LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Lost on figuring out how to enable inbound traffic. (https://www.linuxquestions.org/questions/linux-newbie-8/lost-on-figuring-out-how-to-enable-inbound-traffic-820915/)

blueduck 07-20-2010 02:02 AM

Lost on figuring out how to enable inbound traffic.
 
This is driving me batty and I'm sure it is something simple, so I'm posting in the newbie forum. I want to accept http and ssh requests from the outside world. Here are some things I have been able to triangulate on:

1. It is definitely my system and not the router. I had been accepting these connections just fine on my Fedora 6 system, but upgraded to FC11 and haven't been able to get these inbound connections working. I still have the drive with the FC6 system and whenever I put the old drive in the system, the connections work fine. So, the hardware, wiring, etc is identical between the FC6 and FC11 systems.

2. The system's firewall is disabled. iptables, and ip6tables are turned off both at startup (e.g., chkconfig iptables off) and using "service iptables stop". (Note--my router also works as a firewall)

3. sshd and httpd are both on and listening on all interfaces. "nmap -P0 -p 22,80 127.0.0.1" shows both ports open, as does 192.168.1.80. But when I use the same command looping through the external IP, the ports are filtered:
Host is up.
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp filtered http

4. hosts.deny is empty.

5. The messages and secure logs do not show anything in response to the nmap scans.

Again, I'd have sworn this was my router, except that it cleanly allows the traffic when I swap the drives in my system. Any thoughts on other ways that I can diagnose this issue? I'd really appreciate any insights here.

skogsjanne 07-20-2010 02:47 AM

How about testing access from another computer on the local network?

/Janne

blueduck 07-20-2010 03:11 AM

Yeah. No issues. Other machines on my 192.168 network can access the ports with no issues, which is weird, no? I can't imagine that the server is doing something to prompt the router to shut down those ports. I keep coming back to the router, but then I don't understand why it works with the FC6 disk. The router has a secure log where it reports events like port scanning and other activities it doesn't like; nothing is showing up on those logs from the internal boxes.

win32sux 07-20-2010 04:57 AM

Quote:

Originally Posted by blueduck (Post 4039119)
sshd and httpd are both on and listening on all interfaces

How many interfaces do you have, BTW?

Quote:

The messages and secure logs do not show anything in response to the nmap scans.
Does tcpdump on the server's interface see the frames/packets arriving from the router?

Maybe perform an nmap scan on your router's WAN side like (example):
Code:

nmap -p 80 example.com
...while running tcpdump on the server like (example):
Code:

tcpdump -ve -i eth0 port 80

blueduck 07-20-2010 02:42 PM

Hey - that's helpful, I think. I don't know what to make of the results, but I can see that the system is getting all the packets. It's just filtering them when they come from the outside. Looks to me like some kind of firewall issue. I'm pretty sure that I've turned off iptables. Is there a way to check, and could there be anything else that is filtering packets on the box? To answer your question, there are 2 interfaces: eth0=192.168.1.80 and eth1=192.168.0.80 (which really just serves my samba network). eth0 is the one connected to the router and is really the interface that we're most interested in here.

When I run nmap -p 80 -PN 192.168.1.80 from another machine on the internal network, it reports that the port is open, and I get the following results. (Note that I can also plug 192.168.1.80 into a browser on my internal network and get the expected index.htm page).
[root@nansen ~]# tcpdump -ve -i eth0 port 80
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:27:28.956318 00:19:5b:60:31:22 (oui Unknown) > 00:08:74:4b:c7:70 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 41, id 54924, offset 0, flags [none], proto TCP (6), length 44) 192.168.1.5.37681 > 192.168.1.80.http: S, cksum 0x9415 (correct), 1448578706:1448578706(0) win 2048 <mss 1460>
12:27:28.956458 00:08:74:4b:c7:70 (oui Unknown) > 00:19:5b:60:31:22 (oui Unknown), ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44) 192.168.1.80.http > 192.168.1.5.37681: S, cksum 0x4c6d (correct), 3521996505:3521996505(0) ack 1448578707 win 5840 <mss 1460>
12:27:32.356061 00:08:74:4b:c7:70 (oui Unknown) > 00:19:5b:60:31:22 (oui Unknown), ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44) 192.168.1.80.http > 192.168.1.5.37681: S, cksum 0x4c6d (correct), 3521996505:3521996505(0) ack 1448578707 win 5840 <mss 1460>
12:27:38.356090 00:08:74:4b:c7:70 (oui Unknown) > 00:19:5b:60:31:22 (oui Unknown), ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44) 192.168.1.80.http > 192.168.1.5.37681: S, cksum 0x4c6d (correct), 3521996505:3521996505(0) ack 1448578707 win 5840 <mss 1460>
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

When I run nmap -p 80 -PN 71.135.45.108 from inside, then I can see that the port is filtered and I get the results below. As you might expect, when I plug 71.135.45.108 into my browser, the connection times out.
[root@nansen ~]# tcpdump -ve -i eth0 port 80
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:34:52.078102 00:0f:cc:17:80:b8 (oui Unknown) > 00:08:74:4b:c7:70 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 54, id 58408, offset 0, flags [none], proto TCP (6), length 44) adsl-71-135-45-108.dsl.pltn13.pacbell.net.54437 > 192.168.1.80.http: S, cksum 0xa1ca (correct), 2325306337:2325306337(0) win 1024 <mss 1460>
12:34:53.090970 00:0f:cc:17:80:b8 (oui Unknown) > 00:08:74:4b:c7:70 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 44, id 62330, offset 0, flags [none], proto TCP (6), length 44) adsl-71-135-45-108.dsl.pltn13.pacbell.net.54440 > 192.168.1.80.http: S, cksum 0x99c9 (correct), 2325240800:2325240800(0) win 3072 <mss 1460>
12:34:55.664366 00:0f:cc:17:80:b8 (oui Unknown) > 00:08:74:4b:c7:70 (oui Unknown), ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 116, id 60750, offset 0, flags [DF], proto TCP (6), length 48) 200.44.244-124.dyn.dsl.cantv.net.lansurveyorxml > 192.168.1.80.http: S, cksum 0x85ea (correct), 2828650230:2828650230(0) win 65535 <mss 1408,nop,nop,sackOK>
12:34:58.611470 00:0f:cc:17:80:b8 (oui Unknown) > 00:08:74:4b:c7:70 (oui Unknown), ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 116, id 60812, offset 0, flags [DF], proto TCP (6), length 48) 200.44.244-124.dyn.dsl.cantv.net.lansurveyorxml > 192.168.1.80.http: S, cksum 0x85ea (correct), 2828650230:2828650230(0) win 65535 <mss 1408,nop,nop,sackOK>
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
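
The difference between the two captures above is the diagnostic signal: on the LAN test the server's SYN-ACK leaves eth0 right after the client's SYN, while on the external test only SYNs arrive and nothing goes back out on eth0. The following script is an added example (not code from the thread or its participants) that makes that comparison mechanical. It pairs inbound SYNs to a listening service with outbound SYN-ACKs on the same interface and reports the clients that never got an answer there. The sample lines are constructed, abbreviated from the thread's captures with the IP-header fields replaced by "..."; the regex only needs the TCP endpoint part of each `tcpdump -v` line.

```python
import re

# Matches the TCP part of a "tcpdump -v" line that carries a SYN:
#   "src.sport > dst.dport: S,"
# The host is everything before the last dot; the port (a number or a
# service name such as "http") is the token after it.
TCP_SYN_RE = re.compile(r"(\S+)\.([^\s.]+) > (\S+)\.([^\s.]+): S,")

# Constructed sample input, abbreviated from the thread's two captures.
LAN_CAPTURE = [
    "12:27:28.956318 ... 192.168.1.5.37681 > 192.168.1.80.http: S, cksum 0x9415 (correct), 1448578706:1448578706(0) win 2048 <mss 1460>",
    "12:27:28.956458 ... 192.168.1.80.http > 192.168.1.5.37681: S, cksum 0x4c6d (correct), 3521996505:3521996505(0) ack 1448578707 win 5840 <mss 1460>",
    "12:27:32.356061 ... 192.168.1.80.http > 192.168.1.5.37681: S, cksum 0x4c6d (correct), 3521996505:3521996505(0) ack 1448578707 win 5840 <mss 1460>",
]
WAN_CAPTURE = [
    "12:34:52.078102 ... adsl-71-135-45-108.dsl.pltn13.pacbell.net.54437 > 192.168.1.80.http: S, cksum 0xa1ca (correct), 2325306337:2325306337(0) win 1024 <mss 1460>",
    "12:34:53.090970 ... adsl-71-135-45-108.dsl.pltn13.pacbell.net.54440 > 192.168.1.80.http: S, cksum 0x99c9 (correct), 2325240800:2325240800(0) win 3072 <mss 1460>",
    "12:34:55.664366 ... 200.44.244-124.dyn.dsl.cantv.net.lansurveyorxml > 192.168.1.80.http: S, cksum 0x85ea (correct), 2828650230:2828650230(0) win 65535 <mss 1408,nop,nop,sackOK>",
]


def classify_flows(lines, server_host, server_port):
    """Pair inbound SYNs for one service with outbound SYN-ACKs on the same capture.

    Returns {(client_host, client_port): "answered" | "unanswered"}.
    An inbound SYN with no SYN-ACK seen on this interface means the reply
    either never left the box (filtering) or left through another interface
    (routing), which is exactly what the external test in the thread shows.
    """
    flows = {}
    for line in lines:
        m = TCP_SYN_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.groups()
        # tcpdump prints the SYN-ACK as "S, ... ack <seq>"; "sackOK" does not
        # contain " ack " with surrounding spaces, so this test is unambiguous.
        is_synack = " ack " in line
        if not is_synack and dst == server_host and dport == server_port:
            flows.setdefault((src, sport), "unanswered")
        elif is_synack and src == server_host and sport == server_port:
            if (dst, dport) in flows:
                flows[(dst, dport)] = "answered"
    return flows


def unanswered_clients(lines, server_host, server_port):
    """Sorted list of (client_host, client_port) whose SYN got no SYN-ACK here."""
    flows = classify_flows(lines, server_host, server_port)
    return sorted(c for c, state in flows.items() if state == "unanswered")


if __name__ == "__main__":
    for name, capture in (("LAN", LAN_CAPTURE), ("WAN", WAN_CAPTURE)):
        missing = unanswered_clients(capture, "192.168.1.80", "http")
        print(f"{name}: {len(missing)} unanswered SYN(s): {missing}")
```

If the unanswered list is non-empty while `iptables -nvL` shows ACCEPT policies and no rules, the filter table is not the culprit and the next thing to inspect is the route the reply would take, which is what the rest of the thread turns to.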

win32sux 07-20-2010 05:56 PM

Quote:

Originally Posted by blueduck (Post 4039863)
I'm pretty sure that I've turned off iptables. Is there a way to check, and could there be anything else that is filtering packets on the box?

You can check your iptables filter table with this command:
Code:

iptables -nvL
Please post the output of that, along with the output of these:
Code:

netstat -an --inet | grep LISTEN
Code:

ifconfig
Code:

route -n
FWIW, I suspect what is happening here is that you don't have the gateway address properly set (which may explain why things work fine within the LAN, but not through the router). It's just a hunch, though, we'll see when you post back.

blueduck 07-20-2010 10:23 PM

[root@nansen ~]# iptables -nvL
Chain INPUT (policy ACCEPT 428K packets, 82M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 389K packets, 739M bytes)
pkts bytes target prot opt in out source destination


[root@nansen ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:08:74:4B:C7:70
inet addr:192.168.1.80 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::208:74ff:fe4b:c770/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:55653 errors:0 dropped:0 overruns:1 frame:0
TX packets:683 errors:0 dropped:0 overruns:0 carrier:1
collisions:0 txqueuelen:1000
RX bytes:3978101 (3.7 MiB) TX bytes:125278 (122.3 KiB)
Interrupt:11 Base address:0x2c00

eth1 Link encap:Ethernet HWaddr 00:00:86:5B:F5:8F
inet addr:192.168.0.80 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::200:86ff:fe5b:f58f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:461145 errors:0 dropped:0 overruns:0 frame:0
TX packets:578814 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:92150056 (87.8 MiB) TX bytes:754732655 (719.7 MiB)
Interrupt:11 Base address:0x4000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:861 errors:0 dropped:0 overruns:0 frame:0
TX packets:861 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:90667 (88.5 KiB) TX bytes:90667 (88.5 KiB)


[root@nansen ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 1 0 0 eth1
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth1


Hmmm. That looks ok to me. Do you see anything awry?

blueduck 07-20-2010 10:33 PM

Oh - meant to add that the gateway is 192.168.1.254.

blueduck 07-21-2010 12:58 AM

Hmmmm. OK. When I ran route -n earlier, the 192.168.1.254 default gateway was missing, so I added it and tried again and still saw the filtered ports. Just got home and tried again and the ports are open. Maybe adding the default route did the trick? Feel like a total dope not checking the gateway. Thank you tons for the help!!
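
win32sux's hunch and blueduck's fix both come down to the kernel's routing decision for the reply packet: the SYN from the outside arrives on eth0 via the router, but the SYN-ACK is addressed to the client's public IP, and with no default route on eth0 the only match is the default route on eth1 (192.168.0.1, the Samba network), so the router never sees the reply and nmap reports the port as filtered. The script below is an added example, not code from the thread, that parses `route -n` output and replays that lookup (longest prefix first, then lowest metric, then table order, a simplification of the Linux selection rules). BROKEN_TABLE is constructed from blueduck's description of the table before the fix (the eth0 default route missing); FIXED_TABLE is the table he posted afterwards. The client address 71.135.45.108 is the one used in the thread.

```python
import ipaddress

# Constructed "route -n" output. BROKEN_TABLE is the state the thread describes
# before the fix (no default route via eth0); FIXED_TABLE is the posted table.
BROKEN_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     1      0        0 eth1
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
"""

FIXED_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     1      0        0 eth1
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
"""


def parse_route_table(text):
    """Turn 'route -n' output into a list of route dicts, preserving table order."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue  # banner and header lines
        dest, gateway, mask, flags, metric, _ref, _use, iface = parts[:8]
        routes.append({
            "network": ipaddress.IPv4Network((dest, mask)),
            "gateway": gateway,
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def pick_route(routes, dst_ip):
    """Route the kernel would use for dst_ip: longest prefix, then lowest metric,
    then the first entry in table order (max() returns the first maximal item)."""
    addr = ipaddress.IPv4Address(dst_ip)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def reply_leaves_on(table_text, client_ip, ingress_iface):
    """True when the reply to client_ip would leave through the interface the
    request arrived on; False means an asymmetric path (or no route at all)."""
    route = pick_route(parse_route_table(table_text), client_ip)
    return route is not None and route["iface"] == ingress_iface


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_TABLE), ("fixed", FIXED_TABLE)):
        r = pick_route(parse_route_table(table), "71.135.45.108")
        print(f"{name}: reply to 71.135.45.108 goes out {r['iface']} via {r['gateway']}; "
              f"symmetric with eth0: {reply_leaves_on(table, '71.135.45.108', 'eth0')}")
```

The LAN test in the thread passes in both states because 192.168.1.5 matches the connected /24 on eth0 regardless of the default routes; only traffic that falls through to a default route exposes the missing gateway. After the fix the table still carries two default routes with equal metric, so the eth0 entry wins only because it is listed first; a single default route on eth0 (or a higher metric on the eth1 one) would remove that dependence on ordering.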

win32sux 07-21-2010 01:03 AM

Quote:

Originally Posted by blueduck (Post 4040295)
hmmmm. ok. when I ran route -n earlier, the 192.168.1.254 default gateway was missing, so I added it and tried again and still saw the filtered ports. Just got home and tried again and the ports are open. maybe adding the default route did the trick? Feel like a total dope not checking the gateway. Thank you tons for the help!!

Awesome! Glad you got things squared away! :)
