Full Version: Lan Cannot Connect To My Apache Web Server
rhonneil
Hi Gurus out there, could you please help me with my problem. I am running a newly installed Apache 2.x. My problem is that every time my LAN clients want to access my Apache they are refused connections. But when I turn off my firewall, clients can freely access the web pages.

I'm quite sure the problem is with my firewall rules. Could anyone please tell me what rule should allow my LAN to access my Apache server?

My other services like Squid proxy, FTP and others are running OK and my clients can freely access those services without any problem. Also, I use this machine as the gateway to my LAN.

my LAN IP:
192.168.0.0/16

Here are my Apache configs:

eth1 192.168.0.1 -- Apache is running on port 80
eth0 203.x.x.1

Here are my firewall rules for Apache:

# ----------------------------------------------------------------------------
# LOOPBACK
# ----------------------------------------------------------------------------
#
# Unlimited traffic on the loopback interface.
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------

# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT


# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------------------------------------------------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 443 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 443 -j ACCEPT


As you can see, my LAN has unlimited access to my Apache server.

Any suggestions?

TIA,

rhonneil
Joey
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -d 192.168.0.1 -p tcp --dport 80 -j ACCEPT
rhonneil
QUOTE (Joey @ Nov 5 2003, 12:17 PM)
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -d 192.168.0.1 -p tcp --dport 80 -j ACCEPT

I tried the rule you suggested; however, iptables -L gives the following result:

drop    all  --  alster-gwy02.provider.net  anywhere
:
:
:
ACCEPT  icmp --  alster-gwy02.provider.net  anywhere  icmp echo-request
ACCEPT  icmp --  alster-gwy02.provider.net  anywhere  icmp fragmentation-needed
ACCEPT  icmp --  alster-gwy02.provider.net  anywhere  icmp source-quench
ACCEPT  icmp --  alster-gwy02.provider.net  anywhere  icmp parameter-problem

No problems arose when restarting the firewall, but I'm still having the problem.

#telnet 192.168.0.1 80
telnet: connect to address 192.168.0.1: Connection refused

thanks,

rhonneil
hughesjr
Are you sure that Apache is listening on port 80 at 192.168.0.1 and not on 203.x.x.1? (Do netstat -an | grep 80 | grep LISTEN and look at the IP address in column 3 ... does it say 192.168.0.1:80?) Also, I am assuming that you are using the same server as the IP MASQUERADE server (with a PREROUTING configuration) ... your IP MASQ rules may be happening first, then your firewall rules ... so the IP address trying to connect to your HTTP server might be 203.x.x.1, not 192.168.0.x.

If that is the case, use an IPMASQ rule that only routes networks other than 192.168.0.0/16....
rhonneil
QUOTE (hughesjr @ Nov 6 2003, 07:17 AM)
Are you sure that Apache is listening on port 80 at 192.168.0.1 and not on 203.x.x.1? (Do netstat -an | grep 80 | grep LISTEN and look at the IP address in column 3 ... does it say 192.168.0.1:80?) Also, I am assuming that you are using the same server as the IP MASQUERADE server (with a PREROUTING configuration) ... your IP MASQ rules may be happening first, then your firewall rules ... so the IP address trying to connect to your HTTP server might be 203.x.x.1, not 192.168.0.x.

If that is the case, use an IPMASQ rule that only routes networks other than 192.168.0.0/16....

Hi there,

I made some progress with my problem. I added the following rules, which allow my LAN to access my Apache:

iptables -A INPUT -i $LOCAL_INTERFACE_1 -p tcp --destination-port 80 -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -p tcp --source-port 80 --destination-port $UNPRIVPORTS -j ACCEPT

And I modified the transparent proxy rule, changing port 80 to 8080:
# ------------------------------------------------------------------
# TRANSPARENT PROXY client
# ------------------------------------------------------------------

iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
    --destination-port 8080 -j REDIRECT --to-port 3128

Now, my remaining problem is that whenever I access my web pages from the Internet I get a refused connection.
Please see my firewall rules; I hope you can make recommendations.

# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------------------------------------------------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 443 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 443 -j ACCEPT

# ------------------------------------------------------------------
# WWW-CACHE client
# ------------------------------------------------------------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 3128 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 3128 -j ACCEPT

Thanks a million for your help.

rhonneil
hughesjr
I think you've got the source and destination ports swapped ... when connecting to the webserver from offsite, it is the destination port that is going to be 80 or 443 ... and the source port that is going to be a random port. Your rules have the source port set at 80 and 443....

So I think:

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 80 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

Should be:

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port $UNPRIVPORTS -d $IPADDR --destination-port 80 -j ACCEPT

and

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port $UNPRIVPORTS -d $IPADDR --destination-port 443 -j ACCEPT
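The two fixes discussed in this thread, keeping the transparent-proxy REDIRECT away from the gateway's own web server (rhonneil's "made some progress" post) and writing the Internet-facing rules with 80/443 as the destination port (hughesjr's last post), as one added shell example. This is neither rhonneil's script nor hughesjr's; it reuses the thread's variable names, and the interface names, the 203.0.113.1 placeholder standing in for 203.x.x.1, and the 1024:65535 value for $UNPRIVPORTS are assumptions. Two points it shows that the thread does not spell out: a REDIRECT in the nat PREROUTING chain is evaluated before the INPUT chain, so a redirect of destination port 80 on the LAN interface also captures connections to 192.168.0.1:80 unless the gateway's own address is excluded (moving the redirect to 8080, as rhonneil did, avoids the capture for the same reason); and `! --syn` must not appear on an inbound server rule, because the first packet of a connection to Apache is the SYN, which that match excludes, so the connection can never be established.

```shell
#!/bin/sh
# Added example, not a script from the thread. It rebuilds the three rule groups
# under discussion with the thread's own variable names. IPT defaults to "echo",
# so running the file only prints the rules; set IPT=iptables (as root) to apply.
IPT="${IPT:-echo}"

LOCAL_INTERFACE_1="${LOCAL_INTERFACE_1:-eth1}"    # LAN side, per the thread
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"  # Internet side, per the thread
LAN_ADDR="${LAN_ADDR:-192.168.0.1}"               # Apache's LAN address, per the thread
IPADDR="${IPADDR:-203.0.113.1}"                   # placeholder for the 203.x.x.1 public address
INTRANET="${INTRANET:-192.168.0.0/16}"
UNPRIVPORTS="${UNPRIVPORTS:-1024:65535}"          # assumed value of the thread's variable

# 1. Transparent proxy. nat/PREROUTING runs before INPUT, so without the
#    "! -d $LAN_ADDR" exclusion this rule would also swallow LAN connections
#    to the gateway's own Apache and hand them to Squid instead.
proxy_rules() {
    $IPT -t nat -A PREROUTING -i "$LOCAL_INTERFACE_1" -p tcp ! -d "$LAN_ADDR" \
        --destination-port 80 -j REDIRECT --to-port 3128
}

# 2. LAN -> Apache on the gateway, and the replies back out.
lan_web_rules() {
    $IPT -A INPUT -i "$LOCAL_INTERFACE_1" -s "$INTRANET" -d "$LAN_ADDR" -p tcp \
        --destination-port 80 -j ACCEPT
    $IPT -A OUTPUT -o "$LOCAL_INTERFACE_1" -s "$LAN_ADDR" -d "$INTRANET" -p tcp \
        --source-port 80 --destination-port "$UNPRIVPORTS" -j ACCEPT
}

# 3. Internet -> Apache. Port 80/443 is the *destination* on the inbound rule and
#    the inbound rule carries no "! --syn": the SYN is exactly the packet that
#    must be accepted. "! --syn" goes on the OUTPUT side instead, so the server
#    can answer established connections but never originate one from port 80/443.
server_rules() {
    for port in 80 443; do
        $IPT -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp -d "$IPADDR" \
            --source-port "$UNPRIVPORTS" --destination-port "$port" -j ACCEPT
        $IPT -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" \
            --source-port "$port" --destination-port "$UNPRIVPORTS" ! --syn -j ACCEPT
    done
}

# Emit (or apply) all three groups in the order they should be installed.
all_rules() {
    proxy_rules
    lan_web_rules
    server_rules
}

all_rules
```

With IPT left at its default the script only prints the rules, which is a convenient way to review a rule set before touching a live gateway. Because `-A` appends, these must be installed before any catch-all DROP in the INPUT chain (rhonneil's `iptables -L` listing shows a drop rule at the top), and the `! --syn` form should stay on the client-side rules already in the thread, where it does what it is meant to: stop a remote host from opening a connection back to the gateway from port 80 or 443.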