apache RH9 problem
Hi,
I have been grappling with this problem for the last few days and would much appreciate any advice. I have Apache running on Red Hat 9 on an internal LAN behind a cable modem & router. I am able to browse the website from other machines on the internal LAN, but get "connection refused" from outside (the internet). The Apache server is configured to listen on all addresses on port 80 and does not have any virtual hosts configured. The Apache error log does not show anything. I also have an FTP server on this machine, and it works fine from external IP addresses.
Ashv
A few possibilities:
1) Is this machine directly connected to the outside world, or do you need to forward ports from a router etc.? (If so, have you done this for port 80?)
2) Do you have any firewall rules in place? iptables -L
3) Check with your ISP to see if they allow you to run a server on port 80. Some ISPs block this as it is against their acceptable use policy.
1. This machine is not directly connected to the outside world, but it *is* sitting in the DMZ of the router that connects to the outside world. I don't have port forwarding set up for FTP, which works.
2. iptables -L shows no rules whatsoever in place.
3. Called my ISP; they confirmed that they don't block port 80.
I used a net-based port scanner, and this is what it showed:
Port 21 ftp is open
Port 22 ssh is open
Port 111 sunrpc is open
This was using: http://readyadmin.com/custom/content/tools/portscan.php
I had mod_ssl installed, and it showed 443 as open, but I uninstalled it and the above is the result. I think it is some problem with the way I have configured Apache, but I have no idea what. I appreciate your response.
Can you post the output of:
netstat -nlp
Thanks for your time David!!! Here's the output of netstat -nlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      1561/
tcp        0      0 127.0.0.1:1025          0.0.0.0:*               LISTEN      1679/xinetd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1542/
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3542/httpd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1891/X
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      3093/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1665/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1757/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1699/
udp        0      0 0.0.0.0:1025            0.0.0.0:*                           1561/
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1469/dhclient
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1542/
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1757/cupsd
udp        0      0 0.0.0.0:889             0.0.0.0:*                           1561/
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     2183   1718/gpm            /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     2553   1968/gconfd-2       /tmp/orbit-root/linc-7b0-0-4c045efc35906
unix  2      [ ACC ]     STREAM     LISTENING     2561   1900/gnome-session  /tmp/orbit-root/linc-76c-0-5a0911fe3ebc1
unix  2      [ ACC ]     STREAM     LISTENING     2323   1815/               /tmp/.font-unix/fs7100
unix  2      [ ACC ]     STREAM     LISTENING     2989   2007/notification-a /tmp/orbit-root/linc-7d7-0-461d6cc2f06dd
unix  2      [ ACC ]     STREAM     LISTENING     2660   1970/bonobo-activat /tmp/orbit-root/linc-7b2-0-550a1e7a3fc2e
unix  2      [ ACC ]     STREAM     LISTENING     2437   1847/               /tmp/.gdm_socket
unix  2      [ ACC ]     STREAM     LISTENING     2697   1977/               /tmp/.fam_socket
unix  2      [ ACC ]     STREAM     LISTENING     2764   1984/metacity       /tmp/orbit-root/linc-7c0-0-4e6c5e378c566
unix  2      [ ACC ]     STREAM     LISTENING     2681   1972/gnome-settings /tmp/orbit-root/linc-7b4-0-2c820528b361d
unix  2      [ ACC ]     STREAM     LISTENING     2794   1992/magicdev       /tmp/orbit-root/linc-7c8-0-756fdbcac97fa
unix  2      [ ACC ]     STREAM     LISTENING     2812   1988/gnome-panel    /tmp/orbit-root/linc-7c4-0-47c6f1762720b
unix  2      [ ACC ]     STREAM     LISTENING     2845   1990/nautilus       /tmp/orbit-root/linc-7c6-0-47c6f1775ee2
unix  2      [ ACC ]     STREAM     LISTENING     2896   1995/eggcups        /tmp/orbit-root/linc-7cb-0-19cc5bef75519
unix  2      [ ACC ]     STREAM     LISTENING     3023   1999/python         /tmp/orbit-root/linc-7cf-0-3c0f5be4e5eb9
unix  2      [ ACC ]     STREAM     LISTENING     3760   2032/gnome-terminal /tmp/orbit-root/linc-7f0-0-b4706089e8fd
unix  2      [ ACC ]     STREAM     LISTENING     55759  3490/nautilus-throb /tmp/orbit-root/linc-da2-0-7ef2dcb0d92a7
unix  2      [ ACC ]     STREAM     LISTENING     2447   1891/X              /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     2525   1957/ssh-agent      /tmp/ssh-XXnpxNFd/agent.1900
unix  2      [ ACC ]     STREAM     LISTENING     2650   1900/gnome-session  /tmp/.ICE-unix/1900
The output of netstat -l is:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:1024                  *:*                     LISTEN
tcp        0      0 localhost.localdom:1025 *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:x11                   *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 localhost.localdoma:ipp *:*                     LISTEN
tcp        0      0 localhost.localdom:smtp *:*                     LISTEN
udp        0      0 *:1025                  *:*
udp        0      0 *:bootpc                *:*
udp        0      0 *:sunrpc                *:*
udp        0      0 *:631                   *:*
udp        0      0 *:889                   *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     2183   /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     2553   /tmp/orbit-root/linc-7b0-0-4c045efc35906
unix  2      [ ACC ]     STREAM     LISTENING     2561   /tmp/orbit-root/linc-76c-0-5a0911fe3ebc1
unix  2      [ ACC ]     STREAM     LISTENING     2323   /tmp/.font-unix/fs7100
unix  2      [ ACC ]     STREAM     LISTENING     2989   /tmp/orbit-root/linc-7d7-0-461d6cc2f06dd
unix  2      [ ACC ]     STREAM     LISTENING     2660   /tmp/orbit-root/linc-7b2-0-550a1e7a3fc2e
unix  2      [ ACC ]     STREAM     LISTENING     2437   /tmp/.gdm_socket
unix  2      [ ACC ]     STREAM     LISTENING     2697   /tmp/.fam_socket
unix  2      [ ACC ]     STREAM     LISTENING     2764   /tmp/orbit-root/linc-7c0-0-4e6c5e378c566
unix  2      [ ACC ]     STREAM     LISTENING     2681   /tmp/orbit-root/linc-7b4-0-2c820528b361d
unix  2      [ ACC ]     STREAM     LISTENING     2794   /tmp/orbit-root/linc-7c8-0-756fdbcac97fa
unix  2      [ ACC ]     STREAM     LISTENING     2812   /tmp/orbit-root/linc-7c4-0-47c6f1762720b
unix  2      [ ACC ]     STREAM     LISTENING     2845   /tmp/orbit-root/linc-7c6-0-47c6f1775ee2
unix  2      [ ACC ]     STREAM     LISTENING     2896   /tmp/orbit-root/linc-7cb-0-19cc5bef75519
unix  2      [ ACC ]     STREAM     LISTENING     3023   /tmp/orbit-root/linc-7cf-0-3c0f5be4e5eb9
unix  2      [ ACC ]     STREAM     LISTENING     3760   /tmp/orbit-root/linc-7f0-0-b4706089e8fd
unix  2      [ ACC ]     STREAM     LISTENING     55759  /tmp/orbit-root/linc-da2-0-7ef2dcb0d92a7
unix  2      [ ACC ]     STREAM     LISTENING     2447   /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     2525   /tmp/ssh-XXnpxNFd/agent.1900
unix  2      [ ACC ]     STREAM     LISTENING     2650   /tmp/.ICE-unix/1900
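The listing above is worth reading for more than the port 80 line: on a host that the router exposes to the internet, every socket bound to 0.0.0.0 is reachable from outside, not just the ones you meant to publish. The script below is an added example for this thread, not code from either poster. It parses netstat -nlp output in the format shown (the sample is a constructed, abbreviated copy of the output above), separates loopback-only listeners from network-facing ones, and flags the ones a DMZ host should not be exposing; which ports count as risky (111 portmapper, 6000 X11) and the rule that an unnamed program on a wildcard port is suspicious are this example's own assumptions.

```python
"""Classify the listening sockets in `netstat -nlp` output by exposure.

Added example for this thread, not the posters' own code.  SAMPLE is a
constructed, abbreviated copy of the output posted above.  The RISKY table
and the "unidentified program" rule are this example's assumptions.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid prog")

# Constructed sample, trimmed from the thread's netstat -nlp output.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      1561/
tcp        0      0 127.0.0.1:1025          0.0.0.0:*               LISTEN      1679/xinetd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1542/
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3542/httpd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1891/X
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      3093/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1665/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1757/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1699/
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1542/
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1469/dhclient
"""

# One netstat row: proto, two queue counters, local addr:port, foreign addr,
# an optional LISTEN column (UDP rows leave it blank), then pid/program.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?:LISTEN\s+)?"
    r"(?P<pid>\d+|-)/(?P<prog>\S*)"
)

# Assumption for illustration: services that should never face an untrusted
# network, keyed by port number.
RISKY = {111: "sunrpc/portmapper", 6000: "X11 server"}


def parse_netstat(text):
    """Return a Listener for every socket row; header lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Listener(m["proto"], m["addr"], int(m["port"]),
                                m["pid"], m["prog"]))
    return out


def is_wildcard(addr):
    """True when the socket is bound to every interface (IPv4 or IPv6)."""
    return addr in ("0.0.0.0", "::", "*")


def listener_for(listeners, port, proto="tcp"):
    """All listeners on the given proto/port (normally zero or one)."""
    return [l for l in listeners if l.port == port and l.proto == proto]


def exposure_report(listeners):
    """Split listeners into loopback-only and network-facing, with findings."""
    report = {"loopback": [], "exposed": [], "findings": []}
    for l in listeners:
        if is_wildcard(l.addr):
            report["exposed"].append(l)
            if l.port in RISKY:
                report["findings"].append(
                    f"{l.proto}/{l.port} ({RISKY[l.port]}) bound to all interfaces")
            elif not l.prog:
                # netstat could not name the process: identify it before exposing it.
                report["findings"].append(
                    f"{l.proto}/{l.port} unidentified program pid {l.pid}")
        elif l.addr.startswith("127.") or l.addr == "::1":
            report["loopback"].append(l)
    return report


if __name__ == "__main__":
    listeners = parse_netstat(SAMPLE)
    for h in listener_for(listeners, 80):
        print(f"httpd check: {h.prog} on {h.addr}:{h.port}")
    for finding in exposure_report(listeners)["findings"]:
        print("FINDING:", finding)
```

Run it against real output with `netstat -nlp | python3 this_script.py` after swapping SAMPLE for `sys.stdin.read()`. On the output posted above it confirms httpd is on 0.0.0.0:80 (so the listener is not the problem) and flags portmapper, the X server and the unnamed process on 1024 as reachable from the internet through the router's DMZ setting.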
Well, Apache is listening:
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3542/httpd
What firewall device are you using for setting up the DMZ? Are you sure there are no rules denying access to port 80?
It is a Netgear MR814 wireless router... it doesn't have any explicit firewall... I don't have any rules in it saying block port 80...
I disabled the iptables service, and also set security to "no firewall", flushed the iptables etc. etc. I think I am going to have to re-install the whole system... I tried to uninstall the Apache server, and RH9's package manager is saying it needs httpd to be installed first?! And when I try to install it from disc 1, it says it is already installed!!
Looking at the docs for that router, you will need to NAT port 80 to the address of the web server. I assume that you don't actually have a physical DMZ:
http://kbserver.netgear.com/kb_web_files/n101145.asp
You're right, it's not a physical DMZ... but I shouldn't need port forwarding if the server is put in the DMZ?
FTP seems to work fine from the DMZ without having port forwarding configured... I've tried it with the port forwarding for 80 enabled... no good. I'm thinking this is an Apache issue... Ethereal traces on the server machine show that the TCP socket connection from external addresses is being rejected: for a working connection (for example, FTP, or HTTP from the internal LAN) the initiating [SYN] packet is responded to with a [SYN, ACK], while for HTTP from external addresses it responds with a [RST, ACK]. So the packets are getting through from outside the LAN to the server machine, but they are being refused by the machine. I tried uninstalling Apache, but it is not happening as mentioned... Thanks for your time David, I have to go someplace now and I will tackle this when I get back.
Ashv
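The Ethereal observation in the post above is the most useful data point in the thread: a SYN answered by RST/ACK means the packet reached the host and the host itself declined it, which separates "no listener on the address the packet was sent to, or a REJECT rule with tcp-reset" from "dropped somewhere upstream" (no reply at all) and from "accepted, then closed by the daemon" (SYN/ACK first, reset later). The script below is an added example for this thread, not the poster's trace. It pairs each SYN in a tcpdump-style text capture with the reply that follows and reports one of those verdicts per connection attempt; the packet lines are constructed to reproduce the pattern the poster describes (LAN HTTP and external FTP accepted, external HTTP reset, plus one attempt with no reply), using documentation address ranges rather than the poster's real addresses.

```python
"""Pair TCP SYNs with their replies in a tcpdump-style capture and explain
why each connection attempt failed.

Added example for this thread (not the poster's Ethereal trace).  CAPTURE is
constructed to reproduce the pattern described above; addresses are from
documentation ranges and are not the poster's.
"""
import re
from collections import OrderedDict

# Constructed capture in `tcpdump -n` text format.
CAPTURE = """\
10:00:00.000100 IP 192.168.0.20.3345 > 192.168.0.10.80: Flags [S], seq 100, win 5840
10:00:00.000300 IP 192.168.0.10.80 > 192.168.0.20.3345: Flags [S.], seq 900, ack 101, win 5792
10:00:01.000100 IP 203.0.113.7.50123 > 192.168.0.10.21: Flags [S], seq 200, win 65535
10:00:01.000400 IP 192.168.0.10.21 > 203.0.113.7.50123: Flags [S.], seq 700, ack 201, win 5792
10:00:02.000100 IP 203.0.113.7.50124 > 192.168.0.10.80: Flags [S], seq 300, win 65535
10:00:02.000200 IP 192.168.0.10.80 > 203.0.113.7.50124: Flags [R.], seq 0, ack 301, win 0
10:00:03.000100 IP 203.0.113.7.50125 > 192.168.0.10.443: Flags [S], seq 400, win 65535
"""

# tcpdump flag letters: S = SYN, . = ACK, R = RST, F = FIN, P = PSH.
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

NO_REPLY = "no reply: dropped by a filter or never reached this host"
ACCEPTED = "accepted: SYN answered with SYN/ACK"
REFUSED = ("refused at SYN: no socket bound to that address/port, "
           "or an iptables REJECT --reject-with tcp-reset rule")
RESET_LATER = "accepted, then reset after the handshake by the application"


def parse_capture(text):
    """Return one dict per packet line; lines that are not TCP are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            pkts.append(d)
    return pkts


def classify_handshakes(pkts):
    """Map (client, cport, server, sport) -> verdict for every SYN seen."""
    verdicts = OrderedDict()
    for p in pkts:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            # A bare SYN opens an attempt; until a reply shows up it is unanswered.
            verdicts.setdefault(fwd, NO_REPLY)
            continue
        # Replies travel server -> client, so flip the tuple to find the SYN.
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if rev not in verdicts:
            continue
        if p["flags"] == "S.":
            verdicts[rev] = ACCEPTED
        elif "R" in p["flags"]:
            verdicts[rev] = RESET_LATER if verdicts[rev] == ACCEPTED else REFUSED
    return verdicts


def refused_ports(verdicts):
    """Server ports whose SYNs were actively reset, sorted and de-duplicated."""
    return sorted({k[3] for k, v in verdicts.items() if v == REFUSED})


if __name__ == "__main__":
    for (c, cp, s, sp), verdict in classify_handshakes(parse_capture(CAPTURE)).items():
        print(f"{c}:{cp} -> {s}:{sp}  {verdict}")
```

Feed it a real capture with `tcpdump -n -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'` piped into `parse_capture`. The point of separating the four verdicts is that they point at different layers: "no reply" sends you to the router or an upstream filter, "refused at SYN" to the host's own socket table and iptables (check every table, `iptables -t filter -L -n -v` and `iptables -t nat -L -n -v`, since `iptables -L` alone only shows filter), and "reset after the handshake" to the daemon's own access control.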
When you say it is in the DMZ - do you mean that the server has its own public IP address?
The server has a private IP address on the internal LAN, and this server is "exported" to the DMZ, so that all services not meant for other machines on the LAN are redirected to this server...
So does anyone know how to fix this?