Re: Smoothwall may not be forwarding port 80
martin.woolley@xxxxxxxxx wrote:
I'm not sure if this is a smoothie problem or not. We have smoothwall
express 2.0 (fixes 7). On the red interface is an adsl router. On
the orange interface is a hub with m/cs 172.24.0.x. We've setup port
forwarding, port 22 to go to 172.24.0.19 and port 80 to 172.24.0.18.
If I ssh to the i/p address given to us by our isp, I get to the "19"
machine (file repository). However if I use a web browser to access
the i/p address I get a 504 error. If I logon to the "18" machine
(web server), fire up a web browser and access localhost, up pops the
web pages, so we know the httpd daemon is running on the "18" box.

If I nmap the i/p address from the outside world I see
PORT STATE SERVICE
22/tcp open ssh
80/tcp filtered http

which probably explains why the web site doesn't appear. There is no
firewall on the webserver (iptables has no rules). Any ideas as to
where we look to resolve the problem?

I'd suggest a systematic approach. The nmap result and the "Gateway
Timeout" error suggest IMHO that either some router on your LAN is
dropping the packets, or that the forwarding does not work correctly.

1. Check on which interfaces it's listening (netstat -ntl) to make sure
it's accessible on the public interface.
2. Check the actual packet filter configuration (iptables -nL,
iptables -t nat -nL, iptables -t mangle -nL) to make sure that it's
really not the packet filter on the host itself. Keep the default
policies in mind!
3. Make a portscan from a host on the same network segment to check
whether access from some other host is possible at all.
4. Check the configuration of any router/firewall between the web server
and your border router.
5. Check the router/firewall configuration (port forwarding as well as
filtering rules).
6. Check your private DNS config. Maybe it's an internal name resolution
issue.

I did try connecting another box on the network and running ethereal
on it but this showed no packets, even when I did a successful ssh
session; clearly ethereal is either lying or not capturing any
packets.

I'd suspect that you made some mistake there, because ethereal should at
least show the outgoing packets, even if there are no replies.

cu
59cobalt
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
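Steps 1 and 2 of the checklist above, as an added example that is not from either poster: a small POSIX shell script that parses `netstat -ntl` output to tell whether a port is bound on the wildcard address, a specific interface, or only loopback (a daemon bound to 127.0.0.1 answers "localhost" on the box but nothing forwarded from the firewall), and parses `iptables -nL` output for built-in chains whose default policy is DROP (no rules listed does not mean nothing is blocked). The sample outputs are constructed for the example, not captured from the poster's 172.24.0.18 host, and the column layout assumed is that of classic net-tools `netstat`; the `--live` mode that runs the real commands is an assumption about what is installed on the box.

```sh
#!/bin/sh
# Added example: diagnostic helpers for "is the web server really reachable
# on its public-facing address, and is the host's own packet filter dropping
# traffic?" Not code from the original thread.

# Constructed sample in the layout of `netstat -ntl` (net-tools). Here httpd
# listens only on loopback, which is exactly the case a localhost test hides.
SAMPLE_NETSTAT_BAD='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Constructed sample where httpd listens on the wildcard address.
SAMPLE_NETSTAT_GOOD='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Constructed sample of `iptables -nL`: no rules at all, yet INPUT has a
# DROP policy, so every inbound packet is silently discarded.
SAMPLE_IPTABLES='Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# listener_scope PORT   (netstat -ntl output on stdin)
# Prints one word: "all" (wildcard address), "iface" (a specific non-loopback
# address), "local" (loopback only) or "none" (nothing listening on PORT).
listener_scope() {
    port="$1"
    awk -v p="$port" '
        $1 == "tcp" || $1 == "tcp6" {
            n = split($4, a, ":"); lp = a[n]          # port is after the last colon
            if (lp != p) next
            addr = substr($4, 1, length($4) - length(lp) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") all = 1
            else if (addr == "127.0.0.1" || addr == "::1") loop = 1
            else other = 1
        }
        END {
            if (all) print "all"
            else if (other) print "iface"
            else if (loop) print "local"
            else print "none"
        }'
}

# drop_policy_chains   (iptables -nL output on stdin)
# Prints the names of built-in chains whose default policy is DROP, one per
# line. An empty chain with a DROP policy still blocks everything.
drop_policy_chains() {
    awk '$1 == "Chain" && $3 == "(policy" && $4 == "DROP)" { print $2 }'
}

# With --live, run the real commands on this host (assumes net-tools netstat
# and iptables are installed and the script runs as root). Without it, show
# the constructed samples so the script runs anywhere.
if [ "${1:-}" = "--live" ]; then
    echo "port 80 listener scope: $(netstat -ntl 2>/dev/null | listener_scope 80)"
    echo "chains with DROP policy: $(iptables -nL 2>/dev/null | drop_policy_chains | tr '\n' ' ')"
else
    echo "sample (bad):  port 80 -> $(printf '%s\n' "$SAMPLE_NETSTAT_BAD" | listener_scope 80)"
    echo "sample (good): port 80 -> $(printf '%s\n' "$SAMPLE_NETSTAT_GOOD" | listener_scope 80)"
    echo "sample iptables DROP chains: $(printf '%s\n' "$SAMPLE_IPTABLES" | drop_policy_chains)"
fi
```

A result of "local" for port 80 explains a working localhost test together with a dead forwarded port without any firewall being involved; a DROP policy on INPUT with no rules matches "iptables has no rules" and still produces the `filtered` state nmap reports. Neither condition is claimed for the poster's box; the script only makes the two checks quick to repeat.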