-
11-05-2003 #1 Just Joined!
- Join Date
- Oct 2003
- Posts
- 15
Internal LAN cannot connect to Apache Server
Hi Gurus out there, could you pls help me with my problem. I am running a newly installed Apache-2.x on my RH9.0 server. My problem is that every time my LAN clients want to access my Apache they are refused connections. But when I turn off my firewall, clients can freely access webpages.
I'm quite sure the problem is with my firewall rules. Could anyone pls help me with what rule should allow my LAN to access my Apache server?
My other services like Squid proxy, FTP and others are running OK and my clients can freely access those services without any problem. Also, I use this as the gateway to my LAN.
Here's my Apache config:
eth1 192.168.0.1--Apache is running on port 80
eth0 203.x.x.1
Here are my firewall rules for Apache:
# ----------------------------------------------------------------------------
# LOOPBACK
# ----------------------------------------------------------------------------
#
# Unlimited traffic on the loopback interface.
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT
# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 443 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
As you can see, I have unlimited access to my APACHE Server for my LAN.
Any suggestions?
TIA,
rhonneil
-
11-05-2003 #2 Linux Guru
- Join Date
- Apr 2003
- Location
- London, UK
- Posts
- 3,284
Could you paste the entire script? Especially the parts that declare $LOCAL_INTERFACE_1, $INTRANET etc.
Cheers!
Jason
-
11-05-2003 #3 Linux Engineer
- Join Date
- Mar 2003
- Location
- U.S.A.
- Posts
- 1,025
As j mentioned on posting your entire script, make sure to edit the IPs and any info you don't want out on the net forever, i.e. a gateway of 192.168.1.1 is fine but an outside IP of 68.32.x.x, so it's clear to us which is the internal IP and which is the external. Same for names and addresses: Joe S, not Joe Smith, and 123.com, not yourcompanyname.com.
Dan
"Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu
-
11-06-2003 #4 Just Joined!
- Join Date
- Oct 2003
- Posts
- 15
Here's my firewall script.
NOTE:
I have running services like:
squid proxy on ports 8080 3128
http and https on ports 80 443
pop3 and imap on ports 110 143
pop3s and imaps on ports 995 993
ftp and ssh on ports 21 22
Some of them were not included here for space considerations. All of these are running and accessible, except HTTP, which is not accessible when the firewall is running.
# Gateway & Proxy Server Firewall Configuration
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/iptables.
# chkconfig: - 60 95
# description: Starts and stops the IPTABLES packet filter \
. /etc/rc.d/init.d/functions
. /etc/sysconfig/network
if [ ${NETWORKING} = "no" ]
then
exit 0
fi
if [ ! -x /sbin/iptables ]; then
exit 0
fi
case "$1" in
start)
echo -n "Starting Firewalling: "
IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1" # Internal LAN interface
INTRANET="192.168.0.0/16" # Private IP Addr Range
PRIMARY_NAMESERVER="203.x.x.3"
SECONDARY_NAMESERVER="203.x.x.4"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:"
SSH_LOCAL_PORTS="1022:65535"
SSH_REMOTE_PORTS="513:65535"
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
iptables -F
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# Unlimited traffic within the local network.
iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -i $LOCAL_INTERFACE_1 -s ! $INTRANET -j DROP
# Allow all internal packets out of our network.
iptables -A FORWARD -m state --state NEW,ESTABLISHED \
-i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
# Allow the associated packets with those connections back in.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
-i $EXTERNAL_INTERFACE -s ! $INTRANET -j ACCEPT
iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE
iptables -A FORWARD -i $EXTERNAL_INTERFACE -m state \
--state NEW,INVALID -j REJECT
# Refuse any connection from problem sites
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
deny_file="/etc/rc.d/rc.firewall.blocked"
temp_file="/tmp/temp.ip.addresses"
cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" \
| awk ' $1 ' > $temp_file
while read ip_addy
do
case $ip_addy in
*) iptables -A INPUT -i $EXTERNAL_INTERFACE -s $ip_addy -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $ip_addy -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $ip_addy -j REJECT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip_addy -j REJECT
;;
esac
done < $temp_file
rm -f $temp_file > /dev/null 2>&1
unset temp_file
unset deny_file
fi
# ----------------------------------------------------------------------------
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
# ----------------------------------------------------------------------------
# DNS forward-only nameserver
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $PRIMARY_NAMESERVER --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $PRIMARY_NAMESERVER --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $SECONDARY_NAMESERVER --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $SECONDARY_NAMESERVER --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 443 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
# ------------------------------------------------------------------
# WWW-CACHE client
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 3128 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 3128 -j ACCEPT
# ------------------------------------------------------------------
# TRANSPARENT PROXY client
# ------------------------------------------------------------------
iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
--destination-port 80 -j REDIRECT --to-port 3128
# ------------------------------------------------------------------
;;
stop)
echo -n "Shutting Firewalling: "
# Remove all existing rules belonging to this filter
iptables -F
# Delete all user-defined chain to this filter
iptables -X
# Reset the default policy of the filter to accept.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
status iptables
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: iptables {start|stop|status|restart|reload}"
exit 1
esac
echo "done"
exit 0
Sorry for the lengthy reply.
thanks,
rhonneil
-
11-06-2003 #5 Linux Guru
- Join Date
- Apr 2003
- Location
- London, UK
- Posts
- 3,284
Try this instead:
Originally Posted by rhonneil
Code:
iptables -A INPUT -i $LOCAL_INTERFACE_1 -p tcp --destination-port 80 -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -p tcp --source-port 80 --destination-port $UNPRIVPORTS -j ACCEPT
-
11-07-2003 #6 Just Joined!
- Join Date
- Oct 2003
- Posts
- 15
Thanks, the firewall rule now gives my LAN access to my Apache webpages, BUT NOT FROM THE OUTSIDE. Could you pls check my firewall rules and see what the problem could be, why they can't provide connections to my clients outside, as indicated above?
Originally Posted by Jaguar
Pls note that whenever I turn off my firewall I can freely access Apache both from my LAN and from the Internet.
A million thanks for your help,
rhonneil
-
11-12-2003 #7 Just Joined!
- Join Date
- Nov 2003
- Posts
- 34
Why is it that this rule does not let rhonneil's Internet clients access his Apache server? I have the same firewall rule as his, though not defined exactly as indicated; more or less the same.
Hmm, where could the problem lie....
Any comment from those Gurus out there?
# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
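The rules quoted in this post, and the same ones in the original script, are client rules: `! --syn` excludes connection requests and `--source-port 80` means the remote side is the web server, so they admit only replies to connections the gateway itself opened. A browser on the Internet contacting Apache sends a SYN to port 80 on $IPADDR, which none of the script's ACCEPT rules match, and the INPUT DROP policy discards it. The reply in post #5 supplies the server-side pair for the LAN interface; the script below, which is added example code and not from any post in this thread, writes the equivalent server rules for the external interface in the same stateless style, keeps the thread's LAN rules, and adds a self-check that distinguishes a client rule from a server rule by inspecting the rule text. Variable names follow the thread's script; 203.0.113.1 is a placeholder address, LAN_IPADDR is the gateway's eth1 address from post #1, and the `IPTABLES=echo` dry-run convention is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from any post in the thread.
# Variable names follow the thread's script. 203.0.113.1 is a placeholder
# (documentation range), not the poster's address. IPTABLES defaults to "echo"
# so running this file prints the rules instead of loading them; set
# IPTABLES=/sbin/iptables to apply them for real.
IPTABLES="${IPTABLES:-echo}"
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
LOCAL_INTERFACE_1="${LOCAL_INTERFACE_1:-eth1}"
IPADDR="${IPADDR:-203.0.113.1}"
LAN_IPADDR="${LAN_IPADDR:-192.168.0.1}"   # gateway's eth1 address (post #1)
INTRANET="${INTRANET:-192.168.0.0/16}"
UNPRIVPORTS="1024:"

# Server rules for the external interface, in the script's stateless style:
# admit the client's SYN to port 80, and let everything except a SYN back out
# from port 80 so the gateway cannot originate connections using port 80.
http_server_rules() {
    $IPTABLES -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
        --source-port "$UNPRIVPORTS" \
        -d "$IPADDR" --destination-port 80 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
        -s "$IPADDR" --source-port 80 \
        --destination-port "$UNPRIVPORTS" -j ACCEPT
}

# The LAN-side pair from post #5, restricted to the intranet range.
http_lan_rules() {
    $IPTABLES -A INPUT -i "$LOCAL_INTERFACE_1" -s "$INTRANET" -p tcp \
        --destination-port 80 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$LOCAL_INTERFACE_1" -d "$INTRANET" -p tcp \
        --source-port 80 --destination-port "$UNPRIVPORTS" -j ACCEPT
}

# Caveat from the script's transparent-proxy section: the nat PREROUTING
# REDIRECT on eth1 also catches port-80 packets addressed to the gateway's own
# LAN address and hands them to Squid on 3128. If LAN clients should reach
# Apache directly, exempt the gateway's address before the REDIRECT rule
# (ACCEPT in the nat table means "do not NAT this packet").
lan_apache_no_redirect_rule() {
    $IPTABLES -t nat -A PREROUTING -i "$LOCAL_INTERFACE_1" -p tcp \
        -d "$LAN_IPADDR" --destination-port 80 -j ACCEPT
}

# The thread's original "HTTP client (80)" INPUT rule, kept for comparison.
http_client_rules() {
    $IPTABLES -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
        --source-port 80 \
        -d "$IPADDR" --destination-port "$UNPRIVPORTS" -j ACCEPT
}

# Self-check on generated rule text: count INPUT rules on the external
# interface that admit a connection request, i.e. destination port 80 and no
# "! --syn". The client rule scores 0; the server rule scores 1.
# Usage: count_server_input_rules <rule-emitting function>
count_server_input_rules() {
    "$@" | grep -- '-A INPUT' | grep -- "-i $EXTERNAL_INTERFACE" \
        | grep -- '--destination-port 80' | grep -vc -- '! --syn'
}

# When executed directly: print (or load) the rules. The nat exemption must
# precede the script's REDIRECT rule, so it is emitted first.
lan_apache_no_redirect_rule
http_lan_rules
http_server_rules
```

Run it as `sh apache-rules.sh` to review the rules, or `IPTABLES=/sbin/iptables sh apache-rules.sh` as root to load them, placing the filter rules before the script's final FORWARD REJECT and the nat exemption before its REDIRECT. The server rules deliberately mirror the thread's client rules rather than switching to `-m state`, so they can be dropped into the existing script unchanged; the self-check is what shows why the original "HTTP client" block could never admit an inbound request.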

