Koozali.org: home of the SME Server

server & gateway - but port 80 closed??

Guck

server & gateway - but port 80 closed??
« on: March 26, 2003, 04:07:13 AM »
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on my.external.ip (xxx.xxx.xxx.xxx):
(The 1589 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
110/tcp    open        pop-3
113/tcp    open        auth
139/tcp    open        netbios-ssn
143/tcp    open        imap2
389/tcp    open        ldap
515/tcp    open        printer
1723/tcp   open        pptp
3306/tcp   open        mysql

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

everything I need is there except httpd... how can I enable it - and why would it be closed?

I have 4 domains pointed at this server, it has been recently upgraded from 5.1.2. I do have named issues (double zone listed in config) but I've fixed that for now and named is running ok.

Weird.

Charlie Brady

Re: server & gateway - but port 80 closed??
« Reply #1 on: March 26, 2003, 05:42:44 AM »
Guck wrote:

> everything I need is there except httpd... how can I enable
> it - and why would it be closed?

Find out why apache isn't running. The answer will be in /var/log/httpd/error_log.

Charlie

Guck

Re: server & gateway - but port 80 closed??
« Reply #2 on: March 26, 2003, 08:19:30 PM »
Charlie Brady wrote:

> Find out why apache isn't running. The answer will be in
> /var/log/httpd/error_log.

Well, apache is running just fine (I see several in ps) - I can access all my sites from inside my network - and doing a portscan from the inside IP yields:

[user@server user]$ nmap -sT 192.168.1.1

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on myserver.com (192.168.1.1):
(The 1585 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
113/tcp    open        auth
139/tcp    open        netbios-ssn
143/tcp    open        imap2
389/tcp    open        ldap
443/tcp    open        https
515/tcp    open        printer
980/tcp    open        unknown
981/tcp    open        unknown
1723/tcp   open        pptp
3306/tcp   open        mysql

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

It's like the firewall has port 80 closed on the external IP.

doing iptables --list -n I get (amongst other things):

Chain InboundTCP_645 (1 references)
target     prot opt source               destination
denylog    all  --  0.0.0.0/0           !(my external ip)
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:113
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:21
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80

I'm having difficulty interpreting that - but it looks like :
deny everything not going to (my external ip),
accept all http traffic
accept all auth traffic
deny all ftp traffic
DENY ALL HTTP TRAFFIC (?)

Confusing.

G
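
As an added illustration (this is not code from the thread or from SME Server), the script below walks the InboundTCP_645 excerpt quoted above in the order iptables evaluates a chain: the first matching rule wins, so for a packet to the external IP on port 80 the ACCEPT rule fires and the later denylog dpt:80 rule is never consulted. The external address 203.0.113.10 is an assumed placeholder for "my external ip", the rule table is a constructed copy of the five rules shown, and denylog is assumed to be SME Server's log-and-drop chain, so it is treated as a terminating target.

```shell
#!/bin/sh
# Added example, not code from the thread or from SME Server: walk an
# iptables chain the way the kernel does, first matching rule wins, to see
# which rule a packet actually hits.
#
# RULES is a constructed copy of the InboundTCP_645 excerpt quoted above,
# one rule per line: TARGET PROTO DST DPORT, with "-" meaning "any" and a
# leading "!" meaning "not". EXT_IP stands in for "my external ip" (assumed
# value). denylog is assumed to be SME Server's log-and-drop chain, so it is
# treated as a terminating target.
EXT_IP=203.0.113.10

RULES="denylog all !$EXT_IP -
ACCEPT tcp - 80
ACCEPT tcp - 113
denylog tcp - 21
denylog tcp - 80"

# verdict PROTO DST DPORT
# Prints the target of the first rule that matches, or "no-match" when the
# packet falls off the end of the chain (back to the calling chain).
verdict() {
    proto=$1 dst=$2 dport=$3 result=no-match
    while read -r target rproto rdst rdpt; do
        [ -n "$target" ] || continue
        # protocol: "all" matches anything
        if [ "$rproto" != all ] && [ "$rproto" != "$proto" ]; then
            continue
        fi
        # destination address, possibly negated with a leading "!"
        case "$rdst" in
            -)  ;;
            !*) if [ "${rdst#!}" = "$dst" ]; then continue; fi ;;
            *)  if [ "$rdst" != "$dst" ]; then continue; fi ;;
        esac
        # destination port
        if [ "$rdpt" != - ] && [ "$rdpt" != "$dport" ]; then
            continue
        fi
        result=$target
        break
    done <<EOF
$RULES
EOF
    printf '%s\n' "$result"
}

# Walk the cases the poster was puzzling over.
for dport in 80 21 443; do
    echo "tcp -> $EXT_IP:$dport : $(verdict tcp "$EXT_IP" "$dport")"
done
echo "tcp -> 192.168.1.1:80 : $(verdict tcp 192.168.1.1 80)"
```

Two things fall out of running it: port 80 to the external address is accepted, so the chain as quoted is not what is closing http; and port 443 matches nothing in the quoted excerpt, so an https packet falls through to whatever the calling chain does with it.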

dave

Re: server & gateway - but port 80 closed??
« Reply #3 on: March 27, 2003, 02:20:47 AM »
Guck,

This may be completely out of place here as I know very little about iptables.  I will say that some time back, I was using a cable provider as my ISP.  I spent a couple weeks setting up a website for a not-for-profit group my wife is involved with and all my testing went just fine.  The day I put the site up live, suddenly no one could get to the site.  I tried everything I could think of, even reloading the server and trying another box.  

As it turns out, that was about the time the codered virus started propagating everywhere and that was also about the time AT&T bought the parent company of the cable provider we used.  AT&T had silently blocked port 80 on the local network.  We could browse out no problem but if someone wanted to reach my site, in my provider's local network block of IPs, they got the not-found error.  I wound up going with TZO.com so I could use a nonstandard port for a while then we changed our provider.

Are you certain your ISP hasn't blocked the port?  

Just a guess mind you...

Dave

Guck

Re: server & gateway - but port 80 closed??
« Reply #4 on: March 27, 2003, 09:00:09 PM »
"I'm sorry Dave, I'm afraid it can't be that" :)

A fair guess, but in this case though I'm using Speakeasy DSL and they are renowned for letting you run whatever you want (-spam -warez).

I've done some more testing on iptables stuff, and have edited the ipmasq file to remove the reference to the DENYLOG port 80 (if it works, I'll template it) - but to no avail! It's getting more freaky since when I list my firewall rules now (even after reboot) I see no reference to a port 80 block on inbound tcp.

Doing nmap from an external address shows that the http and the https ports are closed.

So either:

- the ipmasq file doesn't really control the firewall
- the current list of firewall rules are not really in effect
- Something Else.

I had hoped to avoid the "tear down the firewall and build it back up rule by rule to see when it breaks" because of the hellishly convoluted (IMHO) nature of iptables. Does anybody have any ideas before I get dirty?

G

Guck

SOLVED: Server to Gateway - ports http & https 'closed'
« Reply #5 on: March 28, 2003, 10:35:03 AM »
OK, I finally managed to figure out what the heck was up here.

The bottom line is that :

a) the firewall closed the incoming https port on the external ip
b) the httpd.conf WAS NOT LISTENING to the external ip AT ALL

I don't know about the "why" - I am going to submit to bugs@ - but it looks like when I changed this server from "server mode" to "server & gateway" mode, the httpd.conf wasn't rewritten to take into account the additional, external IP address. And as for the closed https port on the firewall... could someone with a 5.6 server in "server & gateway" mode do a:

/sbin/iptables --list --numeric | grep 443

and report their results? I now get :
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:443
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:443

because I added in the top rule to the firewall.

Bloody weird business, but as ever a great learning experience...
the precis being, if your firewall rules say "ok" and your portscans say "not ok" - check there's something really, really listening on that port.

Seems obvious in retrospect - and in fact it's what Charlie Brady was saying ("Find out why apache isn't running. The answer will be in /var/log/httpd/error_log."); in effect, apache wasn't running (well, it was, but not on the external IP).

So, thank you Charlie  - you told me so :)

Cheers,

G

Guck

What's your httpd listening to?
« Reply #6 on: March 28, 2003, 11:57:49 AM »
I know I keep thrashing away at this issue, but in looking to template my way out of this problem, I found that when I asked:

/sbin/e-smith/db configuration getprop httpd-e-smith access

I get "private" as the response...

looking at

/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35Listen80

I see it says:

my $listen_default = "Listen 0.0.0.0:80";
...
my $httpdAccess =
    db_get_prop($confref, "httpd-e-smith", "access") || "private";

return $listen_default unless ($httpdAccess eq "private");

# Only selectively bind interfaces if we are in private server/gateway mode

my @ipAddresses = ("127.0.0.1", $LocalIP);

Guck

Re: What's your httpd listening to?
« Reply #7 on: March 28, 2003, 12:00:55 PM »
[Damn it, sent by accident].

so it looks like because my
/sbin/e-smith/db configuration getprop httpd-e-smith access
says "private" httpd is only going to be listening to localhost and the Local IP address...?

I guess if I changed the property to be anything other than "private" it would make httpd listen to all IP addresses on the server.

Does this make any sense?

G
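
As an added example (not code from the thread or from SME Server), the script below puts the two findings of this thread side by side: the Listen lines the 35Listen80 template logic quoted above would produce for each value of the httpd-e-smith access property, and the "is something really listening on that address and port?" check from the SOLVED post, run over a constructed socket table. The assumptions: 203.0.113.10 stands in for the external address, "public" is just an example of a value other than "private", and emitting one Listen line per entry of @ipAddresses is inferred from where the quoted template excerpt stops.

```shell
#!/bin/sh
# Added example, not code from the thread or from SME Server: the check the
# poster ends up recommending, "is something really listening on that
# address and port?", alongside the Listen lines the 35Listen80 template
# logic quoted above would produce for each value of httpd-e-smith access.
# The addresses are placeholders: 192.168.1.1 is the LAN address from the
# thread, 203.0.113.10 is an assumed external address.
LOCAL_IP=192.168.1.1
EXT_IP=203.0.113.10

# listen_lines ACCESS LOCAL_IP
# Reproduces the template's decision: anything but "private" gets the
# wildcard; "private" binds only loopback and the LAN address (one Listen
# line per entry of @ipAddresses is inferred from where the excerpt stops).
listen_lines() {
    access=$1 local_ip=$2
    if [ "$access" != private ]; then
        echo "Listen 0.0.0.0:80"
        return
    fi
    for ip in 127.0.0.1 "$local_ip"; do
        echo "Listen $ip:80"
    done
}

# bound_on IP PORT
# Reads "Local Address" entries as netstat -ltn / ss -ltn print them, one
# per line on stdin, and prints "yes" if a socket is bound on IP:PORT or on
# the wildcard 0.0.0.0:PORT, else "no".
bound_on() {
    ip=$1 port=$2 found=no
    while read -r sock; do
        [ -n "$sock" ] || continue
        lport=${sock##*:}
        laddr=${sock%:*}
        [ "$lport" = "$port" ] || continue
        if [ "$laddr" = 0.0.0.0 ] || [ "$laddr" = "$ip" ]; then
            found=yes
            break
        fi
    done
    printf '%s\n' "$found"
}

# Constructed sample of what a "private" server & gateway box would show:
# httpd only on loopback and the LAN address, sshd on the wildcard.
SAMPLE_SOCKETS='0.0.0.0:22
127.0.0.1:80
192.168.1.1:80
127.0.0.1:443
192.168.1.1:443'

# check_ext IP PORT -> "yes"/"no" for the constructed socket table
check_ext() {
    printf '%s\n' "$SAMPLE_SOCKETS" | bound_on "$1" "$2"
}

echo "Listen lines for access=private:"
listen_lines private "$LOCAL_IP"
echo "Listen lines for access=public:"
listen_lines public "$LOCAL_IP"
echo "httpd bound on $EXT_IP:80?  $(check_ext "$EXT_IP" 80)"
echo "httpd bound on $LOCAL_IP:80? $(check_ext "$LOCAL_IP" 80)"
echo "sshd bound on $EXT_IP:22?   $(check_ext "$EXT_IP" 22)"
# On the real server, feed the live table instead of the sample, roughly:
#   netstat -ltn | awk 'NR>2 {print $4}' | bound_on "$EXT_IP" 80
```

With access=private the table has no 0.0.0.0:80 and no 203.0.113.10:80 entry, so the external check says "no" while the LAN check says "yes": exactly the inside-open, outside-closed pattern in the two nmap runs, and a firewall rule allowing port 80 cannot change it.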