Unable to access Apache2 website from internet
 

Hi,

I set up apache2 on my debian (sarge, xandros 4.0) machine about a year ago and all was fine. I was able to access the web pages either from the local machine (localhost, IP, or machine name) or from any other machine on the lan (both windows XP).
Last week my (2wire) dsl modem died, I got a new one (also 2wire but a newer model) and now I can't access the same web page from the internet. My browser (FireFox or IE) reports "website taking to long to respond"

I set the modem to allow through port 80 to the Linux/Apache2 box. Checked its logs and it say its letting port 80 through.
I ran ethereal and verified (I think) port 80 is coming in.
I when to Dyndns (where my dynamic IP is setup) and check that port 80 is open. I ping my IP address and it pings. I have ddceint running that updates my IP with dyndns (http://webpage.doesntexist.com/); please note: the site requires a pw to enter, but I don't even get that far.

Since the IP address of the web server has changed I updated the config files of apache2. I ever checked the error logs of apache and didn't find anything that, to me, suggest a problem.

I searched the internet including this site for days and can't seem to solve my problem.

My guess is that I have some bad setting in some file somewhere that is related to the other setup (with old modem) But I don't where to look

please help...

ed.

Hm, I don't know what it might be, but the first step is probably to truly confirm that you can receive incoming TCP on port 80. I recommend netcat for this. Open up a terminal and run:

sudo nc -l your.ip.address 80

(If that doesn't work, try "sudo nc -l -p 80 your.ip.address" -- and if that still doesn't work try replacing "nc" with "netcat". I've found a few different versions floating around. Basically, the "-l" means "listen", and the "-p" means "port", but sometimes -p isn't needed and instead the port is specified at the end. "man nc" for more details.)

Next, confirm you can access it from your own computer. Open up a terminal on that same box and type:

telnet your.ip.address 80

If you can connect, type something and you should see it output in the first window. Close telnet (I think Ctrl+] does it, or just close the terminal window), and the above "netcat" command will end. Restart netcat, and then try this all again, but this time telnet in from a different computer (on a different internet connection).

If it works, then it means you're successfully receiving incoming TCP on port 80, but something in your webserver is screwed up. If it doesn't work, then something is blocking port 80 -- probably a configured iptables rule or firewall or port-forwarding or something.

Good luck!

-david

David,

Thank you for the help.

I tried what you suggested and I'm not sure if the test was a success, this what I did:
console1
"root:~# netcat -l -p 80 -v 192.168.1.66 80"
"listening on [any] 80 ..."

After opening a telnet session (telnet 192.168.1.66 80) in another console (console2) I got
in console1:
"invalid connection to [192.168.1.66] from LINUX.gateway.2wire.net [192.168.1.66] 36948"

I also tryed the samething from my other two (winXP) machines and I got:
"DNS fwd/rev mismatch: XPLAP != XPLAP.gateway.2wire.net"
"invalid connection to [192.168.1.66] from XPLAP [192.168.1.65] 1742"
and
"DNS fwd/rev mismatch: XPDESK != XPDESK.gateway.2wire.net"
"invalid connection to [192.168.1.66] from XPDESK [192.168.1.64] 3815"

and so I tried a telnet from my XPLAP using my internet address (telnet 69.110.43.96 80)
and got no response from netcat

so I check my DSL modem log and found:
"fw,fwmon: src=192.168.1.65 dst=192.168.1.66 ipprot=6 sport=2252 dport=80 Session Matches User Pinhole, Packet Passed"

I not sure what all this means. Does it mean that the local network is working on port 80?

--ed.

Hm, try this:

1) Post here the results of "ifconfig"

2) Try playing with "netcat" using localhost (127.0.0.1) first to make sure you're doing it right. Basically run "netcat -l -p 80 -v 127.0.0.1 80" in one window, and then "telnet 127.0.0.1 80" in another. (If it doesn't work, you might try removing the "-p 80" or removing the "80" at the end of the netcat command.) Once the telnet command succeeds, you should be able to type into the telnet window and see the message appear in the netcat window.

3) Quick note: because you're asking netcat to open port 80, you'll need to run it as "root": only root can open ports under 1024.

4) Once you're able to get netcat working in (2) -- able to open it in one window and then telnet in and type messages from the other window -- then replace 127.0.0.1 with the IP address listed in "ifconfig" in (1) and see if it still works.

