
Suddenly can't access Bubba externally

Posted: 25 Mar 2009, 08:54
by shocks
Hi

I'm able to SSH into Bubba externally but cannot access the webserver externally. My port redirect from my router is working fine (I can redirect to other webservers on port 80). I restored my iptables config (because I thought that may be the problem) per Carl's post in another thread. iptables -L is now:

Chain INPUT (policy DROP)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Where am I going wrong here?

Thanks
Ben

Posted: 25 Mar 2009, 09:05
by carl
Hello,

Could you post the output of iptables-save instead? It is often easier to debug that output than iptables -L.

/Carl

Posted: 25 Mar 2009, 09:19
by shocks
Hi Carl

bubba:/etc/init.d# iptables-save
# Generated by iptables-save v1.3.6 on Wed Mar 25 13:18:55 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5063:3484914]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Mar 25 13:18:55 2009
# Generated by iptables-save v1.3.6 on Wed Mar 25 13:18:55 2009
*nat
:PREROUTING ACCEPT [88:7765]
:POSTROUTING ACCEPT [255:90328]
:OUTPUT ACCEPT [255:90328]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 25 13:18:55 2009
bubba:/etc/init.d#

Posted: 25 Mar 2009, 10:15
by carl
shocks wrote: Hi Carl

bubba:/etc/init.d# iptables-save
# Generated by iptables-save v1.3.6 on Wed Mar 25 13:18:55 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5063:3484914]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Mar 25 13:18:55 2009
# Generated by iptables-save v1.3.6 on Wed Mar 25 13:18:55 2009
*nat
:PREROUTING ACCEPT [88:7765]
:POSTROUTING ACCEPT [255:90328]
:OUTPUT ACCEPT [255:90328]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 25 13:18:55 2009
bubba:/etc/init.d#
The two rules in the nat chain below seem to be wrong; try to remove them, and access to port 80 on the bubba will probably work again:

Code:

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80 
/Carl
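Why Carl's diagnosis is right, shown as an added example (this script is not from the thread and not part of the Bubba firmware): for a packet arriving on eth0, the nat PREROUTING chain is evaluated before the filter INPUT chain, so the first REDIRECT rule rewrites destination port 80 to 8080 and the INPUT ACCEPT for port 80 is never consulted; the second REDIRECT (80 to 80) is dead, because REDIRECT is terminating and the first rule already matched. The script below replays the posted iptables-save dump (embedded here as constructed input, trimmed to the rules that matter) from a file of the same shape, prints a verdict per port, and emits the iptables -t nat -D commands that remove the offending rules. The function names are this example's own.

```shell
#!/bin/sh
# Added example: trace how a TCP port fares in the posted ruleset and
# generate the delete commands for stray nat PREROUTING REDIRECTs.
# The dump below is constructed from the iptables-save output in the
# thread (filter and nat tables, other lines omitted).

SAVED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5063:3484914]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [88:7765]
:POSTROUTING ACCEPT [255:90328]
:OUTPUT ACCEPT [255:90328]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Print the "-A ..." rules of table $1 (filter or nat) from a dump on stdin.
table_rules() {
  awk -v want="$1" '/^\*/ { t = substr($0, 2); next } t == want && /^-A / { print }'
}

# Print the value that follows option $1 on a single rule line read from stdin.
opt_value() {
  awk -v opt="$1" '{ for (i = 1; i < NF; i++) if ($i == opt) { print $(i+1); exit } }'
}

# First nat PREROUTING REDIRECT that catches TCP port $1.
# Only the first match matters: REDIRECT is a terminating target.
first_redirect_for_port() {
  table_rules nat | awk -v port="$1" '
    /^-A PREROUTING / && /-p tcp/ && /-j REDIRECT/ {
      for (i = 1; i < NF; i++) if ($i == "--dport" && $(i+1) == port) { print; exit }
    }'
}

# One-line verdict for a new TCP connection to port $1 arriving from the WAN.
diagnose_port() {
  dump=$(cat)
  redir=$(printf '%s\n' "$dump" | first_redirect_for_port "$1")
  if [ -n "$redir" ]; then
    target=$(printf '%s\n' "$redir" | opt_value --to-ports)
    printf 'port %s: redirected to %s by nat PREROUTING before filter INPUT is consulted\n' "$1" "$target"
    return
  fi
  if printf '%s\n' "$dump" | table_rules filter | grep -q -- "--dport $1 -j ACCEPT"; then
    printf 'port %s: reaches filter INPUT and is accepted\n' "$1"
  else
    printf 'port %s: reaches filter INPUT and hits the DROP policy\n' "$1"
  fi
}

# iptables invocation that removes every PREROUTING REDIRECT for TCP port $1.
delete_commands_for_port() {
  table_rules nat | awk -v port="$1" '
    /^-A PREROUTING / && /-j REDIRECT/ {
      for (i = 1; i < NF; i++) if ($i == "--dport" && $(i+1) == port) print
    }' | sed 's/^-A /iptables -t nat -D /'
}

printf '%s\n' "$SAVED_RULES" | diagnose_port 80
printf '%s\n' "$SAVED_RULES" | diagnose_port 22
printf '%s\n' "$SAVED_RULES" | delete_commands_for_port 80
```

Run it against a live box with `iptables-save | diagnose_port 80` instead of the embedded dump. Two things worth noticing in the posted rules: the REDIRECTs carry no `-i eth0`, so LAN clients on eth1 are rewritten to 8080 as well, and whatever answers on 8080 (the filter chain already opens it on eth0) is what every port-80 visitor actually reaches. After deleting the two rules, confirm with `iptables -t nat -L PREROUTING -n -v --line-numbers` that the chain is empty and that the packet counter on the filter INPUT rule for dport 80 starts moving.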