My lan clients cannot browse internal web server.

mawdryn (Technical User), Oct 14, 2002
Hello All,

This may be difficult to explain, but I'll try.

I have a network with 5 systems: 3 Windows, 2 Linux.

Linux box 1 (NAT router) is a Red Hat 8 system with two network cards and an ADSL connection to the outside world.

Interface 1 is eth0, which services the internal Windows clients.
Interface 2 is eth1, which services the other Linux system. (NOT set up as a DMZ presently.)

Linux box 2 is a Slackware 8 system which is an http/ftp server.

Problem is that the Windows machines on eth0 cannot browse to the web server using the domain name or external IP address, only by the private IP address. These Windows machines can ping the web server fine by internal/external IP or domain name.
Even the web server itself cannot browse to the external IP or the domain name.

It may be worth noting that any external host can browse to the web server fine.

I feel it's an iptables rule problem, as I had to manually add a rule to allow ftp'ing from eth0/1 to work.

I'm using gShield as the firewall script.
I currently have forward set up that looks like this:
================================================
Allow from Type Source:port Destination:port

0/0 tcp 0/0:80 192.168.1.2:8080
0/0 tcp 0/0:8080 192.168.1.2:8080
================================================

If anyone has any ideas, I'd be very grateful... maybe even a different firewall prog. Must be console configurable as the router does not have httpd or xwindows on it.
 

Can you telnet to it??

Can you post the network setup on the Linux box 2??

Can you post the iptables setup on the two computers (with the command iptables -L please).

Cheers Henrik Morsing
IBM Certified AIX 4.3 Systems Administration
 
Hello,

I can't telnet as it's disabled, however I can ssh into it fine from any system.

I'm not sure exactly what you want in regards to the network setup on the web server, however here is an ifconfig of it:

===========================================================
root@metabelis:/# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:10:B5:0F:BD:50
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20513 errors:0 dropped:0 overruns:0 frame:0
TX packets:21289 errors:14 dropped:0 overruns:0 carrier:28
collisions:2281 txqueuelen:100
RX bytes:3437871 (3.2 Mb) TX bytes:12844024 (12.2 Mb)
Interrupt:11 Base address:0x6800

===========================================================

And lastly, here are the firewall rules on the router. There is no firewall enabled on the web server.

These rules are generated by gShield

===========================================================

[root@espace conf]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
loopback all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 192.168.0.0/24
ACCEPT all -- 192.168.0.0/24 192.168.0.0/24
ACCEPT all -- 192.168.0.0/24 192.168.1.0/24
ACCEPT all -- 192.168.0.0/24 127.0.0.0/24
ACCEPT all -- 192.168.1.0/24 192.168.0.0/24
ACCEPT all -- 192.168.1.0/24 192.168.1.0/24
ACCEPT all -- 192.168.1.0/24 127.0.0.0/24
ACCEPT all -- 127.0.0.0/24 192.168.0.0/24
ACCEPT all -- 127.0.0.0/24 192.168.1.0/24
ACCEPT all -- 127.0.0.0/24 127.0.0.0/24
RESERVED all -- 10.0.0.0/8 anywhere
RESERVED all -- 172.16.0.0/12 anywhere
RESERVED all -- 192.168.0.0/16 anywhere
RESERVED all -- ALL-SYSTEMS.MCAST.NET anywhere
RESERVED all -- ALL-ROUTERS.MCAST.NET anywhere
RESERVED all -- DVMRP.MCAST.NET anywhere
RESERVED all -- OSPF-ALL.MCAST.NET anywhere
RESERVED all -- OSPF-DSIG.MCAST.NET anywhere
RESERVED all -- RIP2-ROUTERS.MCAST.NET anywhere
RESERVED all -- PIM-ROUTERS.MCAST.NET anywhere
RESERVED all -- ALL-CBT-ROUTERS.MCAST.NET anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 1/sec burst 5
ACCEPT udp -- oznet02.ozemail.com.au anywhere udp spt:ntp dpts:1024:65535
DNS udp -- dialcache310.ns.uu.net anywhere udp spt:domain
PUBLIC tcp -- anywhere 29.cust5.nsw.dsl.ozemail.com.au tcp dpt:ssh
PUBLIC udp -- anywhere 29.cust5.nsw.dsl.ozemail.com.au udp dpt:ssh
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with tcp-reset
HIGHPORT tcp -- 192.168.0.0/24 anywhere tcp dpts:1024:65535
HIGHPORT udp -- 192.168.0.0/24 anywhere udp dpts:1024:65535
OPENPORT tcp -- anywhere anywhere tcp dpt:afs3-fileserver
OPENPORT udp -- anywhere anywhere udp dpt:afs3-fileserver
OPENPORT tcp -- anywhere anywhere tcp dpts:6891:6900
OPENPORT udp -- anywhere anywhere udp dpts:6891:6900
OPENPORT tcp -- anywhere anywhere tcp dpt:10000
OPENPORT udp -- anywhere anywhere udp dpt:10000
OPENPORT tcp -- anywhere anywhere tcp dpt:1280
OPENPORT udp -- anywhere anywhere udp dpt:1280
SCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG state INVALID,NEW,RELATED
SCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE state INVALID,NEW,RELATED
SCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN state INVALID,NEW,RELATED
STATEFUL all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere skaro udp dpt:3784
ACCEPT tcp -- anywhere skaro tcp dpt:3784
ACCEPT udp -- anywhere skaro udp dpt:28900
ACCEPT udp -- anywhere skaro udp dpt:27900
ACCEPT tcp -- anywhere skaro tcp dpt:18009
ACCEPT udp -- anywhere skaro udp dpt:3783
ACCEPT tcp -- anywhere skaro tcp dpt:3782
ACCEPT tcp -- anywhere skaro tcp dpt:14534
ACCEPT udp -- anywhere skaro udp dpt:8767
ACCEPT tcp -- anywhere metabelis tcp dpt:ftp-data
ACCEPT tcp -- anywhere metabelis tcp dpt:ftp
ACCEPT tcp -- anywhere metabelis tcp dpt:webcache
ACCEPT tcp -- anywhere metabelis tcp dpt:webcache
ACCEPT tcp -- anywhere metabelis tcp dpt:223
ACCEPT tcp -- anywhere metabelis tcp dpt:ftp-data
ACCEPT tcp -- anywhere metabelis tcp dpt:ftp
ACCEPT tcp -- anywhere metabelis tcp dpt:http
ACCEPT udp -- anywhere metabelis udp dpt:http
ACCEPT tcp -- anywhere metabelis tcp dpt:https
ACCEPT udp -- anywhere metabelis udp dpt:https
ACCEPT tcp -- anywhere metabelis tcp dpt:mysql
ACCEPT udp -- anywhere metabelis udp dpt:mysql
SCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
SCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ns
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ns
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-dgm
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-dgm
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ssn
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ssn
STATEFUL all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
loopback all -- anywhere anywhere
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ns
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ns
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-dgm
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-dgm
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ssn
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ssn

Chain ACCEPTnLOG (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (accept) '
ACCEPT all -- anywhere anywhere

Chain BLACKLIST (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (blacklisted drop) '
DROP all -- anywhere anywhere

Chain BLOCK_OUT (12 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain CLIENT (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain CLOSED (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (closed port drop) '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere

Chain DHCP (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (DHCP accept) '
ACCEPT all -- anywhere anywhere

Chain DMZ (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (DMZ drop) '
DROP all -- anywhere anywhere

Chain DNS (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain DROPICMP (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `gShield (icmp drop) '
DROP all -- anywhere anywhere

Chain DROPnLOG (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp spt:http dpts:1024:65535 flags:!SYN,RST,ACK/SYN
DROP udp -- anywhere 255.255.255.255 udp spt:bootps dpt:bootpc
LOG all -- anywhere anywhere limit: avg 20/min burst 5 LOG level warning prefix `gShield (default drop) '
LOG gre -- anywhere anywhere limit: avg 20/min burst 5 LOG level warning prefix `gShield (default drop / GRE) '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere

Chain HIGHPORT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain MON_OUT (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain OPENPORT (8 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PUBLIC (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain RESERVED (11 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere

Chain SCAN (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (possible port scan) '
DROP all -- anywhere anywhere

Chain SERVICEDROP (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (service drop) '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere

Chain STATEFUL (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROPnLOG all -- anywhere anywhere

Chain loopback (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

===========================================================
 

Sorry, but I don't understand your original post then. What are the internal and external addresses when the web server only has one address??

Cheers Henrik Morsing
IBM Certified AIX 4.3 Systems Administration
 
Hi Morsing,

Basically, I have a pseudo domain, espace.hopto.org, through no-ip.com.
If you point your browser to it, you will get the Apache test page. Problem is, my internal machines can't do this. They can only see the web site if I point the browser to Which is fine, except that my PHP and Perl scripts fall over on the internal systems as they try to locate information on
 

Can you run nslookup on the machine and find espace.hopto.org?? (I just tried and I can't).

Cheers Henrik Morsing
IBM Certified AIX 4.3 Systems Administration
 
Default Server: oznet.ozemail.com.au
Address: 203.2.193.124

> set q=any
> espace.hopto.org
Server: oznet.ozemail.com.au
Address: 203.2.193.124

espace.hopto.org internet address = 203.102.232.29
hopto.org nameserver = nf2.no-ip.com
hopto.org nameserver = nf1.no-ip.com
nf2.no-ip.com internet address = 66.185.162.100
nf1.no-ip.com internet address = 66.185.166.131
>
 
Here's a ping result as well. This is all from the windows systems

Pinging espace.hopto.org [203.102.232.29] with 32 bytes of data:

Reply from 203.102.232.29: bytes=32 time=3ms TTL=64
Reply from 203.102.232.29: bytes=32 time=1ms TTL=64
Reply from 203.102.232.29: bytes=32 time=1ms TTL=64
Reply from 203.102.232.29: bytes=32 time=1ms TTL=64

Ping statistics for 203.102.232.29:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 1ms
 

Ok, so the problem is not your clients but the server-side scripts.
There must be something in a log or something that points to why they won't run??

Cheers Henrik Morsing
IBM Certified AIX 4.3 Systems Administration
 
If any machine behind my firewall tries to browse to , I get page cannot be displayed...

The router itself can browse to it fine using lynx

Doesn't make sense to me why this is happening :(
 

What does 'netstat -Ainet' on the router show when this happens??

And maybe you could try something like 'tcpdump -i eth1 -p http' while browsing.

Cheers Henrik Morsing
IBM Certified AIX 4.3 Systems Administration
 
Hi,

Netstat -Ainet shows:
============================================================

[root@espace /]# /usr/sbin/tcpdump -i eth1
tcpdump: listening on eth1
23:26:34.282652 metabelis.http > gallifrey.1163: R 0:0(0) ack 2756001119 win 0
23:26:34.743699 gallifrey.1163 > metabelis.http: S 2756001118:2756001118(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
23:26:34.744019 metabelis.http > gallifrey.1163: R 0:0(0) ack 1 win 0
23:26:35.246762 gallifrey.1163 > metabelis.http: S 2756001118:2756001118(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
23:26:35.247082 metabelis.http > gallifrey.1163: R 0:0(0) ack 1 win 0

============================================================

tcpdump -i eth1 shows: (-p http gave an error)
============================================================

[root@espace firewall]# netstat -Ainet
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.1:4099 metabelis:223 ESTABLISHED
tcp 0 0 espace:222 gallifrey:1132 ESTABLISHED
tcp 0 256 espace:222 gallifrey:1075 ESTABLISHED

============================================================
The TCPDUMP only worked while browsing to
 
sorry... wrong order... I'm sure you figured that out though :)
 
and just for the record, when I get "page cannot be found" when trying to browse to the domain name, there are no entries reflecting this in the access/error logs on the web server.
 

Ok, let's see if I got this right.
You have a WAN interface on espace, right?? Going to the Internet??

I couldn't remember how to specify a port on tcpdump, try tcpdump --help. But to use tcpdump on the external address you should point it (with -i) to your WAN interface.

This could, however, be your problem. I think your clients send the request to the Internet, but if you're not using NAT (to translate your IP addresses) metabelis can't return the packets.

Does the client error occur right away or after a while??

Cheers Henrik Morsing
IBM Certified AIX 4.3 Systems Administration
 
The error returns pretty much immediately.

If I enable my proxy server, I get connection refused.

It's as if the router is not forwarding calls from the internal machines for espace.hopto.org port 80 to 192.168.1.2....

That would be my best analysis.
 
This should be a trivial problem.

Are your internal clients able to connect to
the external (internet connected) addressed
listening web service?
If not you have:
1) A packet filtering problem.
2) A possible routing problem.

If you can connect you have a nameservice issue.

To troubleshoot further:
Save your dgaurd ruleset, I'm not familiar with dgaurd but
have a low opinion of firewall creation utilities.
You could use a ruleset similar to this ruleset to check
this:
(where internal_net="192.168.1.0/24")
iptables -F
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -s $internal_net -d 0/0 -o eth0 -j ACCEPT
iptables -A FORWARD -s $internal_net -d 0/0 -o eth0 -j ACCEPT
iptables -A FORWARD -s 0/0 -d $internal_net -i eth1 -m --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 0/0 -d $internal_net -i eth1 -m --state RELATED -j ACCEPT
iptables -A INPUT -s 0/0 -d $webserver -p tcp --dport 80 -j ACCEPT

man iptables for help.
iptables -L -v -n gives you fast stats, -t will specify
a table, route -n will give you a quick look at your routing table.
 
Mistake:
First rule target(nat) should be MASQUERADE.
 
Hi marsd,

I tried what you suggested but most of the rules came up with an error along the lines of:

iptables v1.2.6a: Couldn't load match `--state':/lib/iptables/libipt_--state.so: cannot open shared object file: No such file or directory

Just to recap, the systems behind the firewall cannot browse to which is the domain name for my web server. It gives host not found. They can ping it, tracert to it, do an nslookup on it, etc.

My web server is listening on port 8080. It is perfectly accessible from the outside world.
 
Here's my routing table:

[root@espace tboon]# /sbin/route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
203.102.232.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
239.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0


I think I need a chain that would show up like this with an "iptables -L -v -n"

Input Chain

target prot opt in out source destination

ACCEPT all -- !eth0 * 192.168.0.0/24 192.168.1.0/24

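Added example, not from the thread or from gShield: a hairpin (NAT loopback) port-forward rule set for the topology described in these posts. Interface names, addresses and ports are taken from the thread; the DRY_RUN wrapper and the rule layout are my own. By default it prints the rules so they can be reviewed against `iptables -t nat -L -n -v` before being applied with DRY_RUN=0.

```shell
#!/bin/sh
# Hairpin / NAT-loopback forward for the router "espace" (values from the thread).
EXT_IF="ppp0"              # ADSL link on the router
EXT_IP="203.102.232.29"    # public address that espace.hopto.org resolves to
LAN_IF="eth0"              # Windows clients, 192.168.0.0/24
SRV_IF="eth1"              # web server segment, 192.168.1.0/24
SRV_IP="192.168.1.2"       # metabelis
SRV_PORT="8080"            # port Apache actually listens on
PUB_PORT="80"              # port that clients, inside and outside, connect to
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the rules, 0 = apply them

# Wrapper: print the iptables command instead of running it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

hairpin_rules() {
    # External clients: rewrite :80 arriving on the public link to metabelis:8080.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$SRV_IP:$SRV_PORT"
    # Internal clients using the public name/IP arrive on eth0, not ppp0. A DNAT
    # that only matches the external interface never sees them, and a SYN that
    # reaches metabelis on port 80 is reset because nothing listens there (the
    # tcpdump in the thread shows exactly that pattern). Match them as well.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -d "$EXT_IP" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$SRV_IP:$SRV_PORT"
    # Let the translated flow cross from eth0 to eth1 and its replies return.
    # Clients and server are on different subnets, so replies already pass back
    # through the router and conntrack reverses the DNAT. On a single flat LAN
    # you would also need a POSTROUTING SNAT/MASQUERADE toward the server so its
    # answers are routed via the router instead of straight to the client.
    ipt -A FORWARD -i "$LAN_IF" -o "$SRV_IF" -d "$SRV_IP" -p tcp --dport "$SRV_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$SRV_IF" -o "$LAN_IF" -s "$SRV_IP" -p tcp --sport "$SRV_PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Sanity check for the generated set: both DNAT rules (external and hairpin)
# must point at the server's real port. Returns the count on stdout.
dnat_rule_count() {
    ( DRY_RUN=1; hairpin_rules ) | grep -c -- "--to-destination $SRV_IP:$SRV_PORT"
}

hairpin_rules
```

With DRY_RUN=0 the script must run as root on the router; the FORWARD rules need to sit before gShield's catch-all STATEFUL/DROPnLOG entries to take effect.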
 