[TriLUG] Apache inaccessible from outside of home router

Ken Mink kmtrilug at nc.rr.com
Mon Aug 23 13:17:13 EDT 2004


This type of a firewall setup is actually fairly common in 
corporations. It is used to try to slow down trojans and mail relays. 
Usually all traffic but 80 and 443 is blocked and they go through a 
proxy.

When I am monkeying with my Apache setup, I like to use my TriLUG shell 
account as a test point. The network setup is known and very 
stable (thanks guys), but outside both my home network and my work 
network. Perfect place to test from.

Ken

On Aug 23, 2004, at 10:53 AM, Matt Frye wrote:

> You might want to check whether the LAN of the PC outside your network
> even allows non-80 ports to be accessed.  I've seen at least two cases
> where someone was trying to access a page on their home web server
> from their work PC and found out later that their company's firewall
> was dropping or disallowing all non-port-80 httpd requests.
>
> Matt Frye
>
> On Mon, 23 Aug 2004 10:08:30 -0400, Jeff Groves <jgroves at krenim.org> wrote:
>> Victor Snesarev wrote:
>>
>>> I know this subject has been discussed to death on the net, but nothing
>>> I was able to google up helped.
>>>
>>> Here's the network:
>>>
>>> ---[CableModem]---[d-link 713p router]---[PC IP=196.168.0.122]
>>>
>>>
>>> PC running FC2 Linux 2.6.5-1.358 and Apache 2.0.49.
>>>
>>> I can reach the sample Apache page from a different computer on the same
>>> 196.168.0.xxx subnet, but cannot reach it from the outside world using
>>> the router's IP address.
>>>
>>> httpd.conf is set up to "Listen 8888" and port 8888 is forwarded to
>>> 196.168.0.122 by the router.
>>>
>>> In fact, I know that outside requests reach the PC because Ethereal
>>> shows a short TCP session when I try to reach the PC from outside the
>>> router. I compared it to the TCP session from the local home LAN and saw
>>> something odd. The TCP handshake from the outside connection looks like
>>> this:
>>>
>>> Router-to-PC  SYN
>>> PC-to-Router  SYN,ACK
>>> Router-to-PC  RST  (terminate)
>>>
>>> A handshake from a local LAN PC completes fine and Apache serves the page.
>>>
>>> This almost points to the router, but I am not sure where to go from here.
>>>
>>> Just for reference, I am not running iptables or ipchains (I don't think
>>> it's even installed) on the Linux box. Apache access_log and error_log
>>> do not show any events associated with a connection attempt from outside
>>> the local LAN.
>>>
>>> Any ideas?
>>>
>>> -Victor
>>>
>>>
>> The only thing that I can think of (and it's pretty unlikely at best) is
>> that you may have some entry in the /etc/hosts.deny file that is preventing the
>> connection.
>>
>> Jeff G.
>>
>>
>>
>> --
>> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
>> TriLUG Organizational FAQ  : http://trilug.org/faq/
>> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
>>
---------------------------------------------
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."--Benjamin Franklin
" 'Necessity' is the plea for every infringement of human liberty; it
is the argument of tyrants; it is the creed of slaves."--William Pitt
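
Added example, not part of the original thread: a small Python probe to run from an outside test point such as the shell account mentioned above. It makes one TCP connect per port and reports whether the attempt timed out, was refused, or got as far as an HTTP status line. The default ports 80 and 8888 come from the thread; the function names and verdict strings are assumptions.

```python
#!/usr/bin/env python3
"""Probe a forwarded web port from an outside host and classify the result."""
import socket
import sys


def probe(host, port, timeout=5.0):
    """Return a short verdict string for one TCP connect plus an HTTP HEAD."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        # Neither SYN,ACK nor RST came back: the packets were dropped somewhere.
        return "filtered (timed out)"
    except ConnectionRefusedError:
        # An RST answered the SYN: nothing listening, or a device rejected it.
        return "refused (RST)"
    except OSError as exc:
        # Name resolution failure, no route to host, and similar.
        return "error: %s" % exc
    with sock:
        try:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            reply = sock.recv(256)
        except socket.timeout:
            return "connected, but no HTTP reply"
        except ConnectionError:
            return "connected, then reset"
    if not reply:
        return "connected, then closed without data"
    # First line of the response, e.g. "HTTP/1.1 200 OK".
    return reply.split(b"\r\n", 1)[0].decode("latin-1")


def main(argv):
    if len(argv) < 2:
        print("usage: probe.py HOST [PORT ...]")
        return 2
    # Defaults taken from the thread: the standard port and the forwarded one.
    ports = [int(p) for p in argv[2:]] or [80, 8888]
    for port in ports:
        print("%s:%d -> %s" % (argv[1], port, probe(argv[1], port)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it from two vantage points (for example a work PC and an independent shell account) and comparing the verdicts shows whether the block sits on the client's network or in front of the server.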