5) If it doesn't work, then that probably means iptables is blocking it? You might try clearing the iptables rules (not sure how to do that off the top of my head) and try again. Basically, the first step in getting other machines to connect to you is to verify you can connect to yourself.

Good luck!

-david

David,

here is the output from ifconfig:
eth0 Link encap:Ethernet HWaddr 00:16:17:17:9F:9E
inet addr:192.168.1.66 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:49652 errors:0 dropped:0 overruns:0 frame:0
TX packets:26984 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14083271 (13.4 MiB) TX bytes:3569907 (3.4 MiB)
Interrupt:185 Base address:0x2000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6432 errors:0 dropped:0 overruns:0 frame:0
TX packets:6432 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1039493 (1015.1 KiB) TX bytes:1039493 (1015.1 KiB)


I was able to get netcat to work at the local machine both 127.0.0.1 and lan ip 192.168.1.66 by using the command "netcat -l -p 80 -v 192.168.1.66"
and as you stated everything I type at one window appears in the other an visa-versa

when I telnet in from either the xp desk or the xp laptop I still get:
"DNS fwd/rev mismatch: XPDESK != XPDESK.gateway.2wire.net"
"invalid connection to [192.168.1.66] from LOURDES [192.168.1.64] 2482"


However when I start apache I can access the web page from either/any machine on the lan (linux, xp desk, and xp laptop)

as to your suggestion about clearing the iptables, first I don't know how to do that and second will that affect my samba setting?

--ed

That's good the netcat testing is working on the local box.

But it's odd that you're getting the DNS error from the WinXP box when you try to telnet. Is that error being output by telnet.exe? (ie, if you open a "cmd.exe" command prompt and type "telnet 192.168.1.66 80", does it spit out that error?) Or are you using some other telnet client?

I've never seen that error before, but it's odd that it mentions DNS given that we're testing with straight IP addresses (and not DNS names).

Hm. I think I'm running out of ideas to test.

You say that Apache is able to serve up pages just fine to your XP box when it's on the LAN, right? But the problem is you can't access Apache from the internet?

Have you tried constructing a URL using your latest IP address directly and then accessing it from another internet connection? For example:

http://12.34.56.78

If that URL works, then it might be a Dynamic DNS problem screwing you up.

Or, another crazy idea: when you test your external dynamic DNS link, are you using a computer on your LAN? If so, maybe your new router doesn't support "hairpinning" -- internal computers accessing other internal computers using an external IP address. Is http://webpage.doesntexist.com the real URL of your server? (If so, it doesn't work for me.)


Hm... Not sure. I generally use netcat to verify I'm able to connect via TCP using pure IP addresses, and then try it with DNS, and then try it with HTTP. Basically, work my way up through the protocols. My suggestion is to first get netcat working everywhere, and then work your way up the stack. Sorry I can't be of more help!

-david

David,

Thanks again for all you help.

in my WinXP I call the console with cmd and type "telnet 192.18.1.66 80" and the screen go empty until I type anything then I get the command prompt back, when I look over at the linux box I get the "DNS fwd/rev mismatch: ...." message from netcat an the bash prompt.

Apache2 work fine via the LAN (it servers up a logging dialog then the main page with two links to a wiki I'm playing with)

My guess is that the new modem is somehow different than the 3 year old one it replaced.

I thought about as you say: "...new router doesn't support "hairpinning"..." so I tried from my place of work also no luck.

while I was playing with netcat I had to shutdown apache. I'll restart it and if you could try again (http://webpage.doesntexist.com) I would appreciate it.

I'll keep working at it -- thanks

Was the machine used to perform the testing actually on the WAN or LAN side of your router ?

This is the point I'm getting at above. Many cheap routers do not perform NAT loopback.

Use the LAN IP when you are on the LAN, and the WAN IP when you are on the WAN.

This is also likely the cause of the forward <-> reverse DNS records not matching.

Actually, that link works fine for me -- I see the "Restricted files" password prompt. Yep, it might be a hairpinning issue with the new modem's NAT. To bypass this, you might edit the "/etc/hosts" file of each LAN computer to specify the LAN address of the webserver for "doesntexist.com" -- this way it won't try to access the webserver using the external IP and fail.

Or setup and use a split DNS.

David (aka quinthar)
Thats odd ... when I tried it didn't work (from work) but I was tring many things I may have been confused -- thanks.

Mr C
The machine was always on the lan side.... I doesn't both me (too much) that I access the site from the lan when at home and wan when I'm away..


thanks guys...

ed.