Topic: HELP:Sme Server - Web Server

[rockyoyster]

I have installed the SME Server for personal use. I want to take
advantage of the web server and FTP features. I installed it in SERVER ONLY MODE. I access everything from the local network fine. But when I try to access it from outside the network, I get no response. Previous to this setup I was running Apache in Debian and it worked fine. So I know the equipment is good. I think I'm missing some security settings somewhere. I was under the impression that in server only mode, the Primary directories would have no security, hence the need for it to be behind a firewall/router. Is this correct? If not, can someone point me in the proper direction as far as how to edit the HOSTS file and/or httpd.conf files; if that is where the issue is? I am able to ping everything from within the network. When I pingfrom the server to the  outside the network it doesn't give me an Unreachable destination, I just get no reply. As if all incoming traffic is being blocked. But I'm not sure where or how to unblock it properly.


Broadband Modem connected to Linksys Router.
Linksys Router connected to Server.
Linksys Connected to a laptop and dekstop as well.
Port 80 is being forwarded to the server.

Any suggestions? I don't necessarily need answers, just directions. I've done fairly well in the past debugging something like this, but I'm just a bit lost this time...

Thanks!!!!!

[hordeusr]

I assume you are trying to reach http on that server via your verified external IP address from a different Internet connection that the one hosting the server (if your router can do loopback and you have it enabled you can hit the external ip from inside your network).  I also assume you aren't using DNS for testing yet.  http (port 80) should work from any network that can reach your server without modification.  If the port 80 forwarding to the SME server on the router is working and your ISP isn't blocking port 80 it should work.  I have the same setup (different router).  As a test I would setup a simple web server on a different computer on the network, and change the port forward to that ip address...to verify the port foward is working as it should.  If you are using dns to hit the server, make sure you have an entry in the "domains" on the SME server.  As far as pinging goes, some ISP's also block ping....mine does.  Your router may also be stopping the ping on the way back.  Also verify internet access on the SME box via lynx

Simple web server for windows if you need it....
http://www.analogx.com/contents/download/network/sswww.htm

[rockyoyster]

I assume you are trying to reach http on that server via your verified external IP address from a different Internet connection that the one hosting the server

Yes, that is correct. What do you mean by verified? I used my neighbors wireless connection.(with permission of course!) And I also tried from work. All of which worked with my previous setup.

[rockyoyster]

I installed the simple server for windows on the laptop and sent port 80 over to it and it appears to be working fine. Page loads right up.. I really think that the SME server is blocking the port. How can I test the ports on the server? I ran i beleive netsta and it shows port 80 as listening.... the hosts.allow and hosts.deny appear to be ok.. but I'm not sure.. I think I'm off for a Hosts 101 course... any more input would be appreciated.,
thanks!!

[hordeusr]

It really should just work...on an unaltered SME install.  Have you done any unusual configuration changes?  Any information in the log files?  I've set-up many of these as a server-only with a simple port forward of 80/25/whatever else I need and it works flawless.  If you are really stuck you can try:

signal-event post-upgrade
signal-event reboot

This worked one time for me when I had a strange problem.  Why it works locally and not via the port forward is a mystery to me.

[rockyoyster]

I am going to try those two, then I will re-install from scratch. I hadn't changed anything. I'm gonna try hooking it up direct to the modem without the router and see if it works. Otherwise I think I will do a clean install and see what happens. If no go, I will install XAMPP on it and see if it still works. I let you know..

Thanks!!

[rockyoyster]

I burned a new image of the server and reinstalled and the exact same thing happens. I can not access anything from outside my network. Now i'm sad.

I did server only.
I didn't turn on DHCP.
I changed the mycompany.local to a XXXXXX.COM
The IP I changed to 192.168.1.100
Netmask is 255.255.255.0 (default)
The gateway is 192.168.1.1
I named it server
I did not specify a DNS server.

Works fine from home.. I'm real sad now.

[bpivk]

1.) go to shields-up and check your ports (www.grc.com)
2.) report your findings here
3.) if you didn't try it yet: try to connect from another location trough your ip not dns

[rockyoyster]

That was exactly something that I was looking for. It appears that it confirms my thoughts. But I don't know how to open the port. All config file that I look into appear to show port 80 open, but it's apparently not?


----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2007-06-12 at 18:57:48

Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
 1056 Ports Stealth
---------------------
 1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.

[rockyoyster]

I am able to access the internet with lynx. So the ETH0 is working. I am also able to update the software with YUM through Server Manager. But I simply can not access under construction web page outside of my local network. I am no Linux wiz, and this is by far my worst experience with anything linux. I'm sure it's an operator idiocy. Perhaps I should go back to Debian/Xampp and try to be merry... I'm sure glad I out grew the Monitor Through The Window stage.

Thanks!!

[bpivk]

I think that it's something to do with the router (wrong ip maybe) because i never had all the ports stelthed unless i used my router.
Use the "ifconfig" command. You should get some info about your nics and their ip's. Then use the apropriate ip in your router to forward the ports.
Repeat the shields up test after you're done with configuring the router.

[rockyoyster]

Maybe the router is no good. But when I replaced the server with my laptop running a simple www server it worked fine. It also worked fine when I had Debian and XAMPP running on the same box, same router settings. All I did was install a fresh SME on there. The actual error is that the server is taking too long to respond. Would it be possible to turn off any and all firewall settings and leave it more open then it should allready be? As much as I'd like to walk away from these; I really need to know why this doesn't work. Maybe I just need a lobotomy. Anyhow, lemme know what you think. I did the IFCONFIG and the port is being forwarded to that IP. The gateway is correct as well.

