Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Guck on March 26, 2003, 04:07:13 AM
-
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on my.external.ip (xxx.xxx.xxx.xxx):
(The 1589 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
110/tcp open pop-3
113/tcp open auth
139/tcp open netbios-ssn
143/tcp open imap2
389/tcp open ldap
515/tcp open printer
1723/tcp open pptp
3306/tcp open mysql
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
Everything I need is there except httpd... how can I enable it - and why would it be closed?
I have 4 domains pointed at this server, it has been recently upgraded from 5.1.2. I do have named issues (double zone listed in config) but I've fixed that for now and named is running ok.
Weird.
-
Guck wrote:
> everything I need is there except httpd... how can I enable
> it - and why would it be closed?
Find out why apache isn't running. The answer will be in /var/log/httpd/error_log.
Charlie
-
Charlie Brady wrote:
> Find out why apache isn't running. The answer will be in
> /var/log/httpd/error_log.
Well, apache is running just fine (I see several in ps) - I can access all my sites from inside my network - and doing a portscan from the inside IP yields :
[user@server user]$ nmap -sT 192.168.1.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on myserver.com (192.168.1.1):
(The 1585 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
113/tcp open auth
139/tcp open netbios-ssn
143/tcp open imap2
389/tcp open ldap
443/tcp open https
515/tcp open printer
980/tcp open unknown
981/tcp open unknown
1723/tcp open pptp
3306/tcp open mysql
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
It's like the firewall has port 80 closed on the external IP.
Doing iptables --list -n I get (amongst other things):
Chain InboundTCP_645 (1 references)
target prot opt source destination
denylog all -- 0.0.0.0/0 !(my external ip)
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
I'm having difficulty interpreting that - but it looks like :
deny everything not going to (my external ip),
accept all http traffic
accept all auth traffic
deny all ftp traffic
DENY ALL HTTP TRAFFIC (?)
Confusing.
G
-
Guck,
This may be completely out of place here as I know very little about iptables. I will say that some time back, I was using a cable provider as my ISP. I spent a couple weeks setting up a website for a not-for-profit group my wife is involved with and all my testing went just fine. The day I put the site up live, suddenly no one could get to the site. I tried everything I could think of, even reloading the server and trying another box.
As it turns out, that was about the time the Code Red virus started propagating everywhere and that was also about the time AT&T bought the parent company of the cable provider we used. AT&T had silently blocked port 80 on the local network. We could browse out no problem but if someone wanted to get to my site, in my provider's local network block of IPs, they got the not found error. I wound up going with TZO.com so I could use a nonstandard port for a while, then we changed our provider.
Are you certain your ISP hasn't blocked the port?
Just a guess mind you...
Dave
-
"I'm sorry Dave, I'm afraid it can't be that" :)
A fair guess, but in this case I'm using Speakeasy DSL and they are renowned for letting you run whatever you want (-spam -warez).
I've done some more testing on iptables stuff, and have edited the ipmasq file to remove the reference to the DENYLOG port 80 (if it works, I'll template it) - but to no avail! It's getting more freaky since when I list my firewall rules now (even after reboot) I see no reference to a port 80 block on inbound tcp.
Doing nmap from an external address shows that the http and the https ports are closed.
So either:
- the ipmasq file doesn't really control the firewall
- the current list of firewall rules is not really in effect
- Something Else.
I had hoped to avoid the "tear down the firewall and build it back up rule by rule to see when it breaks" because of the hellishly convoluted (IMHO) nature of iptables. Does anybody have any ideas before I get dirty?
G
-
OK, I finally managed to figure out what the heck was up here.
The bottom line is that:
a) the firewall closed the incoming https port on the external ip
b) the httpd.conf WAS NOT LISTENING to the external ip AT ALL
I don't know about the "why" - I am going to submit to bugs@ - but it looks like when I changed this server from "server mode" to "server & gateway" mode, the httpd.conf wasn't rewritten to take into account the additional, external IP address. And as for the closed https port on the firewall... could someone with a 5.6 server in "server & gateway" mode do a:
/sbin/iptables --list --numeric | grep 443
and report their results? I now get:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
because I added in the top rule to the firewall.
Bloody weird business, but as ever a great learning experience...
The précis being: if your firewall rules say "ok" and your portscans say "not ok" - check there's something really, really listening on that port.
Seems obvious in retrospect - and in fact it's what Charlie Brady was saying ("Find out why apache isn't running. The answer will be in /var/log/httpd/error_log."). In effect, apache wasn't running (well, it was, but not on the external IP).
So, thank you Charlie - you told me so :)
Cheers,
G
-
I know I keep thrashing away at this issue, but in looking to template my way out of this problem, I found that when I asked:
/sbin/e-smith/db configuration getprop httpd-e-smith access
I get "private" as the response...
looking at
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35Listen80
I see it says:
my $listen_default = "Listen 0.0.0.0:80";
...
my $httpdAccess =
db_get_prop($confref, "httpd-e-smith", "access") || "private";
return $listen_default unless ($httpdAccess eq "private");
# Only selectively bind interfaces if we are in private server/gateway mode
my @ipAddresses = ("127.0.0.1", $LocalIP);
-
[Damn it, sent by accident].
So it looks like because my
/sbin/e-smith/db configuration getprop httpd-e-smith access
says "private", httpd is only going to be listening on localhost and the Local IP address...?
I guess if I changed the property to be anything other than "private" it would make httpd listen to all IP addresses on the server.
Does this make any sense?
G
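The two lessons of this thread (a port the firewall accepts can still scan as not open when nothing is bound on the external address, and a "private" httpd-e-smith access setting makes the 35Listen80 template bind only localhost and the LAN IP) can be checked with a small diagnostic. The following is an added example, not SME Server's code or anything the posters ran: it emulates the decision in the quoted template fragment, parses constructed excerpts shaped like `iptables --list --numeric` and `netstat -tln` output, and reports what a connect scan from outside should see for a given port. The addresses, the netstat lines and the extra port 22 rule are constructed sample values.

```python
import re

# Constructed sample addresses standing in for the poster's real ones.
LOCAL_IP = "192.168.1.1"
EXTERNAL_IP = "203.0.113.10"   # documentation-range placeholder, not a real host

# Constructed excerpt in the shape of `iptables --list --numeric`, modelled on the
# chain quoted in the thread: port 80 has ACCEPT above denylog, port 443 only has
# denylog (as it did before the poster added an ACCEPT), port 22 is a constructed
# extra rule so a fully open service appears in the sample.
IPTABLES_LISTING = """\
Chain InboundTCP_645 (1 references)
target     prot opt source               destination
denylog    all  --  0.0.0.0/0            !203.0.113.10
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:113
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
"""

# Constructed excerpt in the shape of `netstat -tln`: httpd bound only to
# localhost and the LAN address, which is what the "private" branch of the
# 35Listen80 fragment produces; sshd bound to every address.
NETSTAT_LISTING = """\
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
"""

RULE_RE = re.compile(r"^(ACCEPT|denylog)\s+tcp\s+--\s+\S+\s+\S+\s+tcp dpt:(\d+)")
LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def expected_listen_addresses(access, local_ip, port=80):
    """Emulates the branch in the quoted 35Listen80 fragment (assumption:
    reconstructed from the posted lines, not SME Server's own template code).
    Anything other than "private" yields the wildcard Listen; "private" yields
    loopback plus the LocalIP only, so the external address is never bound."""
    if access != "private":
        return [f"0.0.0.0:{port}"]
    return [f"127.0.0.1:{port}", f"{local_ip}:{port}"]


def firewall_verdicts(listing):
    """Map port -> first matching target. iptables walks a chain top-down and the
    first match wins, which is why ACCEPT above denylog lets port 80 through."""
    verdicts = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            verdicts.setdefault(int(m.group(2)), m.group(1))
    return verdicts


def listeners(listing):
    """Set of (address, port) pairs with a socket in LISTEN state."""
    bound = set()
    for line in listing.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            bound.add((m.group(1), int(m.group(2))))
    return bound


def external_port_state(port, external_ip, fw_listing, ns_listing):
    """What a TCP connect scan against external_ip should observe for one port."""
    if firewall_verdicts(fw_listing).get(port) != "ACCEPT":
        return "denied by firewall"
    bound = listeners(ns_listing)
    if (external_ip, port) in bound or ("0.0.0.0", port) in bound:
        return "open"
    # Firewall lets the SYN through, but no socket is bound on that address:
    # the kernel answers with RST, which nmap reports as "closed".
    return "closed: firewall accepts, but nothing is bound on the external IP"


if __name__ == "__main__":
    print("private ->", expected_listen_addresses("private", LOCAL_IP))
    print("public  ->", expected_listen_addresses("public", LOCAL_IP))
    for p in (22, 80, 443):
        print(p, external_port_state(p, EXTERNAL_IP, IPTABLES_LISTING, NETSTAT_LISTING))
```

The "denied by firewall" verdict is deliberately not mapped to an nmap state: whether a denied port scans as closed or filtered depends on whether the deny chain rejects or silently drops, and the thread does not show what denylog does. The useful signal is the middle case, where the rule table says ACCEPT and the listener table has nothing on the external address: that is exactly the situation the poster eventually diagnosed by looking at what httpd was bound to rather than at the firewall.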