Network accessibility problem
on 07.04.2006 03:50:52 by gerardo juarez-mondragon
I have a Fedora Core 2 server running in a
network behind a firewall. I need access to ports
22 and 80 from outside but the firewall
administration is not under my control. I have
requested this access to be opened and the
administrator says it is already open, yet I
still cannot access it from outside.
I have run a few tests and this is what I found:
(Filtering tables are flushed with iptables -F,
on the server, prior to the tests)
I can ping to/from it from/to any place, whether
it is inside or outside the office.
I can ssh to it from any place *inside*, but not
from outside. A ssh -v from a computer outside
succeeds up to the "entering event loop" message
(which means it has presumably connected but the
dialog does not proceed beyond this point).
Vice versa, attempting a ssh session past the
firewall results in an instantaneous 'Connection
refused' message. The same connection from
another computer succeeds, proving a ssh server
was indeed running at the other end.
Telnetting to port 80 produces this result:
Trying 207.284.xxx.yyy...
Connected to 207.248.xxx.yyy.
Escape character is '^]'.
when attempted from the (outside) ip authorized
to access the computer. Any other ip just gets to
the 'Trying...' line. This is correct and what
should be happening, yet a browser reports
'request sent' and proceeds no further when
pointed to the address. (The Apache installation
index page should be displayed).
The administrator argues that some 'service'
within my server is blocking packets, but I don't
know that SSH can be configured to restrict
access to specific ip segments. It can restrict
access to *accounts*. Nor that there is such a
service, except the firewall, whose tables I have
already flushed.
Am I missing something? What other tests do you
suggest?
Thanks,
Gerardo
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
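The outcomes described in the post above (an instant 'Connection refused', a hang at 'Trying...', and 'Connected' with nothing following) can be told apart with a small TCP probe. This is an added example, not part of the original thread; `probe`, `local_server` and `demo` are hypothetical names, and the demo talks only to constructed loopback listeners.

```python
import socket
import threading
def probe(host, port, payload=b"", timeout=3.0):
    """Return (state, data) describing how far a TCP exchange gets."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return ("refused", b"")    # RST: the instant 'Connection refused'
        except socket.timeout:
            return ("filtered", b"")   # SYN unanswered: stuck at 'Trying...'
        try:
            s.sendall(payload)         # empty payload just waits for a banner
            data = s.recv(256)
        except socket.timeout:
            return ("stalled", b"")    # 'Connected', then nothing comes back
        except ConnectionResetError:
            return ("closed", b"")
        return ("data", data) if data else ("closed", b"")
    finally:
        s.close()

def local_server(banner=b""):
    """Constructed loopback listener: sends banner (or stays silent)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(banner)
            while conn.recv(1024):     # hold the connection until the client closes
                pass
    threading.Thread(target=serve, daemon=True).start()
    return port

def demo():
    out = {
        "banner": probe("127.0.0.1", local_server(b"SSH-2.0-constructed\r\n"), timeout=1.0),
        "silent": probe("127.0.0.1", local_server(), b"GET / HTTP/1.0\r\n\r\n", 1.0),
    }
    with socket.socket() as spare:     # bind a port, then free it: nothing listens there
        spare.bind(("127.0.0.1", 0))
        dead = spare.getsockname()[1]
    out["dead"] = probe("127.0.0.1", dead, timeout=1.0)
    return out
```

Run from the outside host while a packet capture runs on the server, a `stalled` result shows on which side of the firewall the request or the reply stops.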
Re: Network accessibility problem
on 07.04.2006 09:02:51 by Glynn Clements
gerardo juarez-mondragon wrote:
> Am I missing something? What other tests do you
> suggest?
Use a packet logger such as tcpdump or ethereal to observe what is
actually being sent and received.
--
Glynn Clements
Re: Network accessibility problem
on 07.04.2006 13:18:31 by chuck gelm net
gerardo juarez-mondragon wrote:
>I have a Fedora Core 2 server running in a
>network behind a firewall. I need access to ports
>22 and 80 from outside but the firewall
>administration is not under my control. I have
>requested this access to be opened and the
>administrator says it is already open, yet I
>still cannot access it from outside.
>
>I have run a few tests and this is what I found:
>
>(Filtering tables are flushed with iptables -F,
>on the server, prior to the tests)
>
>I can ping to/from it from/to any place, whether
>it is inside or outside the office.
>
>I can ssh to it from any place *inside*, but not
> from outside. A ssh -v from a computer outside
>succeeds up to the "entering event loop" message
>(which means it has presumably connected but the
>dialog does not proceed beyond this point).
>Vice versa, attempting a ssh session past the
>firewall results in an instantaneous 'Connection
>refused' message. The same connection from
>another computer succeeds, proving a ssh server
>was indeed running at the other end.
>
>Telnetting to port 80 produces this result:
>
>Trying 207.284.xxx.yyy...
>Connected to 207.248.xxx.yyy.
>Escape character is '^]'.
>
>when attempted from the (outside) ip authorized
>to access the computer. Any other ip just gets to
>the 'Trying...' line. This is correct and what
>should be happening, yet a browser reports
>'request sent' and proceeds no further when
>pointed to the address. (The Apache installation
>index page should be displayed).
>
>The administrator argues that some 'service'
>within my server is blocking packets, but I don't
>know that SSH can be configured to restrict
>access to specific ip segments. It can restrict
>access to *accounts*. Nor that there is such a
>service, except the firewall, whose tables I have
>already flushed.
>
>Am I missing something? What other tests do you
>suggest?
>
>Thanks,
>Gerardo
>
>
Dear Gerardo:
You mention only trying one port (ssh:22) from the 'outside'
and that the ssh attempt failed.
You did not mention that the 'Fedora Core 2 server' (FC2S)
has a routable IP address. What ports of the FC2S are
reachable from the outside?
HTH, Chuck
Re: Network accessibility problem
on 07.04.2006 13:54:40 by acoello
gerardo juarez-mondragon wrote:
> I have a Fedora Core 2 server running in a
> network behind a firewall. I need access to ports
> 22 and 80 from outside but the firewall
> administration is not under my control. I have
> requested this access to be opened and the
> administrator says it is already open, yet I
> still cannot access it from outside.
>
> I have run a few tests and this is what I found:
>
> (Filtering tables are flushed with iptables -F,
> on the server, prior to the tests)
>
> I can ping to/from it from/to any place, whether
> it is inside or outside the office.
>
> I can ssh to it from any place *inside*, but not
> from outside. A ssh -v from a computer outside
> succeeds up to the "entering event loop" message
> (which means it has presumably connected but the
> dialog does not proceed beyond this point).
> Vice versa, attempting a ssh session past the
> firewall results in an instantaneous 'Connection
> refused' message. The same connection from
> another computer succeeds, proving a ssh server
> was indeed running at the other end.
>
> Telnetting to port 80 produces this result:
>
> Trying 207.284.xxx.yyy...
> Connected to 207.248.xxx.yyy.
> Escape character is '^]'.
>
> when attempted from the (outside) ip authorized
> to access the computer. Any other ip just gets to
> the 'Trying...' line. This is correct and what
> should be happening, yet a browser reports
> 'request sent' and proceeds no further when
> pointed to the address. (The Apache installation
> index page should be displayed).
>
> The administrator argues that some 'service'
> within my server is blocking packets, but I don't
> know that SSH can be configured to restrict
> access to specific ip segments. It can restrict
> access to *accounts*. Nor that there is such a
> service, except the firewall, whose tables I have
> already flushed.
>
> Am I missing something? What other tests do you
> suggest?
>
> Thanks,
> Gerardo
Hello Gerardo...
The problem that you are experiencing is coming from the server's
iptables rules; you really should check with your server admin. Maybe
ports 22 and 80 are blocked for connections coming from an IP outside
the range of your local network. If you can log into the server from
within the network and not from outside, it is probably an iptables
rule blocking outside connections.
Saludos
AKC
Re: Network accessibility problem
on 07.04.2006 14:45:42 by level
> Am I missing something? What other tests do you
> suggest?
The first thing I'd do is to analyse the Apache logs. You should find
something related to apache/httpd in /var/log. There is an error.log and
an access.log. I would look into the error.log to see if it's somehow
Apache who's faulting.
Re:Network accessibility problem
on 07.04.2006 17:05:44 by Gustavo Serra
> I have a Fedora Core 2 server running in a
> network behind a firewall. I need access to ports
> 22 and 80 from outside but the firewall
> administration is not under my control. I have
> requested this access to be opened and the
> administrator says it is already open, yet I
> still cannot access it from outside.
>
> I have run a few tests and this is what I found:
>
> (Filtering tables are flushed with iptables -F,
> on the server, prior to the tests)
>
> I can ping to/from it from/to any place, whether
> it is inside or outside the office.
>
> I can ssh to it from any place *inside*, but not
> from outside. A ssh -v from a computer outside
> succeeds up to the "entering event loop" message
> (which means it has presumably connected but the
> dialog does not proceed beyond this point).
> Vice versa, attempting a ssh session past the
> firewall results in an instantaneous 'Connection
> refused' message. The same connection from
> another computer succeeds, proving a ssh server
> was indeed running at the other end.
>
> Telnetting to port 80 produces this result:
>
> Trying 207.284.xxx.yyy...
> Connected to 207.248.xxx.yyy.
> Escape character is '^]'.
>
> when attempted from the (outside) ip authorized
> to access the computer. Any other ip just gets to
> the 'Trying...' line. This is correct and what
> should be happening, yet a browser reports
> 'request sent' and proceeds no further when
> pointed to the address. (The Apache installation
> index page should be displayed).
>
> The administrator argues that some 'service'
> within my server is blocking packets, but I don't
> know that SSH can be configured to restrict
> access to specific ip segments. It can restrict
> access to *accounts*. Nor that there is such a
> service, except the firewall, whose tables I have
> already flushed.
>
> Am I missing something? What other tests do you
> suggest?
>
> Thanks,
> Gerardo
Hi, I am not very good at this (still learning), but I was thinking that maybe you could use traceroute to see what is the last machine that you can reach outside of your server network. If I am not mistaken, you can specify a port to traceroute. However, I think that the problem is the firewall (maybe an error of the admin?), since your machine accepts incoming requests.
Re: Network accessibility problem
on 07.04.2006 17:24:39 by level
chuck gelm wrote:
> Dear Gerardo:
>
> You mention only trying one port (ssh:22) from the 'outside'
> and that the ssh attempt failed.
>
> You did not mention that the 'Fedora Core 2 server' (FC2S)
> has a routable IP address. What ports of the FC2S are
> reachable from the outside?
>
> HTH, Chuck
Chuck, I think that he mentioned that only 22 and 80 are accessible from
outside, but the 22 I doubt it.
Cheers
Re: Re:Network accessibility problem
on 18.04.2006 18:07:32 by gerardo juarez-mondragon
Thanks everyone, it does seem to be a problem
with the firewall administration, but we are at a
bureaucratic level discussion right now. As soon
as I have a result that might be of technical
relevance I will post it. Thanks again.
Gerardo