I am running RedHat 7.1 I have managed to access my web server and web pages but there has been an intermitant problem I keep getting: "Forbidden You don''t have permission to access / on this server Apache 1.3.19 Server at 129. etc Port 80" I have solved this in the past by running ''setup'' and turning the firewall off but now this doesn''t seem to work it keeps setting itself to ''high'' and i can''t reset it I don''t know which files it sets or what it does so I can''t do it manually. Ant ideas? Cheers Mike
[This email is either empty or too large to be displayed at this time]
On Wed, Sep 05, 2001 at 12:10:45PM +0100, Mike wrote:> I am running RedHat 7.1 > > I have managed to access my web server and web pages > but there has been an intermitant problem > > I keep getting: > > "Forbidden > You don''t have permission to access / on this server > Apache 1.3.19 Server at 129. etc Port 80"Check /etc/httpd/conf/httpd.conf for the "DocumentRoot" setting and the "Directory" section which specifies the permissions the web server enforces on the directory. You''ll also want to make sure that the directory is world-readable (using "ls -ld"). HTH, Nalin
Hi all, I''m running RedHat 7.0 with Apache. I don''t use a firewall. My 80 port is open, I can telnet to it and I can see my local webpages and so can everyone on the networks that I''m routing to and from. The problem is that nobody from the outside can access my 80; they all get a "connection refused" message. I''ve checked with my provider and they assured me repeatedly that they don''t run any firewall on my IP class. I''ve checked httpd.conf and there''s no deny before any allow rule :) The problem remains: for everyone outside, 80 is a closed port, and from anyone from inside, it works. And now for the question: why? :o)
> > "Forbidden > > You don''t have permission to access / on this server > > Apache 1.3.19 Server at 129. etc Port 80" > > Check /etc/httpd/conf/httpd.conf for the "DocumentRoot" setting and > the "Directory" section which specifies the permissions the web server > enforces on the directory. You''ll also want to make sure that the > directory is world-readable (using "ls -ld"). >Thanks, yes it was indeed that the folder was not world readable. Mike
Hi, Did the people outside try accessing your site using the IP address of your sever? If the site can be accessed using ip addresses, then it''s probably a dns problem. HTH Joon ----- Original Message ----- From: Alex Deva <alxx@tisp.ro> To: <redhat-secure-server@redhat.com> Sent: Thursday, September 06, 2001 5:14 PM Subject: port 80> Hi all, > > I''m running RedHat 7.0 with Apache. I don''t use a firewall. My 80 port > is open, I can telnet to it and I can see my local webpages and so can > everyone on the networks that I''m routing to and from. The problem is > that nobody from the outside can access my 80; they all get a > "connection refused" message. I''ve checked with my provider and they > assured me repeatedly that they don''t run any firewall on my IP class. > I''ve checked httpd.conf and there''s no deny before any allow rule :) The > problem remains: for everyone outside, 80 is a closed port, and from > anyone from inside, it works. > > And now for the question: why? :o) > > > > _______________________________________________ > Redhat-secure-server mailing list > Redhat-secure-server@redhat.com > https://listman.redhat.com/mailman/listinfo/redhat-secure-server >
Joon Guillen wrote:> Did the people outside try accessing your site using the IP address of your > sever? If the site can be accessed using ip addresses, then it''s probably a > dns problem.Yes they did, and no it didn''t work. I don''t think it''s a DNS problem. Not that I don''t have other problems with the DNS :) Besides, as I said, the error that you get trying to open a socket on my 80 is "connection refused" not anything like "unable to resolve" or such. And before you ask, no, it doesn''t show in the access_log or error_log or messages, and I don''t see the attempt with tcpdump.
