Old 02-22-2011, 11:00 AM   #1
shizzles
LQ Newbie
 
Registered: Jun 2005
Location: Chicago
Distribution: Ubuntu Server & Debian 6
Posts: 23

Unable to connect to Webserver from Outside Network


So I have, what I consider, a unique issue.

I have an Ubuntu server (10.10) set up with Apache, and it is being port NAT'ted via a firewall from outside to the webserver.

I am able to access the webserver from inside the LAN but not from outside. NATs are working fine because I can see the traffic come through on tcpdump, but the webserver will not respond to the request from the outside IP address.

Here are the tcpdumps.

-----------------------------------------------------------------------------------
10:11:58.939005 IP 12.xxx.xxx.6.10146 > 172.16.2.100.80: Flags [S], seq 3098920688, win 65535, options [mss 1380,nop,nop,nop,nop], length 0
10:12:01.898852 IP 12.xxx.xxx.6.10146 > 172.16.2.100.80: Flags [S], seq 3098920688, win 65535, options [mss 1380,nop,nop,nop,nop], length 0
10:12:07.935801 IP 12.xxx.xxx.6.10146 > 172.16.2.100.80: Flags [S], seq 3098920688, win 65535, options [mss 1380,nop,nop,nop,nop], length 0
-----------------------------------------------------------------------------------

IPTABLES OUTPUT
-----------------------------------------------------------------------------------
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
LOGNDROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain LOGNDROP (1 references)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `DENIED: TCP '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `DENIED: UDP '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `DENIED: ICMP '
DROP all -- 0.0.0.0/0 0.0.0.0/0
-----------------------------------------------------------------------------------

No drops seen on iptables log.

The apache2.conf is standard; nothing out of the ordinary has been added to or removed from it.

Also, every once in a while I would lose the ability to do nslookups on it, but tcpdump shows it was successful.

===================================================================================
suhale@suhale:~$ nslookup www.google.com
;; connection timed out; no servers could be reached
-----------------------------------------------------------------------------------
10:57:01.086126 IP 172.16.2.100.55151 > 208.67.222.222.53: 11749+ A? www.google.com. (32)
10:57:01.104381 IP 208.67.222.222.53 > 172.16.2.100.55151: 11749 6/0/0 CNAME www.l.google.com., A 74.125.225.19, A 74.125.225.20, A 74.125.225.18, A 74.125.225.16, A 74.125.225.17 (132)
10:57:10.613787 IP 172.16.2.100.37952 > 208.67.222.222.53: 46992+ A? www.google.com. (32)
10:57:10.632792 IP 208.67.222.222.53 > 172.16.2.100.37952: 46992 6/0/0 CNAME www.l.google.com., A 74.125.225.19, A 74.125.225.20, A 74.125.225.18, A 74.125.225.16, A 74.125.225.17 (132)
===================================================================================

After a few minutes, it would just fix itself without any configuration changes or restart of any service(s).

I am confused o.0 !

Thanks in advance for the help.

P.S- Not sure if this would be a good place to post this or <Networking> forum.
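
Added example (not part of the original post): a small Python check over tcpdump text output like the capture above, listing client-to-server flows whose SYNs never received a SYN-ACK and how many of those SYNs were retransmissions. The function name and the two LAN handshake lines in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the three SYN lines quoted in the post, plus two constructed
# lines showing an answered handshake from a LAN client for contrast.
SAMPLE = """\
10:11:58.939005 IP 12.xxx.xxx.6.10146 > 172.16.2.100.80: Flags [S], seq 3098920688, win 65535, options [mss 1380,nop,nop,nop,nop], length 0
10:12:01.898852 IP 12.xxx.xxx.6.10146 > 172.16.2.100.80: Flags [S], seq 3098920688, win 65535, options [mss 1380,nop,nop,nop,nop], length 0
10:12:07.935801 IP 12.xxx.xxx.6.10146 > 172.16.2.100.80: Flags [S], seq 3098920688, win 65535, options [mss 1380,nop,nop,nop,nop], length 0
10:12:09.100000 IP 172.16.2.13.51000 > 172.16.2.100.80: Flags [S], seq 1000, win 8192, length 0
10:12:09.100050 IP 172.16.2.100.80 > 172.16.2.13.51000: Flags [S.], seq 2000, ack 1001, win 5840, length 0
"""

# Matches "<time> IP src.port > dst.port: Flags [..], seq N";
# captures source, destination, TCP flags and sequence number.
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]+)\], seq (\d+)")


def unanswered_syns(text):
    """Map (client, server) -> SYN stats for flows that never saw a SYN-ACK."""
    seqs = defaultdict(list)   # flow -> sequence number of every SYN seen
    answered = set()           # flows for which the server sent [S.]
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue           # not a TCP line carrying a seq field
        src, dst, flags, seq = m.groups()
        if flags == "S":
            seqs[(src, dst)].append(seq)
        elif flags == "S.":
            answered.add((dst, src))   # the reply travels server -> client
    return {
        flow: {"syns": len(s), "retransmits": len(s) - len(set(s))}
        for flow, s in seqs.items()
        if flow not in answered
    }


if __name__ == "__main__":
    for (client, server), stats in unanswered_syns(SAMPLE).items():
        print(f"{client} -> {server}: {stats['syns']} SYN(s), "
              f"{stats['retransmits']} retransmitted, no SYN-ACK captured")
```

The result is only meaningful if the capture was taken without a direction filter, so that replies from the server would have been recorded had they been sent.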
 
Old 02-22-2011, 11:33 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Do either of your Apache error or access logs show anything related to the connection attempts?
Also, what do you get if you try to telnet into port 80 on the server? Try this from both within and outside of your LAN.

Last edited by Noway2; 02-22-2011 at 11:34 AM. Reason: added telnet part
 
Old 02-22-2011, 11:50 AM   #3
shizzles
LQ Newbie
 
Registered: Jun 2005
Location: Chicago
Distribution: Ubuntu Server & Debian 6
Posts: 23

Original Poster
access.log
172.16.2.13 - - [22/Feb/2011:10:04:46 -0600] "GET / HTTP/1.1" 200 469 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 GetMiroToolbar/1.2"

12.xxx.xxx.6 - - [22/Feb/2011:10:11:16 -0600] "GET / HTTP/1.1" 200 476 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 (.NET CLR 3.5.30729)"

Nothing in error logs concerning the outside ip.

Telnet from inside shows a blank return, most likely due to me setting "ServerTokens Minimal" && "ServerSignature Off".
Telnet from outside shows it trying to connect, but it never connects.
 
Old 02-22-2011, 06:37 PM   #4
benq70
LQ Newbie
 
Registered: Jun 2003
Distribution: CentOS, Ubuntu
Posts: 6

What happens when you stop the iptables service? Does it behave properly then? Web and DNS lookups?

The fact you are having issues with DNS lookups is more of a concern than your web service.
 
Old 02-22-2011, 10:09 PM   #5
KinnowGrower
Member
 
Registered: May 2008
Location: Toronto
Distribution: Centos && Debian
Posts: 347

These are the firewall settings needed on the router to run Apache behind the NATed server/router.

After DNAT, forwarded packets to Apache must be allowed by the firewall:


iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 172.16.0.100 --dport 8080 --sport 1024:65535 -m state --state NEW -j ACCEPT

iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
  

