LinuxQuestions.org
Old 08-02-2010, 10:04 PM   #1
brunoschwartz
LQ Newbie
 
Registered: Aug 2010
Posts: 15

Rep: Reputation: 0
Unable to access web server from the computer running apache


Dear All,

I am a newbie to linux of 4 weeks. I set up my first web server and it works flawlessly - when accessed from external network or from other computers on my lan. However, I cannot access it from the computer where the server is run on. I have found numerous people with similar problems but the flavour I am experiencing is somewhat different and no solutions I have found apply to it.

I have two network interfaces on my server, eth0 (public static IP connected to internet) and eth1 connected to LAN 192.168.1.0/24 range. The server is 192.168.1.1

I added "192.168.1.1 www.server.com" to the /etc/hosts on the server and also on the other machines on the LAN. All the other machines can open website without any problem.

However, the server itself only opens the website if the address is localhost. The internal IP, i.e. 192.168.1.1, gets a time out and so does www.server.com.

Here is the firewall script I am using.

#!/bin/sh
#
# Example Firewall Script

###############################################################
### Define interfaces here
EXT_DEV=eth0
INT_DEV=eth1
INT_NET=192.168.1.0/24

### Remove all previous rules, and delete any user defined chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

### Set the default policies to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

### Loopback device OK
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT

### Allow all Internal traffic to Server
iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT

###############################################################
### OUTBOUND Rule: Allow ALL packets out the external device
iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT

###############################################################
### SNAT forwarding
iptables -t nat -A POSTROUTING -o $EXT_DEV -s $INT_NET -j SNAT --to-source XX.XX.XX.XX


###############################################################
### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT


#
### INBOUND Rules: Allow ONLY NEW packets on these ports.
#

# New INBOUND Connection: Samba from eth1
iptables -A INPUT -i $INT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 139 -j ACCEPT
iptables -A INPUT -i $INT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 445 -j ACCEPT
iptables -A INPUT -i $INT_DEV -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
iptables -A INPUT -i $INT_DEV -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT

# New INBOUND Connection: SMTP and SMTPS (over TLS/SSL)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 25 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT

# New INBOUND Connection: POP3 (port 110) or POP3S (port 995)
#iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 110 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 995 -j ACCEPT

# New INBOUND Connection: IMAP (port 143) or IMAPS (port 993)
#iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 143 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT

# New INBOUND Connection: HTTP (Plain and SSL)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 443 -j ACCEPT


I do not understand why the record in /etc/hosts doesn't point it in the right direction. It seems that when I open address 192.168.1.1 it still gets routed to the external network. I have seen DNAT used to deal with the problem but it didn't work in my case (maybe I didn't do it correctly). I have spent the whole evening/night trying to sort it out, it's 4AM now, going to bed frustrated and angry (at myself hahaha). Still like linux very much, won't be going to windows anymore. Please help
 
Old 08-02-2010, 10:54 PM   #2
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 250Reputation: 250Reputation: 250
Firstly, it's unlikely to be anything to do with the firewall, as you are operating behind the firewall on the same machine.

It seems that the machine doesn't know its own ip address.

What shows up when you run ifconfig ?
or
What is the contents of /etc/sysconfig/networking/devices/ifcfg-eth1 ?

Is your internal ip in there ?
If not, add the lines
IPADDR=192.168.1.1
BOOTPROTO=static

then restart the network.

Or run netconfig and specify your ip address there.

Last edited by smoker; 08-02-2010 at 10:56 PM.
 
Old 08-03-2010, 07:48 AM   #3
brunoschwartz
LQ Newbie
 
Registered: Aug 2010
Posts: 15

Original Poster
Rep: Reputation: 0
Hello Smoker,

Thanks for your reply. Ifconfig says:

eth1 Link encap:Ethernet HWaddr 00:22:756:B8:F1
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::222:75ff:fed6:b8f1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1866 errors:0 dropped:0 overruns:0 frame:0
TX packets:2236 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:378581 (369.7 KiB) TX bytes:2400037 (2.2 MiB)

And the contents of ifcfg are

DEVICE=eth1
HWADDR=00:22:756:B8:F1
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.1
GATEWAYDEV=eth0
#NETWORK=192.168.1.0
USERCTL=no
TYPE=Ethernet
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth1"
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
NM_CONTROLLED=yes
DNS2=87.194.255.155
DNS1=87.194.255.154
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes

Can you see anything wrong?
 
Old 08-03-2010, 11:41 AM   #4
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 250Reputation: 250Reputation: 250
Well the ip is in there alright.
You could have a look in /etc/host.conf and make sure that it says order hosts,bind but it should say that already anyway.

What does your httpd.conf say ? Did you specify an ip address or just listen 80 ?
How does the machine connect to the internet ? Is there a router anywhere in this config ? How do the other machines get their ip addresses and what is their gateway ?
 
Old 08-03-2010, 03:54 PM   #5
brunoschwartz
LQ Newbie
 
Registered: Aug 2010
Posts: 15

Original Poster
Rep: Reputation: 0
Hello Smoker,

Thanks again. First of all, the host.conf says order=hosts,bind
2) httpd only listens to port 80
3) the server which runs apache connects to the internet directly. It runs an iptables firewall and also SNAT for other computers on my internal lan.
The other comps on my lan are set to private static ip, such as 192.168.1.X, and their gateway is 192.168.1.1 which is the server running the website. All of them are connected to an unmanaged switch which is then connected to eth1 of the server. The server then connects through eth0 directly to the internet.

As I said, the other comps on my lan can access the server through both the internal private IP and the server's name after I added 192.168.1.1 server into their /etc/hosts. Thanks for your help. I hope we will get to a successful finale.

Regards,
 
Old 08-04-2010, 03:21 AM   #6
brunoschwartz
LQ Newbie
 
Registered: Aug 2010
Posts: 15

Original Poster
Rep: Reputation: 0
Hello there,

I would like to point out one thing. The problem definitely has something to do with my firewall setting. When I turn iptables off, I can access everything. There is a setting to accept all the traffic from my internal network interface, why is it not working?

Regards


Quote:
Originally Posted by brunoschwartz View Post
Hello Smoker,

Thanks again. First of all, the host.conf says order=hosts,bind
2) httpd only listens to port 80
3) the server which runs apache connects to the internet directly. It runs an iptables firewall and also SNAT for other computers on my internal lan.
The other comps on my lan are set to private static ip, such as 192.168.1.X, and their gateway is 192.168.1.1 which is the server running the website. All of them are connected to an unmanaged switch which is then connected to eth1 of the server. The server then connects through eth0 directly to the internet.

As I said, the other comps on my lan can access the server through both the internal private IP and the server's name after I added 192.168.1.1 server into their /etc/hosts. Thanks for your help. I hope we will get to a successful finale.

Regards,
 
Old 08-04-2010, 11:23 AM   #7
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 250Reputation: 250Reputation: 250
Quote:
Originally Posted by brunoschwartz View Post
There is a setting to accept all the traffic from my internal network interface, why is it not working?
Because you're not going through a network interface, you're connecting internally, but one of your rules is sending all packets out through eth0.

What happens if you telnet or ssh to 192.168.1.1 from the server? If either of them connects ok, then the server knows and can access its own address.
 
Old 08-05-2010, 04:55 PM   #8
brunoschwartz
LQ Newbie
 
Registered: Aug 2010
Posts: 15

Original Poster
Rep: Reputation: 0
Hello Smoker,

Thanks for your help. I found the culprit after hours of playing with iptables.

This was my original setup for local loopback
### Loopback device OK
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

Changing it to

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

did the trick. Now everything is working fine. I hope having it set up like that won't jeopardise the security.

Regards,
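Why the original loopback rules failed, and whether the replacement weakens anything, as an added example that is not part of this thread or any poster's code. A connection from the server to its own LAN address 192.168.1.1 never leaves the box: the kernel delivers it over lo, but with 192.168.1.1 as both source and destination, so a loopback ACCEPT limited to 127.0.0.0/8 never matches and the packet falls through to the DROP policy in OUTPUT (and INPUT). Accepting everything on lo is safe because only packets that really travelled the loopback path carry lo as their input interface; a packet arriving on eth0 with a 127.x source does not match -i lo. The script below audits an iptables-save style dump for exactly this mistake. The function names (check_loopback_rules, has_loopback_antispoof, loopback_rules) and the two rule dumps are constructed for the example; the anti-spoof DROP for 127.0.0.0/8 on non-lo interfaces is an extra defensive rule the thread does not mention.

```shell
#!/bin/sh
# Added audit helper, not code from the thread: checks an iptables-save style rule
# dump for a loopback ACCEPT that is limited to 127.0.0.0/8. Locally generated
# traffic to any of the host's own addresses (192.168.1.1 included) travels over lo
# with that address as source and destination, so such a rule never matches it and a
# DROP policy discards the connection.

# Constructed sample dump in iptables-save syntax (filter table), mirroring the
# rules from the first post.
BROKEN_RULES='-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT'

# loopback_rules: prints the replacement block. The unrestricted lo accepts are safe
# because the kernel only marks packets that genuinely used the loopback path with
# interface lo; the third rule (an addition, not from the thread) drops anything that
# arrives on a physical interface claiming a 127.0.0.0/8 source.
loopback_rules() {
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
EOF
}

# Constructed dump with the fix applied.
FIXED_RULES="-P INPUT DROP
-P OUTPUT DROP
$(loopback_rules)
-A INPUT -i eth1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT"

# check_loopback_rules DUMP: returns 0 when both INPUT and OUTPUT accept loopback
# traffic regardless of address, 1 (with a diagnostic on stderr) otherwise.
check_loopback_rules() {
    rules=$1
    status=0
    for chain in INPUT OUTPUT; do
        if [ "$chain" = INPUT ]; then flag=-i; else flag=-o; fi
        # An acceptable rule names interface lo, carries no 127.0.0.0/8 restriction
        # and jumps to ACCEPT.
        if printf '%s\n' "$rules" \
             | grep -- "^-A $chain $flag lo " \
             | grep -v -- '127\.0\.0\.0/8' \
             | grep -q -- '-j ACCEPT$'; then
            continue
        fi
        if printf '%s\n' "$rules" | grep -q -- "^-A $chain $flag lo .*127\.0\.0\.0/8"; then
            echo "$chain: loopback ACCEPT limited to 127.0.0.0/8; local connections to the host's own LAN IP fall through to the $chain policy" >&2
        else
            echo "$chain: no loopback ACCEPT rule at all" >&2
        fi
        status=1
    done
    return $status
}

# has_loopback_antispoof DUMP: returns 0 if 127.0.0.0/8 sources are dropped when
# they arrive on any interface other than lo.
has_loopback_antispoof() {
    printf '%s\n' "$1" | grep -q -- '^-A INPUT ! -i lo -s 127\.0\.0\.0/8 -j DROP$'
}

# Stand-alone run over the two constructed dumps. On a live system, feed the output
# of `iptables-save -t filter` (run as root) to check_loopback_rules instead.
echo "broken rules:"
check_loopback_rules "$BROKEN_RULES" || true
echo "fixed rules:"
check_loopback_rules "$FIXED_RULES" && has_loopback_antispoof "$FIXED_RULES" && echo "OK"
```

The audit only looks at the loopback rules, which is the one place this thread's rule set fails closed against the host itself; the rest of the script (default DROP policies, per-port NEW accepts on eth0, SNAT on the way out) is unaffected by the change and behaves exactly as before.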
 
  