On Thu, 6 Sep 2001, Alex Deva wrote:> Joon Guillen wrote: > > Did the people outside try accessing your site using the IP address of your > > sever? If the site can be accessed using ip addresses, then it''s probably a > > dns problem. > > Yes they did, and no it didn''t work. I don''t think it''s a DNS problem. > Not that I don''t have other problems with the DNS :) Besides, as I said, > the error that you get trying to open a socket on my 80 is "connection > refused" not anything like "unable to resolve" or such. And before you > ask, no, it doesn''t show in the access_log or error_log or messages, and > I don''t see the attempt with tcpdump.You are at the end of a tunnel? -- Cristian Paslaru http://devel.iasi.ro
On Thu, 6 Sep 2001, Alex Deva wrote:> Joon Guillen wrote: > > Did the people outside try accessing your site using the IP address of your > > sever? If the site can be accessed using ip addresses, then it''s probably a > > dns problem. > > Yes they did, and no it didn''t work. I don''t think it''s a DNS problem. > Not that I don''t have other problems with the DNS :) Besides, as I said, > the error that you get trying to open a socket on my 80 is "connection > refused" not anything like "unable to resolve" or such. And before you > ask, no, it doesn''t show in the access_log or error_log or messages, and > I don''t see the attempt with tcpdump.You are at the end of a tunnel? -- Cristian Paslaru http://devel.iasi.ro
Yes, this list has degraded to the point of having nothing to do with RedHat''s secure server. The only questions I''ve seen on it lately concern generic linux configuration. At the risk of encouraging this, check your httpd.conf file and see if you have any allow/deny directives that are limiting what your apache server responds to. If the message is truely a ''connection refused'' though, it''s more likely that you have ipchains (or iptables) denying outside requests to port 80. Try an ''ipchains -L'' (as root) to see what your current setup is -- I think Redhat ships with a very limiting /etc/sysconfig/ipchains file. <Steve> On Thu, 6 Sep 2001, Alex Deva wrote:> Hi all, > > I''m running RedHat 7.0 with Apache. I don''t use a firewall. My 80 port > is open, I can telnet to it and I can see my local webpages and so can > everyone on the networks that I''m routing to and from. The problem is > that nobody from the outside can access my 80; they all get a > "connection refused" message. I''ve checked with my provider and they > assured me repeatedly that they don''t run any firewall on my IP class. > I''ve checked httpd.conf and there''s no deny before any allow rule :) The > problem remains: for everyone outside, 80 is a closed port, and from > anyone from inside, it works. > > And now for the question: why? :o) > > > > _______________________________________________ > Redhat-secure-server mailing list > Redhat-secure-server@redhat.com > https://listman.redhat.com/mailman/listinfo/redhat-secure-server >-- Steve Reppucci sgr@logsoft.com | Logical Choice Software http://logsoft.com/ | =-=-=-=-=-=-=-=-=-=- My God! What have I done? -=-=-=-=-=-=-=-=-=-=
The problem is related to security in the way that firewalls are related to security. I don''t consider my problem to be off the course of this list because it deals with a possible misconfiguration in a security issue. Moreover, I have explained in the email that it''s neither a httpd.conf nor an ipchains problem (on my side). (And, to my knowledge, RedHat doesn''t ship with such a limiting /etc/sysconfig/ipchains file.) In the meanwhile another member of the list -- Mr. Cristian Paslaru -- has helped me with a tcpdump-ed route tracing and he has found the firewall that was blocking my port, just a few routers away. Thank you anyway for your trouble.
On Thu, 6 Sep 2001, Stephen Reppucci wrote:> Yes, this list has degraded to the point of having nothing to do > with RedHat''s secure server. The only questions I''ve seen on it > lately concern generic linux configuration.You are right.> At the risk of encouraging this, check your httpd.conf file and see > if you have any allow/deny directives that are limiting what your > apache server responds to. If the message is truely a ''connection > refused'' though, it''s more likely that you have ipchains (or > iptables) denying outside requests to port 80. Try an ''ipchains -L'' > (as root) to see what your current setup is -- I think Redhat ships > with a very limiting /etc/sysconfig/ipchains file.No. There was really an firewall. Look: 13:58:32.136998 193.226.103.7.44619 > 217.156.12.9.http: SWE 3827377820:3827377820(0) win 5840 <mss 1460,sackOK,timestamp 24119611 0,nop,wscale 0> (DF) [tos 0x10] 13:58:32.516998 212.146.69.253 > 193.226.103.7: icmp: 217.156.12.9 tcp port http unreachable (DF) [tos 0xc4] The firewall is at IP 212.146.69.253, before reaching 217.156.12.9.