
Linux Server - Windows Client -CONFIGURE!!?


energiza

Programmer
Jul 23, 2003
10
MX
I posted this same topic in Linux(server) forum, though I will be brief.

My Linux (RH-8.0) server 192.168.0.1 (.1) is "xover"ed (no hub) to a Windows client 192.168.0.5 (.5). When .1 boots as Windows client, the ethernet connection is ok, and when .1 boots as Linux server, there is ip traffic as confirmed by Network Monitor, but .5 can not
.1 receives packets from .5, recognizes the http [SYN] command and .1 replies to .5 saying "Destination Unreachable".

Ping from windows to linux works ok with 0% loss, so there is a solid link, but http server doesn't respond to the windows client (it does respond within the same linux server, so Apache is running ok locally, but seems to not answer the requests from "outside")

Configuration:

Windows Machine: TCP/IP Ethernet card protocol is configured at IP address with the .5 address above + gateway is given the .1 address of the server.

Linux Server: "Neat" dialog for ether card shows my card active, IP address is statically given (no DHCP is running). Also the "Host" tab of the card is pointing to 127.0.0.1 which is the Apache Server. Finally, the router configured inside the httpd.conf has denied access to "All" but allows from 192.168.0.5.

Am I missing something?

Thanks and Regards
Javier
 
What level did you set for your linux Security? Did you remember to add http to the list of acceptable ports to allow inbound connections?

Also, check /etc/hosts.allow and /etc/hosts.deny (they will probably be empty, and that is OK). List your iptables (or ipchains if that is what you are using) and determine if you are allowing those connections.

'iptables --list' will show you what you are allowing/blocking. You should see a rule something like this:

ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN

Take a look at the packet-filtering-HOWTO, NAT-HOWTO and the netfilter-extensions-HOWTO for details.


pansophic
 
Thanks Pansophic, iptables --list (at the end) shows that there is rejection of the tcp protocol, with the "unreachable" message. That seems to be the main blockage. I don't know how to use iptables but I have the manuals, so I will work on that.

Answering your questions which seem very important:

1.- Level of Security? - I don't know where I can set that, where?

2.- Add HTTP? Where should I do that? I only left the default in httpd.conf "Listen: *:80", but I do not yet know where I should add HTTP (and certainly any possible FTP, Telnet, etc.?)

3.- hosts.allow and hosts.deny are empty. thanks

4.- iptables - work to do. thanks

5.- howto's, I have them, I will study the topics you mention. thanks

Also, the <proxy *> directive at httpd.conf wasn't working because I had not "LoadModule" the "mod_proxy.so", now it's done.

QUESTION:

There are many layers of security, if I disable the <proxy *> of the Apache and fix the rest, will the http server respond anyway or does it really need the <proxy *>?
(something I can try-and-error but just to avoid it)

Thanks a lot
Javier
----------------------------
IPTABLES REPORT:
----------------------------
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Lokkit-0-50-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
----------------
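An added example (not code from the thread) that walks the RH-Lokkit chain listed above with netfilter's first-match semantics, to show why the http SYN from .5 gets icmp-port-unreachable, why Apache still answers locally, and where an ACCEPT for port 80 has to be placed. It assumes the bare "ACCEPT all" line is lokkit's loopback rule (iptables --list hides the interface; iptables -L -v shows it) and resolves the service names to port numbers.

```python
"""Added example: first-match walk over the RH-Lokkit INPUT chain from the post,
showing why a SYN to port 80 is rejected and where an ACCEPT for http must sit."""
from collections import namedtuple

Rule = namedtuple("Rule", "target proto iface dports syn_only")
Packet = namedtuple("Packet", "proto dport syn iface")

# Hand transcription of 'Chain RH-Lokkit-0-50-INPUT' from the post. Service names are
# resolved to port numbers; the '-i lo' on the 'ACCEPT all' rule is an ASSUMPTION
# ('iptables --list' hides interfaces; 'iptables -L -v' would show it).
LOKKIT_CHAIN = [
    Rule("ACCEPT", "udp", None, (67, 68), False),     # spts/dpts bootps:bootpc (DHCP)
    Rule("ACCEPT", "all", "lo", None, False),         # 'ACCEPT all' -- assumed loopback only
    Rule("REJECT", "tcp", None, (0, 1023), True),     # dpts:0:1023 SYN -> port-unreachable
    Rule("REJECT", "tcp", None, (2049, 2049), True),  # dpt:nfs
    Rule("REJECT", "udp", None, (0, 1023), False),    # udp dpts:0:1023
    Rule("REJECT", "udp", None, (2049, 2049), False), # udp dpt:nfs
    Rule("REJECT", "tcp", None, (6000, 6009), True),  # dpts:x11:6009
    Rule("REJECT", "tcp", None, (7100, 7100), True),  # dpt:xfs
]
# The rule pansophic expects to see: ACCEPT tcp dpt:http flags:SYN,RST,ACK/SYN
ACCEPT_HTTP = Rule("ACCEPT", "tcp", None, (80, 80), True)

def matches(rule, pkt):
    if rule.proto not in ("all", pkt.proto):
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.dports is not None and not rule.dports[0] <= pkt.dport <= rule.dports[1]:
        return False
    return not rule.syn_only or pkt.syn   # flags:SYN,RST,ACK/SYN matches only new SYNs

def decide(chain, pkt, policy="ACCEPT"):
    """Netfilter semantics: the first matching rule decides; otherwise the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

def with_http_opened(chain):
    """Place ACCEPT_HTTP ahead of the first tcp REJECT (appended at the end it is never reached)."""
    idx = next(i for i, r in enumerate(chain) if r.target == "REJECT" and r.proto == "tcp")
    return chain[:idx] + [ACCEPT_HTTP] + chain[idx:]

if __name__ == "__main__":
    syn_from_client = Packet("tcp", 80, True, "eth0")  # constructed: .5 -> .1:80
    print(decide(LOKKIT_CHAIN, syn_from_client))                    # REJECT
    print(decide(LOKKIT_CHAIN, Packet("tcp", 80, True, "lo")))      # ACCEPT (local test works)
    print(decide(with_http_opened(LOKKIT_CHAIN), syn_from_client))  # ACCEPT
    print(decide(LOKKIT_CHAIN + [ACCEPT_HTTP], syn_from_client))    # REJECT: order matters
```

Ping from .5 falls through every rule to the INPUT policy (ACCEPT), which is why the link tests fine while port 80 is refused.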
 
Ups!, yes, I found the Security Level on the System Settings at the RH Menu. IT'S HIGH! AND USING DEFAULT FIREWALL RULES (IPTABLES PERHAPS?)

Ok, then, even though this dialog will allow me to open incoming traffic, will it override OR redefine IPTABLES?

And, just for knowledge, where (path/file) does this configuration reside?

Thanks, please stay in touch.
Javier
 
Eureka!:

Yes, the http request WORKED immediately (even faster than within the server) when .5 did
iptables had its configuration changed after this, but there is still "Reject" for tcp flags, but not for tcp dpt:http, which is in an Accept rule. Got'ya now.

Another related to a modem router:

If I add a hub, and connect to it my 2 pc's + one of those modem-router with an ip address, do I have to configure something else? (besides not conflicting ip addresses).

For example, the .5 machine has .1 as gateway, and will need a second gateway address, say .3 (the new router) to get out to the internet (now .5 uses its own modem that I plan to substitute via the ether port) , so the .1 will not be in the middle to allow or deny, but if I wish to get out from .1 via any protocol, to the internet, is there any setting that I have to move?

Thanks again.
Javier
 
Another:

Now I can always access .1 from .5, but when I'm online with the internet, I can see my index page, but when I disconnect from the internet, I get 403 forbidden. (what's going on?)

Regards
Javier

 
OK, let me see if I am up-to-speed: You got the iptables rules to allow http access; You want to network these machines and allow internet access; You can't access the web server after dialing in to the Internet.

Does that about cover it?

OK, congrats on finding all of firewall rule information. I'm not sure I could find that setting, even though I know it exists.

As far as the Internet access is concerned. You can only have one default route. It should always point to the device with most of world on the other side of it. When you get your new router/modem, that should be the default route for all of your computers. Systems that are in the same broadcast domain will automatically route directly to the other computer. So all of your 192.168.1.x computers will be able to talk to each other, regardless of whether the default route is populated...or working.

I haven't the foggiest about the problems when not connected to the Internet. A 403 response comes from the Web server, not from the IP layer like your previous problems. I would run ethereal on your linux box and capture session information for both scenarios to determine what has changed in the configuration.

You can right click on one of the web packets and select 'Follow TCP Stream' to get the ASCII session information. If you don't understand what it is saying, post it and I will help you decode it.

Good luck!


pansophic
 
Hi Pansophic,

Thanks for the details on the router/gateway info.

The 403 was solved in this way (not very difficult)

1.- The directive <directory "/var/ said (default) :

allow from from All (twice from)

2.- I don't know yet if that was a real problem, I will try-error. The httpd did not report a problem on that when booting. Anyway I removed one "from".

3.- The httpd log said that the problem was a proxy one. Indeed, I had only "LoadModule" --> mod_proxy, but had not loaded the "submodule" mod_proxy_http.so. That was it!, so the 403 disappeared and the index page was transmitted instead.

Also a symptom of this (for troubleshooting in any future case somebody may encounter) was that any 192.168.x.x that I could type at .5 before loading this last module was reporting 403 Forbidden, while after loading the module, the Index.html page was shown when typing 192.168.0.1 at .5, and a 502 Bad Routing page was shown for any other IP typed at .5.

The setting you know exists, I found it is IPTABLES itself but filtered, "seen" or handled through the Dialog you get when clicking the "Security Level" command inside the System Settings Menu of the Red Hat Menu (like Windows' Start Menu). When settings are changed on that dialog, IPTABLES changes and one is warned at the dialog that the rules will be changed. So IPTABLES can be configured (in the most general aspects, as it happens with Apache) from within the Linux GUI. (I'm using Gnome)

Answering the question of whether or not the <proxy *> directive is needed besides the IPTABLES, the result of the trial-error was that IT IS NEEDED, or a 403 will be reported, but REMEMBER that when enabling THIS (and other directives) A CORRESPONDING MODULE *MUST* BE LOADED as well. I was reading in the RH Official Documentation that many directives USED TO BE HANDLED BY CERTAIN MODULES AND THEY HAVE BEEN SEPARATED, example:

Proxy's Cache USED TO BE INSIDE THE MOD_PROXY and was extracted to MOD_CACHE, so when UNCOMMENTING the default commented <Proxy *> directive, the cache directives WILL NOT WORK UNLESS THE MOD_CACHE is loaded. In my specific case, I commented the cache directives as I did not want it to work at this stage.

Well thanks and regards, Good Weekend
Javier
 
Were you pointing .5 to the Linux box's proxy server? Or are you using the Proxy server to respond to port 80 requests on the Linux box?

Are you using Tux or Squid to proxy the http requests? I normally use Tux for inbound requests if the server services primarily static pages, and then I use Squid for controlling outbound requests. I don't believe that I have ever loaded MOD_PROXY in Apache.


pansophic
 
Ah!, your question is very instructive, because I had no precise idea that I could use either of those TWO possibilities. So I used BOTH.
ON THE .5 SIDE...
In the tcp/ip ethercard protocol at Network icon in control panel of Windows, under the TAB Gateways, [of machine (.5)] I have included 192.168.0.1.

ON THE .1 SIDE...
Via the "Listen" directive, the Apache listens to * (all addresses) on port 80. I had heard of Squid, never about TUX, but because Apache's manual was talking about the Proxy, I went straight to:

1.- Enable <proxy *> directive (remove the #)
2.- Load the proxy related modules (LoadModule)

With that .1 is servicing both static and Perl generated pages.

Very very instructive all this review, dear Pansophic (I like the meaning of that!: Wisdom on All), It's always a pleasure to talk to you.

Am I being naive on something? Perhaps I don't yet understand all you mean. Are you saying that when I connect .1 to the internet I will need another proxy to "get out"? If I don't, will my server be vulnerable? (+...etc)

Regards
Javier


 
You don't actually NEED a proxy for outbound web surfing, I just use it to control access and provide logging. Some people use an outbound proxy to filter traffic that their users are trying to access, either sites or content.

Plus it allows you to cache others' pages and images locally, improving the performance of your internet connection.


pansophic
 