I need help with routing.
crick136
2006-02-26, 11:21 PM CST
Ok, here is my problem. I'm trying to run a web server on a cable modem.
Current Setup:
WAN --> D-Link 54g Router --> LAN/WLAN
The server is on the LAN at 192.168.0.5 and my box is at 192.168.0.6. The router is a wireless access point and DHCP server for all the other PCs; the server and my box are the only ones static.
When I try to access my website @ the local ip 192.168.0.5 everything works fine.
But when I try to access my website (from the LAN) @ my public IP address, the pages never finish loading. However, on a remote machine the site works fine. I have all the routing set up in the router as it should be.
I found that my problem is most likely the inability of my router to perform destination NAT and that I need to setup my server as a router and use iptables to do the dnat.
So what I think I need to do is this:
WAN --> Server --> D-Link 54g --> LAN/WLAN
I may be completely confused, if this is not what I need to do, please point me in the right direction.
If this is what I need to do, I need help doing it. I have never used linux to do routing before. I really need to be able to access my site from my box in order to work on it. And I need to be able to still provide wireless internet.
I appreciate any help, I'm a total newb when it comes to fancy networking.
Zigzagcom
2006-02-27, 12:25 AM CST
You have everything working the way it should with that setup.
Why do you need to access your server, which is on the LAN, with a public IP if you can access it with a private IP? If you do want to invoke name resolution for access, put the www.example.com URL (actually the URL of your site) into your /etc/hosts file and map it to 192.168.0.5.
Your Linksys router is doing its job by providing the NAT service for people accessing the server from the internet, but if you try to use your public IP address as a destination from within your LAN, either your router or the gateway router at the ISP will drop the packet, since it already sees itself on that network. Think of it this way...
Why should the ISP's gateway routers' interface pointing to your network try to send a packet to the internet when the target/destination IP address in the IP header is from that network? Same goes for your Linksys router...it sees a packet wanting to leave its WAN interface that has the same destination and source IP in the header.
Iron_Mike
2006-02-27, 04:29 PM CST
Maybe a better way would be using the "DMZ host IP Address" on the router. If you can tell us what the server is going to be used for, and whether you want it exposed to the internet. Using the DMZ feature will initially expose all ports on the server. But if you're just going to use it as a web server, you can use port triggering to open just port 80...
crick136
2006-02-27, 06:02 PM CST
It's a web server, SMTP, and FTP; and as you all know, my domain name for the site is of course associated with my external IP address. And because I'm using PHP applications that are configured with the domain name, you can't use the site effectively with the local IP address. I've tried DMZ and port forwarding and I've even tried port forwarding to the DMZ to the server.
Zigzagcom, you're saying that I need to put my URL domain name and the local IP address of the server in the /etc/hosts file on my workstation box?
Zigzagcom
2006-02-27, 06:41 PM CST
Yes, because you want to resolve the domain name to a local IP address, preventing the machine from trying to use a DNS server for name resolution.
So, in your /etc/hosts file you have:
127.0.0.1 localhost.localdomain localhost
192.168.0.5 www.yoursite.com
This would be in the hosts file of the machine that is trying to connect to the server at 192.168.0.5.
On a windows machine, you'd have to edit C:\Windows\system32\drivers\etc\hosts
crick136
2006-02-27, 07:30 PM CST
Gotcha, that makes sense. I'll be glad to put an end to this. I have reformatted and reconfigured so many times it has driven me nuts, and every time I had posted about it on any forum no one ever gave an answer. Then yesterday someone replied and told me that I need to set up DNAT, but from what I could tell, DNAT was nothing more than IP forwarding, and that guy was very unclear. I really appreciate your help; you don't know how long I've been battling with this, as stupid as it may sound.
Zigzagcom
2006-02-27, 08:04 PM CST
Welcome, and let us know if you come right...I think you'll be OK.
Pete333
2006-03-10, 04:31 AM CST
Hi,
How do I open port 80 on FC4? ...I recently upgraded my server from FC3 to FC4 and suddenly port 80/tcp is closed. ...all others were working fine. ...I've already tried opening it through the system-config-securitylevel "open other port" option. ...it didn't work.
Thanks.
crick136
2006-03-10, 08:02 PM CST
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
That is the file: /etc/sysconfig/iptables
Check yours: the line with --dport 80 allows port 80.
The GUI tool that you used should have written the proper iptables file, though. You're sure that you're not behind a router that is blocking or not forwarding port 80?
If you want to try another config tool before editing /etc/sysconfig/iptables manually, you can run lokkit from the command line.
crick136
2006-03-10, 08:41 PM CST
About my problem: /etc/hosts did the trick. However, I have only added the IP and hostname to the /etc/hosts on the computer I use the most. I'm wondering if it is possible to set up my server as a DNS server for my local network.
Here is what I'd like to do:
router is still at 192.168.0.1
my server is still at 192.168.0.5
all other computers get their address from the router (dhcp)
so right now my router is configured with the nameservers 68.87.68.162 and 68.87.74.162
I want my router to use 192.168.0.5 as its nameserver.
I don't really know how to explain because I don't know much about it, but here is my best effort.
I want to configure bind so that when it receives a request for one of my domains, it directs it to the local address for the website. And when it receives a request for any other domain, it goes to 68.87.68.162 or 68.87.74.162.
So basically I want a DNS request to flow like this:
[DHCP Client] --domain name request--> [router] --> [local Bind] --if not hosted locally--> [nameserver-68.87.68.162]
Edit: I thought I would add that I'd like to also have caching-nameserver set up so that it will store a domain's info when retrieved from 68.87.68.162.
I hope I was able to explain that; I have no idea if it is even possible though, haha. Sorry for being a newb.
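As an added example (not part of the thread and not crick136's own setup), a caching, split-horizon BIND 9 configuration for the server at 192.168.0.5: it answers for the hosted domain with the LAN address and forwards everything else to the two ISP resolvers named above. The domain name yoursite.com, the FC4 file paths, and the zone serial are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a caching, split-horizon BIND 9 resolver on
# the 192.168.0.5 server. Local names answer with the LAN address; everything else
# is forwarded to the ISP resolvers from the thread and cached. DOMAIN is a
# placeholder; CONF_DIR/ZONE_DIR default to the FC4 paths and can be redirected.
CONF_DIR="${CONF_DIR:-/etc}"
ZONE_DIR="${ZONE_DIR:-/var/named}"
DOMAIN="${DOMAIN:-yoursite.com}"
WEB_IP="${WEB_IP:-192.168.0.5}"
LAN="192.168.0.0/24"

write_named_conf() {
    cat > "$CONF_DIR/named.conf" <<EOF
options {
    directory "$ZONE_DIR";
    // Serve the LAN only: never expose a recursive resolver to the internet.
    listen-on       { 127.0.0.1; $WEB_IP; };
    allow-query     { 127.0.0.1; $LAN; };
    allow-recursion { 127.0.0.1; $LAN; };
    // Names not hosted here go to the ISP resolvers; replies are cached.
    forwarders      { 68.87.68.162; 68.87.74.162; };
    forward only;
};

// LAN view of the hosted domain: authoritative, points at the private address.
zone "$DOMAIN" IN {
    type master;
    file "$DOMAIN.lan";
    allow-transfer { none; };
};
EOF
}

write_zone_file() {
    cat > "$ZONE_DIR/$DOMAIN.lan" <<EOF
\$TTL 3600
@    IN SOA ns1.$DOMAIN. hostmaster.$DOMAIN. ( 2006031001 3600 900 604800 300 )
     IN NS  ns1.$DOMAIN.
ns1  IN A   $WEB_IP
@    IN A   $WEB_IP
www  IN A   $WEB_IP
EOF
}

# Syntax-check both files with BIND's own tools when they are installed.
check_config() {
    command -v named-checkconf >/dev/null 2>&1 || { echo "named-checkconf not found, skipping"; return 0; }
    named-checkconf "$CONF_DIR/named.conf" &&
    named-checkzone "$DOMAIN" "$ZONE_DIR/$DOMAIN.lan"
}
```

After `service named start`, set 192.168.0.5 as the DNS server the router hands out via DHCP; a LAN client should then get 192.168.0.5 for www.yoursite.com and a forwarded, cached answer for any other name (check with: dig @192.168.0.5 www.yoursite.com).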
Pete333
2006-03-10, 09:46 PM CST
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
That is the file: /etc/sysconfig/iptables
Check yours: the line with --dport 80 allows port 80.
The GUI tool that you used should have written the proper iptables file, though. You're sure that you're not behind a router that is blocking or not forwarding port 80?
If you want to try another config tool before editing /etc/sysconfig/iptables manually, you can run lokkit from the command line.
Yup, port 80 is allowed, however when I type:
#service httpd restart
Stopping httpd: [FAILED]
Starting httpd: [OK]
but when I type:
#nmap IP_ADDR -p 80
80/tcp closed http
Unfortunately the GUI is also messed up. ...
Pete333
2006-03-10, 09:53 PM CST
By the way, this box is connected directly to the internet via a DSL modem. ...I'm using it as our mail server and web server at the same time. ...mail is working properly.
crick136
2006-03-10, 10:05 PM CST
If you're hosting a website, can you access it? Even if you don't have a site up, does the Apache test page show up? It looks like your Apache is running.
Have you rebooted after making changes, or at least restarted some services?
try:
/etc/init.d/iptables restart
/etc/init.d/network restart
Edit: disregard my previous question about /etc/rc.local if you saw it.
Pete333
2006-03-10, 10:09 PM CST
I'm totally guessing at this point, but what are the contents of your /etc/rc.local?
This is my /etc/rc.d/rc.local:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
for f in /proc/sys/net/ipv4/conf/*/accept_redirects
do
echo 1 > $f
done
iptables=/sbin/iptables
iptables --flush -t nat
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -j ACCEPT -p all -s 192.168.0.0/24 -i eth1
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.0.0/24 -o eth1
Pete333
2006-03-10, 10:17 PM CST
If you're hosting a website, can you access it? Even if you don't have a site up, does the Apache test page show up? It looks like your Apache is running.
Have you rebooted after making changes, or at least restarted some services?
try:
/etc/init.d/iptables restart
/etc/init.d/network restart
Edit: disregard my previous question about /etc/rc.local if you saw it.
When I try to access it through Firefox at "http://192.168.0.4/", Firefox is unable to connect, same as when I try "www.technoware.com.ph". ...however, the email still works, which means that SMTP and POP3 are still working, and the DNS settings as well.
crick136
2006-03-10, 10:20 PM CST
Are you getting any kind of error messages anywhere?
Pete333
2006-03-10, 10:20 PM CST
If you're hosting a website, can you access it? Even if you don't have a site up, does the Apache test page show up? It looks like your Apache is running.
Have you rebooted after making changes, or at least restarted some services?
try:
/etc/init.d/iptables restart
/etc/init.d/network restart
Edit: disregard my previous question about /etc/rc.local if you saw it.
Yup, I reboot after the changes. ..
This is my /etc/sysconfig/iptables:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5483 -j ACCEPT-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Pete333
2006-03-10, 10:25 PM CST
Are you getting any kind of error messages anywhere?
Here is part of my /var/log/httpd/error_log:
[Sat Mar 11 12:38:13 2006] [notice] LDAP: SSL support unavailable
[Sat Mar 11 12:38:14 2006] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Sat Mar 11 12:38:14 2006] [error] (17)File exists: Cannot create SSLMutex with file `/etc/httpd/logs/ssl_mutex.2980'
Configuration Failed
[Sat Mar 11 12:47:24 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Mar 11 12:47:25 2006] [notice] Digest: generating secret for digest authentication ...
[Sat Mar 11 12:47:25 2006] [notice] Digest: done
[Sat Mar 11 12:47:25 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sat Mar 11 12:47:25 2006] [notice] LDAP: SSL support unavailable
[Sat Mar 11 12:47:25 2006] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Sat Mar 11 12:47:25 2006] [error] (17)File exists: Cannot create SSLMutex with file `/etc/httpd/logs/ssl_mutex.3811'
Configuration Failed
[Sat Mar 11 12:59:42 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Mar 11 12:59:42 2006] [error] (17)File exists: Cannot create SSLMutex with file `/etc/httpd/logs/ssl_mutex.2132'
Configuration Failed
crick136
2006-03-10, 10:26 PM CST
When I try to access it through Firefox at "http://192.168.0.4/", Firefox is unable to connect, same as when I try "www.technoware.com.ph". ...however, the email still works, which means that SMTP and POP3 are still working, and the DNS settings as well.
Yeah, that's kind of weird. I've been trying a few different things on my box but I'm still not sure why yours is doing that. What does your /etc/sysconfig/iptables look like?
Pete333
2006-03-10, 10:29 PM CST
And here's my nmap:
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-03-11 13:27 PHT
sendto in send_ip_packet: sendto(4, packet, 28, 0, 127.0.0.1, 16) => Operation not permitted
Interesting ports on technoware.com.ph (127.0.0.1):
(The 1651 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
199/tcp open smux
445/tcp open microsoft-ds
514/tcp open shell
631/tcp open ipp
783/tcp open hp-alarm-mgr
6009/tcp open X11:9
Nmap finished: 1 IP address (1 host up) scanned in 0.370 seconds
What are port 783/tcp and 6009/tcp doing? ...how do I turn them off?
crick136
2006-03-10, 10:31 PM CST
Change:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5483 -j ACCEPT-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
to look like this (two separate lines):
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5483 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
in your /etc/sysconfig/iptables,
then do: /etc/init.d/iptables restart
Pete333
2006-03-10, 10:40 PM CST
Change:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5483 -j ACCEPT-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
to look like this (two separate lines):
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5483 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
in your /etc/sysconfig/iptables,
then do: /etc/init.d/iptables restart
Port 80 is still closed as reported by nmap.
Pete333
2006-03-10, 10:47 PM CST
Is this a serious problem? ...when I type: service network restart
[root@technoware ~]# service network restart
Shutting down interface eth0: [ OK ]
Shutting down interface eth1: [ OK ]
Shutting down loopback interface: [ OK ]
Disabling IPv4 packet forwarding: net.ipv4.ip_forward = 0
[ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
Bringing up interface eth1: RTNETLINK answers: Invalid argument
[ OK ]
crick136
2006-03-10, 11:10 PM CST
Port 80 is still closed as reported by nmap.
See, that's the part I don't understand. I deliberately closed off port 80 on my server and then did that command that you're doing to test nmap @ port 80, and it said it was still open. I don't know anything about nmap, but I have decided that your problem is probably not firewall related. It's something else; something is not configured right. I wish I could have been more help; maybe someone else will chime in.
Pete333
2006-03-10, 11:29 PM CST
See, that's the part I don't understand. I deliberately closed off port 80 on my server and then did that command that you're doing to test nmap @ port 80, and it said it was still open. I don't know anything about nmap, but I have decided that your problem is probably not firewall related. It's something else; something is not configured right. I wish I could have been more help; maybe someone else will chime in.
How about SELinux? ...I remember when I upgraded to FC4 and I tried yum to update it, I got a lot of "scriptlet failed" errors. ...and when I searched for it I found out that SELinux was the culprit. ...so I disabled the SELinux "enforcing" thing and then rebooted and tried yum update again and it worked. ...it upgraded almost 200 packages including kernel-2.6.15-1833.FC4. ...then I rebooted. ..and that was it, I don't have a GUI anymore, and http:80 is down. ...but we can still receive and send email and I can still SSH to my server. ..do you know how I can configure SELinux using the command line?
Thanks a lot for your effort.
Pete333
2006-03-11, 12:31 AM CST
Finally, it's working now. ...I disabled the SELinux "enforcing" thing and rebooted ...and there is our website up again. ...whew! ....any idea on the security issue of what I have done?
Thanks a lot! :)
crick136
2006-03-11, 12:37 AM CST
Ah, see, I always disable SELinux during the installation so that never even crossed my mind. Glad you got it working.
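An added example (not from the thread) that separates the layers this thread mixed up: what nmap's "closed" versus "filtered" actually says about iptables, what "Configuration Failed" in the httpd error_log means for the port, and how to confirm SELinux as the cause without leaving it disabled. It assumes a Fedora-style box with netstat, iptables and the SELinux userland installed; the log path passed to httpd_started_ok and the directories relabelled are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: tell "no listener" apart from "firewalled"
# before touching iptables or SELinux. Assumes a Fedora-style box with netstat,
# iptables and the SELinux tools (getenforce, setenforce, restorecon).

# nmap's state word already says which layer to look at. Note that a scan of
# 127.0.0.1 (what the thread did) never reaches the eth rules at all, because
# the "-i lo -j ACCEPT" rule comes first, so "closed" there means no listener.
classify_nmap_state() {
    case "$1" in
        open)     echo "listener reachable: nothing to fix at this layer" ;;
        closed)   echo "host answered with RST: no process is listening, check httpd, not the firewall" ;;
        filtered) echo "no answer or ICMP prohibited: packets dropped by iptables or an upstream router" ;;
        *)        echo "unknown nmap state '$1'"; return 1 ;;
    esac
}

# Apache's error_log: "Configuration Failed" after a startup attempt means httpd
# never bound port 80, so nmap reports "closed" no matter what iptables says.
httpd_started_ok() {
    # $1 = path to error_log; succeeds only if the last lines do not end in
    # a failed configuration.
    ! tail -n 20 "$1" | grep -q 'Configuration Failed'
}

# Facts to collect before changing anything (run as root).
show_port80_facts() {
    echo "== listeners on :80 =="
    netstat -tlnp 2>/dev/null | grep ':80 ' || echo "nothing listening on tcp/80"
    echo "== INPUT rules mentioning dpt:80 =="
    iptables -L RH-Firewall-1-INPUT -n 2>/dev/null | grep 'dpt:80' || echo "no rule for dpt:80"
    echo "== SELinux =="
    getenforce 2>/dev/null || echo "SELinux tools not installed"
    # Denials land in audit.log when auditd runs, otherwise in /var/log/messages.
    grep -h 'avc: *denied.*httpd' /var/log/audit/audit.log /var/log/messages 2>/dev/null | tail -n 5
}

# Safer than SELINUX=disabled: confirm SELinux is the cause in permissive mode
# (denials are logged but allowed), restore the file contexts an upgrade can
# break, then return to enforcing and re-test port 80.
selinux_confirm_and_fix() {
    setenforce 0
    service httpd restart
    restorecon -Rv /etc/httpd /var/www /var/log/httpd
    setenforce 1
}
```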