  1. #1
    Just Joined! | Join Date: Oct 2003 | Posts: 15

    Internal LAN cannot connect to Apache Server


    Hi Gurus out there, could you please help me with my problem. I am running a newly installed Apache 2.x on my RH 9.0 server. My problem is that every time my LAN clients want to access my Apache, their connections are refused. But when I turn off my firewall, clients can freely access web pages.

    I'm quite sure the problem is with my firewall rules. Could anyone please tell me what rule should allow my LAN to access my Apache server?

    My other services like Squid proxy, FTP and others are running OK and my clients can freely access those services without any problem. Also, I use this machine as the gateway to my LAN.

    Here's my Apache config:

    eth1 192.168.0.1--Apache is running on port 80
    eth0 203.x.x.1

    Here are my firewall rules for Apache:

    # ----------------------------------------------------------------------------
    # LOOPBACK
    # ----------------------------------------------------------------------------
    #
    # Unlimited traffic on the loopback interface.
    iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
    iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
    # ----------------------------------------------------------------------------

    # Unlimited traffic within the local network.
    # All internal machines have access to the firewall machine.
    iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
    iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT


    # ------------------------------------------------------------------
    # HTTP client (80)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

    # ------------------------------------------------------------------
    # HTTPS client (443)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 443 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 443 -j ACCEPT


    As you can see, I have unlimited access to my Apache server for my LAN.

    Any suggestions?

    TIA,

    rhonneil

  2. #2
    Linux Guru | Join Date: Apr 2003 | Location: London, UK | Posts: 3,284
    Could you paste the entire script? Especially the parts that declare $LOCAL_INTERFACE_1, $INTRANET etc.

    Cheers!

    Jason

  3. #3
    flw | Linux Engineer | Join Date: Mar 2003 | Location: U.S.A. | Posts: 1,025
    As j mentioned about posting your entire script, make sure to edit the IPs and any info you don't want out on the net forever, i.e. a gateway of 192.168.1.1 is fine but an outside IP of 68.32.x.x, so it's clear to us which is the internal IP and which is the external. Same for names and addresses: Joe S, not Joe Smith, and 123.com, not yourcompanyname.com.
    Dan

    "Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu

  4. #4
    Just Joined! | Join Date: Oct 2003 | Posts: 15
    Here's my firewall script.

    NOTE:
    I have running services like

    squid proxy on ports 8080 3128
    http and https ports 80 443
    pop3 and imap ports 110 143
    pop3s and imaps ports 995 993
    ftp and ssh ports 21 22

    Some of them were not included here for space considerations. All of them are running and accessible, except HTTP, which is not accessible when the firewall is running.

    # Gateway & Proxy Server Firewall Configuration
    # ----------------------------------------------------------------------------
    #
    # Invoked from /etc/rc.d/init.d/iptables.
    # chkconfig: - 60 95
    # description: Starts and stops the IPTABLES packet filter \


    . /etc/rc.d/init.d/functions
    . /etc/sysconfig/network

    # Quote the variable: an unset NETWORKING would otherwise leave "[ = no ]" and a syntax error.
    if [ "${NETWORKING}" = "no" ]
    then
    exit 0
    fi

    if [ ! -x /sbin/iptables ]; then
    exit 0
    fi

    case "$1" in
    start)
    echo -n "Starting Firewalling: "

    IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`

    EXTERNAL_INTERFACE="eth0"
    LOOPBACK_INTERFACE="lo"
    LOCAL_INTERFACE_1="eth1" # Internal LAN interface
    INTRANET="192.168.0.0/16" # Private IP Addr Range
    PRIMARY_NAMESERVER="203.x.x.3"
    SECONDARY_NAMESERVER="203.x.x.4"
    LOOPBACK="127.0.0.0/8"
    CLASS_A="10.0.0.0/8"
    CLASS_B="172.16.0.0/12"
    CLASS_C="192.168.0.0/16"
    CLASS_D_MULTICAST="224.0.0.0/4"
    CLASS_E_RESERVED_NET="240.0.0.0/5"
    BROADCAST_SRC="0.0.0.0"
    BROADCAST_DEST="255.255.255.255"
    PRIVPORTS="0:1023"
    UNPRIVPORTS="1024:"

    SSH_LOCAL_PORTS="1022:65535"
    SSH_REMOTE_PORTS="513:65535"

    TRACEROUTE_SRC_PORTS="32769:65535"
    TRACEROUTE_DEST_PORTS="33434:33523"

    iptables -F
    iptables -F -t nat
    iptables -X

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
    iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

    # Unlimited traffic within the local network.
    iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
    iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT

    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A FORWARD -i $LOCAL_INTERFACE_1 -s ! $INTRANET -j DROP

    # Allow all internal packets out of our network.
    iptables -A FORWARD -m state --state NEW,ESTABLISHED \
    -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT

    # Allow the associated packets with those connections back in.
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
    -i $EXTERNAL_INTERFACE -s ! $INTRANET -j ACCEPT

    iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE

    iptables -A FORWARD -i $EXTERNAL_INTERFACE -m state \
    --state NEW,INVALID -j REJECT

    # Refuse any connection from problem sites
    if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    deny_file="/etc/rc.d/rc.firewall.blocked"
    temp_file="/tmp/temp.ip.addresses"
    cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" \
    | awk ' $1 ' > $temp_file
    while read ip_addy
    do
    case $ip_addy in
    *) iptables -A INPUT -i $EXTERNAL_INTERFACE -s $ip_addy -j DROP
    iptables -A INPUT -i $EXTERNAL_INTERFACE -d $ip_addy -j DROP
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $ip_addy -j REJECT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip_addy -j REJECT
    ;;
    esac
    done < $temp_file
    rm -f $temp_file > /dev/null 2>&1
    unset temp_file
    unset deny_file

    fi
    # ----------------------------------------------------------------------------
    iptables -A INPUT -s 0.0.0.0/8 -j DROP
    iptables -A INPUT -s 127.0.0.0/8 -j DROP
    iptables -A INPUT -s 169.254.0.0/16 -j DROP
    iptables -A INPUT -s 192.0.2.0/24 -j DROP
    iptables -A INPUT -s 224.0.0.0/3 -j DROP

    # ----------------------------------------------------------------------------
    # DNS forward-only nameserver
    # ----------------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
    -s $PRIMARY_NAMESERVER --source-port 53 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    -s $PRIMARY_NAMESERVER --source-port 53 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
    -s $SECONDARY_NAMESERVER --source-port 53 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    -s $SECONDARY_NAMESERVER --source-port 53 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT

    # ------------------------------------------------------------------
    # HTTP client (80)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

    # ------------------------------------------------------------------
    # HTTPS client (443)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 443 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 443 -j ACCEPT

    # ------------------------------------------------------------------
    # WWW-CACHE client
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 3128 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 3128 -j ACCEPT

    # ------------------------------------------------------------------
    # TRANSPARENT PROXY client
    # ------------------------------------------------------------------

    iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
    --destination-port 80 -j REDIRECT --to-port 3128

    # ------------------------------------------------------------------

    ;;
    stop)
    echo -n "Shutting Firewalling: "

    # Remove all existing rules belonging to this filter
    iptables -F

    # Delete all user-defined chain to this filter
    iptables -X

    # Reset the default policy of the filter to accept.
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    ;;
    status)
    status iptables
    ;;

    restart|reload)
    $0 stop
    $0 start
    ;;

    *)
    echo "Usage: iptables {start|stop|status|restart|reload}"
    exit 1
    ;;
    esac
    echo "done"

    exit 0

    Sorry for the lengthy reply.

    thanks,

    rhonneil

  5. #5
    Linux Guru | Join Date: Apr 2003 | Location: London, UK | Posts: 3,284
    Quote Originally Posted by rhonneil
    # ------------------------------------------------------------------
    # HTTP client (80)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT
    Try this instead:
    Code:
    iptables -A INPUT -i $LOCAL_INTERFACE_1 -p tcp --destination-port 80 -j ACCEPT
    
    iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -p tcp --source-port 80 --destination-port $UNPRIVPORTS -j ACCEPT

  6. #6
    Just Joined! | Join Date: Oct 2003 | Posts: 15
    Quote Originally Posted by Jaguar
    Quote Originally Posted by rhonneil
    # ------------------------------------------------------------------
    # HTTP client (80)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT
    Try this instead:
    Code:
    iptables -A INPUT -i $LOCAL_INTERFACE_1 -p tcp --destination-port 80 -j ACCEPT
    
    iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -p tcp --source-port 80 --destination-port $UNPRIVPORTS -j ACCEPT
    Thanks, the firewall rule now gives my LAN access to my Apache web pages, BUT NOT FROM THE OUTSIDE. Could you please check my firewall rules to see what the problem could be, why they don't allow connections from my clients outside, as indicated above?

    Please note that whenever I turn off my firewall I can freely access Apache both from my LAN and from the Internet.

    A million thanks for your help,

    rhonneil

  7. #7
    Just Joined! | Join Date: Nov 2003 | Posts: 34
    Why is it that this rule does not allow rhonneil's Internet clients to access his Apache server? I have the same firewall rule as his, though not exactly defined as indicated. More or less the same.

    Hmm, where could the problem lie....

    Any comment from the Gurus out there?

    # ------------------------------------------------------------------
    # HTTP client (80)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT
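
A small model of the INPUT chain, added here as an illustration and not code from the thread, shows why the rule pair labelled "HTTP client (80)" admits replies to the server's own outbound web requests but never an inbound connection to Apache: `! --syn --source-port 80 --destination-port $UNPRIVPORTS` only matches packets coming back from a remote web server. The model keeps just the fields those rules test (interface, SYN flag, ports); the `-s $INTRANET` source match and the `SERVER_INPUT` rule are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNPRIVPORTS = (1024, 65535)  # $UNPRIVPORTS="1024:" in the posted script


@dataclass
class Packet:
    in_if: str
    sport: int
    dport: int
    syn: bool  # True only for the first packet of a TCP connection


@dataclass
class Rule:
    in_if: str
    target: str
    syn: Optional[bool] = None               # None: no --syn test; False: "! --syn"
    sport: Optional[Tuple[int, int]] = None  # --source-port range, if any
    dport: Optional[Tuple[int, int]] = None  # --destination-port range, if any

    def matches(self, p: Packet) -> bool:
        def in_range(v: int, r: Optional[Tuple[int, int]]) -> bool:
            return r is None or r[0] <= v <= r[1]
        return (p.in_if == self.in_if
                and (self.syn is None or p.syn == self.syn)
                and in_range(p.sport, self.sport)
                and in_range(p.dport, self.dport))


def verdict(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, as in netfilter; otherwise the chain policy (DROP here)."""
    return next((r.target for r in chain if r.matches(p)), policy)


# The INPUT rules from the thread that see TCP on eth0/eth1 (source-network match omitted).
OP_INPUT = [
    Rule("eth1", "ACCEPT"),                                               # unlimited LAN traffic
    Rule("eth0", "ACCEPT", syn=False, sport=(80, 80), dport=UNPRIVPORTS),  # "HTTP client (80)"
]
# Assumed server-side rule: new connections to port 80 arriving on the external interface,
# the eth0 counterpart of the eth1 rule Jason suggested.
SERVER_INPUT = OP_INPUT + [Rule("eth0", "ACCEPT", dport=(80, 80))]

# Constructed sample packets.
REPLY_FROM_WEBSITE = Packet("eth0", sport=80, dport=40000, syn=False)  # reply to an outbound fetch
INTERNET_CLIENT_SYN = Packet("eth0", sport=40000, dport=80, syn=True)  # Internet client -> Apache
LAN_CLIENT_SYN = Packet("eth1", sport=40000, dport=80, syn=True)       # LAN client -> Apache

if __name__ == "__main__":
    for name, p in [("reply", REPLY_FROM_WEBSITE), ("internet", INTERNET_CLIENT_SYN), ("lan", LAN_CLIENT_SYN)]:
        print(f"{name:9s} OP rules: {verdict(OP_INPUT, p):6s}  with server rule: {verdict(SERVER_INPUT, p)}")
```

Because the script also sets the OUTPUT policy to DROP and its eth0 OUTPUT rule for port 80 only matches `--source-port $UNPRIVPORTS --destination-port 80`, Apache's replies (source port 80) need a matching OUTPUT rule on the external interface as well, just as Jason's second rule provides for eth1.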
