LinuxQuestions.org
Old 06-16-2006, 06:18 AM   #1
clarket
LQ Newbie
 
Registered: Jun 2006
Posts: 8

Rep: Reputation: 0
Access Control Issue


Hi All,

I've installed RHEL 4 and I've installed apache 2. I'm having problems accessing it from outside the local domain.

All the clients on the local network get served with pages from apache. I've commented out the restrictions in hosts.allow and hosts.deny and checked that they aren't blocking anything. I've also flushed iptables and stopped the service from running. Still nothing though.

Doing a netstat shows me that port 80 is open and is listening.

I also have tomcat running on port 8080 and that's visible from outside the local domain (so DNS is working). So I'm sure it's a configuration problem. Also, we do not have any restrictions on the network.

I've also set SELinux to permissive in case it was stopping the pages from being served.

Any help would be much appreciated.

Thanks,

Tony.
 
Old 06-18-2006, 02:59 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by clarket
Hi All,

I've installed RHEL 4 and I've installed apache 2. I'm having problems accessing it from outside the local domain.

All the clients on the local network get served with pages from apache. I've commented out the restrictions in hosts.allow and hosts.deny and checked that they aren't blocking anything. I've also flushed iptables and stopped the service from running. Still nothing though.

Doing a netstat shows me that port 80 is open and is listening.

I also have tomcat running on port 8080 and that's visible from outside the local domain (so DNS is working). So I'm sure it's a configuration problem. Also, we do not have any restrictions on the network.

I've also set SELinux to permissive in case it was stopping the pages from being served.

Any help would be much appreciated.

Thanks,

Tony.
when you say "outside the local domain" do you mean via the Internet??

if so, are you sure your ISP isn't blocking TCP port 80??
 
Old 06-19-2006, 03:33 AM   #3
clarket
LQ Newbie
 
Registered: Jun 2006
Posts: 8

Original Poster
Rep: Reputation: 0
Yes, I mean from the internet. I'm pretty sure that port 80 is not blocked as there are other web servers in the same VLAN that are using port 80.
 
Old 06-19-2006, 03:44 AM   #4
clarket
LQ Newbie
 
Registered: Jun 2006
Posts: 8

Original Poster
Rep: Reputation: 0
I tried starting Apache on port 90 and I still wasn't getting access, so I started it on port 9090 and I can view the web pages on this port. I think I vaguely remember Linux having tighter control over the first 1024 ports, could it be something to do with this? ICMP packets are blocked on the network so ping, traceroute (tracert) will not give me any info.

Thanks,

T.
 
Old 06-19-2006, 07:11 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by clarket
I tried starting Apache on port 90 and I still wasn't getting access, so I started it on port 9090 and I can view the web pages on this port. I think I vaguely remember Linux having tighter control over the first 1024 ports, could it be something to do with this? ICMP packets are blocked on the network so ping, traceroute (tracert) will not give me any info.
make it listen on 80 and then post the output of these:
Code:
netstat -an | grep "LISTEN "
Code:
iptables -L -n -v
yes, ports up to 1024 are privileged, which means only root can listen on them... so what daemons usually do is they start as root to bind to the privileged port but then immediately switch to a non-root user for greater security...

perhaps you are starting apache as a non-root user instead of root??

it's just a thought...

Last edited by win32sux; 06-19-2006 at 07:14 AM.
 
Old 06-19-2006, 08:46 AM   #6
clarket
LQ Newbie
 
Registered: Jun 2006
Posts: 8

Original Poster
Rep: Reputation: 0
This is the output from the commands.

netstat -an | grep "LISTEN "
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5801 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5802 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5902 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6001 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6002 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 ::ffff:127.0.0.1:8005 :::* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::8080 :::* LISTEN
tcp 0 0 :::6001 :::* LISTEN
tcp 0 0 :::6002 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 :::8443 :::* LISTEN

iptables -L -n -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
82 7024 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,21,8080
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 95 packets, 10676 bytes)
pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited


I've also done a ps -ef | grep apache, and this is what I get.

root 10096 1 0 14:38 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 10097 10096 0 14:38 ? 00:00:01 /usr/local/apache/bin/httpd -k start
daemon 10098 10096 0 14:38 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 10099 10096 0 14:38 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 10100 10096 0 14:38 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 10101 10096 0 14:38 ? 00:00:01 /usr/local/apache/bin/httpd -k start
daemon 10104 10096 0 14:38 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 10113 10096 0 14:38 ? 00:00:00 /usr/local/apache/bin/httpd -k start


Thanks for the help so far by the way.

Last edited by clarket; 06-19-2006 at 09:38 AM.
 
Old 06-19-2006, 12:42 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by clarket
tcp 0 0 :::80 :::* LISTEN
hmmm... do you know why this doesn't appear with a 0.0.0.0:80 address like the other things?? personally i'm not sure what the reason is...

Quote:
root 10096 1 0 14:38 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 10097 10096 0 14:38 ? 00:00:01 /usr/local/apache/bin/httpd -k start
daemon 10098 10096 0 14:38 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 10099 10096 0 14:38 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 10100 10096 0 14:38 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 10101 10096 0 14:38 ? 00:00:01 /usr/local/apache/bin/httpd -k start
daemon 10104 10096 0 14:38 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 10113 10096 0 14:38 ? 00:00:00 /usr/local/apache/bin/httpd -k start
this seems good to me... the parent process is owned by root, while the children are owned by a non-root user...

i'm not sure what could be causing your issue... let's try with a fresh set of iptables rules so that we can at least rule-out a firewall issue:
Code:
#!/bin/sh

IPT="/sbin/iptables"

WAN_IFACE="eth0"

echo "0" > /proc/sys/net/ipv4/ip_forward

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
if it's still not working after running the above script, then i don't really have any good ideas (maybe someone else does)... although considering it works fine on non-privileged ports it does indeed sound like a permissions issue... perhaps something with inetd??

also, are you 100% sure that the port 80 shown on netstat is indeed apache and not something else?? on second thought, that's unlikely, as you'd get an error from apache saying it couldn't bind to the port cuz the port was busy or something...

let me know how it goes with the fresh iptables rules...

BTW, are you using IPv6??
 
Old 06-20-2006, 06:56 AM   #8
clarket
LQ Newbie
 
Registered: Jun 2006
Posts: 8

Original Poster
Rep: Reputation: 0
I ran that script and it ran fine, but I still wasn't getting access to the webserver from the internet. Even if I completely turn iptables off, I still don't get served any webpages from the internet. Is there a command that I can run to make sure apache is starting off as root? I tried
'su root -c "/usr/local/apache/bin/apachectl start"' and it seemed to start apache as root.

Would it be possible to have apache running on port 9090 (or some other port that is not privileged) and then use iptables to forward the packet to this port?

That's the only workaround that I can think of at the moment.

Has anyone else got any ideas about what's happening here?

Thanks,

Tony.
 
Old 06-20-2006, 02:34 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by clarket
I ran that script and it ran fine, but I still wasn't getting access to the webserver from the internet. Even if I completely turn iptables off, I still don't get served any webpages from the internet. Is there a command that I can run to make sure apache is starting off as root? I tried
'su root -c "/usr/local/apache/bin/apachectl start"' and it seemed to start apache as root.
the ps output you posted shows that the parent process is indeed owned by root...

Quote:
Would it be possible to have apache running on port 9090 (or some other port that is not privileged) and then use iptables to forward the packet to this port?

That's the only workaround that I can think of at the moment.
i'm not sure... i was thinking about the REDIRECT target (typically used for transparent proxies), but i think it only works in the PREROUTING chain...
 
Old 06-20-2006, 02:40 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by clarket
I've also set SELinux to permissive in case it was stopping the pages from being served.
maybe you should try taking this a step further, by temporarily disabling selinux entirely...

just a thought...
 
Old 06-21-2006, 08:47 AM   #11
intel_ro
Member
 
Registered: Jun 2006
Location: Romania
Distribution: RH 9, FD 2,3,4,5 Debian
Posts: 37

Rep: Reputation: 15
I don't understand if your webserver is on another machine. If it is on the other machine, you need to use iptables -t nat -A POSTROUTING to redirect the TCP connection, and the machine must have a real IP. If it is a private IP you must have the port redirected on the router or at the ISP!
 
Old 06-21-2006, 10:30 AM   #12
clarket
LQ Newbie
 
Registered: Jun 2006
Posts: 8

Original Poster
Rep: Reputation: 0
The server does have a real IP address. We have all our servers/web servers in the same VLAN and all the other servers in the VLAN are accessible from the internet, which means port 80 cannot be blocked.

I have disabled SELinux completely and I'm still getting the same. I'm not sure what's going on here.

Thanks,

T.
 
Old 06-21-2006, 10:37 AM   #13
intel_ro
Member
 
Registered: Jun 2006
Location: Romania
Distribution: RH 9, FD 2,3,4,5 Debian
Posts: 37

Rep: Reputation: 15
Try to use
netstat -anp to see the owner of the port
and use telnet <ip> 80 to see if Apache responds to your requests.
 
Old 06-22-2006, 05:20 AM   #14
clarket
LQ Newbie
 
Registered: Jun 2006
Posts: 8

Original Poster
Rep: Reputation: 0
This is what I get from the netstat -anp command

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 :::80 :::* LISTEN 16290/httpd

When I telnet on port 80 from the internet I get the message "could not open connection to host on port 80, connection failed".

When I telnet from port 80 from the same domain apache responds.

Should there be 127.0.0.1 in the Local Address above (in the output from netstat -anp)?

Thanks,

t.
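As an added example (not code from any of the posts above), here is a small parser that answers the question about the Local Address column: it classifies each LISTEN line from netstat by whether the bind address is loopback-only, an IPv4 wildcard, or an IPv6 wildcard, which is also why ":::80" differs from "0.0.0.0:80" only in appearance on a default Linux host. The sample lines are constructed from the output posted earlier in the thread, and the bindv6only flag is an assumption that models the Linux net.ipv6.bindv6only sysctl.

```python
"""Classify the bind address of each LISTEN socket in netstat output.

Added example for this thread, not code from the original posts.
"""
import re

# Constructed sample, trimmed from the netstat lines posted in the thread.
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 ::ffff:127.0.0.1:8005 :::* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 ::1:22 :::* LISTEN
"""

# proto recv-q send-q local_addr:port foreign_addr state
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def classify(local_addr, bindv6only=False):
    """Return who can reach a socket bound to local_addr.

    bindv6only mirrors net.ipv6.bindv6only (Linux default 0, an assumption
    here): when it is 0, a socket bound to the IPv6 wildcard '::' also
    accepts IPv4 clients, which then appear as ::ffff:a.b.c.d.
    """
    if local_addr in ("127.0.0.1", "::1") or local_addr.startswith("::ffff:127."):
        return "loopback-only"        # only reachable from the host itself
    if local_addr == "0.0.0.0":
        return "all-ipv4"             # every IPv4 interface
    if local_addr == "::":
        return "all-ipv6" if bindv6only else "all-ipv4-and-ipv6"
    return "specific-address"         # bound to one interface address


def listeners(netstat_text, bindv6only=False):
    """Map port -> (local address, reachability) for every LISTEN line."""
    result = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue                  # skip headers and non-LISTEN rows
        addr, port = m.group(2), int(m.group(3))
        result[port] = (addr, classify(addr, bindv6only))
    return result


if __name__ == "__main__":
    for port, (addr, reach) in sorted(listeners(SAMPLE_NETSTAT).items()):
        print(f"port {port:5d} bound to {addr:22s} -> {reach}")
```

Run it against the real output of netstat -an on the server: a web server whose port 80 comes back as loopback-only cannot be reached from other hosts regardless of the firewall, while all-ipv4-and-ipv6 means the bind address is not the cause.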
 
Old 06-22-2006, 05:51 AM   #15
intel_ro
Member
 
Registered: Jun 2006
Location: Romania
Distribution: RH 9, FD 2,3,4,5 Debian
Posts: 37

Rep: Reputation: 15
Let's say from the local machine you have a response. Try links 127.0.0.1 to see if something is happening; then, if all is OK, try using iptables -F INPUT and iptables -F OUTPUT. With these 2 rules erased you should connect even from the internet. But the first thing you must know is that you can open a page from the local machine.

[root@router ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to router.topallnet.ro (127.0.0.1).
Escape character is '^]'.

Last edited by intel_ro; 06-22-2006 at 05:54 AM.
 