[bpivk]

SME (in gateway mode) shouldn't have any firewall so that shouldn't be a problem (and it shouldn't be even if he had it's firewall enabled).

Did you try a small test. Put your server's on DMZ and check if it works. It's not recomended but well se what happens when you do that. Then you'll know if your router is blocking the ports. But i agree it should work if you're routing the correct ports but i had a similar problem with my belkin router which wouldn't route SME traffic and even the tech support didn't know why.

[rockyoyster]

I also DMZ'd the IP and still nothing. I tried running the ShieldzUp with Lynx and it is still bringing up port 80 as stealth.

[rockyoyster]

I truely feel it's something in the Iptables. Which makes no sense.   Unfortunately, I'm not too swift with deciphering the MASQ file. I can forward that port to anything else and it works fine. I'm gonna try to connect to it with HttpS( that's secure connection right?) When I DMZ'd my laptop port 80 came through stealth but port 403 was open. 403 is the https port i beleive?

It works with the https. yee haw!?

Perhaps my ISP is stealthing the ports for me? even so, I have and am
still able to run apache here and have it accessible from outside the network. Would that lead to a configuration/rules issue?

[bpivk]

443 is HTTPS port.

Well did you mess with iptables? Because it should work stock.

On the port-forwarding panel, forward port 8080 (or whatever) to port 80 and try that port.

[rockyoyster]

I did not mess with anything. I was looking through them. But I dont touch!!

I don't follow the port forwarding. My panel only allows me to forward ports to IP's, but there are no options to forward ports to ports. I'd like to forward port 80 to port 403 or some other open port. But I don't see anything like that.

 I was contemplating looking through the tables of apache or some other server that actually works and see if there are any noticable differences..

[rockyoyster]

Because port 80 is stealth, could it be that SME  is expecting to see it; but it's not. So it is dropping the packet or it just times out? Is that an option with IPTABLES? I don't see anything in the log files to prove this but maybe I'm not seeing the right log files... hmmmm

[bpivk]

I did not mess with anything. I was looking through them. But I dont touch!!

I don't follow the port forwarding. My panel only allows me to forward ports to IP's, but there are no options to forward ports to ports. I'd like to forward port 80 to port 403 or some other open port. But I don't see anything like that.

 I was contemplating looking through the tables of apache or some other server that actually works and see if there are any noticable differences..

My mistake. I was thinking of sme server-manager pannel. I guess that i should point that out.
Use the sme port forwarding function to forward to another port (eg. 8080 localhost 80).

Your server should work if you say that you didn't touch anything. The only other thing could be that your ISP blocks port 80 but if you say that it worked before...

[rockyoyster]

It is running in Server Only Mode and port forwarding is not available. It is only available in Gateway Mode.

[bpivk]

It is running in Server Only Mode and port forwarding is not available. It is only available in Gateway Mode.

Umm. Could be. I never ran my server in server-only mode.

Did you try to run it on a dmz line?

[rockyoyster]

I am going to use port 8080. I will forward the router to port 8080. I am going to change  80 to 8080 in httpd.conf. Do I also need to change this in MASQ and/or IPTABLES? Or is there a command I can issue that will send all 8080 requests to 80 and vice versa?

[bpivk]

How do I allow public access to a service I've added to SME7?
The procedure has changed and is now much simpler in SME7. For this example the service you have installed is called 'manta' and 'nnn' is the TCP port number that needs to be opened. Watch your capitalization with the command below:


config set manta service access public status enabled TCPPort nnn
For UDP services, use UDPPort instead of TCPPort.
Note that you can also set restrictions with AllowHosts and DenyHosts:


config setprop manta ~AllowHosts 1.2.3.4,10.11.12.0/24
config setprop manta ~DenyHosts 16.17.18.18
Then, to activate, do:


signal-event remoteaccess-update

Got this from the old wiki.

[rockyoyster]

I think we are good now. I did the CONFIG command. It did change the ports but there was still no access. I changed the 80 to 8080 on the Listen line in HTTPD.CONF and it works. I also changed the 80 to 8080 in the MASQ file. Everything appears to be working so far.

 It appears that my ISP is stealthing the popular ports;atleast thats all I can come up with right now. However, I would be interested in knowing why I was able to run the XAMPP with the exact same setup no problem. I think I will dig through some config files and see if I can come up with anything.

 Thanks for you help. I would have otherwise abandoned this a few days ago. Can I offer you some coffee?

[bpivk]

Your server should work if you say that you didn't touch anything. The only other thing could be that your ISP blocks port 80 but if you say that it worked before...

I was asking this question myself a few posts earlier.

But you'll have to template your changes if you want to keep them after a reboot.

Code: [Select]


#mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
#cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35Listen80 /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35Listen80
#mcedit /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35Listen80
#/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
#service httpd-e-smith restart

This should do it.

[rockyoyster]

I will have to look into the blocking of the ports. They would have had to of done this quite recently. I had the other server going just a few weeks ago. If the port is Stealth, does that make it completely inaccesible?

Welp, thanks for you help again. For now the 8080 will do just fine.

[bpivk]

If the port is Stealth, does that make it completely inaccesible?

Yes. Closed means that the port is closed and stealth means that the port doesn't even seem to exist.

For now the 8080 will do just fine.

Ok but you really need to template it or you'll lost your changes after the next upgrade.

[rockyoyster]

All Done.. It's a good thing you mentioned the templates. I had no clue! I wold have been in a world of confusion all over again! Thank you!!