> > <Steve> > > On Thu, 6 Sep 2001, Alex Deva wrote: > > > Hi all, > > > > I''m running RedHat 7.0 with Apache. I don''t use a firewall. My 80 port > > is open, I can telnet to it and I can see my local webpages and so can > > everyone on the networks that I''m routing to and from. The problem is > > that nobody from the outside can access my 80; they all get a > > "connection refused" message. I''ve checked with my provider and they > > assured me repeatedly that they don''t run any firewall on my IP class. > > I''ve checked httpd.conf and there''s no deny before any allow rule :) The > > problem remains: for everyone outside, 80 is a closed port, and from > > anyone from inside, it works. > > > > And now for the question: why? :o) > > > > > > > > _______________________________________________ > > Redhat-secure-server mailing list > > Redhat-secure-server@redhat.com > > https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > > >-- Cristian Paslaru http://devel.iasi.ro
I am not sure if this might be directly relevant to this but i am sure the experts might have already experimented and found a solution that I might use. I had a RH6.2 server which masquaraded the traffic on my LAN to Internet. it worked fine. Now recently, I upgraded to RH7.1, it works fine. I have this line to do this. /sbin/iptables -A FORWARD -s 192.168.69.0/255.255.255.192 -j ACCEPT This effectively masquarades my LAN 192.168.69.0/255.255.255.192 to Internet. EXCEPT for services as this one: The ftp clients on my LAN are unable to connect to any ftp server on Internet. I think on RH6.2 machine, additional line in ipchains as /sbin/modprobe masq_ftp did the trick to allow the ftp clients to connect. My research on the subject yielded that I should be doing this: /sbin/modprobe ip_conntrack_ftp But that still does n''t work for me. Here the output of /sbin/lsmod shows the same module as unused. I am a little confused here. If somebody can direct me to an appropriate URL or mailing list, it will be a great help. Thanks, Akshay -----Original Message----- From: redhat-secure-server-admin@redhat.com [mailto:redhat-secure-server-admin@redhat.com]On Behalf Of Stephen Reppucci Sent: Thursday, September 06, 2001 4:43 PM To: redhat-secure-server@redhat.com Subject: Re: port 80 https://listman.redhat.com/mailman/listinfo/redhat-secure-server
Alex, I would like to know more about how Christian figured this out... Cheers -----Original Message----- From: redhat-secure-server-admin@redhat.com [mailto:redhat-secure-server-admin@redhat.com]On Behalf Of Alex Deva Sent: Thursday, 6 September 2001 21:20 To: redhat-secure-server@redhat.com Subject: Re: port 80 The problem is related to security in the way that firewalls are related to security. I don''t consider my problem to be off the course of this list because it deals with a possible misconfiguration in a security issue. Moreover, I have explained in the email that it''s neither a httpd.conf nor an ipchains problem (on my side). (And, to my knowledge, RedHat doesn''t ship with such a limiting /etc/sysconfig/ipchains file.) In the meanwhile another member of the list -- Mr. Cristian Paslaru -- has helped me with a tcpdump-ed route tracing and he has found the firewall that was blocking my port, just a few routers away. Thank you anyway for your trouble. _______________________________________________ Redhat-secure-server mailing list Redhat-secure-server@redhat.com https://listman.redhat.com/mailman/listinfo/redhat-secure-server
configure the ftp clients to user passive mode On Thu, 6 Sep 2001, Akshay Guleria wrote:> I am not sure if this might be directly relevant to this but i am sure the > experts might have already experimented and found a solution that I might > use. > > I had a RH6.2 server which masquaraded the traffic on my LAN to Internet. it > worked fine. > Now recently, I upgraded to RH7.1, it works fine. I have this line to do > this. > /sbin/iptables -A FORWARD -s 192.168.69.0/255.255.255.192 -j ACCEPT > This effectively masquarades my LAN 192.168.69.0/255.255.255.192 to > Internet. > > EXCEPT for services as this one: > The ftp clients on my LAN are unable to connect to any ftp server on > Internet. > > I think on RH6.2 machine, additional line in ipchains as > /sbin/modprobe masq_ftp > did the trick to allow the ftp clients to connect. > > My research on the subject yielded that I should be doing this: > > /sbin/modprobe ip_conntrack_ftp > > But that still does n''t work for me. > > Here the output of /sbin/lsmod shows the same module as unused. > > I am a little confused here. If somebody can direct me to an appropriate URL > or mailing list, it will be a great help. > > Thanks, > Akshay > > > -----Original Message----- > From: redhat-secure-server-admin@redhat.com > [mailto:redhat-secure-server-admin@redhat.com]On Behalf Of Stephen > Reppucci > Sent: Thursday, September 06, 2001 4:43 PM > To: redhat-secure-server@redhat.com > Subject: Re: port 80 > > > https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > > > _______________________________________________ > Redhat-secure-server mailing list > Redhat-secure-server@redhat.com > https://listman.redhat.com/mailman/listinfo/redhat-secure-server >-- \|||/ (@@) ooO_(_ )_Ooo _____|_____|_____|_____ __|____|_____|_____|__ Have a nice day Wycliffe Bahati Corporate support engineer Bsc Computer Science,CCNA CCDP Kenyaweb.com www.kenyaweb.com
ipchains vs. iptables: http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-4.html iptables HOWTO''s: http://netfilter.samba.org/unreliable-guides/ example iptables firewall scripts and etc.: http://www.linuxguruz.org/iptables/ one other possible gotcha: rhl7.1 appears to load the ipchains modules by default (assume for backward compatibility with 6.2). this is handled by /etc/rc.d/init.d/ipchains and /etc/rc.d/init.d/iptables, the upshot being that i had to ''rmmod ipchains'' before i could use the iptables commands. Hope this helps. sorry about the off-topic comments. Akshay Guleria wrote:> I am not sure if this might be directly relevant to this but i am sure the > experts might have already experimented and found a solution that I might > use. > > I had a RH6.2 server which masquaraded the traffic on my LAN to Internet. it > worked fine. > Now recently, I upgraded to RH7.1, it works fine. I have this line to do > this. > /sbin/iptables -A FORWARD -s 192.168.69.0/255.255.255.192 -j ACCEPT > This effectively masquarades my LAN 192.168.69.0/255.255.255.192 to > Internet. > > EXCEPT for services as this one: > The ftp clients on my LAN are unable to connect to any ftp server on > Internet. > > I think on RH6.2 machine, additional line in ipchains as > /sbin/modprobe masq_ftp > did the trick to allow the ftp clients to connect. > > My research on the subject yielded that I should be doing this: > > /sbin/modprobe ip_conntrack_ftp > > But that still does n''t work for me. > > Here the output of /sbin/lsmod shows the same module as unused. > > I am a little confused here. If somebody can direct me to an appropriate URL > or mailing list, it will be a great help. > > Thanks, > Akshay > > -----Original Message----- > From: redhat-secure-server-admin@redhat.com > [mailto:redhat-secure-server-admin@redhat.com]On Behalf Of Stephen > Reppucci > Sent: Thursday, September 06, 2001 4:43 PM > To: redhat-secure-server@redhat.com > Subject: Re: port 80 > > https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > _______________________________________________ > Redhat-secure-server mailing list > Redhat-secure-server@redhat.com > https://listman.redhat.com/mailman/listinfo/redhat-secure-server
Hi!. Your hardware can do this too,I have a ADSL line and my router by default rejects connections for the ports 23 and 80,my ISP configure routers as this,do You have a router or a modem? Josep>> >> I''m running RedHat 7.0 with Apache. I don''t use a firewall. My 80 port >> is open, I can telnet to it and I can see my local webpages and so can >> everyone on the networks that I''m routing to and from. The problem is >> that nobody from the outside can access my 80; they all get a >> "connection refused" message. I''ve checked with my provider and they >> assured me repeatedly that they don''t run any firewall on my IP class. >> I''ve checked httpd.conf and there''s no deny before any allow rule :) The >> problem remains: for everyone outside, 80 is a closed port, and from >> anyone from inside, it works. >> >> And now for the question: why? :o) >> >> >> >> _______________________________________________ >> Redhat-secure-server mailing list >> Redhat-secure-server@redhat.com >> https://listman.redhat.com/mailman/listinfo/redhat-secure-server >> > >-- >Steve Reppucci sgr@logsoft.com | >Logical Choice Software http://logsoft.com/ | >=-=-=-=-=-=-=-=-=-=- My God! What have I done? -=-=-=-=-=-=-=-=-=-> > > >_______________________________________________ >Redhat-secure-server mailing list >Redhat-secure-server@redhat.com >https://listman.redhat.com/mailman/listinfo/redhat-secure-server