I have a problem with apache. Nobody from outside on the internet can access my web server. I also have an internal network in which the webserver shares the internet connection to the other computers, but my webserver can't be accessed even if I run the script that shares the internet.
This is the script:
Code:
#!/bin/sh
# DHCP Internet and Connection Sharing Script - IPTables Secure Version
# Coded by Mayhem (C)2002
# Create a clean new IPTABLES ruleset
/sbin/iptables --flush
# --flush only clears the filter table; clear the nat table too, otherwise
# every run of this script appends another copy of the MASQUERADE rules
/sbin/iptables -t nat --flush
# Set up the Ports for the main servers: FTP, HTTP etc
/sbin/iptables -A INPUT -p tcp --dport 20 -j ACCEPT ## FTP - Data Transfer
/sbin/iptables -A INPUT -p udp --dport 20 -j ACCEPT ## FTP - Data Transfer
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT ## FTP - Connection
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT ## HTTP
# Net Sharing
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
/sbin/iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
The apache server is configured to listen on the external ip.
Can anyone help me resolve this problem?
It doesn't look like there are any rules preventing packets leaving the box. Is there a router between this box and the internet or does it connect directly?
+--------+ +----------+ +-----+
|internet|--//--|web server|---| LAN |
+--------+ +----------+ +-----+
Your web server has 2 NICs and also acts as your firewall. Your LAN connects to the web server via a switch or router and the PCs on the LAN can see the web server, but hosts on the internet cannot see your web server. I'm assuming that people on the internet are trying to connect via IP address and that the problem has nothing to do with DNS.
However, the output of `iptables -L` doesn't match the rules you posted earlier. `iptables -L` is not showing any rules configured for the INPUT, OUTPUT or FORWARD chains. Also, the default policy for each of these chains is set to accept. So by definition all packets are being accepted and the problem could not be with the firewall.
Can you post your entire firewall script (leave out any public IP addresses)? If the problem is in the firewall it doesn't look like it's with the parts you've posted. The only thing I'd change with what I've seen is that you shouldn't need the line:
Code:
/sbin/iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
Because the other MASQUERADE line is doing it for you.
Yes, the layout looks like that. I'm using a switch to connect the webserver to the local LAN. My webserver has 2 network cards, one (eth0) connects directly to the internet through a cable modem and the other one (eth1) connects to the LAN with the switch.
That's my entire script; I have posted it below. I know I haven't listed the rules after I ran the script, because the external users can't access me even if I don't run the script.
If it isn't from the firewall script or my network configuration, where can it be from?
I must say that users from the internet can access my ftp server without a problem.
OK, thanks for posting that. What it's saying is that traffic for your port 80 will be accepted. If I follow the input chain down, any packets that don't get accepted should be logged. You'd see the result of this in either /var/log/messages or /var/log/syslog.
The reason I don't think it's firewall related is that there's nothing in your rule-set that DROPs or REJECTs packets. Since the policy for each chain is ACCEPT, then no packets are being refused. Also, if FTP to your server works, http should since the only difference is the port - http (80).
If people are reaching your server but being rejected it will be in the web server logs. If you're running Apache as your web server you'll see stuff like this:
OK ... I have looked in the logs last time, but there was nothing good to know; but today I see that the IP of the person who is trying to view my webserver is logged as ATTACK in /var/log/messages.
It makes sense that the UDP packet heading for port 7550 in your post was logged. There are no rules in your setup that would have accepted it earlier. Can you ask your friend to try to telnet to your IP address and see what error he gets? The command would be:
Code:
telnet ip-address 80
Where ip-address is your ip address
Alternatively, go to a site like http://www.grc.com/default.htm and scroll down to "Shields up" or try http://scan.sygatetech.com/. These sites offer a free scanning service so you can check which ports are open to the internet.
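To tell a logged UDP probe like the port 7550 one apart from a real web request that fell through to the LOG rule, here is an added example (not from anyone in this thread) that summarises the ATTACK-prefixed lines the script's LOG target writes to /var/log/messages. The sample lines are constructed in the standard netfilter LOG format, with documentation-range addresses; note that the prefix "ATTACK" has no trailing space, so it runs straight into "IN=".

```shell
#!/bin/sh
# Constructed sample of what the script's LOG rule (--log-prefix "ATTACK") writes
# to /var/log/messages; addresses are documentation ranges, not real hosts.
SAMPLE_LOG='Jan 10 21:03:11 gw kernel: ATTACKIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=1 PROTO=UDP SPT=1025 DPT=7550 LEN=28
Jan 10 21:03:12 gw kernel: ATTACKIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=115 ID=2 DF PROTO=TCP SPT=3321 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:04:40 gw kernel: ATTACKIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=4000 DPT=22 WINDOW=512 RES=0x00 SYN URGP=0
Jan 10 21:05:00 gw sshd[123]: Accepted publickey for admin from 192.168.10.2'

# Print one "PROTO DPT SRC count" line per distinct tuple seen in ATTACK lines.
# Lines without the LOG prefix (e.g. the sshd line) are ignored.
summarize_attack_log() {
    printf '%s\n' "$1" | awk '
        /kernel: ATTACK/ {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (src != "") count[proto " " dpt " " src]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Count TCP packets to port 80 that reached the LOG rule. Any hit here means a
# web request was NOT matched by the "--dport 80 -j ACCEPT" rule above it, which
# points at rule ordering or the wrong interface rather than at the client.
logged_http_attempts() {
    printf '%s\n' "$1" | awk '/kernel: ATTACK/ && /PROTO=TCP/ && / DPT=80 /' | wc -l | tr -d ' '
}

# Usage against the real log: summarize_attack_log "$(cat /var/log/messages)"
summarize_attack_log "$SAMPLE_LOG"
echo "logged TCP/80 attempts: $(logged_http_attempts "$SAMPLE_LOG")"
```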
We are now determining if you have a firewall blocking UDP ports on IP: <my internet ip>
Note: this may take a while on highly secure systems...
Testing . . .
Testing . . .
Testing . . .
--------------------------------------------------------------------------------
We have determined that you have a firewall blocking UDP ports!
We are unable to scan any more UDP ports on IP: <my internet ip> . . .
I'll try running it from the server tomorrow, when I wake up.
later ...
I tried from the server too and I have the same result ... what should I do?