[CLUE-Tech] Banging my head on apache.
Robert L. Harris
Robert.L.Harris at rdlg.net
Wed Jan 23 16:06:29 MST 2002
Old Scenario:
www server was 192.168.0.2 (internal dedicated box)
iptables forwarded traffic going to my public IP to the internal box
New Scenario:
New firewall is "strong enough" to be www server.
Install apache on firewall
disable (delete rules) forwarding of port 80 traffic and restart iptables
Problem: hitting port 80 of the firewall doesn't connect, through both netscape and telnet. It has been opened up in the iptables rules...
In the messages log I see this though:
Jan 23 16:04:33 wally kernel: IN=eth0 OUT=eth1 SRC=12.253.54.145 DST=192.168.0.2 LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=13845 DF PROTO=TCP SPT=1556 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Traffic is still being sent to the 192.168.0.2 server...
iptables:
Chain INPUT (policy DROP)
target prot opt source destination
first all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:auth state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:www state NEW
ACCEPT tcp -- anywhere anywhere tcp spt:ntp
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
local all -- anywhere anywhere
cleanup all -- anywhere anywhere
I have completely deleted the forwarding rules and flushed the tables (verified) and restarted.
It's gotta be something stupid I'm overlooking.
:wq!
---------------------------------------------------------------------------
Robert L. Harris | Micros~1 :
Senior System Engineer | For when quality, reliability
at RnD Consulting | and security just aren't
\_ that important!
DISCLAIMER:
These are MY OPINIONS ALONE. I speak for no-one else.
FYI:
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
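An added example, not part of the original post, for auditing where port-forwarding rules actually live. The log line above shows the packet with DST already rewritten to 192.168.0.2 on its way from eth0 to eth1, which is what a DNAT rule produces, and DNAT rules sit in the nat table, which `iptables -L` does not show unless given `-t nat`. The script below reads `iptables-save` output (a constructed sample is embedded, modelled on the scenario in the post) and lists any nat-table rule that still DNATs to a given internal host; the function names and the sample rule set are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post): audit iptables-save output for
# DNAT rules that still redirect traffic to an internal host.
# `iptables -L` shows only the filter table; port-forwarding lives in the
# nat table, so a rule there survives flushing the filter table.

# Constructed sample of `iptables-save` output (assumed layout: public NIC
# eth0, internal web box 192.168.0.2, an unrelated mail forward to .3).
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.3:25
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT'

# find_dnat_to HOST : print nat-table rules whose --to-destination is HOST
# (with or without a :port suffix). Reads iptables-save format on stdin;
# rules in every table other than *nat are ignored.
find_dnat_to() {
    awk -v host="$1" '
        /^\*/     { table = substr($0, 2) }   # section header, e.g. "*nat" -> "nat"
        /^COMMIT/ { table = "" }              # end of the current table
        table == "nat" && /-j DNAT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--to-destination") {
                    split($(i + 1), dst, ":")  # dst[1] is the host part
                    if (dst[1] == host) print
                }
        }'
}

# count_dnat_to HOST : number of such rules; 0 means nothing is left that
# would steer traffic for HOST away from the firewall itself.
count_dnat_to() {
    find_dnat_to "$1" | wc -l | tr -d ' '
}

# On a live box (assumes root and iptables-save in PATH):
#   iptables-save | find_dnat_to 192.168.0.2
# Against the constructed sample:
printf '%s\n' "$SAMPLE_RULES" | find_dnat_to 192.168.0.2
```

Running `iptables-save` rather than `iptables -L` is the reliable way to see every table at once, and a zero count from `count_dnat_to` for the old web box is the check worth recording before declaring the forward gone. Note that the connection-tracking table keeps applying a NAT mapping to flows it already knows about until those entries expire or are flushed, so a rule removal is not visible to existing connections immediately.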