LinuxQuestions.org
Old 01-10-2006, 01:59 AM   #1
rrr-jr
Member
 
Registered: Jul 2003
Location: Romania
Distribution: Gentoo GNU/Linux
Posts: 65

Rep: Reputation: 15
a problem with apache


I have a problem with apache. Nobody from outside on the internet can access my web server. I also have an internal network in which the webserver shares the internet connection to the other computers, but my webserver can't be accessed even if I run the script that shares the internet.
This is the script:
Code:
#!/bin/sh
# DHCP Internet and Connection Sharing Script - IPTables Secure Version
# Coded by Mayhem (C)2002

# Create a clean new IPTABLES ruleset
/sbin/iptables --flush
# Set up the Ports for the main servers: FTP, HTTP etc
/sbin/iptables -A INPUT -p tcp --dport 20 -j ACCEPT ## FTP - Data Transfer
/sbin/iptables -A INPUT -p udp --dport 20 -j ACCEPT ## FTP - Data Transfer
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT ## FTP - Connection
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT ## HTTP

# Net Sharing
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"

/sbin/iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
The apache server is configured to listen on the external ip.
Can anyone help me resolve this problem?
 
Old 01-10-2006, 02:03 AM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168Reputation: 168
What is your OUTPUT ruleset doing? Although it looks like you're accepting connections on your port 80, are you allowing the return traffic out?
 
Old 01-10-2006, 02:07 AM   #3
rrr-jr
Member
 
Registered: Jul 2003
Location: Romania
Distribution: Gentoo GNU/Linux
Posts: 65

Original Poster
Rep: Reputation: 15
How do I list what you have asked?
meantime ...
Code:
localhost rrr # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I just found out that on my local network the server works just fine. It doesn't work for external users.

Last edited by rrr-jr; 01-10-2006 at 02:14 AM.
 
Old 01-10-2006, 03:36 AM   #4
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168Reputation: 168
It doesn't look like there are any rules preventing packets leaving the box. Is there a router between this box and the internet or does it connect directly?
 
Old 01-10-2006, 04:14 PM   #5
rrr-jr
Member
 
Registered: Jul 2003
Location: Romania
Distribution: Gentoo GNU/Linux
Posts: 65

Original Poster
Rep: Reputation: 15
It connects directly on eth0.

Last edited by rrr-jr; 01-10-2006 at 04:15 PM.
 
Old 01-10-2006, 05:03 PM   #6
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168Reputation: 168
So is your network layout something like this:

Code:
+--------+      +----------+   +-----+
|internet|--//--|web server|---| LAN |
+--------+      +----------+   +-----+
Your web server has 2 NICs and also acts as your firewall. Your LAN connects to the web server via a switch or router and the PCs on the LAN can see the web server, but hosts on the internet cannot see your web server. I'm assuming that people on the internet are trying to connect via IP address and that the problem has nothing to do with DNS.

However, the output of `iptables -L` doesn't match the rules you posted earlier. `iptables -L` is not showing any rules configured for the INPUT, OUTPUT or FORWARD chains. Also, the default policy for each of these chains is set to accept. So by definition all packets are being accepted and the problem could not be with the firewall.

Can you post your entire firewall script (leave out any public IP addresses)? If the problem is in the firewall it doesn't look like it's with the parts you've posted. The only thing I'd change with what I've seen is that you shouldn't need the line:

Code:
/sbin/iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
Because the other MASQUERADE line is doing it for you.
 
Old 01-11-2006, 01:51 AM   #7
rrr-jr
Member
 
Registered: Jul 2003
Location: Romania
Distribution: Gentoo GNU/Linux
Posts: 65

Original Poster
Rep: Reputation: 15
Yes, the layout looks like that. I'm using a switch to connect the webserver to the local LAN. My webserver has 2 network cards, one (eth0) connects directly to the internet through a cable modem and the other one (eth1) connects to the LAN with the switch.

That's my entire script, I have posted it below. I know I haven't listed the rules after I ran the script because the external users can't access me even if I don't run the script.

Anyway, here are the rules after I run the script:

Code:
localhost rrr # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level warning prefix `ATTACK'

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
If it isn't from the firewall script or my network configuration, where can it be from?
I must say that users from the internet can access my ftp server without a problem.
 
Old 01-11-2006, 02:27 AM   #8
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168Reputation: 168
OK, thanks for posting that. What it's saying is that traffic for your port 80 will be accepted. If I follow the input chain down, any packets that don't get accepted should be logged. You'd see the result of this in either /var/log/messages or /var/log/syslog.

The reason I don't think it's firewall related is that there's nothing in your rule-set that DROPs or REJECTs packets. Since the policy for each chain is ACCEPT, then no packets are being refused. Also, if FTP to your server works, http should since the only difference is the port - http (80).

If people are reaching your server but being rejected it will be in the web server logs. If you're running Apache as your web server you'll see stuff like this:

Code:
203.206.108.xxx - - [05/Jan/2006:14:41:00 +1000] "GET / HTTP/1.0" 403 202 "-" "-"
They're probably under /usr/local/apache2/logs but if they're not, try the following to find the Apache config file and get the log location from it:

Code:
find / -name 'httpd.conf' -exec grep -i 'access.*log' {} \;
A last thought - do you know that the URL being used to access your site externally is correct?
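The ruleset discussed in this thread has every chain at policy ACCEPT, so the trailing LOG rule records packets that no earlier rule matched but still lets them through (the UDP rule for port 20 is also unnecessary, since FTP data runs over TCP). As an added example, not the script from the thread, here is the same set of services on a default-DROP ruleset, where the LOG rule really does record what is about to be refused. It assumes, as the thread states, that eth0 faces the internet, eth1 faces the LAN and the LAN is 192.168.10.0/24; the rule text is generated by one function and executed by another so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the script from the thread: FTP, HTTP and LAN
# masquerading on a ruleset whose INPUT and FORWARD policies are DROP, so
# only explicitly allowed traffic gets in and the final LOG rule records
# exactly what is about to be refused. Assumptions taken from the thread:
# eth0 faces the internet, eth1 faces the LAN, the LAN is 192.168.10.0/24.
WAN=eth0
LAN=eth1
LAN_NET=192.168.10.0/24
IPT=${IPT:-/sbin/iptables}

# build_rules only prints the iptables commands, one per line, so the ruleset
# can be reviewed (or tested) without root; apply_rules executes that output.
build_rules() {
    cat <<EOF
$IPT -F
$IPT -t nat -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
$IPT -A INPUT -i $WAN -p tcp --dport 21 -j ACCEPT
$IPT -A INPUT -i $WAN -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-level 4 --log-prefix "DROP-INPUT "
$IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
$IPT -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
EOF
}

apply_rules() {
    # FTP data connections are matched by the RELATED state only when the FTP
    # connection-tracking helper is loaded (ip_conntrack_ftp on 2.6-era
    # kernels such as the thread's, nf_conntrack_ftp on current ones).
    modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules | sh -e
}

# "./fw.sh" prints the rules for review; "./fw.sh apply" installs them.
case ${1:-show} in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Note the trailing space in the LOG prefix: without it the kernel prints the prefix glued to the first field (the thread's "ATTACKIN=eth0"), which makes the lines harder to parse later. The `-m limit` match keeps a flood of refused packets from filling /var/log/messages.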
 
Old 01-11-2006, 02:05 PM   #9
rrr-jr
Member
 
Registered: Jul 2003
Location: Romania
Distribution: Gentoo GNU/Linux
Posts: 65

Original Poster
Rep: Reputation: 15
OK ... I looked in the logs last time but found nothing useful, but today I see that the IP of the person who is trying to view my webserver is logged as ATTACK in /var/log/messages.

Code:
Jan 12 22:00:33 localhost ATTACKIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:09:5d:6a:18:08:00 SRC=<a friend ip> DST=255.255.255.255 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=2788 PROTO=UDP SPT=7550 DPT=7550 LEN=72
How can I allow everybody to view my webserver?
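The /var/log/messages line above is a UDP broadcast to port 7550, not a web request, so it says nothing about port 80. As an added example (not from the thread), the following shell functions pull the SRC/DST/PROTO/DPT fields out of iptables LOG lines and separate broadcast and multicast noise from unicast connection attempts to a service port. The sample lines are constructed with TEST-NET addresses; the first mirrors the broadcast seen in the thread and the second is what an inbound TCP SYN to port 80 looks like. The IN= field is deliberately not parsed, because the thread's prefix "ATTACK" has no trailing space and the kernel prints it as "ATTACKIN=eth0".

```shell
#!/bin/sh
# Added example, not from the thread: classify iptables LOG lines.

# Constructed sample lines (TEST-NET addresses, not real hosts).
SAMPLE_UDP='Jan 12 22:00:33 localhost ATTACKIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:09:5d:6a:18:08:00 SRC=198.51.100.7 DST=255.255.255.255 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=2788 PROTO=UDP SPT=7550 DPT=7550 LEN=72'
SAMPLE_TCP='Jan 12 22:05:01 localhost ATTACKIN=eth0 OUT= MAC=00:11:09:5d:6a:18:00:50:56:aa:bb:cc:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4123 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# ipt_field KEY LINE: value of " KEY=..." in one LOG line (empty if absent).
# The leading space avoids matching a key glued to the log prefix.
ipt_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# classify_log_line LINE: prints "kind proto src:dport dst", where kind is
# broadcast, multicast or unicast according to the destination address.
classify_log_line() {
    line=$1
    src=$(ipt_field SRC "$line")
    dst=$(ipt_field DST "$line")
    proto=$(ipt_field PROTO "$line")
    dpt=$(ipt_field DPT "$line")
    case $dst in
        255.255.255.255)      kind=broadcast ;;
        22[4-9].*|23[0-9].*)  kind=multicast ;;
        *)                    kind=unicast ;;
    esac
    printf '%s %s %s:%s %s\n' "$kind" "$proto" "$src" "${dpt:--}" "$dst"
}

# summarize: stdin = log file, stdout = one classified line per LOG entry.
summarize() {
    while IFS= read -r line; do
        case $line in
            *" SRC="*" DST="*) classify_log_line "$line" ;;
        esac
    done
}

# count_http_attempts: number of unicast TCP packets aimed at port 80 on stdin,
# i.e. the lines that would actually matter for the web server question.
count_http_attempts() {
    summarize | grep -c '^unicast TCP [^ ]*:80 ' || true
}

# Usage: run the classifier over the constructed samples.
printf '%s\n%s\n' "$SAMPLE_UDP" "$SAMPLE_TCP" | summarize
```

Run it as `sh classify.sh < /var/log/messages` after replacing the sample input to see which logged packets were real port-80 attempts; if none appear while the firewall policy is DROP, the packets are not reaching the box at all.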
 
Old 01-11-2006, 04:43 PM   #10
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168Reputation: 168
It makes sense that the UDP packet heading for port 7550 in your post was logged. There are no rules in your set up that would have accepted it earlier. Can you ask your friend to try to telnet to your IP address and see what error he gets? The command would be:

Code:
telnet ip-address 80
Where ip-address is your ip address

Alternatively, go to a site like http://www.grc.com/default.htm and scroll down to "Shields up" or try http://scan.sygatetech.com/. These sites offer a free scanning service so you can check which ports are open to the internet.
 
Old 01-11-2006, 05:00 PM   #11
rrr-jr
Member
 
Registered: Jul 2003
Location: Romania
Distribution: Gentoo GNU/Linux
Posts: 65

Original Poster
Rep: Reputation: 15
This was run from a computer in the LAN.

Code:
We are now determining if you have a firewall blocking UDP ports on IP: <my internet ip>
Note: this may take a while on highly secure systems... 
Testing . . . 
Testing . . . 
Testing . . . 

--------------------------------------------------------------------------------

We have determined that you have a firewall blocking UDP ports!
We are unable to scan any more UDP ports on IP: <my internet ip> . . .
I'll try running it from the server tomorrow, when I wake up.

later ...
I tried from the server too and I have the same result ... what should I do?

Last edited by rrr-jr; 01-12-2006 at 11:18 AM.
 