Solved

port forwarding to 80 in Ubuntu

Posted on 2011-03-23
Last Modified: 2012-05-11
Hello,

Could you help me with the network settings and port forwarding in Ubuntu, so that my Apache web server sites would be accessible from outside (the Internet)?

cat /etc/network/interfaces
auto lo
iface lo inet loopback

cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 212.101.0.10
nameserver 194.203.32.237

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:c0:9f:71:09:ff  
          inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2c0:9fff:fe71:9ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11003 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13851 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5135995 (5.1 MB)  TX bytes:2884894 (2.8 MB)
          Interrupt:6

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1000 (1000.0 B)  TX bytes:1000 (1000.0 B)

The port 80 is forwarded in my router to 192.168.1.101

If you need any other output, I will provide it.

Thank you
Question by:xRalf

80 Comments
LVL 12

Expert Comment

by:mccracky
ID: 35202069
If the router is forwarding the port to your IP, it should work as long as apache is up and running.  
 
LVL 6

Author Comment

by:xRalf
ID: 35204845
In the browser
http://localhost/index.php
works perfectly

but
http://X.X.X.X/index.php
where X.X.X.X is my public IP address
does not work

Could I troubleshoot somehow (some Linux diagnostic tools) and find out where is the problem?
 
LVL 6

Author Comment

by:xRalf
ID: 35206044
Is there some way to troubleshoot this problem? In /etc/apache2/apache2.conf there is a line
ServerName localhost
Should I change it to my public IP?
 
LVL 12

Expert Comment

by:mccracky
ID: 35207479
If you are trying from the same machine, that is probably the problem. You need to try from a machine outside the network. Many routers won't redirect outgoing packets back through the port forwarding rules.
 
LVL 6

Author Comment

by:xRalf
ID: 35208841
I asked a friend to test it from outside and he gets "page not found"...
 
LVL 12

Expert Comment

by:mccracky
ID: 35209917
Is it a browser error or apache error that he gets?
 
LVL 6

Author Comment

by:xRalf
ID: 35213716
I asked another friend today and he said
"the page is loading very slowly and then it shows him
(the following is my rough translation) The application Internet Explorer can't display this webpage.
You can try the following possibilities:
 Diagnose connection problems
"
 
LVL 12

Expert Comment

by:mccracky
ID: 35216137
Does it work on the same network (going to the local LAN address of the box)?  Is there a local firewall active on the Ubuntu box?
 
LVL 6

Author Comment

by:xRalf
ID: 35216234
I have a laptop and a computer connected to the router with local IP addresses 192.168.1.100 and 192.168.1.101.

The web server is on http://192.168.1.100/index.php. This local address works on both computers.

The global address does not work anywhere.
 
LVL 6

Author Comment

by:xRalf
ID: 35216258
Which local firewall do you mean?

The ufw firewall is probably disabled.
$ sudo ufw status verbose
Status: inactive
 

Expert Comment

by:tomy123
ID: 35226015
Can you please give me the Apache configuration settings? I need to check the Apache server configuration. What is the document root that you are using?
 
LVL 6

Author Comment

by:xRalf
ID: 35226156
This is ports.conf

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

And in the attachment is /etc/apache/sites-available/default

(attachment: default)
 
LVL 12

Expert Comment

by:upanwar
ID: 35231054
Could you please show us output of :

netstat -natp | grep :80
 
LVL 6

Author Comment

by:xRalf
ID: 35231110
Do you need the whole output? There is only one line with LISTEN. It looks like something is wrong.

$ netstat -natp | grep :80
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -              
 
LVL 6

Author Comment

by:xRalf
ID: 35231124
$ sudo netstat -natp | grep :80 | grep LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1740/apache2    
 
LVL 12

Assisted Solution

by:upanwar
upanwar earned 39 total points
ID: 35231259
This output says that your Apache server is listening on every interface, so I don't see any issue on the system side.

Could you ask one of your friends to run the command below on his system?

telnet <Your Ubuntu Box's Public IP> 80

Please confirm what he gets.
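The check upanwar describes, as an added example that is not part of the thread: a Python script that parses `netstat -natp` output and reports whether the listener on a given port is bound to all interfaces (0.0.0.0, as on the box above) or only to loopback, which is the other common reason a LAN or forwarded connection is refused while http://localhost/ keeps working. The sample output is constructed; only the apache2 line is the one posted in the thread, and the mysqld/sshd lines and `check_port` are this example's own.

```python
import re
from ipaddress import ip_address

# Constructed sample in the format of `netstat -natp` on the thread's box.
# The apache2 line is the one posted in the thread; the other lines are
# added here to show what a loopback-only and an IPv6 listener look like.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1740/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1502/mysqld
tcp        0      0 192.168.1.100:80        192.168.1.101:51234     ESTABLISHED 1740/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      900/sshd
"""

# proto, recv-q, send-q, local addr:port, foreign addr, state, pid/program
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?P<state>\S+)\s+(?P<prog>\S+)\s*$"
)


def parse_listeners(netstat_text):
    """Return one dict per LISTEN line: protocol, bind address, port, program."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "LISTEN":
            continue
        listeners.append({
            "proto": m.group("proto"),
            "addr": m.group("addr"),
            "port": int(m.group("port")),
            "prog": m.group("prog"),   # "-" when netstat was run without root
        })
    return listeners


def listener_scope(addr):
    """Describe who can reach a socket bound to `addr`."""
    if addr in ("0.0.0.0", "::"):
        return "all interfaces"
    if ip_address(addr).is_loopback:          # 127.0.0.1 or ::1
        return "loopback only"
    return "single address " + addr


def check_port(netstat_text, port):
    """Decide whether a client on the LAN (or arriving through the router's
    port forward) can reach `port` on this host. Returns (ok, explanation)."""
    hits = [l for l in parse_listeners(netstat_text) if l["port"] == port]
    if not hits:
        return False, "nothing is listening on port %d" % port
    scopes = [listener_scope(l["addr"]) for l in hits]
    if all(s == "loopback only" for s in scopes):
        return False, ("port %d is bound to loopback only (%s); remote clients "
                       "cannot reach it" % (port, hits[0]["prog"]))
    return True, "port %d listens on %s (%s)" % (port, ", ".join(scopes), hits[0]["prog"])


if __name__ == "__main__":
    for p in (80, 3306, 443):
        ok, why = check_port(SAMPLE_NETSTAT, p)
        print("%s: %s" % ("OK " if ok else "BAD", why))
```

The same idea applies to `ss -ltnp` output with a different column layout; what matters is the bind address column, not the program name. A `Listen 127.0.0.1:80` in ports.conf would show up here as "loopback only" and would produce exactly the "unable to connect" telnet result the friend reported.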
 
LVL 12

Expert Comment

by:mccracky
ID: 35232641
Have you checked whether you can access the site from your own local LAN?
 
LVL 6

Author Comment

by:xRalf
ID: 35233204
>> telnet <Your Ubuntu Box's Public IP> 80

He gets (my translation to English):
Connecting to <my_public_ip> ... Unable to connect to host computer on port 80... The connection failed.

>> Have you checked whether you can access the site from your own local LAN?

Yes. I wrote it in comment #35216234
 
LVL 12

Accepted Solution

by:mccracky
mccracky earned 39 total points
ID: 35234072
Unless this is a typographic mistake your problem is here:

"The port 80 is forwarded in my router to 192.168.1.101"

and

"The web server is on http://192.168.1.100/index.php."

The router is forwarding the port to the wrong computer.
 
LVL 12

Expert Comment

by:upanwar
ID: 35234265
You can use this tool from your desktop as well. Please check whether your IP is reachable or not.

http://network-tools.com/
 
LVL 6

Author Comment

by:xRalf
ID: 35234481
mccracky was right. I made a stupid typographic mistake. The port should be forwarded to 192.168.1.100.

But it doesn't work even after the commands
sudo /etc/init.d/networking restart
sudo /etc/init.d/apache2 restart

To upanwar: I tried ping and it pings me without problems.
 
LVL 12

Expert Comment

by:mccracky
ID: 35235226
Does your ISP filter incoming port 80 on "home" accounts?  Does your router allow port redirection (incoming port 1234 -> 192.168.1.100:80) ?  If so I would try that.
 
LVL 6

Author Comment

by:xRalf
ID: 35235299
> Does your ISP filter incoming port 80 on "home" accounts?

I think it doesn't, because I had Apache on Windows and it worked.

> Does your router allow port redirection?

No.
 
LVL 21

Assisted Solution

by:wyliecoyoteuk
wyliecoyoteuk earned 39 total points
ID: 35265203
Are you sure that port 80 is open?
Try a port scan from Shields UP!

https://www.grc.com/x/ne.dll?bh0bkyd2
This site will test your ports to see if they are open.
 
LVL 39

Expert Comment

by:noci
ID: 35265729
Did you setup the routing to the internet correctly?
(netstat -rn )
 
 
LVL 6

Author Comment

by:xRalf
ID: 35274747
To wyliecoyoteuk:

Is it secure?
"
Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

Are you sure you want to continue sending this information?
"

netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0

I haven't set up routing; I left it at the default. Should I set it up in some way?
 
LVL 39

Assisted Solution

by:noci
noci earned 307 total points
ID: 35275645
Recapitulating:

 192.168.1.254 is the address of your modem.
 192.168.1.100 is the address of your server and it is connected in the same LAN as the modem
[Switch/Hub/Direct...].
On the modem there is a port-forward for port 80 to the address 192.168.1.100 port 80.

@Windows + Apache:
The system is reachable for local & remote resources (forwarding works, firewall accepts packets).
@Ubuntu + Apache:
Any system in 192.168.1.0/24 and on localhost (@server) can access the apache server
(so there are no problems in reaching the apache server from local resources).
a) From the inside using your own public address (x.x.x.x) doesn't work
b) From outside the network a friend cannot access (x.x.x.x).
c) Ping to x.x.x.x works. (from networktools.com)
d) You get a security message when using Shields UP

a: This heavily depends on the modem involved; I would expect to see this fail in the majority of cases. Most modems can't handle U-turns.
c: So your modem is alive, as the ping packets don't get NATted.
d: To start, grc.com asks for some info using a form. Your browser issues this message to ask if uploading the form is safe... If you read the page it will tell you why. Through the proceed button you give grc.com permission to portscan your IP address.
In this case the warning is premature, but how would IE know (it's the default policy of IE).
b: OK, the issue at hand...

Assuming that d) doesn't show a major malfunction... (if you can try portscanning using it through your original Windows/Apache setup that would be nice...).
That leaves a few possibilities:
1) iptables settings prevent access from anything outside the local net
2) apache config doing the same.
1: Can you show:
iptables -t filter -L -nv
iptables -t nat -L -nv
iptables -t mangle -L -nv
2: can you verify the apache config?
It should allow access from anyone.
 
LVL 6

Author Comment

by:xRalf
ID: 35275825
Thank you for the long analysis of the problem.

I have only Xubuntu on my laptop now. I had Windows 7 months ago. I'm using Firefox, not IE.

>> Through the proceed button you give grc.com permission to portscan your ip address.

How many people use this service to scan their ports? And what should I click to achieve this?

$ sudo iptables -t filter -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        


$ sudo iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

$ sudo iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination      

2: Apache config is in comment #35226156
 
LVL 39

Expert Comment

by:noci
ID: 35276105
OK, no firewall on Ubuntu.
And Apache does look fine to me too.

What does grc.com report? (Firefox has more or less the same safety instructions as IE.)

Can you run:
 tcpdump -ni eth0 port 80
on your server while doing tests with external access? (grc.com and your friend doing access).
BTW grc.com will also show your external IP address as part of the test; check if that matches your expectations.
It does really look like the modem doesn't deliver data to the system, but this will verify it.
 
LVL 6

Author Comment

by:xRalf
ID: 35276185
tcpdump -ni eth0 port 80

The output is "infinite", impossible to copy-paste here.

When I click proceed in grc.com I can see the output

"Greetings!

Without your knowledge or explicit permission, the Windows networking technology which connects your computer to the Internet may be offering some or all of your computer's data to the entire world at this very moment!"

 
LVL 39

Assisted Solution

by:noci
noci earned 307 total points
ID: 35280366
That means there is a lot of traffic on port 80?
Maybe the tcpdump should be limited to incoming traffic only:

   tcpdump -ni eth0 dst port 80 and dst host 192.168.1.100

You can verify it's working if you see connection attempts (SYN packets, marked with a single S (F=Final, P=Push, .=regular)).
Also from localhost or from other systems in the 192.168.1.0/24 network.
[BTW the tcpdump command does need to run on the Apache server].

grc.com is a site that first issues BIG BIG WARNING signs....
It's not as bad as it sounds at first. (or maybe it is... )
My systems fail big at its tests... but I do run a web/mail/shell service on my own infrastructure.. so...
After proceed you need to choose a test (grey selection menu / box at the bottom) and test either for specific port 80 (faster)
or do a scan for commonly used ports or a full scan until port 1056.
 
LVL 6

Author Comment

by:xRalf
ID: 35282696
$ sudo tcpdump -ni eth0 dst port 80 and dst host 192.168.1.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

It seems that nothing is happening.


grc.com says that my port 80 is OPEN.
 
LVL 21

Expert Comment

by:wyliecoyoteuk
ID: 35284252
Grc.com is a well respected site; it is used by many people to test their security.
The warnings are there to advise.
But it is the best security check that you can make easily.
 
LVL 6

Author Comment

by:xRalf
ID: 35284427
I have no idea what could be wrong; port 80 is open.

I noticed that in my Apache configuration I have
/var/www and /var/www/ (only a little inconsistency), is this OK?
 
LVL 18

Expert Comment

by:TobiasHolm
ID: 35292187
Hi!

I think your problem is in your router. Or recheck your config in the router? Can you switch to another one?

Regards, Tobias
 
LVL 6

Author Comment

by:xRalf
ID: 35292264
I have only one router. But note this comment.
 
LVL 18

Assisted Solution

by:TobiasHolm
TobiasHolm earned 76 total points
ID: 35292535
Do you have a web-GUI in your router? Can you take a screenshot and show it here with the port forwarding? In some routers you can configure both "port forwarding" and "virtual servers" and if this is the case I'd suggest you'd use "virtual servers" instead in your router.

Regards, Tobias
 
LVL 6

Author Comment

by:xRalf
ID: 35292702
OK, I'm sending the screenshot.

I have to say that I have a problem with the aMule connection too.
(attachment: port-forwarding.png)
 
LVL 18

Expert Comment

by:TobiasHolm
ID: 35292984
ok. The port forwarding looks alright. What router model do you have? I don't recognise that GUI.

Have you configured any items under "Port Filtering", "IP Filtering", "MAC Filtering" or "DMZ" that might block the access from internet to your LAN?

Another way to test if it's the router that's blocking is to turn off your Ubuntu server and then to put another computer with web services on the same IP (192.168.1.100) and see if it works. You mentioned you had a Windows web server? Maybe you can test with that?

Regards, Tobias
 
LVL 6

Author Comment

by:xRalf
ID: 35293088
> What router model do you have?

I have only this manual. I can't recognize what router it is.

> Have you configured any items under "Port Filtering", "IP Filtering", "MAC Filtering" or "DMZ" that might block the access from internet to your LAN?

No, I haven't.

>> Windows

I don't have Windows anymore.
 
LVL 39

Expert Comment

by:noci
ID: 35293846
tcpdump not showing lines means data isn't arriving on your PC.
Did you run the tcpdump WHILE testing with grc.com?

As the port is reported open by grc.com, the data does go somewhere...

 
LVL 6

Author Comment

by:xRalf
ID: 35293908
OK, that's a good idea. I haven't tried it while testing with grc.com.

Now, I noticed something strange when I wanted to test it. eth0 disappeared somewhere.

$ ifconfig
eth1      Link encap:Ethernet  HWaddr 00:0e:35:b0:a7:88  
          inet6 addr: fe80::20e:35ff:feb0:a788/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:5 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:84 (84.0 B)
          Interrupt:10 Base address:0xa000 Memory:d0208000-d0208fff 

eth1_rename Link encap:Ethernet  HWaddr 00:c0:9f:71:09:ff  
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2c0:9fff:fe71:9ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:274010 errors:0 dropped:0 overruns:0 frame:0
          TX packets:235159 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:339256057 (339.2 MB)  TX bytes:26114601 (26.1 MB)
          Interrupt:6 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1127 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1127 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:135613 (135.6 KB)  TX bytes:135613 (135.6 KB)

 
LVL 18

Assisted Solution

by:TobiasHolm
TobiasHolm earned 76 total points
ID: 35294705
>eth1_rename

Might be a bug. Try a reboot of your computer.
Ref: http://ubuntuforums.org/showthread.php?p=9357231

>I have laptop and computer connected with router with local IP addresses 192.168.1.100 and 192.168.1.101.

Do you have two NICs in the laptop? One wired and one wireless? Run "sudo lshw" and check the "logical name" of the wired NIC. Then make sure you have port-forwarded to the right IP in your router.

Regards, Tobias
 
LVL 6

Author Comment

by:xRalf
ID: 35294901
After restart I have eth0 again.

$ sudo tcpdump -ni eth0 dst port 80 and dst host 192.168.1.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:26:55.130577 IP 4.79.142.206.63435 > 192.168.1.100.80: Flags [S], seq 36523772, win 8192, options [mss 1460], length 0
13:26:55.312100 IP 4.79.142.206.63435 > 192.168.1.100.80: Flags [R.], seq 36523773, ack 1562643064, win 8192, length 0
13:26:58.510408 IP 4.79.142.206.63435 > 192.168.1.100.80: Flags [R.], seq 0, ack 1, win 8192, length 0
13:27:04.509878 IP 4.79.142.206.63435 > 192.168.1.100.80: Flags [R.], seq 0, ack 1, win 8192, length 0

 
LVL 6

Author Comment

by:xRalf
ID: 35295008
relevant lines from lshw
 *-network:0
                description: Ethernet interface
                product: BCM4401 100Base-T
                vendor: Broadcom Corporation
                physical id: 2
                bus info: pci@0000:02:02.0
                logical name: eth0
                version: 01
                serial: 00:c0:9f:71:09:ff
                size: 100MB/s
                capacity: 100MB/s
                width: 32 bits
                clock: 33MHz
                capabilities: pm bus_master cap_list rom ethernet physical mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
                configuration: autonegotiation=on broadcast=yes driver=b44 driverversion=2.0 duplex=full ip=192.168.1.100 latency=64 link=yes multicast=yes port=twisted pair speed=100MB/s
                resources: irq:6 memory:d0204000-d0205fff memory:84000000-84003fff(prefetchable)
           *-network:1
                description: Wireless interface
                product: PRO/Wireless 2200BG [Calexico2] Network Connection
                vendor: Intel Corporation
                physical id: 4
                bus info: pci@0000:02:04.0
                logical name: eth1
                version: 05
                serial: 00:0e:35:b0:a7:88
                width: 32 bits
                clock: 33MHz
                capabilities: pm bus_master cap_list ethernet physical wireless
                configuration: broadcast=yes driver=ipw2200 driverversion=1.2.2kmprq firmware=ABG:9.0.5.27 (Dec 12 2007) latency=64 link=no maxlatency=24 mingnt=3 multicast=yes wireless=unassociated
                resources: irq:10 memory:d0208000-d0208fff

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:c0:9f:71:09:ff  
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2c0:9fff:fe71:9ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4426 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5040 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3521811 (3.5 MB)  TX bytes:1003724 (1.0 MB)
          Interrupt:6 

eth1      Link encap:Ethernet  HWaddr 00:0e:35:b0:a7:88  
          inet6 addr: fe80::20e:35ff:feb0:a788/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:5 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:84 (84.0 B)
          Interrupt:10 Base address:0xa000 Memory:d0208000-d0208fff 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:368 errors:0 dropped:0 overruns:0 frame:0
          TX packets:368 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:47315 (47.3 KB)  TX bytes:47315 (47.3 KB)

Seems to be correct, isn't it?
 
LVL 6

Author Comment

by:xRalf
ID: 35295015
BTW, what does the abbreviation NIC mean?
 
LVL 18

Expert Comment

by:TobiasHolm
ID: 35295661
NIC = Network Interface Card
 
LVL 6

Author Comment

by:xRalf
ID: 35295771
And what good are comments this and this?
 
LVL 39

Assisted Solution

by:noci
noci earned 307 total points
ID: 35296221
As tcpdump shows packets from grc.com
 4.79.142.206   the forwarding does work w.r.t. the modem...
The strange thing is the reset afterwards .... [R] frames. That should have been SA (Syn Ack) & Ack afterwards.

Now the next test:
Can you get someone to connect to the OUTSIDE of your modem with a browser and get a screenshot of what they get WHILE
you are running tcpdump? If that output also has RESET then the source of those resets needs to be determined.
If there are no resets then output should be shown.

curl -v http://YOUR.IP.ADD.RESS/    output is preferred.
(curl is a commandline request tool http://curl.haxx.se )

Curl doesn't interpret & translate error codes and/or output as a browser does (to hide UGLY error messages from the user...).
 
LVL 6

Author Comment

by:xRalf
ID: 35296784
>>Can you get someone to connect to the OUTSIDE of your modem with a browser and get a screenshot of what they get WHILE you are running tcpdump?

I don't have that possibility now, maybe later. So, if I understand it correctly, he will connect to my router (with my name and password) and I will make a screenshot of tcpdump at the moment he is in my router?
 
LVL 39

Assisted Solution

by:noci
noci earned 307 total points
ID: 35296846
BTW.

The name of an interface doesn't matter a lot while auto-configure is used.
(like in the setup of interfaces...)

It DOES matter if you want to name an interface in commands.
tcpdump would have worked if eth1_rename had been used. (which is a strange name which seems to imply a udev rename command failed)

(Did you unplug / replug the cable a few times in quick succession, or remove/add an interface to a virtual machine you are running this in, if it is a VM ???)
 
LVL 39

Expert Comment

by:noci
ID: 35296908
No, he doesn't connect to the router itself but should access your Apache server.
So NO NEED to tell someone your password... The PUBLIC address of the router should be used.
If you don't know your public address use grc.com again; it will tell you what address it is going to use.
The other person can never use 192.168.1.100 or any 192.168.1.xxx address.

If someone connects to your outside address on port 80 (http) (like grc did) it should end up on your server.

 
LVL 6

Author Comment

by:xRalf
ID: 35298663
>>Did you unplug / replug the cable a few times in quick succession, or remove/add an interface to a virtual machine you are running this in, if it is a VM ???

No, I didn't.

I can see the public address of the router in the router. It begins with 77. But I can't open it in the browser.
 
LVL 39

Expert Comment

by:noci
ID: 35299396
The reason a rename of a device fails is that the name already exists somehow.
Well, not a really big deal though.

That you cannot open your own site from the inside using its external address really needs some support in a modem from the NAT & firewall rules there. So don't expect that to work from the inside on most modems.

 
LVL 6

Author Comment

by:xRalf
ID: 35300478
noci,

but that is the main problem. Nobody can access my public Apache address.
That's written in this comment.
 
LVL 39

Expert Comment

by:noci
ID: 35301889
And why should nobody be able to access your public address?
Anybody with a browser can enter the 77..... address you mentioned.
GRC.COM did!!!!
The 192.168.1.100 address is a private address, of which several million networks in the world do exist.. (BTW. NAT should die, IPv6 is desperately needed so NAT issues die out; port forwarding is only needed because of NAT).

What is needed is some proof of reachability & to dissect where the problem is.
That's why I asked for the curl output... together with a tcpdump taken at the SAME time.
(Curl to get the real raw output received from the webserver, not the "pretty" mangled stuff a browser screendump shows).

There is a LOT that can go wrong; only if ALL stuff works together do you get a result.
So far it is failing or not at either a modem or a server or ISP or....

The request from grc IS reaching your server, but ALSO resets are seen (from whom are those resets??? GRC? ISP? MODEM?); there should be NO resets in a normal session.
GRC is hardly a regular service, as it only tests partial setup of a link.

A linux/unix tool that can mimic this is nmap.
 
LVL 6

Author Comment

by:xRalf
ID: 35304585
OK, now I understand.


1) I will run
   $ sudo tcpdump -ni eth0 dst port 80 and dst host 192.168.1.100
2) I will ask my friend to enter
curl -v http://YOUR.IP.ADD.RESS/

The problem may be that everybody is using Windows without curl.

BTW, I know about theoretical networking (NAT, IPv6 etc.), but practical things are sometimes a problem for me.
 
 
LVL 39

Expert Comment

by:noci
ID: 35304758
curl is also available for windows, it runs on a lot of various platforms.
 
LVL 18

Expert Comment

by:TobiasHolm
ID: 35323269
Can you try to set up another computer as a web server with the same IP as your Ubuntu server? Just for testing your router's NAT setup.

Regards, Tobias
 
LVL 6

Author Comment

by:xRalf
ID: 35419144
Finally I did the experiment from comment #35304585 with a friend,
and this is the output of $ sudo tcpdump -ni eth0 dst port 80 and dst host 192.168.1.100

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:53:31.916591 IP friends_ip.49678 > 192.168.1.100.80: Flags [S], seq 3754209015, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:53:32.012195 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 233938444, win 17520, length 0
21:53:32.015786 IP friends_ip.49678 > 192.168.1.100.80: Flags [P.], seq 0:134, ack 1, win 17520, length 134
21:53:33.191703 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 2921, win 17520, length 0
21:53:33.312352 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 5841, win 17520, length 0
21:53:33.331079 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 8761, win 16060, length 0
21:53:33.332483 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 8761, win 17520, length 0
21:53:33.432381 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 11681, win 17520, length 0
21:53:33.461778 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 14601, win 17520, length 0
21:53:33.532495 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 16720, win 17520, length 0
21:53:33.564994 IP friends_ip.49678 > 192.168.1.100.80: Flags [F.], seq 134, ack 16725, win 17515, length 0
21:53:33.683536 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 16726, win 17515, length 0

 
LVL 12

Expert Comment

by:mccracky
ID: 35420356
I'm assuming you ran that on the web server itself, right?

If so, it looks like the packets are getting to the box, but we can't see the replies with that tcpdump line.  

Try running the same with the following tcpdump line:

sudo tcpdump -ni eth0 port 80 and host 192.168.1.100
 
LVL 39

Expert Comment

by:noci
ID: 35420392
So the queries DO reach your server, and there is "normal" transfer (SackOK is the completion of the setup.)
There is a request, received with PUSH option,
followed by some response for which ACKs are received.
Finally there is a FIN packet.
134 bytes have been sent from curl -> web server
16725 bytes are sent from server -> curl.

So this is NOT a NAT issue. Next possibility: your Apache server doesn't react correctly to the request.
Now the question is what did your friend receive....
Does the output of:
     curl -v http://YOUR.IP.ADD.RESS/
contain the expected data?
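As an added example (not code from the thread), a Python script that applies noci's reading of the two captures mechanically: it parses tcpdump's one-line TCP summaries, groups them per client flow and, using only the inbound direction that the `dst port 80 and dst host` filter leaves, distinguishes a scanner probe (SYN answered, then RST), a completed HTTP exchange (ACK, PSH data, FIN) and a SYN that nothing ever answered. The grc.com and friends_ip lines are the ones posted above; the 203.0.113.9 lines are constructed here to show the unanswered case, and the flow verdicts are this example's own wording.

```python
import re
from collections import OrderedDict

# Sample capture: the grc.com probe and the friend's curl request as posted in
# the thread, plus two constructed lines (203.0.113.9) showing a SYN that is
# retransmitted because nothing ever answered it.
SAMPLE_TRACE = """\
13:26:55.130577 IP 4.79.142.206.63435 > 192.168.1.100.80: Flags [S], seq 36523772, win 8192, options [mss 1460], length 0
13:26:55.312100 IP 4.79.142.206.63435 > 192.168.1.100.80: Flags [R.], seq 36523773, ack 1562643064, win 8192, length 0
13:26:58.510408 IP 4.79.142.206.63435 > 192.168.1.100.80: Flags [R.], seq 0, ack 1, win 8192, length 0
13:27:04.509878 IP 4.79.142.206.63435 > 192.168.1.100.80: Flags [R.], seq 0, ack 1, win 8192, length 0
21:53:31.916591 IP friends_ip.49678 > 192.168.1.100.80: Flags [S], seq 3754209015, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:53:32.012195 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 233938444, win 17520, length 0
21:53:32.015786 IP friends_ip.49678 > 192.168.1.100.80: Flags [P.], seq 0:134, ack 1, win 17520, length 134
21:53:33.191703 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 2921, win 17520, length 0
21:53:33.312352 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 5841, win 17520, length 0
21:53:33.331079 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 8761, win 16060, length 0
21:53:33.332483 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 8761, win 17520, length 0
21:53:33.432381 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 11681, win 17520, length 0
21:53:33.461778 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 14601, win 17520, length 0
21:53:33.532495 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 16720, win 17520, length 0
21:53:33.564994 IP friends_ip.49678 > 192.168.1.100.80: Flags [F.], seq 134, ack 16725, win 17515, length 0
21:53:33.683536 IP friends_ip.49678 > 192.168.1.100.80: Flags [.], ack 16726, win 17515, length 0
22:10:00.000000 IP 203.0.113.9.40001 > 192.168.1.100.80: Flags [S], seq 1000, win 8192, options [mss 1460], length 0
22:10:03.000000 IP 203.0.113.9.40001 > 192.168.1.100.80: Flags [S], seq 1000, win 8192, options [mss 1460], length 0
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], <rest>"
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back (\d+)")      # \b keeps "sackOK" from matching
LEN_RE = re.compile(r"\blength (\d+)")


def parse_packets(text):
    """Turn tcpdump's one-line TCP summaries into dicts; skip anything else."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        ack = ACK_RE.search(m.group("rest"))
        length = LEN_RE.search(m.group("rest"))
        pkts.append({
            "flow": (m.group("src"), int(m.group("sport")),
                     m.group("dst"), int(m.group("dport"))),
            "flags": m.group("flags"),
            "ack": int(ack.group(1)) if ack else None,
            "length": int(length.group(1)) if length else 0,
        })
    return pkts


def classify_flow(pkts):
    """Judge one client->server flow from the client's packets alone."""
    syn = any(p["flags"] == "S" for p in pkts)
    with_ack = [p for p in pkts if p["ack"] is not None]
    reset = any("R" in p["flags"] for p in pkts)
    fin = any("F" in p["flags"] for p in pkts)
    client_bytes = sum(p["length"] for p in pkts)
    # With only one direction captured, tcpdump prints the first ack absolutely
    # (it never saw the server's initial sequence number) and later acks relative
    # to it; the final ack also covers the server's FIN, so this can overcount by one.
    rel_acks = [p["ack"] for p in with_ack[1:]]
    server_bytes = max(rel_acks) - 1 if rel_acks else 0
    if not syn:
        verdict = "no SYN seen: not a new connection"
    elif not with_ack:
        verdict = ("SYN only: the client never acknowledged a SYN-ACK, so either the "
                   "server did not answer or its reply never got back to the client")
    elif reset and client_bytes == 0:
        verdict = ("SYN-ACK reached the client, which reset without sending data: "
                   "a port-scanner probe, and the port is open")
    elif fin:
        verdict = ("complete exchange: %d bytes from client, %d bytes of server data "
                   "acknowledged, graceful close" % (client_bytes, server_bytes))
    else:
        verdict = "data exchanged but no close seen (capture ended or connection still open)"
    return {"packets": len(pkts), "client_bytes": client_bytes,
            "server_bytes": server_bytes, "verdict": verdict}


def analyze(text):
    """Group packets per (src, sport, dst, dport) flow and classify each."""
    flows = OrderedDict()
    for p in parse_packets(text):
        flows.setdefault(p["flow"], []).append(p)
    return OrderedDict((k, classify_flow(v)) for k, v in flows.items())


if __name__ == "__main__":
    for (src, sport, dst, dport), r in analyze(SAMPLE_TRACE).items():
        print("%s:%d -> %s:%d  %s" % (src, sport, dst, dport, r["verdict"]))
```

A "SYN only" verdict says nothing about where the reply died; as mccracky noted, the filter has to be widened to `port 80 and host 192.168.1.100` to see whether the server sent its SYN-ACK at all, and only then can a local firewall be told apart from a return-path problem in the router.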
 
LVL 6

Author Comment

by:xRalf
ID: 35421885
to mccracky: No, it was run by my friend (the only one who was able to install curl on Windows) about 100 km from me.
I don't have the possibility to write to him, he's busy.

to noci: It was quick. I started tcpdump (with params) and he started curl (with params). He said in a few seconds (it started and it finished). I said, OK, I've got the data, is friends_ip your IP? He said yes. So we said goodbye; he's busy at work (deadlines), so I don't want to take up his time.
0
 
LVL 39

Assisted Solution

by:noci
noci earned 307 total points
ID: 35422166
Ok no problem.
External systems CAN (& do ) reach your server ==> not a NAT problem ...

Now how do you expect that your system is addressed w.r.t. naming...

f.e. if you reach your site using http://mysite.net/
then the mysite.net needs to resolve to your External Ip address for the whole world and mysite.net needs to resolve to your internal IP address for your local site.

For configuration of hosts within apache you need to use the Internal address (or just 0.0.0.0 ) to listen on.
Most probably your friend(s) can also reach your site using a browser if not the error message is needed.
(if possible let your friend mail the curl output to you, you can edit unwanted info (like real names, real ip addresses) and check if you see error messages.
If not we have to assume he will see the same as we do...(big assumption!!!!)
0
 
LVL 6

Author Comment

by:xRalf
ID: 35422197
I haven't got a domain, only IP address.

Apache configuration is in comment http://#35226156 . If you need more config files I will paste them here.


0
 
LVL 39

Assisted Solution

by:noci
noci earned 307 total points
ID: 35428032
Ok,
You should be able to see in the /var/log/apache2/access.log (or error.log)
what the result of the query by your friend was.

My guess is that it just works but you cannot test with your outside address, that's just a problem in the routing engine in the modem, but it should not matter for other peoples connections.

BTW, there is NO difference between a call from outside or inside because any outside call will get translated to the inside address.
0
 
LVL 6

Author Comment

by:xRalf
ID: 35431359
These are the relevant lines from /var/log/apache2/access.log
friends_ip - - [18/Apr/2011:21:52:18 +0200] "GET / HTTP/1.1" 200 16719 "-" "curl/7.21.4 (i386-pc-win32) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5"
friends_ip - - [18/Apr/2011:21:53:32 +0200] "GET / HTTP/1.1" 200 16724 "-" "curl/7.21.4 (i386-pc-win32) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5"



>> that's just a problem in the routing engine in the modem
About half a year ago I had installed Windows XP with apache and it worked.
0
 
LVL 39

Expert Comment

by:noci
ID: 35431446
This works too. w.r.t. NAT as your friend got access.
According to the above logs the query was successful (200) and 2 enquiries have been done. The response size 16719 bytes first and 16724 later on.
So components work now (straight outside access works, apache delivers).


Maybe you can do some of the earlier testing (tcpdump on your server) while trying to access your apache from the inside network using the outside address. Lets see what comes from that. (Maybe look at your own PC using wireshark or tcpdump too)
0
 
LVL 6

Author Comment

by:xRalf
ID: 35431498
OK, I tried it.
$ sudo tcpdump -ni eth0 dst port 80 and dst host 192.168.1.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:18:37.605276 IP 192.168.1.100.55267 > 192.168.1.100.80: Flags [S], seq 2143458710, win 5840, options [mss 1460,sackOK,TS val 557543 ecr 0,nop,wscale 6], length 0
11:18:40.601220 IP 192.168.1.100.55267 > 192.168.1.100.80: Flags [S], seq 2143458710, win 5840, options [mss 1460,sackOK,TS val 558293 ecr 0,nop,wscale 6], length 0
11:18:46.601221 IP 192.168.1.100.55267 > 192.168.1.100.80: Flags [S], seq 2143458710, win 5840, options [mss 1460,sackOK,TS val 559793 ecr 0,nop,wscale 6], length 0



In /var/log/apache2/access.log there is nothing added from today.
0
 
LVL 39

Assisted Solution

by:noci
noci earned 307 total points
ID: 35431574
ok...
This is what happens:

you open a link on 192.168.1.100 to http://yo.ur.ip.adr   which gets natted to 192.168.1.100:80 a tiny bit more detail

your browser opens this on say port Y after nat this is

So a link is created with:      192.168.1.100:Y -> yo.ur.ip.adr:80
This is natted to:                  192.168.1.100:55267 -> 192.168.1.100:80
The answer should be sent to:   192.168.1.100:80 -> 192.168.1.100:55267 (which is on the same computer, so it never reaches the modem to be natted back) to the yo.ur.ip.addr:80 -> 192.168.1.100:Y

It might have worked in the past if the access station (system with browser) was in a different network from 192.168.1.0/24 (say  a wireless segment with 192.168.2.0/24) and all access + nat went through the modem.

The browser link is waiting for an ack from yo.ur.ip.adr:80 therefore this link will NEVER start.  Unless the modem also does a source-nat to its inside address and that will be difficult to impossible to do.
Because the link never completes there are no log entries.

In short: it will never work in the current setup.
You can access the 192.168.1.100 locally from the browser.
0
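To tell the failing hairpin attempt above from a working external connection, here is an added Python example (not from the thread) that parses tcpdump's -n output and flags flows whose client side only ever retransmits its SYN; the sample lines are constructed to mirror the two captures in the thread, with 203.0.113.5 standing in for friends_ip.

```python
import re
from collections import defaultdict

# One tcpdump -n line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<f>], ..."
LINE_RE = re.compile(
    r"^\s*(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def flows_from_tcpdump(lines):
    """Group the client->server flag sequence of every flow by 4-tuple."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip tcpdump's banner lines
            flows[(m['src'], m['sport'], m['dst'], m['dport'])].append(m['flags'])
    return flows

def classify(flags):
    """Verdict for the client-side flags of one flow."""
    if flags and all(f == 'S' for f in flags):
        # The client keeps resending its SYN: it never saw a SYN-ACK, so the
        # handshake never completed and Apache never logged a request.
        return 'handshake never completed (%d SYN retransmits)' % (len(flags) - 1)
    if any('F' in f for f in flags):
        return 'completed and closed'
    return 'in progress'

def report(lines):
    return {key: classify(flags) for key, flags in flows_from_tcpdump(lines).items()}

# Constructed sample mirroring the two captures in the thread.
SAMPLE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:53:32.100000 IP 203.0.113.5.49678 > 192.168.1.100.80: Flags [S], seq 1, win 8192, length 0
21:53:32.200000 IP 203.0.113.5.49678 > 192.168.1.100.80: Flags [.], ack 1, win 17520, length 0
21:53:32.210000 IP 203.0.113.5.49678 > 192.168.1.100.80: Flags [P.], seq 1:134, ack 1, win 17520, length 133
21:53:33.564994 IP 203.0.113.5.49678 > 192.168.1.100.80: Flags [F.], seq 134, ack 16725, win 17515, length 0
11:18:37.605276 IP 192.168.1.100.55267 > 192.168.1.100.80: Flags [S], seq 2143458710, win 5840, length 0
11:18:40.601220 IP 192.168.1.100.55267 > 192.168.1.100.80: Flags [S], seq 2143458710, win 5840, length 0
11:18:46.601221 IP 192.168.1.100.55267 > 192.168.1.100.80: Flags [S], seq 2143458710, win 5840, length 0
""".splitlines()

if __name__ == '__main__':
    for key, verdict in report(SAMPLE).items():
        print('%s:%s -> %s:%s  %s' % (key + (verdict,)))
```

Feed it a capture taken with the `dst port 80` filter used above: server replies are not in such a capture, so the SYN retransmissions alone are the evidence that no SYN-ACK ever came back.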
 
LVL 6

Author Comment

by:xRalf
ID: 35431626
Can I change the current setup to work it?
0
 
LVL 39

Expert Comment

by:noci
ID: 35431687
Only if you have different networks (say 192.168.1.0/24 and 192.168.2.0/24 with your internet router sitting in the middle)
If you can access your server from the 2nd network it can work.  
I know that there are modems/routers that have a DMZ interface or wireless access with different addresses; there it can work (a bit depending on how nat & internal traffic is handled).

But what is the problem with accessing it using the 192.168.1.100 address?

Using the public address doesn't really test your outside link as that is never touched when sending packets to you router from the inside.
Before hitting  the interface it gets moved back in (like the lo network interface does).
If you want to test the external link you have to ping to a well known IP address outside of your network.
f.e. running this on your computer:
( ping -c1 google.com >/dev/null && echo OK ) || echo BAD

Will show OK or BAD depending on line state.

(You actually test two things here: DNS resolving does work & google responds to a ping, and there is little chance google doesn't respond to ping because of some outage.).
0
 
LVL 6

Author Comment

by:xRalf
ID: 35431851
>> But what is the problem with accessing it using the 192.168.1.100 address?

Because I want that visitors can visit my web server with their browsers. I'm creating web pages for some people
and I'd like to give them the possibility to watch the result and browse through the web. I'd like to do it without use
of VNC, sending screenshots etc.
0
 
LVL 39

Assisted Solution

by:noci
noci earned 307 total points
ID: 35431897
* Visitors (like your friend) CAN reach your website using the public address.
* You can reach your website using the internal address (192.168.1.100)

As long as all access is done through port 80 no problem.
If you need https as well then you also need to portforward port 443.
(and you need an SSL certificate and a domain name too then).
0
 
LVL 6

Author Comment

by:xRalf
ID: 35431971
>> Visitors (like your friend) CAN reach your website using the public address.

You're right. They already can! That's great because it wasn't possible before I asked.
I guess that the problem was here too http://#35234072 .
And thank you for complete explanation here http://#35431574

Thank you everybody for help. In the end it was my stupid mistake, but this sequence of
comments can be helpful for troubleshooting.
0
 
LVL 39

Expert Comment

by:noci
ID: 35431992
agreed
0
