Router configuration for Apache
Hey guys
I'm still trying to set up my network correctly, but I can't get from my external IP to my server. This is the network layout:
ExternalIP, Port 80 -> Router (Zyxel p623me), forwarding port 80 to 192.168.1.2 -> My server (192.168.1.2)
It works over localhost but not over the external IP (DynDNS).
Here are some screenshots from the Router configuration.
If there's any more data that could be helpful, please tell me what you need.
Whoa man, you've got some pretty insecure settings there.
Before you go any further, turn off all Remote Management (SNMP). Not LAN, but off, even though they're filtered. And turn off UPnP... they have it easy enough as it is. And check Web.
The NAT section also concerns me. 0.0.0.0 means all IPs, so you're forwarding all outside ports to all your LAN IPs! What are ports 6112-9? If torrent, just use 60940 and encrypt & peer-peer with BitTyrant; in your firewall open 60940 in and out, tcp and udp, and run the client as a very unprivileged user. Also make the webserver forward, start and end port 80, not 1-80. Ports below 1024 are privileged and should be handled with care.
Now for your question. {hehe} Do yourself a favor and in /etc/profile put this line:
alias listen='lsof -i -n -P |more'
... and next time you log in type listen in konsole. Make sure that Apache is listening on at least 192.168.1.2. If not, change the config file and reload. And while you're at it, set all daemons you can to only listen on the localhost (127.0.0.1), for security.
Quantum wrote:
    Before you go any further, turn off all Remote Management (SNMP). Not LAN, but off, even though they're filtered. And turn off UPnP... they have it easy enough as it is. And check Web.
    The NAT section also concerns me. 0.0.0.0 means all IPs, so you're forwarding all outside ports to all your LAN IPs! What are ports 6112-9? If torrent, just use 60940 and encrypt & peer-peer with BitTyrant; in your firewall open 60940 in and out, tcp and udp, and run the client as a very unprivileged user. Also make the webserver forward, start and end port 80, not 1-80. Ports below 1024 are privileged and should be handled with care.
Done, thanks.
Quantum wrote:
    Now for your question. {hehe} Do yourself a favor and in /etc/profile put this line:
    alias listen='lsof -i -n -P |more'
    ... and next time you log in type listen in konsole. Make sure that Apache is listening on at least 192.168.1.2. If not, change the config file and reload.
I put it on the first free uncommented line but:
Code:
bash: listen: command not found
Code:
tcp 0 0 192.168.1.2:80 0.0.0.0:* LISTEN 4331/apache
TonyT wrote:
    Just use the apache defaults. But change the port Apache listens on to 8080. This is because your ISP likely filters port 80 so as to prevent subscribers from running web servers. Then port-forward 8080 to the LAN IP of the comp w/ apache.
192.168.1.2:8080 works but the external IP is still dead. What the hell?
hosts.allow has ALL:ALL by the way.
listen is a new command you are creating, which shows which daemons are listening on what ports. This is for your use, and Apache has no use for it. Once you've put it in /etc/profile, you have to log out and back in for it to be available. I notice that Debian is busted however, in that it doesn't execute /etc/profile on login. So you must add this to /home/<youruser>/.bashrc
Code:
if [ -f /etc/profile ]; then
    . /etc/profile
fi
if [ -f /etc/bash.bashrc ]; then
    . /etc/bash.bashrc
fi
Once you get listen running, it should look something like mine:
Code:
# listen
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dnsmasq 5804 dnsmasq 4u IPv4 10414 TCP 127.0.0.1:53 (LISTEN)
dnsmasq 5804 dnsmasq 5u IPv4 10415 UDP 127.0.0.1:53
dnsmasq 5804 dnsmasq 6u IPv4 10416 UDP *:38095
avahi-dae 5826 avahi 14u IPv4 10461 UDP *:5353
avahi-dae 5826 avahi 15u IPv4 10462 UDP *:46898
cupsd 5962 root 3u IPv4 26708 TCP 127.0.0.1:631 (LISTEN)
squid 6338 proxy 5u IPv4 11603 UDP *:49852
squid 6338 proxy 10u IPv4 11766 TCP 127.0.0.1:8080 (LISTEN)
squid 6338 proxy 11u IPv4 11767 UDP *:3130
Now, let's see your listen, and the NAT section of your router.
Edit: Here's the lsof -i -n -P |more (listen didn't work) command.
And the NAT.
Code:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 2883 daemon 3u IPv4 7910 UDP *:111
portmap 2883 daemon 4u IPv4 7913 TCP *:111 (LISTEN)
hpiod 3142 root 0u IPv4 8372 TCP 127.0.0.1:2208 (LISTEN)
python 3145 hplip 4u IPv4 8383 TCP 127.0.0.1:44906 (LISTEN)
cupsd 3266 root 1u IPv4 8530 TCP 127.0.0.1:631 (LISTEN)
cupsd 3266 root 3u IPv4 8533 UDP *:631
avahi-dae 3359 avahi 13u IPv4 10596 UDP *:5353
avahi-dae 3359 avahi 14u IPv4 10597 UDP *:32768
exim4 3439 Debian-exim 3u IPv4 10732 TCP 127.0.0.1:25 (LISTEN)
inetd 3458 root 4u IPv4 10773 TCP *:113 (LISTEN)
tor 3468 debian-tor 4u IPv4 11187 TCP 192.168.1.2:35759->156.56.103.103:9001 (ESTABLISHED)
tor 3468 debian-tor 7u IPv4 10804 TCP 127.0.0.1:9050 (LISTEN)
tor 3468 debian-tor 10u IPv4 11514 TCP 192.168.1.2:37762->80.237.231.146:9001 (ESTABLISHED)
dhclient 3475 root 5u IPv4 10892 UDP *:68
rpc.statd 3553 statd 3u IPv4 11010 UDP *:32769
rpc.statd 3553 statd 6u IPv4 10976 UDP *:761
rpc.statd 3553 statd 7u IPv4 11019 TCP *:43916 (LISTEN)
proftpd 3595 proftpd 1u IPv4 11105 TCP *:21 (LISTEN)
apache 3697 root 16u IPv4 11392 TCP 192.168.1.2:8080 (LISTEN)
Still forwarding all ports to all internal machines man. You cannot set that first entry to 0.0.0.0, as it opens up everything to The Internets. Set that to blank, or if it won't let you, set it to some bogus IP.
OK, your network plumbing for Apache looks fine. (assuming you have checkmarked router|InternetSecurity|Web) You should point your browser at
http://192.168.1.2:8080
... and if it does not work you must concentrate on whatever the Apache config problem is. If it works then point your browser at
http://<yourexternalWANIPinrouter>:8080
... and if it does not work, please give exact error. If it does work point your browser at
http://<yourdomain>:8080
... and if it now does not work you have a DNS problem. (See Registrar above)
A few security notes about your listen command:
- portmap tcp must always and forevermore only listen to 127.0.0.1. This is an insecure daemon. Change this in its config file.
- Yikes! Turn off auth in inetd (port 113) by commenting it out.
- You don't seem to be running NFS (also very insecure), so find out what's starting rpc.statd and stop that.
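The review of the listen output above (portmap, inetd auth and rpc.statd all bound to *) can be done mechanically. The following is an added example, not code from the thread or either poster: a POSIX shell audit that filters lsof -i -n -P output for TCP listeners that are not bound to loopback. The sample input is constructed from the listing Aku posted; the --live mode assumes lsof is installed.

```shell
#!/bin/sh
# Added example (not from the thread): report TCP listeners that are bound to
# a wildcard (*) or LAN address instead of 127.0.0.1, from `lsof -i -n -P` output.

# Constructed sample, trimmed from the listing posted in the thread.
LSOF_SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 2883 daemon 4u IPv4 7913 TCP *:111 (LISTEN)
hpiod 3142 root 0u IPv4 8372 TCP 127.0.0.1:2208 (LISTEN)
exim4 3439 Debian-exim 3u IPv4 10732 TCP 127.0.0.1:25 (LISTEN)
inetd 3458 root 4u IPv4 10773 TCP *:113 (LISTEN)
tor 3468 debian-tor 4u IPv4 11187 TCP 192.168.1.2:35759->156.56.103.103:9001 (ESTABLISHED)
tor 3468 debian-tor 7u IPv4 10804 TCP 127.0.0.1:9050 (LISTEN)
rpc.statd 3553 statd 7u IPv4 11019 TCP *:43916 (LISTEN)
proftpd 3595 proftpd 1u IPv4 11105 TCP *:21 (LISTEN)
apache 3697 root 16u IPv4 11392 TCP 192.168.1.2:8080 (LISTEN)'

# exposed_listeners: read lsof output on stdin and print "COMMAND ADDR:PORT"
# for every socket in LISTEN state whose bind address is not loopback.
# With -n -P the NAME column is "ADDR:PORT (LISTEN)", so the address is the
# second-to-last field and the state is the last one.
exposed_listeners() {
    awk '$NF == "(LISTEN)" {
        addr = $(NF-1)
        if (addr !~ /^127\.0\.0\.1:/ && addr !~ /^\[::1\]:/)
            print $1, addr
    }'
}

# count_exposed: number of exposed TCP listeners in the given lsof text.
count_exposed() {
    printf '%s\n' "$1" | exposed_listeners | wc -l | tr -d ' '
}

# is_exposed: succeed (exit 0) if daemon $2 has a non-loopback TCP listener
# in the lsof text $1; fail otherwise.
is_exposed() {
    printf '%s\n' "$1" | exposed_listeners | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# Stand-alone usage: "--live" audits the running system, otherwise the sample.
if [ "${1:-}" = "--live" ]; then
    lsof -i -n -P | exposed_listeners
else
    printf '%s\n' "$LSOF_SAMPLE" | exposed_listeners
fi
```

On the sample this lists portmap, inetd, rpc.statd, proftpd and apache; only apache on 192.168.1.2:8080 is meant to be reachable from the LAN, the rest are candidates for binding to 127.0.0.1 or disabling, as the notes above say.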
Quantum wrote:
    Still forwarding all ports to all internal machines man. You cannot set that first entry to 0.0.0.0, as it opens up everything to The Internets. Set that to blank, or if it won't let you, set it to some bogus IP.
Done.
Quantum wrote:
    OK, your network plumbing for Apache looks fine. (assuming you have checkmarked router|InternetSecurity|Web) You should point your browser at
    http://192.168.1.2:8080
Works, getting the placeholder page.
Quantum wrote:
    http://<yourexternalWANIPinrouter>:8080
    ... and if it does not work, please give exact error.
From lynx:
Code:
Alert!: Unable to connect to remote host.
Quantum wrote:
    A few security notes about your listen command:
    - portmap tcp must always and forevermore only listen to 127.0.0.1. This is an insecure daemon. Change this in its config file.
I uncommented OPTIONS="-i 127.0.0.1" in /etc/default/portmap.
Quantum wrote:
    - Yikes! Turn off auth in inetd (port 113) by commenting it out.
In /etc/inetd.conf? Can't find it there.
Quantum wrote:
    - You don't seem to be running NFS (also very insecure), so find out what's starting rpc.statd and stop that.
I disabled nfs-common with sysv-rc-conf.
Aku wrote:
    Quantum wrote:
        Still forwarding all ports to all internal machines man. You cannot set that first entry to 0.0.0.0, as it opens up everything to The Internets. Set that to blank, or if it won't let you, set it to some bogus IP.
    Done.
It is a pleasure to actually get feedback on what people found or did. It makes possible a deeper understanding. Thank you.
Aku wrote:
    Works, getting the placeholder page.
Is this all you have set up for now? Or should it be showing your site?
Aku wrote:
    Quantum wrote:
        http://<yourexternalWANIPinrouter>:8080
        ... and if it does not work, please give exact error.
    From lynx:
    Code:
    Alert!: Unable to connect to remote host.
Sorry, just to make sure, you had substituted the actual IP address which is in your router for the external address? You didn't just click on my (exemplary) link?
Is your firewall set to accept incoming tcp on port 8080? If so, I am pretty well kerfuffled.
Aku wrote:
    Quantum wrote:
        - Yikes! Turn off auth in inetd (port 113) by commenting it out.
    In /etc/inetd.conf? Can't find it there.
Not sure if you're running inet.d or xinet.d, and I have neither installed. But if memory serves, if inet.d it should be a line-item in inetd.conf, and if xinet.d in its directory, in the auth file, set it to disabled. Or just remove the daemon startup in rc5.d, since you're not using anything else of inet.d.
Quantum wrote:
    It is a pleasure to actually get feedback on what people found or did. It makes possible a deeper understanding. Thank you.
You're more than welcome, glad to get some help. I have to use 0.0.0.0 for a bit longer though, MSN and some other stuff stopped working.
Quantum wrote:
    Is this all you have set up for now? Or should it be showing your site?
Nope, there's no content yet.
Quantum wrote:
    Sorry, just to make sure, you had substituted the actual IP address which is in your router for the external address? You didn't just click on my link?
Yes, I'm just a Linux and especially Debian newbie.
Quantum wrote:
    Is your firewall set to accept incoming tcp on port 8080? If so, I am pretty well kerfuffled.
Afaik I don't have one unless there's a default firewall that comes with Debian.
Quantum wrote:
    Not sure if you're running inet.d or xinet.d, and I have neither installed. But if memory serves, if inet.d it should be a line-item in inetd.conf, and if xinet.d in its directory, in the auth file, set it to disabled.
I'm pretty sure I have inet.d. And the inetd.conf file is empty; this is the only line that isn't commented out:
Code:
#:INFO: Info services
ident stream tcp wait identd /usr/sbin/identd identd
Quantum wrote:
    Or just remove the daemon startup in rc5.d, since you're not using anything else of inet.d.
Erh, S20openbsd-inetd?
Code:
asgard:/etc/rc5.d# dir
K20bittorrent S19hplip S20exim4 S20vboxdrv S89cron
K79nfs-common S20acpid S20hotkey-setup S20vboxnet S90binfmt-support
README S20cpufrequtils S20makedev S21gdm S91apache
S10sysklogd S20cupsys S20mplayer S50proftpd S99rc.local
S11klogd S20dbus S20openbsd-inetd S89anacron S99rmnologin
S18portmap S20ddclient S20tor S89atd S99stop-bootlogd
Aku wrote:
    I have to use 0.0.0.0 for a bit longer though, MSN and some other stuff stopped working.
No, there is no legitimate reason why ANY outside ANYthing needs to reach into your network at the moment. They have no business doing that.
I am beginning to suspect that this NAT entry doesn't behave according to convention. Maybe best to read the Zyxel user guide about this.
Aku wrote:
    Quantum wrote:
        Sorry, just to make sure, you had substituted the actual IP address which is in your router for the external address? You didn't just click on my link?
    Yes, I'm just a Linux and especially Debian newbie.
This response is not clear. When I say:
http://<yourexternalWANIPinrouter>:8080
... I mean you should go to your router and find the external IP address (WAN) it currently has. This would likely be on a Home screen or Information screen for the router as WAN address or such. Substitute that IP address for when I say <yourexternalWANIPinrouter>, so if your external IP is 74.23.92.6 for example, in your browser:
http://74.23.92.6:8080
... you should see your placeholder page.
Aku wrote:
    Quantum wrote:
        Is your firewall set to accept incoming tcp on port 8080? If so, I am pretty well kerfuffled.
    Afaik I don't have one unless there's a default firewall that comes with Debian.
Please install and learn a good one (like Shorewall), as soon as possible. Sooner than is possible.
Aku wrote:
    Code:
    ident stream tcp wait identd /usr/sbin/identd identd
Ah yes, please # that out, forthwith.
Aku wrote:
    Quantum wrote:
        Or just remove the daemon startup in rc5.d, since you're not using anything else of inet.d.
    Erh, S20openbsd-inetd?
Right. Delete that symlink in rc2.d, rc3.d, rc4.d, and rc5.d. (or better, move it into /etc/init.d/Filed)
See, the way Linux works is daemons are started on boot using the 'rc system'. The scripts to start them live in /etc/init.d. Linux can be started in different 'runlevels', such as single-user mode (rc2), multiuser with networking non-graphical (rc3), and multiuser with networking graphical (rc5.d). The one you use most is rc5, and so you should have the daemons you want started on boot symlinked in rc5.d. You don't need inet.d at the moment, so delete that symlink. (or better, move it into /etc/init.d/Filed) The S in the symlink means Start (as opposed to Kill), and the number determines in what order the daemons are started. This matters, because firewall should be started before networking, for example. rcS.d is where the System daemons are started. (for all runlevels) An easier way to **** around with daemon startups is K|System|KSysV.
BTW, nobody ever explained this stuff to me; I had to dig and sweat and tear out every bloody scrap of information I own, over great lengths of time, chasing down the information and furiously choking facts out of it.
Aku wrote:
    Code:
    README S20tor
Huh? WTF is the Tor daemon there for? You using that? Does it make you a Tor peer? And README doesn't belong here, only in init.d.
Quantum wrote:
    No, there is no legitimate reason why ANY outside ANYthing needs to reach into your network at the moment. They have no business doing that.
I can't get Kopete to connect to MSN without it, so until I figure out which port exactly it is I'll keep the 0.0.0.0.
Quantum wrote:
    I am beginning to suspect that this NAT entry doesn't behave according to convention. Maybe best to read the Zyxel user guide about this.
There's just some DAU stuff, nothing detailed about NAT.
Quantum wrote:
    This response is not clear. When I say:
    http://<yourexternalWANIPinrouter>:8080
    ... I mean you should go to your router and find the external IP address (WAN) it currently has. This would likely be on a Home screen or Information screen for the router as WAN address or such. Substitute that IP address for when I say <yourexternalWANIPinrouter>, so if your external IP is 74.23.92.6 for example, in your browser:
    http://74.23.92.6:8080
    ... you should see your placeholder page.
That's what I was trying to imply. I know about networking in general.
Quantum wrote:
    Please install and learn a good one (like Shorewall), as soon as possible. Sooner than is possible.
I will once I get this stuff working; it just seems like yet another source of failure.
Quantum wrote:
    Ah yes, please # that out, forthwith.
Done. (What is this info service?)
Quantum wrote:
    Right. Delete that symlink in rc2.d, rc3.d, rc4.d, and rc5.d. (or better, move it into /etc/init.d/Filed)
Done.
Quantum wrote:
    See, the way Linux works is daemons are started on boot using the 'rc system'. The scripts to start them live in /etc/init.d. Linux can be started in different 'runlevels', such as single-user mode (rc2), multiuser with networking non-graphical (rc3), and multiuser with networking graphical (rc5.d). The one you use most is rc5, and so you should have the daemons you want started on boot symlinked in rc5.d. You don't need inet.d at the moment, so delete that symlink. (or better, move it into /etc/init.d/Filed) The S in the symlink means Start (as opposed to Kill), and the number determines in what order the daemons are started. This matters, because firewall should be started before networking, for example. rcS.d is where the System daemons are started. (for all runlevels) An easier way to **** around with daemon startups is K|System|KSysV.
Thanks for the info, but what exactly does inet.d do if I don't need it? (And why is it run by default?)
Quantum wrote:
    BTW, nobody ever explained this stuff to me; I had to dig and sweat and tear out every bloody scrap of information I own, over great lengths of time, chasing down the information and furiously choking facts out of it.
I tried a good 3-4 hours of google & error myself but to no avail.
Quantum wrote:
    Huh? WTF is the Tor daemon there for? You using that? Does it make you a Tor peer?
Yes, I'm using Tor but I'm not a node. (I hope?)
Quantum wrote:
    And README doesn't belong here, only in init.d.
Removed.
Aku wrote:
    Thanks for the info, but what exactly does inet.d do if I don't need it? (And why is it run by default?)
Well I've been drinking, but I'll do the best I can. inetd is what's described as a 'wrapper daemon'. It wraps around other commonly-used daemons providing an additional level of security. It's controlled by host.accept and host.deny (if memory serves). It's an additional level of security for apps that don't have it inherently.
Aku wrote:
    I tried a good 3-4 hours of google & error myself but to no avail.
Bah, I haven't used that-search-engine-that-everybody-uses for several years. Clusty is better IMHO, and is a meta search engine, which does every bit as well, and does not have the atrocious privacy policies that that-search-engine-that-everybody-uses has.
Aku wrote:
    Yes, I'm using Tor but I'm not a node. (I hope?)
Daemon implies server, which implies node. Not necessarily bad, as long as it runs extremely unprivileged and you are aware.
Quantum wrote:
    Well I've been drinking, but I'll do the best I can. inetd is what's described as a 'wrapper daemon'. It wraps around other commonly-used daemons providing an additional level of security. It's controlled by host.accept and host.deny (if memory serves). It's an additional level of security for apps that don't have it inherently.
Not much it seems; thanks, that helped.
Quantum wrote:
    Bah, I haven't used that-search-engine-that-everybody-uses for several years. Clusty is better IMHO, and is a meta search engine, which does every bit as well, and does not have the atrocious privacy policies that that-search-engine-that-everybody-uses has.
I'll try it. Pretty happy with most of google's results though.
Quantum wrote:
    Daemon implies server, which implies node. Not necessarily bad, as long as it runs extremely unprivileged and you are aware.
Oh well, my server's not doing much 99% of the time, guess it's alright.
I'll switch ISPs soon and due to that I'll also get a new router. Shall I let you know if that helped?
Quantum wrote:
    Aku wrote:
        I'll switch ISPs soon and due to that I'll also get a new router. Shall I let you know if that helped?
    Not sure why it would help. We need to know what's actually going on. I am still not clear whether you are entering the http://<wanIP> correctly. That is crucial.
Well, it's the only thing left I can think of.
Sure, keep us posted.
I am using the external IP, guaranteed.