Avatar of xRalf
xRalf


port forwarding to 80 in Ubuntu

Hello,

could you help me with network settings and port forwarding in Ubuntu, so that my apache webserver sites would
be accessible from outside (Internet)?

cat /etc/network/interfaces
auto lo
iface lo inet loopback

cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 212.101.0.10
nameserver 194.203.32.237

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:c0:9f:71:09:ff  
          inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2c0:9fff:fe71:9ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11003 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13851 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5135995 (5.1 MB)  TX bytes:2884894 (2.8 MB)
          Interrupt:6

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1000 (1000.0 B)  TX bytes:1000 (1000.0 B)

The port 80 is forwarded in my router to 192.168.1.101

If you need some other outputs I will give you that information

thank you
Avatar of mccracky
mccracky

If the router is forwarding the port to your IP, it should work as long as apache is up and running.  
Avatar of xRalf
xRalf

ASKER

In the browser
http://localhost/index.php
works perfectly

but
http://X.X.X.X/index.php
where X.X.X.X is my public IP address
does not work

Could I troubleshoot somehow (some Linux diagnostic tools) and find out where the problem is?
Avatar of xRalf

ASKER

Is there some way to troubleshoot this problem? In /etc/apache2/apache2.conf there is a line
ServerName localhost
Should I change it to my public IP?
If you are trying from the same machine, that is probably the problem.  You need to try from a machine outside the network.  Many routers won't redirect outgoing packets back through the port forwarding rules.
Avatar of xRalf

ASKER

I asked a friend to test it from outside and it writes him "page not found"...
Is it a browser error or apache error that he gets?
Avatar of xRalf

ASKER

I asked another friend today and he said
"the page is loading very slowly and then it shows him
(following is my rough translation) Application Internet Explorer can't display this webpage.
You can try the following possibilities:
 Diagnostics with connection troubles
"
Does it work on the same network (trying to go to the local external LAN address of the box)?  Is there a local firewall active on the Ubuntu box?
Avatar of xRalf

ASKER

I have laptop and computer connected with router with local IP addresses 192.168.1.100 and 192.168.1.101.

The web server is on http://192.168.1.100/index.php. This local address works on both computers.

The global address does not work anywhere.
Avatar of xRalf

ASKER

Which local firewall do you think?

The ufw firewall is probably disabled.
$ sudo ufw status verbose
Status: inactive
Can you please give me the apache configuration settings? Need to check the apache server configurations. What is the document root that you are using?
Avatar of xRalf

ASKER

This is  ports.conf

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

And in attachment is /etc/apache/sites-available/default

default
Could you please show us output of :

netstat -natp | grep :80
Avatar of xRalf

ASKER

Do you need the whole output? There is only one line with LISTEN. It looks like something is wrong.

$ netstat -natp | grep :80
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -              
Avatar of xRalf

ASKER

$ sudo netstat -natp | grep :80 | grep LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1740/apache2    
SOLUTION
Avatar of upanwar
upanwar
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Have you checked whether you can access the site from your own local LAN?
Avatar of xRalf

ASKER

>> telnet <Your Ubuntu Box's Public IP> 80

writes him (my translation to English)
Connecting to <my_public_ip> ... Unable to connect to host computer on port 80... The connection failed.

>> Have you checked whether you can access the site from your own local LAN?

Yes. I wrote it in comment http://#35216234
ASKER CERTIFIED SOLUTION
You can use this tool from your desktop as well. Please check whether your IP is reachable or not.

http://network-tools.com/
Avatar of xRalf

ASKER

mccracky was right. I made a stupid typographic mistake. The port should be forwarded to 192.168.1.100.

But it doesn't work after commands
sudo /etc/init.d/networking restart
sudo /etc/init.d/apache2 restart

To upanwar: I tried ping and it pings me without problems.
Does your ISP filter incoming port 80 on "home" accounts?  Does your router allow port redirection (incoming port 1234 -> 192.168.1.100:80) ?  If so I would try that.
Avatar of xRalf

ASKER

> Does your ISP filter incoming port 80 on "home" accounts?

I think that he doesn't because I had apache on Windows and it worked.

> Does your router allow port redirection?

No.
SOLUTION
Avatar of noci
Did you setup the routing to the internet correctly?
(netstat -rn )
Avatar of xRalf

ASKER

to wyliecoyoteuk

is it secure?
"
Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

Are you sure you want to continue sending this information?
"

netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0

I haven't set up routing, I left it at the default. Should I set it up in some way?
SOLUTION
Avatar of xRalf

ASKER

Thank you for long analysis of the problem.

I have only Xubuntu on my laptop now. I had Windows 7 months ago. I'm using Firefox, not IE.

>> Through the proceed button you give grc.com permission to portscan your ip address.

How many people use this service to scan their ports? And what should I click to achieve this?

$ sudo iptables -t filter -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        


$ sudo iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

$ sudo iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination      

2: Apache config is in comment http://#35226156
Ok no firewall on ubuntu.
And Apache does look fine to me too.

What does grc.com report (firefox has more or less the same safety instructions as IE)?

Can you run:
 tcpdump -ni eth0 port 80
on your server while doing tests with external access? (grc.com and your friend doing access).
BTW grc.com will also show your external IP address as part of the test, check if that matches your expectations.
It does really look like the modem doesn't deliver data to the system but this will verify it.
Avatar of xRalf

ASKER

tcpdump -ni eth0 port 80

The output is "infinite", impossible to copy-paste here.

When I click proceed in grc.com I can see the output

"Greetings!

Without your knowledge or explicit permission, the Windows networking technology which connects your computer to the Internet may be offering some or all of your computer's data to the entire world at this very moment!"

SOLUTION
Avatar of xRalf

ASKER

$ sudo tcpdump -ni eth0 dst port 80 and dst host 192.168.1.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

It seems that nothing is happening.


grc.com says that my port 80 is OPEN.
Grc.com is a well respected site, it is used by many people to test their security.
The warnings are there to advise.
But it is the best security check that you can make easily.
Avatar of xRalf

ASKER

I have no idea what could be wrong, port 80 is open.

I noticed that in my apache configuration I have
/var/www and /var/www/ (only a little inconsistency), is this OK?
Hi!

I think your problem is in your router. Or recheck your config in the router? Can you switch to another one?

Regards, Tobias
Avatar of xRalf

ASKER

I have only one router. But note this comment.
SOLUTION
Avatar of xRalf

ASKER

OK, I'm sending the screenshot.

I have to say, that I have problem with amule connection too.
port-forwarding.png
ok. The port forwarding looks alright. What router model do you have? I don't recognise that GUI.

Have you configured any items under "Port Filtering", "IP Filtering", "MAC Filtering" or "DMZ" that might block the access from internet to your LAN?

Another way to test if it's the router that's blocking is to turn off your Ubuntu server and then to put another computer with web services on the same IP (192.168.1.100) and see if it works. You mentioned you had a Windows web server? Maybe you can test with that?

Regards, Tobias
Avatar of xRalf

ASKER

What router model do you have?

I have only this manual. I can't recognize what router it is.

Have you configured any items under "Port Filtering", "IP Filtering", "MAC Filtering" or "DMZ" that might block the access from internet to your LAN?

No I haven't.

>> Windows

I don't have Windows anymore.
tcpdump not showing lines means data isn't arriving on your PC.
Did you run the tcpdump WHILE testing with grc.com?

As the port is reported open by grc.com the data does go somewhere...

Avatar of xRalf

ASKER

OK, that's good idea. I haven't tried it while testing grc.com

Now, I noticed something strange when I wanted to test it. eth0 disappeared somewhere

$ ifconfig
eth1      Link encap:Ethernet  HWaddr 00:0e:35:b0:a7:88  
          inet6 addr: fe80::20e:35ff:feb0:a788/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:5 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:84 (84.0 B)
          Interrupt:10 Base address:0xa000 Memory:d0208000-d0208fff 

eth1_rename Link encap:Ethernet  HWaddr 00:c0:9f:71:09:ff  
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2c0:9fff:fe71:9ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:274010 errors:0 dropped:0 overruns:0 frame:0
          TX packets:235159 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:339256057 (339.2 MB)  TX bytes:26114601 (26.1 MB)
          Interrupt:6 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1127 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1127 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:135613 (135.6 KB)  TX bytes:135613 (135.6 KB)


SOLUTION
Avatar of xRalf

ASKER

After restart I have eth0 again.

$ sudo tcpdump -ni eth0 dst port 80 and dst host 192.168.1.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:26:55.130577 IP 4.79.142.206.63435 > 192.168.1.100.80: Flags [S], seq 36523772, win 8192, options [mss 1460], length 0
13:26:55.312100 IP 4.79.142.206.63435 > 192.168.1.100.80: Flags [R.], seq 36523773, ack 1562643064, win 8192, length 0
13:26:58.510408 IP 4.79.142.206.63435 > 192.168.1.100.80: Flags [R.], seq 0, ack 1, win 8192, length 0
13:27:04.509878 IP 4.79.142.206.63435 > 192.168.1.100.80: Flags [R.], seq 0, ack 1, win 8192, length 0


Avatar of xRalf

ASKER

relevant lines from lshw
 *-network:0
                description: Ethernet interface
                product: BCM4401 100Base-T
                vendor: Broadcom Corporation
                physical id: 2
                bus info: pci@0000:02:02.0
                logical name: eth0
                version: 01
                serial: 00:c0:9f:71:09:ff
                size: 100MB/s
                capacity: 100MB/s
                width: 32 bits
                clock: 33MHz
                capabilities: pm bus_master cap_list rom ethernet physical mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
                configuration: autonegotiation=on broadcast=yes driver=b44 driverversion=2.0 duplex=full ip=192.168.1.100 latency=64 link=yes multicast=yes port=twisted pair speed=100MB/s
                resources: irq:6 memory:d0204000-d0205fff memory:84000000-84003fff(prefetchable)
           *-network:1
                description: Wireless interface
                product: PRO/Wireless 2200BG [Calexico2] Network Connection
                vendor: Intel Corporation
                physical id: 4
                bus info: pci@0000:02:04.0
                logical name: eth1
                version: 05
                serial: 00:0e:35:b0:a7:88
                width: 32 bits
                clock: 33MHz
                capabilities: pm bus_master cap_list ethernet physical wireless
                configuration: broadcast=yes driver=ipw2200 driverversion=1.2.2kmprq firmware=ABG:9.0.5.27 (Dec 12 2007) latency=64 link=no maxlatency=24 mingnt=3 multicast=yes wireless=unassociated
                resources: irq:10 memory:d0208000-d0208fff



ifconfig
eth0      Link encap:Ethernet  HWaddr 00:c0:9f:71:09:ff  
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2c0:9fff:fe71:9ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4426 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5040 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3521811 (3.5 MB)  TX bytes:1003724 (1.0 MB)
          Interrupt:6 

eth1      Link encap:Ethernet  HWaddr 00:0e:35:b0:a7:88  
          inet6 addr: fe80::20e:35ff:feb0:a788/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:5 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:84 (84.0 B)
          Interrupt:10 Base address:0xa000 Memory:d0208000-d0208fff 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:368 errors:0 dropped:0 overruns:0 frame:0
          TX packets:368 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:47315 (47.3 KB)  TX bytes:47315 (47.3 KB)



Seems to be correct, isn't it?
Avatar of xRalf

ASKER

btw. what means the shortcut NIC?
NIC = Network Interface Card
Avatar of xRalf

ASKER

And what good are comments this and this?
SOLUTION
Avatar of xRalf

ASKER

>>Can you get someone to connect to the OUTSIDE of your modem with a browser and get a screen shot of what they get WHILE you are running tcpdump?

I don't have that possibility now, maybe later. So, if I understand it correctly, he will connect to my router (with my name and password) and I will make a screenshot of tcpdump in the moment he is in my router?
SOLUTION
No he doesn't connect to the router itself but should access your Apache server.
So No NEED to tell someone your password...  The PUBLIC address of the router should be used.
If you don't know your public address use grc.com again, it will tell you what address it is going to use
the other person can never use 192.168.1.100 or any 192.168.1.xxx address.

If someone connects to your outside address on port 80 (http) (like grc did) it should end up on your server.

Avatar of xRalf

ASKER

>>Did you unplug / replug the cable a few times in quick succession, or remove/add an interface to a virtual machine you are running this in, if it is a VM ???

No, I didn't.

I can see public address of the router in the router. It begins with 77. But I can't open it in the browser.
The reason a rename of a device fails is that a name already exists somehow.
Well not a really big deal though.

That you cannot open your own site from the inside using its external address really needs some support in a modem from the nat & firewall rules there. So don't expect that to work from the inside on most modems.

Avatar of xRalf

ASKER

noci,

but that is the main problem. Nobody can access my public apache address.
That's written in this comment.
And why should nobody be able to access your public address?
anybody with a browser can enter the 77..... address you mentioned.
GRC.COM did!!!!
The 192.168.1.100 address is a private address, of which several million networks in the world do exist.. (BTW. NAT should die, IPv6 is desperately needed so NAT issues die out; port forwarding is only needed because of NAT).

What is needed is some proof of reachability & dissect where the problem is.
That's why I asked for the curl output... together with a tcpdump taken at the SAME time.
(Curl to get the real raw output received from the webserver, not the "pretty" mangled stuff a browser screendump shows).

There is a LOT that can go wrong, only if ALL stuff works together then you get a result.
So far it is failing or not at either a modem or a server or ISP or....

The request from grc IS reaching your server, but ALSO resets are seen (from whom are those resets???) GRC?, ISP? MODEM? there should be NO resets in a normal session.
GRC is hardly a regular service, as it only tests partial setup of a link.

A linux/unix tool that can mimic this is nmap.
Avatar of xRalf

ASKER

OK, no I understand.


1) I will run
   $ sudo tcpdump -ni eth0 dst port 80 and dst host 192.168.1.100
2) I will ask my friend to enter
curl -v http://YOUR.IP.ADD.RESS/

The problem may be that everybody is using Windows without curl.

btw. I know about theoretical networking (NAT, ipv6 etc.), but practical things are sometimes a problem for me.
Avatar of xRalf

ASKER

no = now
curl is also available for windows, it runs on a lot of various platforms.
Can you try to setup another computer as a webserver with the same IP as your Ubuntu server? Just for testing your routers NAT setup.

Regards, Tobias
Avatar of xRalf

ASKER

Finally I made an experiment from comment http://#35304585 with friend.
and this is the output of $ sudo tcpdump -ni eth0 dst port 80 and dst host 192.168.1.100

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:53:31.916591 IP friends_ip.49678 > 192.168.1.100.80: Flags [S], seq 3754209015, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:53:32.012195 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 233938444, win 17520, length 0
21:53:32.015786 IP friends_ip.49678 > 192.168.1.100.80: Flags [P.], seq 0:134, ack 1, win 17520, length 134
21:53:33.191703 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 2921, win 17520, length 0
21:53:33.312352 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 5841, win 17520, length 0
21:53:33.331079 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 8761, win 16060, length 0
21:53:33.332483 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 8761, win 17520, length 0
21:53:33.432381 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 11681, win 17520, length 0
21:53:33.461778 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 14601, win 17520, length 0
21:53:33.532495 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 16720, win 17520, length 0
21:53:33.564994 IP friends_ip.49678 > 192.168.1.100.80: Flags [F.], seq 134, ack 16725, win 17515, length 0
21:53:33.683536 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 16726, win 17515, length 0


I'm assuming you ran that on the web server itself, right?

If so, it looks like the packets are getting to the box, but we can't see the replies with that tcpdump line.  

Try running the same with the following tcpdump line:

sudo tcpdump -ni eth0 port 80 and host 192.168.1.100
So the queries DO reach your server, and there is "Normal" transfer (SackOK is the completion of the setup.)
There is a request , received with PUSH option.
followed by some response for which ACK's are received,
Finally there is a FIN packet.
134 bytes have been sent from curl -> web server
16725 bytes are sent from server -> curl.

So this is NOT a NAT issue. Next possibility your Apache server doesn't react correctly to the request.
Now the question is what did your friend receive....
Does the output of:
     curl -v http://YOUR.IP.ADD.RESS/
Contain the expected data?
Avatar of xRalf

ASKER

to mccracky: No, it was run by my friend (the only one who was able to install curl on Windows) about 100 km from me.
I don't have possibility to write him, he's busy.

to noci: It was quick. I started tcpdump (with params) and he started curl (with params). He said in a few seconds (It started and it finished). I said, OK, I've got the data, is friends_ip your IP? He said yes. So we said goodbye, he's busy at work (deadlines), so I don't want to lessen his time.
SOLUTION
Avatar of xRalf

ASKER

I haven't got a domain, only IP address.

Apache configuration is in comment http://#35226156 . If you need more config files I will paste them here.


SOLUTION
Avatar of xRalf

ASKER

These are the relevant lines from /var/log/apache2/access.log
friends_ip - - [18/Apr/2011:21:52:18 +0200] "GET / HTTP/1.1" 200 16719 "-" "curl/7.21.4 (i386-pc-win32) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5"
friends_ip - - [18/Apr/2011:21:53:32 +0200] "GET / HTTP/1.1" 200 16724 "-" "curl/7.21.4 (i386-pc-win32) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5"



>> that's just a problem in the routing engine in the modem
About half a year ago I had installed Windows XP with apache and it worked.
This works too. w.r.t. NAT as your friend got access.
According to the above logs the query was successful (200) and 2 enquiries have been done. The response size 16719 bytes first and 16724 later on.
So components work now (straight outside access works, apache delivers).


Maybe you can do some of the earlier testing (tcpdump on your server) while trying to access your apache from the inside network using the outside address. Let's see what comes from that. (Maybe look at your own PC using wireshark or tcpdump too)
Avatar of xRalf

ASKER

OK, I tried it.
$ sudo tcpdump -ni eth0 dst port 80 and dst host 192.168.1.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:18:37.605276 IP 192.168.1.100.55267 > 192.168.1.100.80: Flags [S], seq 2143458710, win 5840, options [mss 1460,sackOK,TS val 557543 ecr 0,nop,wscale 6], length 0
11:18:40.601220 IP 192.168.1.100.55267 > 192.168.1.100.80: Flags [S], seq 2143458710, win 5840, options [mss 1460,sackOK,TS val 558293 ecr 0,nop,wscale 6], length 0
11:18:46.601221 IP 192.168.1.100.55267 > 192.168.1.100.80: Flags [S], seq 2143458710, win 5840, options [mss 1460,sackOK,TS val 559793 ecr 0,nop,wscale 6], length 0



In /var/log/apache2/access.log there is nothing added from today.
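
The three capture patterns seen in this thread (a SYN followed by the client's reset, a full request ending in FIN, and the same SYN repeated from inside the LAN) can be told apart mechanically. The following is an added example, not code from any of the posts: a Python parser for `tcpdump -n` text output that classifies each client flow. The sample lines and addresses are constructed, and because the filter used above is `dst`-only, it assumes that only client-to-server packets are present.

```python
import re

# One line of `tcpdump -n` text output: time, "IP src > dst:", flags,
# optional seq, then "length N" at the end.
LINE_RE = re.compile(
    r"^\s*\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>\S+) > (?P<dst>[^:\s]+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"
    r".*?length (?P<length>\d+)"
)

# What each verdict suggests when only client->server packets were captured.
VERDICTS = {
    "syn-retransmit": "same SYN resent: client never sees a SYN-ACK "
                      "(reply path broken, e.g. no NAT loopback on the router)",
    "syn-only": "single SYN and nothing after it: capture too short or no reply",
    "reset-after-syn": "client reset without sending data: typical of a port probe",
    "complete": "request data sent and closed with FIN: path and server work",
    "data-no-close": "request data sent but no FIN captured",
    "handshake-only": "handshake progressed but no request data was sent",
}

def parse_capture(text):
    """Group parsed packets by flow ("src > dst"); non-packet lines are skipped."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pkt = {"flags": m["flags"], "seq": m["seq"], "length": int(m["length"])}
        flows.setdefault(f"{m['src']} > {m['dst']}", []).append(pkt)
    return flows

def classify(packets):
    """Return a verdict key for one flow's client-side packets."""
    syns = [p for p in packets if p["flags"] == "S"]
    progressed = any(p["flags"] != "S" for p in packets)
    has_rst = any("R" in p["flags"] for p in packets)
    has_fin = any("F" in p["flags"] for p in packets)
    has_data = any(p["length"] > 0 for p in packets)
    if syns and not progressed:
        same_seq = len({p["seq"] for p in syns}) == 1
        return "syn-retransmit" if len(syns) > 1 and same_seq else "syn-only"
    if has_rst and not has_data:
        return "reset-after-syn"
    if has_data:
        return "complete" if has_fin else "data-no-close"
    return "handshake-only"

def analyse(text):
    """Map every flow in a capture to its verdict key."""
    return {flow: classify(pkts) for flow, pkts in parse_capture(text).items()}

# Constructed sample capture (documentation addresses, made-up sequence numbers).
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:00:00.100000 IP 203.0.113.7.63435 > 192.168.1.100.80: Flags [S], seq 1000, win 8192, options [mss 1460], length 0
10:00:00.300000 IP 203.0.113.7.63435 > 192.168.1.100.80: Flags [R.], seq 1001, ack 5000, win 8192, length 0
10:01:00.000000 IP 198.51.100.9.49678 > 192.168.1.100.80: Flags [S], seq 2000, win 8192, options [mss 1460,nop,nop,sackOK], length 0
10:01:00.100000 IP 198.51.100.9.49678 > 192.168.1.100.80: Flags [.], ack 1, win 17520, length 0
10:01:00.110000 IP 198.51.100.9.49678 > 192.168.1.100.80: Flags [P.], seq 0:134, ack 1, win 17520, length 134
10:01:01.500000 IP 198.51.100.9.49678 > 192.168.1.100.80: Flags [F.], seq 134, ack 16725, win 17515, length 0
10:02:00.000000 IP 192.168.1.100.55267 > 192.168.1.100.80: Flags [S], seq 3000, win 5840, options [mss 1460,sackOK], length 0
10:02:03.000000 IP 192.168.1.100.55267 > 192.168.1.100.80: Flags [S], seq 3000, win 5840, options [mss 1460,sackOK], length 0
10:02:09.000000 IP 192.168.1.100.55267 > 192.168.1.100.80: Flags [S], seq 3000, win 5840, options [mss 1460,sackOK], length 0
"""

if __name__ == "__main__":
    for flow, verdict in analyse(SAMPLE).items():
        print(f"{flow}: {verdict} ({VERDICTS[verdict]})")
```

Capturing without the `dst` qualifiers also shows the server's replies, which removes the need to infer them from the client's side.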
SOLUTION
Avatar of xRalf

ASKER

Can I change the current setup to work it?
Only if you have different networks (say 192.168.1.0/24 and 192.168.2.0/24 with your internet router sitting in the middle)
If you can access your server from the 2nd network it can work.  
I know that there are modems/routers that have a DMZ interface or wireless access with different addresses; there it can work (a bit depending on how nat & internal traffic is handled).

But what is the problem with accessing it using the 192.168.1.100 address?

Using the public address doesn't really test your outside link as that is never touched when sending packets to your router from the inside.
Before hitting the interface it gets moved back in (like the lo network interface does).
If you want to test the external link you have to ping to a well known IP address outside of your network.
f.e. running this on your computer:
( ping -c1 google.com >/dev/null && echo OK ) || echo BAD

Will show OK or BAD depending on line state.

(You actually test two things here: DNS resolving does work & google responds to a ping, and there is little chance google doesn't respond to ping because of some outage.)
Avatar of xRalf

ASKER

>> But what is the problem with accessing it using the 192.168.1.100 address?

Because I want that visitors can visit my web server with their browsers. I'm creating web pages for some people
and I'd like to enable them possibility to watch for the result and browse through the web. I'd like to do it without use
of VNC, sending screenshots etc.
SOLUTION
Avatar of xRalf

ASKER

>> Visitors (like your friend) CAN reach your website using the public address.

You're right. They already can! That's great because it wasn't possible before I asked.
I guess that the problem was here too http://#35234072 .
And thank you for complete explanation here http://#35431574

Thank you everybody for help. In the end it was my stupid mistake, but this sequence of
comments can be helpful for troubleshooting.
agreed