where 10.0.0.69 lives

this should change the route but (I believe) only until you reboot. For permanent changes, you should be able to edit the file:

/etc/sysconfig/network

NETWORKING=yes
GATEWAY=10.0.0.69    # or the IP address of your gateway device - your default gateway
GATEWAYDEV=eth1      # the interface through which the gateway is reached

BTW - Is that the netstat output from the mandrake box or from the firewall?  It looks like the firewall.

If you want, go ahead and post the netstat -rn on the mandrake box before your changes and we can double-check the settings.

0
 

Author Comment

by:shlam
ID: 13507820
That was from the Mandrake box... revised, it is now:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
217.169.36.128  0.0.0.0         255.255.255.240 U         0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         10.0.0.69       0.0.0.0         UG        0 0          0 eth1

which I really thought would have it in the bag... but no.

I have rebooted too (netstat was after the reboot). I initially used eth0 to bring the updates through at time of build; it's unconnected now. I am thinking of flipping eth1 with eth0 - just a whim, perhaps not very logical.
0
 
LVL 5

Accepted Solution

by:
jeopboy earned 800 total points
ID: 13508035
If eth0 is disconnected, that is the problem. The kernel still thinks it has a connection to the 217.169.36.128 subnet.

Can you completely remove the IP information and disable eth0 from the mandrake control panel?  That should do the trick.
0
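The accepted answer hinges on route selection: the kernel picks the most specific matching route, so the 217.169.36.128/28 entry on the unplugged eth0 wins over any default gateway for replies to 217.169.36.131, which is why fixing the gateway alone changed nothing. This added example (not from the thread) implements longest-prefix lookup over the two routing tables posted above, plus the table as it stands once eth0 is removed, and shows which interface and next hop the server's reply would use in each case.

```python
import ipaddress

# The "netstat -rn" tables posted above, as (destination, gateway, genmask, iface).
ROUTES_ORIGINAL = [
    ("217.169.36.128", "0.0.0.0", "255.255.255.240", "eth0"),
    ("10.0.0.0", "0.0.0.0", "255.255.255.0", "eth1"),
    ("0.0.0.0", "217.169.36.129", "0.0.0.0", "eth0"),
]
# After the default gateway was changed to 10.0.0.69 (eth0's /28 route still present).
ROUTES_GATEWAY_FIXED = [
    ("217.169.36.128", "0.0.0.0", "255.255.255.240", "eth0"),
    ("10.0.0.0", "0.0.0.0", "255.255.255.0", "eth1"),
    ("0.0.0.0", "10.0.0.69", "0.0.0.0", "eth1"),
]
# Assumed final table once eth0 is disabled, as the accepted answer advises.
ROUTES_ETH0_REMOVED = [
    ("10.0.0.0", "0.0.0.0", "255.255.255.0", "eth1"),
    ("0.0.0.0", "10.0.0.69", "0.0.0.0", "eth1"),
]


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it: among routes whose network
    contains dst, the one with the longest mask wins; the default route (/0)
    is only used when nothing more specific matches.
    Returns (iface, next_hop) where next_hop is None for a directly connected route."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, gw, mask, iface in routes:
        net = ipaddress.IPv4Network((dest, mask))
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    net, gw, iface = best
    return iface, (None if gw == "0.0.0.0" else gw)


if __name__ == "__main__":
    outside, inside = "217.169.36.131", "10.0.0.37"
    for name, table in [("original", ROUTES_ORIGINAL),
                        ("gateway fixed", ROUTES_GATEWAY_FIXED),
                        ("eth0 removed", ROUTES_ETH0_REMOVED)]:
        # Replies to the outside client leave via the dead eth0 until its route is gone.
        print(f"{name:14} reply to {outside} -> {lookup(table, outside)}")
        print(f"{name:14} reply to {inside}   -> {lookup(table, inside)}")
```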
 

Author Comment

by:shlam
ID: 13508127
Well, I take my hat off to you... that did indeed do the trick. Thank you very much for all your help. Have a pint on me; I am delighted, this has been getting me for quite a while.
Thanx again..
0
 
LVL 5

Expert Comment

by:jeopboy
ID: 13508445
Glad to help and thanks for the virtual pint (and the EE p'ints) ;-)
0

Question has a verified solution.
