LinuxQuestions.org
Forum: Linux - Networking
Old 03-02-2004, 10:03 PM   #1
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Rep: Reputation: 15
iptables blocking internal access?


Can someone please tell me how to stop iptables? When I try to stop it I get:

[root@ptpsrv1 iptables]# /etc/rc.d/init.d/iptables stop
Flushing all chains: [ OK ]
Removing user defined chains: [ OK ]
Resetting built-in chains to the default ACCEPT policy: [ OK ]

But to me this reads as if it's setting defaults?? Basically, I am having the following problem.

My network is 192.168.X.X. On the firewall there is a DMZ for 10.10.X.X. The web server is on this DMZ. For some reason my web page is accessible from the outside, but not from the inside. I have tried both from the 192.168.X.X network as well as another machine on the DMZ. From this other workstation on the DMZ I can't even pull up my web page by using http://10.10.X.X. I have worked with our network guys on our firewall settings but they are convinced the problem is on my box. Our firewall settings have not changed - the only changed factor here is I reinstalled Linux and went with the latest version.

My assumption is that iptables is the culprit (a newbie guess). What else could possibly be blocking this traffic?

Thanks in advance.
 
Old 03-03-2004, 12:03 AM   #2
ryancoolest
Member
 
Registered: Jan 2004
Location: Pinas
Distribution: Mandrake
Posts: 152

Rep: Reputation: 30
If your iptables are flushed and you can still access your web server from outside... Are you sure about this? Unless you're using a public IP on your DMZ, it may pass through...

Try to sniff the packets coming from inside; it will lead you to the problem...

And also review your rules in your firewall...
 
Old 03-03-2004, 11:12 AM   #3
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Original Poster
Rep: Reputation: 15
ryancoolest - thanks for replying.

I'm not sure I follow (total newbie). I see the requests from the internal IP addresses in my access_log, but nothing in the error log. I would assume that if the traffic is being blocked by iptables then I would at the very least get a "Forbidden" message. I really think it's our firewall, but our network guys say absolutely not, and I don't know enough about it to convince them otherwise.

Are there any logs or anything (other than the Apache logs) on my server that I could possibly check for entries of this traffic being refused? How do I sniff the packets?

Thanks.
 
Old 03-03-2004, 07:51 PM   #4
ryancoolest
Member
 
Registered: Jan 2004
Location: Pinas
Distribution: Mandrake
Posts: 152

Rep: Reputation: 30
Quote:
Can someone please tell me how to stop iptables? When I try to stop it I get:

[root@ptpsrv1 iptables]# /etc/rc.d/init.d/iptables stop
Flushing all chains: [ OK ]
Removing user defined chains: [ OK ]
Resetting built-in chains to the default ACCEPT policy: [ OK ]
Your network guys are correct: since you issued the above command and successfully flushed all the chains, your FW is open to all... Anyway, do you have an internal and an external DNS? You might check your DNS; maybe you missed something in the config...

Use a sniffer on Windows and tcpdump on Unix to see if there's traffic coming in and out.
 
Old 03-03-2004, 08:27 PM   #5
Skunk_Face
Member
 
Registered: Jan 2004
Posts: 54

Rep: Reputation: 15
after running
#/etc/rc.d/init.d/iptables stop or # service iptables stop

then run

#iptables -L
if all chains are empty then your firewall is off

(might wanna try checking to see if you're running ip_filter too)
 
Old 03-04-2004, 01:29 AM   #6
warned
LQ Newbie
 
Registered: Oct 2003
Distribution: Mandrake and RH
Posts: 22

Rep: Reputation: 15
Policy issue??

Hi, perhaps you didn't flush the default policy. When you write:

# iptables -L

it lists the rules and default policies for each chain. The policy comes in brackets beside the chain name. If (DROP) or (REJECT) appears here, you could have problems. Try with:

# iptables -P chain_name ACCEPT

to allow traffic for that chain. i.e.:

# iptables -P FORWARD ACCEPT


...and let's see.
 
Old 03-07-2004, 09:42 PM   #7
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Original Poster
Rep: Reputation: 15
Thanks everyone for the replies... this had to get put on the backburner for a couple of days, but I desperately need to get this working.

ryancoolest - I had pinging disabled on my server, but I enabled it just for testing and I am able to ping it from our network but can't pull up the webpage by IP or domain name. My domain name is hosted on an external IP address which points to our firewall. We have an internal DNS server which I have indicated in my /etc/resolv.conf file. We explored the DNS issue but since I can't even pull it up by IP address that tells me something else is wrong.

warned - After making sure iptables is stopped this is the output of "iptables -L"
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I'm no pro, but it appears that everything is being allowed through...

SkunkFace - I checked my installed rpms and ipfilter is not listed. When I do a "find / -name ipfilter*" I see a file /etc/makedev.d/ipfilter... Not too sure what that file is doing if ipfilter is not installed, but here are the contents:
# Aliases for firewalling.
a ipfilter ipauth
a ipfilter ipl
a ipfilter ipnat
a ipfilter ipstate

So in summary - it seems iptables is allowing all traffic through. From my network I can ping my web server but can't pull it up in a web browser by IP or by domain name... no major firewall or DNS changes have been made, and I once was able to do this before reinstalling my OS & Apache. Attempts by IP show up in my Apache log; attempts by domain name do not. Could this be my Apache configuration that is causing the problem? It seems that everything with the OS and the firewall is OK....

Thanks again
 
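The check warned describes, applied to a listing like the one complus posted above, as an added example that is not code from this thread: it parses `iptables -L -n` output and reports which chain, if any, would DROP or REJECT a LAN-to-DMZ request to port 80 (first matching rule wins, otherwise the chain policy). The SAMPLE listing is constructed (its FORWARD chain deliberately rejects) and the addresses are placeholders.

```python
import ipaddress
import re

# Added example, not code from the thread: parse `iptables -L -n` output and
# find which chain would DROP/REJECT a LAN -> DMZ web request. SAMPLE is constructed.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.0/16       10.10.0.0/16         tcp dpt:22
REJECT     all  --  192.168.0.0/16       10.10.0.0/16         reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|.*)\)")  # user chains have no policy

def parse_listing(text):
    # -> {chain: {"policy": str, "rules": [(target, proto, src, dst, extra), ...]}}
    chains, current = {}, None
    for line in text.splitlines():
        if m := CHAIN_RE.match(line):
            current = m.group(1)
            chains[current] = {"policy": m.group(2) or "RETURN", "rules": []}
        elif line.strip() and not line.startswith("target") and current:
            f = line.split(None, 5)  # target prot opt source destination [extra]
            chains[current]["rules"].append((f[0], f[1], f[3], f[4], f[5] if len(f) > 5 else ""))
    return chains

def _covers(net, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def verdict(chains, chain, src, dst, dport):
    # Walk the chain top-down as netfilter does: first matching rule wins, else the policy.
    for target, proto, s, d, extra in chains[chain]["rules"]:
        if proto not in ("all", "tcp") or not (_covers(s, src) and _covers(d, dst)):
            continue
        if (m := re.search(r"dpt:(\d+)", extra)) and int(m.group(1)) != dport:
            continue
        return target
    return chains[chain]["policy"]

def blockers(chains, src, dst, dport=80):
    # Chains whose verdict for this TCP flow is DROP or REJECT (empty = iptables is not it).
    v = {c: verdict(chains, c, src, dst, dport) for c in chains}
    return {c: t for c, t in v.items() if t in ("DROP", "REJECT")}
```

Feeding it the all-ACCEPT, rule-less listing complus posted returns an empty result, which is the "iptables is not the problem" conclusion the thread reaches.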
Old 03-08-2004, 10:31 AM   #8
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Original Poster
Rep: Reputation: 15
just an fyi - i compared a prior apache config to my current and there are no differences. I am posting this to an apache list, but I don't think apache is the culprit.

I think it's either
1) A routing/firewall issue on our network.
2) An OS issue on my server.

Any more thoughts/ideas are very welcome.

Thanks
 
Old 03-08-2004, 11:22 AM   #9
warned
LQ Newbie
 
Registered: Oct 2003
Distribution: Mandrake and RH
Posts: 22

Rep: Reputation: 15
Not a FW problem

Well, it doesn't seem to be a firewall problem. You can probe this with the "nmap" command. I don't know what kind of OSs you have in the DMZ, but under GNU/Linux you can type:

# nmap -P0 <web_server_ip> -p 80

so you can test if the Firewall is filtering the default web port (80). Nmap will tell you if the port is open, closed or filtered. If you don't have the "nmap" command at hand, try using:

# telnet <web_server_ip> 80

and see if it connects. If it doesn't, you'll get a connection error. It is good practice to do this probe from the LAN and from the DMZ. Normally, if the DMZ is an independent network segment hanging off the FW, the FW will never filter the traffic within the segment.

Try this and tell the results, ok?

Good Luck.
 
Old 03-08-2004, 11:37 AM   #10
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Original Poster
Rep: Reputation: 15
warned - thanks for the reply.

nmap is not on our UNIX system and the rest of the computers on our network are all Windows.... so I tried telnet.

I could have sworn I had telnet turned off and refusing all connections.... When I try to telnet to my webserver by IP without specifying a port I get a connection failed.... as well as when I try any port other than 80.

When I telnet to my web server by IP on port 80 it connects.... but I just get a blinking cursor and when I hit the enter key I get booted off but see the following output:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.parkingticketpayment.com">here</A>.
<P>
<HR>
<ADDRESS>Apache/1.3.29 Server at www Port 80</ADDRESS>
</BODY></HTML>
Connection to host lost.

I know I said I didn't think it was an apache issue but I've been searching through the archives from the Apache list all morning and it might very well be.

Two questions:
1) The fact that I get this is a good sign, right? What this tells me is that our network can establish an HTTP connection to my web server, but something is happening with the request/response. The strange thing is that I get nothing in my browser... not even the message above... I just get thrown to a search page.
**Note this is all when doing it by IP address. When I try with the domain name nothing shows up in my Apache logs, and when I try to telnet to the domain name on port 80 I get a connection failed.

2) Why am I able to telnet to port 80 by IP address... is this a security issue?

Thanks
 
Old 03-08-2004, 06:27 PM   #11
ryancoolest
Member
 
Registered: Jan 2004
Location: Pinas
Distribution: Mandrake
Posts: 152

Rep: Reputation: 30
Quote:
ryancoolest - I had pinging disabled on my server, but I enabled it just for testing and I am able to ping it from our network but can't pull up the webpage by IP or domain name. My domain name is hosted on an external IP address which points to our firewall. We have an internal DNS server which I have indicated in my /etc/resolv.conf file. We explored the DNS issue but since I can't even pull it up by IP address that tells me something else is wrong.
COMPLUS - Is your setup like this?




NET ------ FWon eth0-------DMZ on eth2 ----------LAN eth3

???? No Particular INFO JUST THE LAYOUT...

I had the same problem a long time ago; I resolved it on my internal DNS...

Last edited by ryancoolest; 03-08-2004 at 06:28 PM.
 
Old 03-08-2004, 07:18 PM   #12
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Original Poster
Rep: Reputation: 15
ryancoolest - I should have listened to you a few posts back. I had to rule out all other options (i.e. Linux and Apache) to get my network guys to listen to me, and that's pretty much what I did. Here is the set up:

Net
|
|
Cisco PIX Firewall ------ DMZ (My Linux box)
|
|
LAN

Here is what I have found out about Apache. My requests by IP address get logged in the Apache logs, but requests by domain name do not. The IP requests show a redirect going on.... This is because I have my server set up so that if any requests for anything other than www.mydomain.com come to my server they will automatically be forwarded to the right domain. Since the IP address qualifies as something "other", my server is attempting to forward it to www.mydomain.com but can't....

So I have two things going on:
1) I am missing a DNS entry somewhere on our internal DNS server that directs www.mydomain.com requests from our internal network to my server. I am guessing that my server being non-Windows explains why our DNS doesn't consider it part of our domain.

2) A firewall setting somewhere has to be set to route internal requests to the public IP to my server.

I know that this topic has now become completely unrelated to Linux, and I'd hate to tick anyone off by posting... if no one has a problem with it then I'd totally appreciate your help here since you say you've had a similar problem. If not, then maybe you'd be so kind as to drop me an email?

Thanks
 
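An added example, not code from this thread, that automates the probe warned suggested and the Host-header behaviour complus found: it classifies a port as open/closed/filtered the way nmap reports it, then sends the same GET the telnet test sends but with a chosen Host header, so a 302 to the canonical name (what complus saw when connecting by IP) can be told apart from a page served directly. The IP and host arguments are placeholders; run it from the LAN and from the DMZ as warned advised.

```python
import errno
import socket

# Added example, not code from the thread: port probe (as nmap reports it)
# plus the Host-header GET behind the 302 seen over telnet. IPs/hosts are placeholders.

def tcp_state(ip, port, timeout=3.0):
    # open = SYN/ACK came back, closed = RST came back, filtered = no reply.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return "open"
    except socket.timeout:
        return "filtered"      # silently dropped somewhere in the path
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "closed"    # host reachable, nothing listening on the port
        return "filtered"      # unreachable/other errors: treat as blocked
    finally:
        s.close()

def http_get(ip, port, host, path="/", timeout=3.0):
    # The same GET the telnet test sends, but with an explicit Host header.
    req = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(req)
        return s.makefile("rb").read()

def parse_response(raw):
    # Return (status_code, Location header or None) from a raw HTTP reply.
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    parts = head[0].split(" ", 2)
    status = parts[1] if len(parts) > 1 else ""
    location = None
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location

def diagnose(status, location, requested_host):
    # What the reply means for the "reachable outside, not inside" symptom.
    if status.startswith("3") and location:
        return (f"Host '{requested_host}' is not the canonical name; Apache redirected "
                f"to {location}, which clients inside must be able to resolve")
    if status == "200":
        return f"Apache served Host '{requested_host}' directly"
    return f"unexpected status {status or 'none'}"
```

Calling `http_get` once with the bare IP as Host and once with `www.mydomain.com` (placeholder names) shows directly whether the redirect depends on the Host header, which is the distinction complus worked out by hand.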
Old 03-08-2004, 08:56 PM   #13
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
you should be able to set up a host... say www from your dns (with the address being mydomain.com)

then point to the web server ip. so anything from www.domain.com will go there..

you CAN make the webserver a part of the domain if you choose. I will post the steps below...

You should also double check your iptables.. you should be able to have a rule in there redirecting any requests to your webserver's ip address on port 80 to the webserver locally...

also ensure that you have allowed your 192.X to see your 10.X

eg

$IPTABLES -A INPUT -i $INSIDE -d $DMZ -s $LAN -j ACCEPT
and vice versa

Hope that all helps

Thanks Chris


Joining a domain
To join a MS domain from samba you must first ensure the following settings in smb.conf file

encrypt passwords = Yes
security = domain

now shutdown samba

go to DC and add the computer name of the unix samba pc

type:
smbpasswd -j DOMAIN -r DOMAINDCPC

example smb.conf file

[global]
workgroup = MYDC
netbios name = firewall
server string = smb
encrypt passwords = Yes
unix password sync = yes
null passwords = yes
security = domain
[netlogon]
path = /home/netlogon
comment = Netlogon
public = yes
writeable = no
browsable = no
[public]
path = /public
read only = No
guest ok = Yes

[homes]
valid users = %S
read only = No
browseable = No
 
Old 03-08-2004, 09:10 PM   #14
ryancoolest
Member
 
Registered: Jan 2004
Location: Pinas
Distribution: Mandrake
Posts: 152

Rep: Reputation: 30
complus -

Quote:
1) I am missing a DNS somewhere on our internal DNS server that directs www.mydomain.com requests from our internal network to my server. I am guessing because my server is non-Windows explains why our DNS doesn't consider it part of our domain.
You might be right if you're using a domain controller on Windows. Well, I'm not that familiar with Windows; that's what I think.

Quote:
2) A firewall setting somewhere has to be set to route internal requests to the public IP to my server.
YES, it has to be set to redirect your packet request to the destination.

If I were you, since you have an internal DNS, try a test on the same subnet of your network: create an internal web server. If this test works, you have a routing issue to resolve.
 
Old 03-08-2004, 09:16 PM   #15
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Original Poster
Rep: Reputation: 15
Ok... very strange... First I want to thank you all for your replies.

Secondly, adding a new zone on my DNS server did the trick. I had to practically wring our network admin's neck in order to get access to poke around, but finally he got annoyed and said screw it... so you know what I found?? No entry in the forward lookup zone. There was an entry in the reverse lookup zone for the DMZ subnet but no forward lookup.... All I did was add the forward lookup zone and now it is miraculously working.... (unless my network admin made a change to the firewall that he didn't tell me about....).

So it would appear that the problem is solved... Thank you all again so much for helping an "old" newbie out... I swear I will never get past newbie status with this OS, but I'm trying!!

Thanks!!
 