What is blocking port 80?

Cam Roe yellowdog-general@lists.terrasoftsolutions.com
22 Sep 2004 15:01:41 -0600


Hi Dave

This was a really good tip!!! But before I get to that, let me say I
agree that the proper configuration of iptables is important, but for now
I'm just working on getting the web server working and am using sort of
a brute force method to eliminate iptables as a factor for now.

Let me tell you what I did. I set Apache to listen on port 81 and
forwarded port 81 from the router. It all worked fine!!! I set the
router to forward port 80 and set Apache to listen on port 80 and it all
failed. Damn. OK, so apparently it only fails if I try to forward port
80 from the router.
So back on my YDL, I did a 'tcpdump dst port 80' and set the router to
forward port 80 to port 80 on my YDL box. I set Apache to listen on port
80 and restarted. I checked the nmap and http is on port 80. The output
I got from the tcpdump is below. It seems as though the YDL box is
getting the packets, but Apache is not. (There are no errors in either
the error log or the access log to indicate that anything happened
from the Apache side.)

[root@localhost conf]# tcpdump dst port 80
tcpdump: listening on eth0
14:37:32.001913 s142-179-148-227.ab.hsia.telus.net.61652 > 192.168.1.105.http: S 4026405647:4026405647(0) win 5840 <mss 1460,sackOK,timestamp 424418336 0,nop,wscale 0> (DF)
14:37:34.998295 s142-179-148-227.ab.hsia.telus.net.61653 > 192.168.1.105.http: S 4026405647:4026405647(0) win 5840 <mss 1460,sackOK,timestamp 424418636 0,nop,wscale 0> (DF)
14:37:40.998462 s142-179-148-227.ab.hsia.telus.net.61654 > 192.168.1.105.http: S 4026405647:4026405647(0) win 5840 <mss 1460,sackOK,timestamp 424419236 0,nop,wscale 0> (DF)
14:37:52.998550 s142-179-148-227.ab.hsia.telus.net.61657 > 192.168.1.105.http: S 4026405647:4026405647(0) win 5840 <mss 1460,sackOK,timestamp 424420436 0,nop,wscale 0> (DF)
14:38:16.998456 s142-179-148-227.ab.hsia.telus.net.61658 > 192.168.1.105.http: S 4026405647:4026405647(0) win 5840 <mss 1460,sackOK,timestamp 424422836 0,nop,wscale 0> (DF)
14:39:04.999757 s142-179-148-227.ab.hsia.telus.net.61659 > 192.168.1.105.http: S 4026405647:4026405647(0) win 5840 <mss 1460,sackOK,timestamp 424427636 0,nop,wscale 0> (DF)

So what I am seeing (I think) is that if I set everything up to forward
and listen on port 81 (or any other port) I can make it function. If I
set it up on port 80, the router SEEMS to forward the packets correctly
but YDL SEEMS to be blocking it somehow.

iptables is off - is there anything else I should be checking? i.e. port
protection? (Is there such a thing?) Any other firewall stuff besides
iptables? (I checked for old copies of ipchains on a long shot but
didn't find anything - which is good!)

Another thing that I've noticed is that if I do an nmap -p 23,80
xxx.xxx.xxx.xxx (where xxx stuff is the ip address of the router) and I
do this from an external PC (Redhat Linux) I USUALLY get


Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on dxxx-xxx-xxx-xxx.abhsia.telus.net
(xxx.xxx.xxx.xxx):
(The 1 port scanned but not shown below is in state: closed)

Port       State       Service
23/tcp     open        telnet

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

BUT if I repeat it I can sometimes get 

Port       State       Service
23/tcp     open        telnet
80/tcp     filtered    http

Anyone know what 'filtered' means? 

This is driving me crazy!!! .... and not in a good way. :) 

Cheers

Cam
On Tue, 2004-09-21 at 22:51, David Wadson wrote:
> Have you tried running tcpdump on the web server to see whether any of 
> the packets are getting through to it? If you don't have a firewall 
> running on the webserver, I would suspect either the firewall on the 
> router is blocking something, or the port forwarding isn't properly 
> configured for WWW. Try 
> http://support.dlink.com/faq/view.asp?prod_id=1005 for info on how to 
> set up the ports.
> 
> Getting iptables properly configured on your web server is good idea as 
> you'll want to keep someone from hacking into it.
> 
> Dave
> 
> On Tuesday, September 21, 2004, at 01:01  PM, camroe@telusplanet.net 
> wrote:
> 
> > Hi all,
> >
> > So I'm trying to run an Apache web server on my YDL.
> > I'm running Apache 2.0.50 on YellowDog Linux (YDL) Release 3.0, Kernel
> > version 2.4.22-2f. I am running it behind a D-Link DSL firewall/router
> > DI-601. My YDL machine is assigned a local IP 192.168.1.5.
> > I was screwing around with the port forwarding but wasn't having any 
> > luck so
> > I put the YDL in a DMZ (i.e. WAN has ALL access to this machine) I can 
> > FTP
> > and Telnet to it using the dynamically assigned ISP IP address of the 
> > router
> > (199.21.148.227 ... and no that's not the real address :)  )
> >
> > The problem is that when I  browse to the address (199.21.148.227) I 
> > expect
> > to get the Apache test page, but I get 'The connection was refused when
> > attempting to contact 199.21.148.227'. I can browse to the 
> > 192.168.1.105 from
> > another machine on my local home network, but I can't get to it from an
> > external machine - i.e. at the office. I've tried both netscape and 
> > IE, as
> > well as tried to telnet to port 80 (telnet 199.21.148.227 80), but 
> > still get
> > connection refused. I've checked the Apache logs and there are no 
> > access_log
> > entries or error_log entries. That there are no entries confirms my 
> > belief
> > that Apache never gets the request and that port 80 is being blocked 
> > from
> > external access.
> > Thinking about what could be blocking port 80 (http) but not port 
> > 23(telnet)
> > -  I know just enough about IP chains to get into trouble, so I simply 
> > tried
> > switching them off with 'service iptables stop'.
> >
> > So when I do an iptables -L I get the following:
> >
> > Chain INPUT (policy ACCEPT)
> > target prot opt source  		destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source  		destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source  		destination
> >
> > To me this says that the machine is WIDE open.
> >
> > I also checked with my ISP provider to make sure that they weren't 
> > blocking
> > port 80 but they confirmed that they do not do anything special to 
> > block
> > anything.
> >
> > Just to confirm that http was indeed running I did an nmap with the
> > following result.
> >
> > nmap -p 1-1024 localhost
> >
> > Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on
> > localhost.localdomain (127.0.0.1):
> > (The 1017 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 21/ftp     open        ftp
> > 22/tcp     open        ssh
> > 23/tcp     open        telnet
> > 25/tcp     open        smtp
> > 80/tcp     open        http
> > 111/tcp    open        sunrpc
> > 443/tcp    open        https
> > 631/tcp    open        ipp
> >
> > Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
> >
> >
> > So to review:
> > 1. I've opened up the machine by putting it in a DMZ (all access open 
> > from
> > the router)
> > 2. I've turned off any ipchain rules
> > 3. I can access the machine through telnet(port23) but can't access 
> > port 80.
> >
> > That's all I can think of to check! My question is - what else could 
> > be
> > blocking port 80? Any ideas on what to check?
> >
> > Thanks for your help!!!
> 
> _______________________________________________
> yellowdog-general mailing list
> yellowdog-general@lists.terrasoftsolutions.com
> http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
> HINT: to Google archives, try  '<keywords> site:terrasoftsolutions.com'
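The tcpdump output Cam posted shows the key symptom: six SYNs from the same client, roughly doubling in spacing (3, 6, 12, 24, 48 s), which is the client's TCP retransmit backoff when it hears nothing back at all. "Connection refused" would mean the host answered with a RST; nmap's "filtered" means the probe got no answer (or an ICMP unreachable), which is exactly what a silent drop, whether on the router or on the host, looks like from outside. The script below is an added example for this thread, not code from the list or from Cam; it parses tcpdump 3.x-style one-line records and classifies each client/server pair as open (SYN/ACK seen), closed (RST seen) or filtered (SYNs never answered), reporting the retransmit gaps. The thread's own capture is embedded, joined onto one line per record; the open and refused flows (hosts 10.0.0.7 and 10.0.0.8) are constructed to show the other two outcomes. Note that replies only appear in a capture taken with `port 80` rather than `dst port 80`, so the capture filter assumed here is the bidirectional one.

```python
import re
from collections import defaultdict

# Matches tcpdump 3.x records: "HH:MM:SS.usec src > dst: FLAGS [seq:seq(len)] [ack N] ..."
PACKET_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SRPF.]+)\s+(?:\d+:\d+\(\d+\)\s+)?(?P<ack>ack\s+\d+)?"
)

# The capture from the thread, one record per line (SYNs only, since it
# was taken with 'dst port 80').
THREAD_CAPTURE = """\
14:37:32.001913 s142-179-148-227.ab.hsia.telus.net.61652 > 192.168.1.105.http: S 4026405647:4026405647(0) win 5840 <mss 1460,sackOK,timestamp 424418336 0,nop,wscale 0> (DF)
14:37:34.998295 s142-179-148-227.ab.hsia.telus.net.61653 > 192.168.1.105.http: S 4026405647:4026405647(0) win 5840 <mss 1460,sackOK,timestamp 424418636 0,nop,wscale 0> (DF)
14:37:40.998462 s142-179-148-227.ab.hsia.telus.net.61654 > 192.168.1.105.http: S 4026405647:4026405647(0) win 5840 <mss 1460,sackOK,timestamp 424419236 0,nop,wscale 0> (DF)
14:37:52.998550 s142-179-148-227.ab.hsia.telus.net.61657 > 192.168.1.105.http: S 4026405647:4026405647(0) win 5840 <mss 1460,sackOK,timestamp 424420436 0,nop,wscale 0> (DF)
14:38:16.998456 s142-179-148-227.ab.hsia.telus.net.61658 > 192.168.1.105.http: S 4026405647:4026405647(0) win 5840 <mss 1460,sackOK,timestamp 424422836 0,nop,wscale 0> (DF)
14:39:04.999757 s142-179-148-227.ab.hsia.telus.net.61659 > 192.168.1.105.http: S 4026405647:4026405647(0) win 5840 <mss 1460,sackOK,timestamp 424427636 0,nop,wscale 0> (DF)
"""

# Constructed records (not from the thread) showing what a bidirectional
# 'tcpdump port 80' capture looks like when the port is open or refused.
CONSTRUCTED_REPLIES = """\
14:40:01.000000 10.0.0.7.40001 > 192.168.1.105.http: S 5000:5000(0) win 5840 <mss 1460> (DF)
14:40:01.100000 192.168.1.105.http > 10.0.0.7.40001: S 1000:1000(0) ack 5001 win 5792 <mss 1460> (DF)
14:40:05.000000 10.0.0.8.40002 > 192.168.1.105.http: S 7000:7000(0) win 5840 <mss 1460> (DF)
14:40:05.100000 192.168.1.105.http > 10.0.0.8.40002: R 0:0(0) ack 7001 win 0
"""


def _split_endpoint(endpoint):
    """'host.port' -> (host, port); the port is the text after the last dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def _to_seconds(ts):
    """'HH:MM:SS.frac' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Return a list of dicts for every record the regex understands."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            packets.append({
                "t": _to_seconds(m.group("ts")),
                "src": m.group("src"),
                "dst": m.group("dst"),
                "flags": m.group("flags"),
                "ack": m.group("ack") is not None,
            })
    return packets


def classify_flows(text):
    """Group packets by (client host, server endpoint) and give a verdict.

    open     - a SYN/ACK came back, the service answered
    closed   - a RST came back, the host is up but nothing listens (refused)
    filtered - SYNs were sent and nothing ever came back (silently dropped)
    """
    flows = defaultdict(lambda: {"syn_times": [], "synack": 0, "rst": 0})
    for p in parse_capture(text):
        src_host, _ = _split_endpoint(p["src"])
        dst_host, _ = _split_endpoint(p["dst"])
        if "S" in p["flags"] and not p["ack"]:
            flows[(src_host, p["dst"])]["syn_times"].append(p["t"])  # bare SYN: src is the client
        elif "S" in p["flags"] and p["ack"]:
            key = (dst_host, p["src"])  # SYN/ACK: the server is the sender
            if key in flows:
                flows[key]["synack"] += 1
        elif "R" in p["flags"]:
            key = (dst_host, p["src"])  # RST from the server side
            if key in flows:
                flows[key]["rst"] += 1

    report = {}
    for key, f in flows.items():
        times = sorted(f["syn_times"])
        if f["synack"]:
            verdict = "open"
        elif f["rst"]:
            verdict = "closed"
        else:
            verdict = "filtered"
        report[key] = {
            "syn": len(times),
            "verdict": verdict,
            # Gaps between successive SYNs; doubling gaps are the client's retransmit backoff.
            "retransmit_gaps_s": [b - a for a, b in zip(times, times[1:])],
        }
    return report


if __name__ == "__main__":
    for (client, server), f in classify_flows(THREAD_CAPTURE + CONSTRUCTED_REPLIES).items():
        gaps = ", ".join(f"{g:.0f}s" for g in f["retransmit_gaps_s"])
        print(f"{client} -> {server}: {f['verdict']} ({f['syn']} SYNs; gaps: {gaps or 'n/a'})")
```

Run against the thread's capture this reports the telus.net client as filtered with gaps of 3, 6, 12, 24 and 48 seconds: the SYNs reached eth0 but the YDL box never replied, so the drop is between the interface and the listening socket rather than in Apache, which never sees a connection and therefore logs nothing. To narrow it further on the host, capture with `tcpdump -n port 80` so that any SYN/ACK or RST the kernel does send is visible next to the incoming SYNs.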