Unable to connect to Website Once outside the network

jc_neo · 10-19-2004, 10:25 PM

Dear all experts,

I am now facing a problem with my web server. I have no problem connecting to my website within the company network but once I try to connect from outside, it will say "The requested URL could not be retrieved". But I have no problems with PING from inside and outside the network.

I have looked thru the forum and some of them is also facing this problem. I tried their methods and it still doesn't work. And also I have just configured the following, but still it doesn't work either.

<Directory "/var/www/html">
Options Indexes Includes FollowSymLinks
Order deny,allow
AllowOverride None
Allow from all
</Directory>

My firewall is currently enabled, and WWW (http) is my trusted services, eth0 is my trusted device. As for iptables, I Accept connections coming for port 80.

No luck too when I turned off the firewall and iptables.

This is my site.. enterprise.ise.nus.edu.sg (if anyone can see this site, pls let me know =) )

I got a friend to do a tracert for me and this is the results. (but i don't if this can contribute to solving the problem)

At #15, it manages to reach nusnet-3-193.dynip.nus.edu.sg but after it got timeout . What does this mean?
-------------------------------------------------------------------------------------
1 2 ms 2 ms 1 ms host-203-92-100-167.lga.net.sg [x.x.x.x]

2 16 ms 16 ms 16 ms host-203-92-91-53.lga.net.sg [x.x.x.x]

3 21 ms 21 ms 19 ms host-203-92-90-226.lga.net.sg [x.x.x.x]

4 22 ms 20 ms 19 ms host-203-92-84-25.lga.net.sg [x.x.x.x]

5 19 ms 32 ms 24 ms host-203-92-84-18.lga.net.sg [x.x.x.x]

6 41 ms 229 ms 189 ms 61.8.233.173

7 22 ms 26 ms 25 ms ge-1-0-0.r00.sngpsi01.sg.bb.verio.net [x.x.x.x]

8 206 ms 187 ms 190 ms p1-0-1-2.r80.sttlwa01.us.bb.verio.net [x.x.x.x]

9 195 ms 204 ms 227 ms p16-1-1-1.r21.sttlwa01.us.bb.verio.net [x.x.x.x]

10 212 ms 195 ms 187 ms p16-2-0-0.r03.sttlwa01.us.bb.verio.net [x.x.x.x]

11 228 ms 224 ms 210 ms p1-0.usngp.sttlwa01.us.bb.verio.net [x.x.x.x]

12 178 ms 186 ms 186 ms pos1-0.pgp-cr1.singaren.net.sg [x.x.x.x]

13 192 ms 197 ms 194 ms ge3-9.pgp-dr1.singaren.net.sg [x.x.x.x]

14 204 ms 289 ms 258 ms nus-pgp-border.singaren.net.sg [x.x.x.x]

15 188 ms 186 ms 190 ms nusnet-3-193.dynip.nus.edu.sg [x.x.x.x]

16 * * * Request timed out.

17 * * * Request timed out.

18 * * * Request timed out.

19 182 ms 188 ms 190 ms enterprise.ise.nus.edu.sg [x.x.x.x]

emailssent · 10-19-2004, 10:35 PM

Check ur DNS ip address entry !

-jack

jc_neo · 10-19-2004, 11:01 PM

How will I know that my entry is correct? Any guides?

emailssent · 10-19-2004, 11:07 PM

Which distro r u using ?

===============
For Mandrake 9.2

# cat /etc/resolv.conf

nameserver 192.168.1.2
------------------------------

above ip is the address my DNS.

Try finding the reolv.conf or related file as per ur distro and put ur DNS entry over there.

-jack

jc_neo · 10-19-2004, 11:15 PM

I am using RHEL 3

my /etc/resolv.conf shows

nameserver 137.132.123.4
nameserver 137.132.5.2
; generated by /sbin/dhclient-script
domain enterprise.ise.nus.edu.sg
search nus.edu.sg

darthtux · 10-19-2004, 11:26 PM

Looks like to me the tracert hit your site. The three with * * * just mean those routers weren't returning those requests. But the last was was your web server.

