LinuxQuestions.org


tekutokiari 03-01-2011 02:04 PM

Problem with WAN connections to servers
 
OK, so, basically, not so long ago I had a modem + LAN cable kind of internet setup, and my friends and colleagues had no problem connecting to my Apache, ircd, etc.

But a few months ago my ISP changed its policy, and now I have a single cable, plugged directly into the 'eth0' port, which connects to WAN (static IP) and, through PPPoE, to the net (dynamic IP). (Sorry, my knowledge of networking is close to nonexistent.)

So, now there is a problem. My friends CAN still connect to my FTP and httpd on Windows XP, through both the external, dynamic IP, as well as the static WAN IP, but my Slackware (WAN IP is set up with DHCP, PPPoE - through pppoe-setup, with firewall at '0') is refusing access. No signs of connection are shown in the /var/log/access_log.

Also, VoiceChatter server DOES log the connection attempt, but it refuses connection, sending an 'Auth challenge', and then cutting the connection. (The 'challenge' bit was never there before the new net setup.)

All connections are done through the WAN static IP (though tests with the netwide dynamic IP yield the same results =\)

I run Slackware 13.1, didn't touch the firewall settings at all, and, as mentioned, pppoe firewall is set to '0' value.

Any help much appreciated.

shane_kerr 03-02-2011 04:18 AM

In such situations I usually try tcpdump to see if the packets are arriving at the host or not.

To see packets for Apache you would use something like this:

tcpdump -i $interface -s0 -n port 80

In this case, $interface would be eth0 for your static IP and something like ppp0 for the dynamic IP (sorry I don't know Slackware's policies about this).

If you're not seeing any traffic then you know it's a networking problem. If you are seeing traffic then you know it is a problem on the host (for example a routing table issue).

pvs 03-02-2011 04:25 AM

Can you show us, please, the output of these commands:
ip addr show
ip route show
iptables-save

manolomalaga 03-02-2011 07:25 AM

Hi, you can install Webmin (http://www.webmin.com/); it's a central web administration tool. One module is the firewall rules. It's possible you'll need to change dynamic routes to your new static IP.

tekutokiari 03-02-2011 09:26 AM

ip addr show:
Code:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
      valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:f1:c0:55:87 brd ff:ff:ff:ff:ff:ff
    inet 172.16.81.141/21 brd 172.16.87.255 scope global eth0
    inet6 2002:5434:416:b:20c:f1ff:fec0:5587/64 scope global dynamic
      valid_lft 2566022sec preferred_lft 578822sec
    inet6 2002:5434:58b:b:20c:f1ff:fec0:5587/64 scope global dynamic
      valid_lft 2393436sec preferred_lft 406236sec
    inet6 2002:59eb:ec20:b:20c:f1ff:fec0:5587/64 scope global dynamic
      valid_lft 2356491sec preferred_lft 369291sec
    inet6 fe80::20c:f1ff:fec0:5587/64 scope link
      valid_lft forever preferred_lft forever
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 84.52.45.103 peer 212.7.29.236/32 scope global ppp0

ip route show:
Code:

212.7.29.236 dev ppp0  proto kernel  scope link  src 84.52.45.103
172.16.80.0/21 dev eth0  proto kernel  scope link  src 172.16.81.141  metric 202
127.0.0.0/8 dev lo  scope link
default dev ppp0  scope link

iptables-save:
Code:

# Generated by iptables-save v1.4.7 on Wed Mar  2 16:21:29 2011
*mangle
:PREROUTING ACCEPT [1304177:331424303]
:INPUT ACCEPT [1300795:331086533]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1847649:1853836092]
:POSTROUTING ACCEPT [1847660:1853837284]
COMMIT
# Completed on Wed Mar  2 16:21:29 2011
# Generated by iptables-save v1.4.7 on Wed Mar  2 16:21:29 2011
*nat
:PREROUTING ACCEPT [34071:4699912]
:POSTROUTING ACCEPT [28847:1932281]
:OUTPUT ACCEPT [28847:1932281]
COMMIT
# Completed on Wed Mar  2 16:21:29 2011
# Generated by iptables-save v1.4.7 on Wed Mar  2 16:21:29 2011
*filter
:INPUT ACCEPT [1276637:329569453]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1835125:1839970638]
-A INPUT -i ppp+ -p udp -m udp --dport 0:1023 -j LOG
-A INPUT -i ppp+ -p tcp -m tcp --dport 0:1023 -j LOG
-A INPUT -i ppp+ -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i ppp+ -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ppp+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG
-A INPUT -i ppp+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp+ -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT
# Completed on Wed Mar  2 16:21:29 2011

tcpdump does show some packets received by filter.

I'm trying out webmin right now.

pvs 03-02-2011 10:25 AM

1) The default route looks strange, but this may be because of PPPoE. Please additionally show me the output of the Windows command
route print

2) The rules
-A INPUT -i ppp+ -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i ppp+ -p tcp -m tcp --dport 0:1023 -j DROP
are preventing incoming traffic on ports 1-1023, including 20, 21, 80 (FTP and HTTP).

In this configuration your friends will be able to connect to your Linux only if they are connected to the same local network with IP addresses from the same subnet.

To allow connections to 84.52.45.103, simply disable the firewall.

manolomalaga 03-02-2011 11:33 AM

OUTPUT ACCEPT is from your server to the Internet; here you can add TCP ports 80 (HTTP) and 21 (FTP). Add inside INPUT ACCEPT one rule with ports 80 (HTTP) and 21 (FTP) to allow incoming connections to your server.

Here is some doc:

http://en.wikipedia.org/wiki/Netfilter/iptables
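
The rule discussion in the posts above, as an added example that is not part of any post in the thread: a small first-match evaluator run over the INPUT rules tekutokiari posted, returning the rule that decides a new connection arriving on ppp0 or eth0. The packet dicts and the `ALLOW_HTTP` rule are constructed for illustration, and the evaluator models only the match options these rules use.

```python
import shlex

# The *filter INPUT rules exactly as posted in the thread's iptables-save output.
POSTED = """\
-A INPUT -i ppp+ -p udp -m udp --dport 0:1023 -j LOG
-A INPUT -i ppp+ -p tcp -m tcp --dport 0:1023 -j LOG
-A INPUT -i ppp+ -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i ppp+ -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ppp+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG
-A INPUT -i ppp+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp+ -p icmp -m icmp --icmp-type 8 -j DROP
""".splitlines()
ALLOW_HTTP = "-A INPUT -i ppp+ -p tcp -m tcp --dport 80 -j ACCEPT"  # hypothetical rule

def parse(line):
    """Parse the subset of iptables-save syntax that the posted rules use."""
    tok, r = shlex.split(line), {"text": line}
    for i, t in enumerate(tok):
        if t in ("-i", "-p", "-j", "--icmp-type"):
            r[t] = tok[i + 1]
        elif t == "--dport":
            lo, _, hi = tok[i + 1].partition(":")
            r[t] = (int(lo), int(hi or lo))
        elif t == "--tcp-flags":  # mask, then the flags that must be set within it
            r[t] = (set(tok[i + 1].split(",")), set(tok[i + 2].split(",")))
    return r

def matches(r, pkt):
    iface, name = r.get("-i", "+"), pkt["iface"]  # trailing "+" is a prefix wildcard
    if not (name.startswith(iface[:-1]) if iface.endswith("+") else name == iface):
        return False
    lo, hi = r.get("--dport", (-1, 65535))
    if r.get("-p", pkt["proto"]) != pkt["proto"] or not lo <= pkt.get("dport", -1) <= hi:
        return False
    if "--tcp-flags" in r:
        mask, must = r["--tcp-flags"]
        if pkt.get("flags", set()) & mask != must:
            return False
    return r.get("--icmp-type") in (None, str(pkt.get("icmp_type")))

def verdict(rules, pkt, policy="ACCEPT"):
    """First terminating match wins; LOG does not terminate; else the chain policy."""
    for r in map(parse, rules):
        if matches(r, pkt) and r["-j"] != "LOG":
            return r["-j"], r["text"]
    return policy, None

def syn(iface, dport):  # constructed sample packet: a new inbound TCP connection
    return {"iface": iface, "proto": "tcp", "dport": dport, "flags": {"SYN"}}
```

`verdict([ALLOW_HTTP] + POSTED, syn("ppp0", 80))` returns ACCEPT because the added rule sits ahead of both DROP rules, while the same rule appended after them is never reached. A new connection to a high port on ppp0 is still dropped by the SYN rule, and nothing in this ruleset matches traffic arriving on eth0.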


All times are GMT -5.