
Virtual Server works behind firewall but not outside
[link|http://normad.homelinux.com/|http://normad.homelinux.com/]

It seems to work behind the firewall, but outside it cannot be accessed but can be pinged. I set up port 80 to the Windows 2000 Server IP address (192.168.0.2) via the Router's Virtual Server settings. Any other settings that I need to set to let the outside world see it?

What is DMZ? It was in the Virtual Server settings. Do I need it? How about routing, RIP1, RIP2?

Will allowing port 80 to work disable my protection that the Firewall permits?

I am free now, to choose my own destiny.
If you have port-forwarding as an option...
Well, it goes like this.

1.) Any routing protocol is not needed, unless you have REAL Internet Addresses on the inside of the firewall. Which you don't.

2.) Port Forwarding is what you need. You can do this with nearly any GOOD firewall product... including IPTABLES.

3.) "Crackers" typically have less of a chance to compromise your web-server when using port-forwarding. It allows you to use your one ip addr, to be serviced by many machines should you so choose.

Fer instance:

Your public IP is 208.1.2.3
You use 172.16.0.0/16 as your private network

172.16.10.17 is your Webserver with SSL also on tcp ports 80 & 443, running Apache and AIX

172.16.20.34 is your "anonftp" server on ports 20 & 21, Running on Winbloze-Oh-Oh

172.16.30.51 is a ssl-webmin managed server on port 10000, running on SuSE Linux

172.16.40.68 is a public LDAP/SSL-LDAP server on tcp 389, udp 389 & tcp 636, running on Novell Netware 6 with eDIR

172.16.50.85 is your user-world for ssh-shell and ssl-usermin access on ports tcp/udp 22 and tcp 20000, running on Tru64 v5.01a

That would mean your rules would look something like this:

208.1.2.3 tcp ports 80 & 443 ---->
      172.16.10.17 tcp ports 80 & 443

208.1.2.3 tcp ports 20 & 21 ---->
      172.16.20.34 tcp ports 21 & 21

208.1.2.3 tcp port 10000 ---->
      172.16.30.51 tcp port 10000

208.1.2.3 tcp/udp port 389 & tcp port 636 --->
      172.16.40.68 tcp/udp port 389 & tcp port 636

208.1.2.3 tcp ports 22 & 20000 --->
      172.16.50.85 tcp ports 22 & 20000

Imagine what a port scan on that (provided you responded to port scans) would look like.

Sidenote: You should obviously NOT be using that big of a subnet any where in this world currently, even with IPv6 and BGP. Also I am assuming static routes here for this setup. As I would encode it in the DHCP I would be running too...

greg, curley95@attbi.com -- REMEMBER ED CURRY!!!
Re: Virtual Server works behind firewall but not outside
First of all the DMZ (DeMilitarized Zone) is a computer you put effectively outside of the firewall. Don't do this! Setting up the virtual server is a good way to start doing what you want to do. Also look at your router's incoming packet server, and make sure it lets outside servers have access to TCP port 80. What I did at this level was set up a policy to Deny any IP Address:Ports I didn't specify, then specified all the non-local IP addresses on port 80 were allowed past this point.

Next, you need to make sure Windows 2000 isn't blocking the external addresses (I have a feeling it is). I'm afraid I can't be of much use here, as I've had no experience setting Win 2000 up for web services. One thing to think about though is that the packets retain their original IP address, so Windows sees them as outside of the local network.

Consider setting up an OS level firewall on the server as well. This could give you finer control of what packets get on. An application level firewall like ZoneAlarm can also prevent programs on your computer (whether you installed it or a hacker did) from accessing the internet without your express permission.
~~~)-Steven----

"I want you to remember that no bastard ever won a war by dying for his country.
He won it by making the other poor dumb bastard die for his country..."

General George S. Patton
Settings on Windows 2000 Server
Show No IPSEC and no filtering for TCP/IP. So port 80 should not be blocked by the server. I had Black Ice on it, but removed it because I thought it might be blocking the server.

I set the range of addresses to pass for port 80 to the known Internet (1.1.1.1 to 254.254.254.254) and still no connection.

Any outgoing filters
I was able to ping your server, and when I tried accessing the web server, Netscape said it connected to the host, but was waiting for a reply (as opposed to saying "establishing connection"). This makes me wonder if the reply might be getting dropped on the way out. Have you looked for a log from your Web service? Does it show any activity? You should see my connection attempt from IP 132.10.250.4 among others.

On your incoming packet filter, you may want to block the Class A-E network and loopback addresses. These are addresses that shouldn't be used on the internet; if they are, it's for spoofing poorly networked computers. See [link|http://z.iwethey.org/forums/render/content/show?contentid=36713|this message] for more info on these reserved IPs.
~~~)-Steven----

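One way to write folkert's forwarding table and Steven's "block the reserved ranges on the incoming filter" advice as an iptables ruleset, added here as an example rather than anything a poster supplied; the interface names eth0/eth1 and the exact bogon list are assumptions, the addresses and ports are folkert's.

```python
from ipaddress import ip_address, ip_network

PUBLIC_IP = "208.1.2.3"        # public address from folkert's example
WAN, LAN = "eth0", "eth1"      # assumed interface names (not from the thread)

# (internal host, protocol, port) taken from folkert's forwarding list
FORWARDS = [
    ("172.16.10.17", "tcp", 80), ("172.16.10.17", "tcp", 443),
    ("172.16.20.34", "tcp", 20), ("172.16.20.34", "tcp", 21),
    ("172.16.30.51", "tcp", 10000),
    ("172.16.40.68", "tcp", 389), ("172.16.40.68", "udp", 389),
    ("172.16.40.68", "tcp", 636),
    ("172.16.50.85", "tcp", 22), ("172.16.50.85", "udp", 22),
    ("172.16.50.85", "tcp", 20000),
]

# Source ranges that should never arrive from the Internet side (Steven's
# "Class A-E network and loopback" advice: RFC 1918 private, loopback,
# link-local, multicast and reserved blocks). Assumed list.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]


def ruleset(forwards=FORWARDS, bogons=BOGONS):
    """Return the iptables commands, in order, for the forwarding firewall."""
    rules = ["iptables -P FORWARD DROP"]  # nothing crosses unless listed below
    for net in bogons:                    # anti-spoof: drop bogons on WAN first
        rules.append(f"iptables -A INPUT -i {WAN} -s {net} -j DROP")
        rules.append(f"iptables -A FORWARD -i {WAN} -s {net} -j DROP")
    # replies to connections already allowed flow back without extra rules
    rules.append("iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
    for host, proto, port in forwards:
        # PREROUTING rewrites the destination; FORWARD must still allow it
        rules.append(f"iptables -t nat -A PREROUTING -i {WAN} -d {PUBLIC_IP} "
                     f"-p {proto} --dport {port} -j DNAT --to-destination {host}:{port}")
        rules.append(f"iptables -A FORWARD -i {WAN} -o {LAN} -d {host} -p {proto} "
                     f"--dport {port} -m state --state NEW -j ACCEPT")
    return rules


def exposed_services(forwards=FORWARDS):
    """(proto, port) pairs an outside scan of PUBLIC_IP can reach: only the
    forwarded ones, each answered by a different internal machine."""
    return sorted({(proto, port) for _, proto, port in forwards})


def is_bogon_source(src, bogons=BOGONS):
    """True if a packet with this source address must be dropped on WAN."""
    addr = ip_address(src)
    return any(addr in ip_network(net) for net in bogons)


if __name__ == "__main__":
    print("\n".join(ruleset()))
    print("exposed:", exposed_services())
```

Opening port 80 this way does not weaken the rest of the firewall: the FORWARD policy stays DROP, so only the listed host and port are reachable from outside.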
Weblog doesn't show any access
so I am guessing that it is dying at the router. Only access it is showing is my local access IP numbers.

Ah heck, maybe I ought to put the web pages up at Brinkster or Webhostme and hope that the pop-ups and banner ads don't look too bad to people reviewing my programs.

Nah - it's good to have your own server....
I've had mine since dial-up days (made a deal w/ my ISP @ the time - they kicked me off first if all the lines filled up; I could use 'redial' *grin*).

Could you indulge me in an experiment? Dunno if it's relevant, but can you put a reference in your hosts file on the webserver that points normad.homelinux.com to your local address (192.168.0.2)?

Imric's Tips for Living
  • Paranoia Is a Survival Trait
  • Pessimists are never disappointed - but sometimes, if they are very lucky, they can be pleasantly surprised...
  • Even though everyone is out to get you, it doesn't matter unless you let them win.
Done
and the server is restarting now just to be sure.

Well, it still doesn't work...
So I port-scanned you.

Here are the results:
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on dsl-64-129-13-109.telocity.com (64.129.13.109):
(The 1539 ports scanned but not shown below are in state: filtered)
Port State Service
110/tcp closed pop-3
113/tcp closed auth
8080/tcp closed http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 154 seconds

Edited by imric May 22, 2002, 11:31:34 PM EDT
What make/model router?
~~~)-Steven----

Make model router
DLINK DI-804

I have them on tech support by email. Told them I applied the latest firmware, they emailed me back to try the latest firmware upgrade. Duh! Jeff Daniels and Jim Carrey must be running their helpdesk?

troubleshooting
I looked at the manual for that model. It doesn't look like that router allows you to set up your own packet filters. I guess I just assumed it did. You'll definitely want to set up a firewall on your server if there is no packet filter on the router. I've included a checklist of troubleshooting questions, please don't feel insulted by the simplicity of some of them, sometimes we all miss the little things.

Is the DHCP server enabled on the router?
-Yes
--Did you reserve the server's IP address in the DHCP Server Settings?
--Is your server set up as a DHCP client?
--You might also try disabling DHCP and setting up your server with a static IP (see below)
-No
--Did you manually set the DNS addresses of your ISP on your server?

Does your ISP for some reason block that port (and others)? They don't normally, but it is possible.
~~~)-Steven----

Re: troubleshooting
I set up the server with the static IP 192.168.0.2 and used the ISP's DNS settings. I followed all those steps, and either the ISP is blocking port 80, or this router needs some other settings?

Have you looked at
The Intrusion Detection Log? Both Imric and I have tried port scans on your IP, these should have shown up on this log if they made it to your router.

Another thing you can try is connecting your server directly to the DSL modem. See if your web server shows up then. You should probably have Black Ice running to protect yourself, just make sure you can open up port 80. Also make sure your security updates are current.
~~~)-Steven----

DSL or Cable?
either the ISP is blocking port 80

Verizon has done exactly this on the East Coast. Anyone that had DSL before the merger with GTE may not be blocked, but everyone else using Verizon ADSL is probably hosed.

I'd suggest switching to port 8080 and see if things magically start working.
DSL
DirectTV (I joined when they were Telocity). Do they block port 80? If so, they never told me that they did.

end-user level answers
sheesh, guys, he doesn't need the grad-level stuff.

Your server shouldn't worry about any of the routing, just make sure its default gateway is set to the internal address of the router, and DNS points to your ISP's DNS servers. If you can look at www.google.com on the server then this all works right. I would guess you should use 0.0.0.0 instead of 1.x - 254.x in your web server settings.

The router:

* You don't need DMZ.
* You don't need RIP settings.
* Set port 80 in Virtual Servers to point to your server's IP.

Can you email me your public IP? Pinging the address you gave doesn't work for me:

Pinging normad.homelinux.com [64.129.13.109] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
---------------------------------
Many fears are born of stupidity and ignorance -
Which you should be feeding with rumour and generalisation.
BOfH, 2002 "Episode" 10
Send your email address to
ngking at telocity.com

That IP in normad.homelinux.com is my DSL IP address. I will set the router to your settings. The DSL can surf just fine, uses the ISP's DNS servers, etc.

Update
Give it a try at [link|http://normad.homelinux.com/|http://normad.homelinux.com]

I put it as the DMZ server, as the virtual servers apparently did not work. Please don't try and crack into my server, I've disabled the guest account, C$ and D$ shares, and have the latest MS updates for Windows 2000 Server. Any other things I should do to keep crackers out?

Looks like it works from here.
I like the irony, though...a Win2K server sitting on a homelinux.com domain.. :)

Ya know, I think I saw something the other day about an ASP module for Apache...
-----
Steve
Don't worry
I can always switch in my Linux server to the DMZ when I get the Linux server configured properly on the other machine. Just a test for now.

Yup, it's working!
On and on and on and on,
and on and on and on goes John.
Run a Firewall on your server
But I'm sure you already figured that out
~~~)-Steven----

Norm!!!
You didn't REALLY use FrontPage for one link and one image, did you?

...did you?


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
Doesn't look like it
You usually see a lot of useless font tags in a FrontPage document. Maybe he just copied the header.
~~~)-Steven----

I created the blank page with FP
then added in the link and image by hand in the "View HTML" part.

Get Thee to a Firewall
I count 23 ports open.
Sygate Help!
I installed Sygate, but now the server does not work! I told it to open up port 80, now it seems to be blocking everything. I don't see a setting for IIS and I see one for IE, but even IE doesn't work now despite me telling it to. The "Block All" is not on, and the documentation doesn't seem to be helping me any. I've never used this Firewall software before.

Dammit dammit dammit dammit!
All the Help and Document pages are web based, and Sygate is blocking port 80 despite me telling it not to. I am really ticked off about this! It says in the log that it is blocking, despite everything I set so that port 80 would work!

I tried the Virtual Server on port 80, and got nothing. Does a web server need more than port 80 open in order to work? I put it back on DMZ with Sygate.

Had no trouble with the ME version
Did your ISP set you up through a proxy? That seems to me to be a reasonable cause for the problems you're having.
~~~)-Steven----

No proxy, direct DSL access
I have a static IP, I am allowed to run servers, and it works without Sygate, yet fails to work when Sygate is loaded. When I exit Sygate, everything works, but the system is unprotected.

Maybe I'll have better luck with Black Ice or something else? This is Windows 2000, so maybe the network connection is different somehow than your ME?

Hmm. Are you using the personal firewall?
If so, did you...
  1. Allow the webserver [link|http://soho.sygate.com/support/documents/spf_help/allowing_applications.htm|access to the network card]?

  2. Configure it to act as a server in the [link|http://soho.sygate.com/support/documents/spf_help/advanced_application_configuration.htm|advanced configuration menu?]

  3. Check [link|http://soho.sygate.com/support/documents/spf_help/ports_and_protocols.htm|the rules] to make sure that nothing is blocking you there...

They do seem to have [link|http://forums.sygatetech.com/index.php|support fora], too.

Realistically, I dunno how much more help I can be here, really - I don't actually use Sygate products for anything...

*grin* Maybe trying something else, at least for now, really isn't such a bad idea...

Yes I am
and it is still blocking it. I got so frustrated that I switched the server off after shutting it down. Sygate is going away, maybe Black Ice will work better?

I may just have to get an older system to run as a Linux server behind the DMZ and then use Linux to run to the Windows 2000 Server Web Server. The Linux server will then be the Firewall. I got an old Pentium MMX 200 and Pentium II 266MHz machines to try and get Linux working on them. A friend is going to burn me a copy of Red Hat 7.3, because apparently these machines do not like CDRs burned from my CD Burner? Media Errors on 1X burned CDR disks, bah!