Your DNS info is correct. I found it on http://www.dnsstuff.com/

May be a firewall issue.

jc_neo · 10-19-2004, 11:45 PM

I ran the dnsreport and results is

[ERROR: The parent servers say that the domain enterprise.ise.nus.edu.sg does not have any NS records (although they may have some other information on that zone). I can not do a DNS report on a hostname (such as mail.example.com) or a domain name that does not have its own zone.]

Can someone explain to me, in layman terms.

I am rather bad with all these networking details.

scowles · 10-20-2004, 12:47 AM

ise.nus.edu.sg is your domain name. A "registered" domain name must list the authoritative name servers that will answer DNS queries for that domain name. This is done using Name Server (NS) records.
...while
enterprise.ise.nus.edu.sg is a host within the above domain space. AKA: fully qualified domain name (fqdn) Host entries are referenced with address (A) records in DNS, not NS reocrds. This is why dnsreport gave you the error you posted. Try using dnsreport again using your domain name instead. The only error I saw was the lack of MX records.

jc_neo · 10-20-2004, 02:01 AM

Actually, nus.edu.sg is our domain name

We got 2 servers, one is www.ise and the other is of course belongs to me, enterprise.ise

So am I right to say I must get the people at nus.edu.sg to add enterprise.ise to their DNS?

scowles · 10-20-2004, 09:56 AM

Quote:

Actually, nus.edu.sg is our domain name

nus.edu.sg is your Top Level Domain (TLD). There are other delegated domains below nus.edu.sg (like ise).

Currently, enterprise.ise.nus.edu.sg is listed as a host (address record) within the domain ise.nus.edu.sg, not a domain name. If your goal is to create a domain name enterprise.ise.nus.edu.sg, then you would need to contact the DNS admin at ise.nus.edu.sg. The DNS admin would then have to add the proper delegation records (NS records) that point to the authoritative name servers for enterprise.ise.nus.edu.sg. See below:

Code:

[scowles@excelsior scowles]$ dig +short enterprise.ise.nus.edu.sg a             
137.132.166.170
[scowles@excelsior scowles]$ dig +short enterprise.ise.nus.edu.sg ns
[scowles@excelsior scowles]$
[scowles@excelsior scowles]$ dig +trace enterprise.ise.nus.edu.sg ns
 
; <<>> DiG 9.2.3 <<>> +trace enterprise.ise.nus.edu.sg ns
;; global options:  printcmd
.                       487422  IN      NS      K.ROOT-SERVERS.NET.
.                       487422  IN      NS      L.ROOT-SERVERS.NET.
.                       487422  IN      NS      M.ROOT-SERVERS.NET.
.                       487422  IN      NS      A.ROOT-SERVERS.NET.
.                       487422  IN      NS      B.ROOT-SERVERS.NET.
.                       487422  IN      NS      C.ROOT-SERVERS.NET.
.                       487422  IN      NS      D.ROOT-SERVERS.NET.
.                       487422  IN      NS      E.ROOT-SERVERS.NET.
.                       487422  IN      NS      F.ROOT-SERVERS.NET.
.                       487422  IN      NS      G.ROOT-SERVERS.NET.
.                       487422  IN      NS      H.ROOT-SERVERS.NET.
.                       487422  IN      NS      I.ROOT-SERVERS.NET.
.                       487422  IN      NS      J.ROOT-SERVERS.NET.
;; Received 436 bytes from 127.0.0.1#53(127.0.0.1) in 53 ms
 
sg.                     172800  IN      NS      auth02.ns.uu.net.
sg.                     172800  IN      NS      ds.nic.net.sg.
sg.                     172800  IN      NS      ns.ripe.net.
sg.                     172800  IN      NS      ns1.pacific.net.sg.
sg.                     172800  IN      NS      dnssec5.singnet.com.sg.
;; Received 260 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 149 ms
 
edu.sg.                 86400   IN      NS      ds.nic.net.sg.
edu.sg.                 86400   IN      NS      ns1.pacific.net.sg.
edu.sg.                 86400   IN      NS      ns2.pacific.net.sg.
edu.sg.                 86400   IN      NS      pridns.cyberway.com.sg.
edu.sg.                 86400   IN      NS      secdns.cyberway.com.sg.
edu.sg.                 86400   IN      NS      dnssec5.singnet.com.sg.
edu.sg.                 86400   IN      NS      dnssec6.singnet.com.sg.
edu.sg.                 86400   IN      NS      ns1.cwasia.net.sg.
edu.sg.                 86400   IN      NS      ns2.cwasia.net.sg.
edu.sg.                 86400   IN      NS      sgsec.lga.net.sg.
;; Received 414 bytes from 198.6.1.82#53(auth02.ns.uu.net) in 91 ms
 
