Lan Cannot Connect To My Apache Web Server
rhonneil
post Nov 5 2003, 05:35 AM
Post #1



Hi Gurus out there, could you please help me with my problem. I am running a newly installed Apache 2.x. My problem is that every time my LAN clients want to access my Apache they are refused connections. But when I turn off my firewall, clients can freely access web pages.

I'm quite sure the problem is with my firewall rules. Could anyone please help me with what rule should allow my LAN to access my Apache server?

My other services like Squid proxy, FTP and others are running OK and my clients can freely access those services without any problem. Also, I use this machine as the gateway to my LAN.

My LAN IP range: 192.168.0.0/16

Here are my Apache configs:

eth1 192.168.0.1 -- Apache is running on port 80
eth0 203.x.x.1

Here are my firewall rules for Apache:

# ----------------------------------------------------------------------------
# LOOPBACK
# ----------------------------------------------------------------------------
#
# Unlimited traffic on the loopback interface.
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------

# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT


# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 80 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 80 -j ACCEPT

# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------------------------------------------------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 443 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 443 -j ACCEPT


As you can see, I have unlimited access to my APACHE Server for my LAN.

Any suggestions?

TIA,

rhonneil
Joey
post Nov 5 2003, 12:17 PM
Post #2





iptables -A INPUT -i eth1 -s 192.168.0.0/16 -d 192.168.0.1 -p tcp --dport 80 -j ACCEPT
rhonneil
post Nov 5 2003, 09:11 PM
Post #3





QUOTE (Joey @ Nov 5 2003, 12:17 PM)
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -d 192.168.0.1 -p tcp --dport 80 -j ACCEPT

I tried the rule you suggested; however, iptables -L gives the following result:

drop all -- alster-gwy02.provider.net anywhere
:
:
:
ACCEPT icmp -- alster-gwy02.provider.net anywhere icmp echo-request
ACCEPT icmp -- alster-gwy02.provider.net anywhere icmp fragmentation-needed
ACCEPT icmp -- alster-gwy02.provider.net anywhere icmp source-quench
ACCEPT icmp -- alster-gwy02.provider.net anywhere icmp parameter-problem

No problems arose from restarting the firewall, but I am still having the problem.

#telnet 192.168.0.1 80
telnet: connect to address 192.168.0.1: Connection refused

thanks,

rhonneil
hughesjr
post Nov 6 2003, 07:17 AM
Post #4





Are you sure that Apache is listening on port 80 at 192.168.0.1 and not on 203.x.x.1 (do netstat -an | grep 80 | grep LISTEN and look at the IP address in column 3 ... does it say 192.168.0.1:80)? Also, I am assuming that you are using the same server as the IP MASQUERADE server (with a PREROUTING configuration) ... your IP MASQ rules may be happening first, then your firewall rules ... so the IP address trying to connect to your http server might be 203.x.x.1 not 192.168.0.x.

If that is the case, use an IPMASQ rule that only routes networks other than 192.168.0.0/16....


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
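An added example, not from the thread, of the listening check hughesjr suggests above: it reads netstat -an style output and reports whether a socket is listening on the given address and port, counting a 0.0.0.0 (wildcard) bind as a match, so a bind on the external address only is caught before anyone touches the firewall rules. The netstat lines are constructed, and 203.0.113.1 stands in for the thread's 203.x.x.1.

```shell
#!/bin/sh
# Added example (not from the thread): confirm which address Apache is bound
# to, the check hughesjr describes with "netstat -an | grep 80 | grep LISTEN",
# but matching the port only in the Local Address column.  Reads netstat-style
# lines on stdin.  On the gateway:  netstat -an | listening_on 192.168.0.1 80

listening_on() {
    want_addr=$1
    want_port=$2
    found=1
    while read -r proto recvq sendq laddr raddr state rest; do
        [ "$state" = "LISTEN" ] || continue
        addr=${laddr%:*}          # everything before the last ':'
        port=${laddr##*:}         # everything after the last ':'
        [ "$port" = "$want_port" ] || continue
        # 0.0.0.0 is the wildcard socket, which also covers the LAN address
        if [ "$addr" = "$want_addr" ] || [ "$addr" = "0.0.0.0" ]; then
            echo "$laddr"
            found=0
        fi
    done
    return $found
}

# Constructed netstat -an output: Apache on the LAN address only, Squid on the
# wildcard address, and a service bound only to the external address
# (203.0.113.1 stands in for the thread's 203.x.x.1).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.1:80          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.1:443         0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:80          192.168.0.23:1180       ESTABLISHED'

# check ADDR PORT: one line saying which socket (if any) serves that address
check() {
    if sock=$(printf '%s\n' "$SAMPLE_NETSTAT" | listening_on "$1" "$2"); then
        echo "$1 $2: bound on $sock"
    else
        echo "$1 $2: not listening on $1 (firewall rules cannot fix this)"
    fi
}

check 192.168.0.1 80     # Apache reachable from the LAN side
check 192.168.0.1 3128   # wildcard bind covers it
check 192.168.0.1 443    # bound only to the external address
```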
rhonneil
post Nov 6 2003, 07:37 PM
Post #5





QUOTE (hughesjr @ Nov 6 2003, 07:17 AM)
Are you sure that Apache is listening on port 80 at 192.168.0.1 and not on 203.x.x.1 (do netstat -an | grep 80 | grep LISTEN and look at the IP address in column 3 ... does it say 192.168.0.1:80)? Also, I am assuming that you are using the same server as the IP MASQUERADE server (with a PREROUTING configuration) ... your IP MASQ rules may be happening first, then your firewall rules ... so the IP address trying to connect to your http server might be 203.x.x.1 not 192.168.0.x.

If that is the case, use an IPMASQ rule that only routes networks other than 192.168.0.0/16....

Hi there,

I made some progress with my problem. I made the following rule which allows my LAN to access my apache:

iptables -A INPUT -i $LOCAL_INTERFACE_1 -p tcp --destination-port 80 -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -p tcp --source-port 80 --destination-port $UNPRIVPORTS -j ACCEPT

And I modified the transparent proxy rule, changing port 80 to 8080:
# ------------------------------------------------------------------
# TRANSPARENT PROXY client
# ------------------------------------------------------------------

iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp --destination-port 8080 -j REDIRECT --to-port 3128

Now, my remaining problem is that whenever I access my web pages from the internet I get a refused connection.
Please see my firewall rules; I hope you can make recommendations.

# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 80 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 80 -j ACCEPT

# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------------------------------------------------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 443 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 443 -j ACCEPT

# ------------------------------------------------------------------
# WWW-CACHE client
# ------------------------------------------------------------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 3128 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 3128 -j ACCEPT

Thanks a million for your help.

rhonneil
hughesjr
post Nov 7 2003, 06:25 AM
Post #6





I think you've got the source and destination ports swapped ... when connecting to the webserver from offsite, it is the destination port that is going to be 80 or 443 ... and the source port that is going to be a random port. Your rules have the source port set at 80 and 443....

So I think:

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 80 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

Should be:

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port $UNPRIVPORTS -d $IPADDR --destination-port 80 -j ACCEPT

and

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port $UNPRIVPORTS -d $IPADDR --destination-port 443 -j ACCEPT


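An added example, not a script from the thread, putting hughesjr's correction into a small dry-run script: for an inbound server the destination port is 80/443 and the source port is the client's unprivileged port, the reverse of the client rules rhonneil posted. One further detail: the INPUT rule must not carry "! --syn", because it has to accept the client's initial SYN; that test belongs on the reply (OUTPUT) side only. It assumes UNPRIVPORTS is 1024:65535, uses 203.0.113.1 as a placeholder for the thread's 203.x.x.1, and prints the commands instead of running them unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not a script from the thread.  Builds the Apache server rules
# in the direction hughesjr describes (clients come FROM an unprivileged port
# TO port 80/443), the LAN rule from post #5, and a transparent-proxy rule that
# leaves traffic for the gateway itself alone.  Dry run by default: set
# IPT=iptables and run as root to apply.
IPT=${IPT:-"echo iptables"}

# Assumed values; 203.0.113.1 is a placeholder for the thread's 203.x.x.1.
EXTERNAL_INTERFACE=eth0
LOCAL_INTERFACE_1=eth1
IPADDR=203.0.113.1
INTRANET=192.168.0.0/16
UNPRIVPORTS=1024:65535      # assumed definition of $UNPRIVPORTS

# Server side: the INPUT rule must accept the client's first SYN, so "! --syn"
# is only on the reply (OUTPUT) rule.  The thread's rules had sport/dport
# swapped, which describes an outbound *client*, not an inbound server.
http_server_rules() {
    iface=$1 ip=$2 port=$3
    $IPT -A INPUT  -i "$iface" -p tcp --source-port "$UNPRIVPORTS" \
         -d "$ip" --destination-port "$port" -j ACCEPT
    $IPT -A OUTPUT -o "$iface" -p tcp ! --syn --source-port "$port" \
         -s "$ip" --destination-port "$UNPRIVPORTS" -j ACCEPT
}

# LAN clients reach Apache on the gateway's inside address (post #5).
lan_http_rules() {
    $IPT -A INPUT  -i "$LOCAL_INTERFACE_1" -s "$INTRANET" -p tcp \
         --destination-port 80 -j ACCEPT
    $IPT -A OUTPUT -o "$LOCAL_INTERFACE_1" -d "$INTRANET" -p tcp ! --syn \
         --source-port 80 --destination-port "$UNPRIVPORTS" -j ACCEPT
}

# Transparent proxy: PREROUTING runs before INPUT, so without the "! -d"
# exclusion LAN requests for Apache on 192.168.0.1:80 would be redirected
# to Squid (hughesjr's alternative to moving the proxy to port 8080).
proxy_redirect_rules() {
    $IPT -t nat -A PREROUTING -i "$LOCAL_INTERFACE_1" -p tcp ! -d "$INTRANET" \
         --destination-port 80 -j REDIRECT --to-port 3128
}

http_server_rules "$EXTERNAL_INTERFACE" "$IPADDR" 80
http_server_rules "$EXTERNAL_INTERFACE" "$IPADDR" 443
lan_http_rules
proxy_redirect_rules
```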