LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 07-24-2009, 03:46 PM   #1
jimmy99
LQ Newbie
 
Registered: Jul 2009
Posts: 6

Rep: Reputation: 0
Website not accessible from the internet


I have a website configured for port 90 that is visible from localhost, but when I try to browse to it from the internet it's not available.

However, when I disable iptables it is visible.

The only complication is that the Linux machine is a VMware host, so the iptables entries are configured to forward the port 80 packets to the Windows machine on the VMware guest.

This is what I have in the iptables file (ip addresses modified with XXX):

*filter
:INPUT ACCEPT [2737684:2280789513]
:FORWARD ACCEPT [1431:642663]
:OUTPUT ACCEPT [25858:20445722]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Thu Jul 23 17:22:39 2009
# Generated by iptables-save v1.3.5 on Thu Jul 23 17:22:39 2009
*nat
:PREROUTING ACCEPT [2683831:174226130]
:POSTROUTING ACCEPT [17607:1342814]
:OUTPUT ACCEPT [17532:1338442]
-A PREROUTING -d xxx.38.88.xxx -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination xxx.16.244.xxx:80
-A PREROUTING -d xxx.38.88.xxx -i eth0 -p tcp -m tcp --dport 81 -j DNAT --to-destination xxx.38.88.xxx:8333
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

Does anyone know how I get the iptables configured to direct the packets to the web server on port 90 of xxx.38.88.xxx?
 
Old 07-24-2009, 04:36 PM   #2
slugmax
Member
 
Registered: Nov 2008
Location: Northern CT
Distribution: Slackware, Debian, Ubuntu
Posts: 69

Rep: Reputation: 25
This thread might help you, your problem seems similar:

http://www.linuxquestions.org/questi...resses-739954/
 
Old 07-25-2009, 01:26 AM   #3
jimmy99
LQ Newbie
 
Registered: Jul 2009
Posts: 6

Original Poster
Rep: Reputation: 0
A small difference

Thanks for the link. Unfortunately I could not get it to work. Your previous post refers to multiple vms. My problem is that there is a website on the vm and a website on the host machine.

I tried:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 90 -d xxx.38.88.172 -j DNAT --to-dest xxx.38.88.172

to direct requests on port 90 to the host machine, but no joy.
 
Old 07-25-2009, 11:20 AM   #4
slugmax
Member
 
Registered: Nov 2008
Location: Northern CT
Distribution: Slackware, Debian, Ubuntu
Posts: 69

Rep: Reputation: 25
I guess I'm not clear on your setup, then. Why do you have web servers running on both host and guest? Which one do you want the internet to be able to access? It would also help if you put full IPs in your descriptions; just replace the first octet of each with '10.' if you don't want to show the real IPs.
 
Old 07-25-2009, 04:07 PM   #5
jimmy99
LQ Newbie
 
Registered: Jul 2009
Posts: 6

Original Poster
Rep: Reputation: 0
More details

OK, thanks for the reply.

So I have a windows web server on the VM guest.
The VMware host is a Linux box.
The external ip address exposed to the internet is 456.38.88.172 on eth0

The internal ip address of the vm guest is 123.16.244.2

The web server on the windows vm is set to listen on port 80, and the web server on the linux host is set to listen on port 90.

With these settings the Windows web server on the VM guest is accessible from the internet, but the Apache web server on the Linux host is only accessible locally, or from the Windows server, but not from the internet.

I thought the entry:
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 456.38.88.172
which seems superfluous to me would do the trick but to no avail.

I would be grateful if you could see my error.

I have pasted the entire contents of the iptables file below.

# Generated by iptables-save v1.3.5 on Sat Jul 25 07:09:03 2009
*filter
:INPUT ACCEPT [9555:1468540]
:FORWARD ACCEPT [27:4598]
:OUTPUT ACCEPT [118978:6278698]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 123.16.244.2 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d 456.38.88.172 -p tcp -m tcp --dport 90 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 123.16.244.2 -o eth0 -p tcp -m multiport --dports 22,53 -m state --state NEW -j ACCEPT
-A OUTPUT -s 123.16.244.2 -o eth0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
# Completed on Sat Jul 25 07:09:03 2009
# Generated by iptables-save v1.3.5 on Sat Jul 25 07:09:03 2009
*nat
:PREROUTING ACCEPT [160589:10376251]
:POSTROUTING ACCEPT [6:352]
:OUTPUT ACCEPT [709:43196]
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.16.244.2:80
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 81 -j DNAT --to-destination 456.38.88.172:8333
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 456.38.88.172:90
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.16.244.2
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 456.38.88.172
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 123.16.244.2 -o eth0 -j SNAT --to-source 456.38.88.172
-A POSTROUTING -s 456.38.88.172 -o eth0 -j SNAT --to-source 456.38.88.172
COMMIT
# Completed on Sat Jul 25 07:09:03 2009
 
Old 07-25-2009, 05:25 PM   #6
slugmax
Member
 
Registered: Nov 2008
Location: Northern CT
Distribution: Slackware, Debian, Ubuntu
Posts: 69

Rep: Reputation: 25
Sounds like your linux host has one interface already exposed to the internet (eth0), so I think the issue is there are too many NAT rules. You don't need to do any NAT at all to allow access to your linux webserver. So get rid of these two rules:

Code:
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 456.38.88.172:90
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 456.38.88.172
then the one rule you already have:

Code:
-A INPUT -d 456.38.88.172 -p tcp -m tcp --dport 90 -m state --state NEW -j ACCEPT
...will allow the inbound requests to port 90 just fine (and the ESTABLISHED,RELATED match will handle the connections once they get going).

Also, get rid of this rule:

Code:
-A POSTROUTING -o eth0 -j MASQUERADE
since outbound SNAT from your windows vm is handled by the very next SNAT rule. And you can also get rid of this one:

Code:
-A POSTROUTING -s 456.38.88.172 -o eth0 -j SNAT --to-source 456.38.88.172
since it just does SNAT to the same source IP.

When you get this working, change at least your default INPUT policy to DROP. If this is also acting as a firewall for internal hosts (i.e. if it is forwarding traffic to other physical hosts), the default policy on the FORWARD chain should also be DROP. And if you leave your OUTPUT policy as ACCEPT, then you don't need any of the OUTPUT chain state rules. You want to be precise in the traffic you allow, and drop everything else - just get your setup working first before you do that. I have some commented iptables scripts that might be a good reference for you, see http://blog.unixlore.net/2006/03/lin...l-scripts.html .

If this doesn't work, I would verify that inbound port 90 traffic is actually getting to your linux box, using tcpdump.

Code:
tcpdump -n -i eth0 tcp port 90 and host <source IP address>
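To check a saved ruleset for the problems slugmax lists (a DNAT or SNAT to the packet's own address, a catch-all MASQUERADE that makes the later SNAT rules unreachable, and a second rule with the same match as an earlier one that therefore never fires), here is a small linter added as an example; it is not from the thread or from the iptables project. The sample dump is constructed from the rules in post #5 with the thread's placeholder addresses, and the `parse`/`lint` functions are this example's own.

```python
# Constructed sample (not a live dump): the nat table from post #5, trimmed to
# the rules slugmax commented on, using the thread's placeholder addresses.
SAMPLE = """\
*nat
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.16.244.2:80
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 456.38.88.172:90
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.16.244.2
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 123.16.244.2 -o eth0 -j SNAT --to-source 456.38.88.172
-A POSTROUTING -s 456.38.88.172 -o eth0 -j SNAT --to-source 456.38.88.172
COMMIT
"""


def parse(dump):
    """Return [(chain, match, target)] for every -A line, in file order."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        toks = line.split()
        chain, match, target = toks[1], {}, {}
        for key, val in zip(toks[2:], toks[3:] + [None]):
            if key.startswith("-"):  # an option, followed by its value or by the next option
                val = val if val and not val.startswith("-") else True
                (target if key in ("-j", "--to-destination", "--to-source") else match)[key] = val
        rules.append((chain, match, target))
    return rules


def lint(dump):
    """Return one finding per rule that is a no-op, unreachable, or shadowed."""
    findings, seen, masq_out = [], {}, set()
    for n, (chain, match, target) in enumerate(parse(dump), 1):
        key = (chain, tuple(sorted(match.items())))
        if key in seen:  # identical match earlier in the chain: the first rule always wins
            findings.append(f"rule {n}: same match as rule {seen[key]} in {chain}; never reached")
            continue
        seen[key] = n
        j, dest = target.get("-j"), target.get("--to-destination", "")
        if j == "DNAT" and dest.split(":")[0] == match.get("-d") \
                and dest.split(":")[1:] in ([], [match.get("--dport")]):
            findings.append(f"rule {n}: DNAT to the packet's own destination is a no-op; drop it")
        if j == "SNAT" and target.get("--to-source") == match.get("-s"):
            findings.append(f"rule {n}: SNAT to the packet's own source is a no-op; drop it")
        if j == "MASQUERADE" and "-s" not in match:  # catch-all and terminating: later SNATs never run
            masq_out.add(match.get("-o"))
        if j == "SNAT" and match.get("-o") in masq_out:
            findings.append(f"rule {n}: shadowed by the earlier catch-all MASQUERADE on {match.get('-o')}")
    return findings
```

Run `lint(open("/path/to/iptables-save-output").read())` against a real dump; on the sample it reports five findings, including both port-90 rules slugmax told the poster to remove.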
 
Old 07-25-2009, 06:24 PM   #7
jimmy99
LQ Newbie
 
Registered: Jul 2009
Posts: 6

Original Poster
Rep: Reputation: 0
tcpdump

Thanks for your help with this.
No luck with the web access on port 90.
I tried tcpdump; on port 90 no packets were captured.

Then I tried with port 80, and the packets come through.

Now I'm wondering whether the hosting company is blocking port 90 before the packets reach my server. What do you think, or is there some other approach I should adopt?
 
Old 07-25-2009, 06:34 PM   #8
slugmax
Member
 
Registered: Nov 2008
Location: Northern CT
Distribution: Slackware, Debian, Ubuntu
Posts: 69

Rep: Reputation: 25
If you aren't even seeing port 90 traffic get to your server, then it's a safe bet something upstream is blocking that port. I would try a port likely to be open, like 443, for example (assuming you have no need for SSL), or 8080 might be better.
 
Old 07-25-2009, 06:53 PM   #9
jimmy99
LQ Newbie
 
Registered: Jul 2009
Posts: 6

Original Poster
Rep: Reputation: 0
Port 8080 is also blocked. Port 443 is open though, and I can now get to the web server.

Thanks for all your help and patience
 