nus.edu.sg.             86400   IN      NS      dnssec1.singnet.com.sg.
nus.edu.sg.             86400   IN      NS      dnssec2.singnet.com.sg.
nus.edu.sg.             86400   IN      NS      dnssec3.singnet.com.sg.
nus.edu.sg.             86400   IN      NS      ns1.nus.edu.sg.
nus.edu.sg.             86400   IN      NS      ns2.nus.edu.sg.
;; Received 237 bytes from 202.42.194.205#53(ds.nic.net.sg) in 265 ms
 
ise.nus.edu.sg.         7200    IN      NS      nuscc.nus.edu.sg.
ise.nus.edu.sg.         7200    IN      NS      id4.nus.edu.sg.
;; Received 113 bytes from 165.21.83.11#53(dnssec1.singnet.com.sg) in 260 ms
 
ise.nus.edu.sg.         28800   IN      SOA     id4.nus.edu.sg. dnsadmin.id4.nus.edu.sg.
 2004091602 3600 1800 604800 28800
;; Received 92 bytes from 137.132.5.2#53(nuscc.nus.edu.sg) in 256 ms

Note that the SOA record was returned, not the NS record. Meaning the delegation (NS records) for enterprise.ise.nus.edu.sg. does not exist at ise.nus.edu.sg. Again, this is why dnsreport gave you the error message you posted. It could not find the NS records for your domain name. So based on the SOA above, you would need to contact dnsadmin@id4.nus.edu.sg and have that person add the proper delegation records (NS) for domain enterprise.ise.nus.edu.sg. In addition, you (or the dns admin) would also have to setup the authoritative name servers to answer all queries for the domain enterprise.ise.nus.edu.sg.

jc_neo · 10-20-2004, 08:12 PM

Ok. I will check with the respective peoples first. It might take me a few days.

BillJennings · 10-21-2004, 04:57 AM

It appears that enterprise.ise.nus.edu.sg (137.132.166.170) is being seriously firewalled. According to nmap: all priveledged ports (ones less than 1024) are filtered except: 113/tcp auth, 389/tcp ldap, 522/tcp ulp,
577/tcp vnas which are all closed.

In fact, the only open ports on this IP address at all are:

6000/tcp open X11
7100/tcp open font-service
8000/tcp open http-alt
32773/tcp open sometimes-rpc9

and these you may not want open.

If you request a web page on port 80000, it closes the connection without a response.

Hope this helps.

Bill Jennings

jc_neo · 10-21-2004, 09:48 PM

But when I do a nmap on myself, this is what i get

Port State Service
22/tcp open ssh
80/tcp open http
199/tcp open smux
443/tcp open https
6000/tcp open X11
7100/tcp open font-service
32773/tcp open sometimes-rpc9

Could it be the firewall at nus.edu.sg that is blocking the incoming request?

BillJennings · 10-22-2004, 02:22 AM

When you nmap yourself, where are you coming from?

When I traceroute (ICMP) to 137.132.166.170 from the internet at large, I get through (with three routers just before 137.132.166.170 not responding). BUT... when I tcptraceroute (ssh) to 137.132.166.170, it dies just after nus-pgp-border.singaren.net.sg (202.3.135.130). The next hop in the ICMP traceroute is nusnet-3-193.dynip.nus.edu.sg (137.132.3.193). Judging by the name, I'd say that the edge router for singaren.net.sg is trying to protect it's dynamically-assigned customers/students (e.g. nusnet-3-193.dynip.nus.edu.sg) by firewalling the bejesus out of all incoming traffic.

They may not want you running a server there.

Hope this helps.

Bill Jennings

jc_neo · 10-22-2004, 02:42 AM

oops.. stupid me. I nmap myself in the nus.edu.sg network. Of coz I get reach myself.

Since you mention about ICMP, I've got a line in my iptables stating

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Is this line the culprit?