Re: [leaf-user] Can't connect to weblet from internet

[Jeff N. <jdn...@dc...>]

On Wed, 28 May 2003 al...@at... wrote:

> I added a rule alloing net2fw conection on tcp port 80.
> 
> Added in sh-httpd.conf 
> CLIENT_ADDRS="192.168.1. My.IP.Net."
> I tryed also to change the SERVER_NAME/ADDR to ppp0_IP
> 
> In hosts.allow I added
> sh-httpd: My.IP.Net.0/255.255.255.0
> I tryed also to uncomment in hosts.deny the PARANOID
> 
> restarted inetd

inetd doesn't look at hosts.allow, though it usually invokes tcpd which
does. Since tcpd gets re-invoked for every new connection, simply editing
hosts.allow and saving should be enough to activate that change.

> 
> but still can't connect to weblet and no log in shorewall.log.
> 
> What am I missing to get weblet listen on the external interface (for me ppp0) ?

I don't know, but this is what I would check:

a) no firewall blockage: sounds like you have looked through shorewall
files, but you may not have used "shorewall status" and looked for
relevant lines in the firewall rules.

b) no port 80 redirection: No DNAT to an internal server.  Again, checking
"shorewall status" should confirm this.

Note that a) and b) can be eliminated as potential problem sources if you
"shorewall clear" for testing.

c) /etc/inetd.conf file has appropriate entry to activate weblet:
www  stream tcp nowait   sh-httpd  /usr/sbin/tcpd   /usr/sbin/sh-httpd

d) /etc/hosts.allow has appropriate entry: you have obscured the entry
above, but it does seem odd that you appear to want to expose it on the
external interface _and not the internal interface_. Why exclude internal
access?

e) sh-httpd is executable:

------
# ls -l /usr/sbin/sh-httpd
-rwxr-xr-x    1 root     root         8028 May 27  2001 /usr/sbin/sh-httpd
------

f) confirm that you can connect to it... use telnet from a host in the
appropriate source network.  Note response to attempted connection ...
this can be a clue to where the problem is.

-------
$ telnet myrouter 80
Trying 192.168.0.1...
Connected to myrouter.my.localnet.
Escape character is '^]'.
GET / HTTP/1.0

{http response should start here}
--------

Remember the extra blank line after you type the GET command.

g) try looking in the logfile (/var/sh-log/sh-httpd.log) for indications
of connection attempts.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdn...@dc...>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------