Hi Keith. I use 9.2 pro as well. I had a similar problem with my Speedtouch 4 port ADSL router. I don't use SuSE Firewall, so I cannot really comment on your FW settings you have shown, but have written my own bash script to program IPTables packet filtering directly. I had to open port 80 in the script to the outside world.

On the Speedtouch router, I had to set up NAT, to forward requests for port 80 directly to my ethernet card IP address of 10.0.0.1:80. So any http requests for my website actually get forwarded by the router to the eth0 interface (local IP address 10.0.0.1) that Apache listens on for connection attempts from the outside world.

To test that you have opened port 80 so it can be accessed from the outside, you could go to http://www.grc.com, and use the ShieldsUp security scanner. Click on the common ports box, and this will then test your server and report whether, amongst others, port 80 is open or not.

Once you are sure that port 80 is opened, you could have a look at your router settings to set up NAT - Network Address and Port Translation - usually available via a web browser GUI, and an address like http://10.0.0.xxx.

HTH

Keith Roberts

In theory, theory and practice are the same; in practice they are not.

more below...

On Thu, 13 Jul 2006, Keith Hopper wrote:
> To: suse-security@suse.com
> From: Keith Hopper
> Subject: [suse-security] Impenetrable firewall - SuSE 9.2
>
> Greetings,
>
> I have a small home network of machines connected through the internal ethernet port of my SuSE linux server (192.168.42.xxx). The external ethernet port is connected to a LinkSys dsl modem (192.168.1.2 on the server to 192.168.1.1 - the modem). I have a fixed IP and the domain name asgard.org.nz to go with it - in the /etc/hosts file against the server machine name srv too. I set up the firewall so that the local net could access the internet - but not vice versa. All has worked very well for months. By the way the HOSTNAME file appears to contain srv.asgard.org.nz correctly!
>
> Needing to publish a small web site now, I have set up apache 2.0.55 suitably configured - which works well on the local network. However, despite the fact that the host (called server.asgard.org.nz on the modem port) has the same name as the Apache ServerName and I appear to have the correct firewall settings as far as my reading of the config file and the examples tells me -
> -------
> # 1
> FW_QUICKMODE="no"
> #2
> FW_DEV_EXT="eth-id-00:90:27:a7:d3:d2"
> #3
> FW_DEV_INT="eth-id-00:50:8b:62:08:e6"
> #4
> FW_DEV_DMZ=""
> #5
> FW_ROUTE="yes"
> #6
> FW_MASQUERADE="yes"
> #6a
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="0/0"
> #7
> FW_PROTECT_FROM_INTERNAL="no"
> #8
> FW_AUTOPROTECT_SERVICES="yes"
> #9
> FW_SERVICES_EXT_TCP="5801 5901 domain http https"
> FW_SERVICES_EXT_UDP="domain isakmp"
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_EXT_RPC=""
> FW_SERVICES_DMZ_TCP="http https 80"
> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_DMZ_RPC=""
> FW_SERVICES_INT_TCP="ftp http https 80"
> FW_SERVICES_INT_UDP=""
> FW_SERVICES_INT_IP="esp"
> FW_SERVICES_INT_RPC="mountd nfs nfs_acl ftp nlockmgr status"
> FW_SERVICES_DROP_EXT=""
> FW_SERVICES_REJECT_EXT="0/0,tcp,113"
> #9a
> FW_SERVICES_QUICK_TCP=""
> FW_SERVICES_QUICK_UDP=""
> FW_SERVICES_QUICK_IP=""
> #10
> FW_TRUSTED_NETS=""
> #11
> FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
> FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
> #13
> FW_FORWARD=""
> #14
> FW_FORWARD_MASQ=""
> #15
> FW_REDIRECT=""
> #16
> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="no"
> FW_LOG_ACCEPT_CRIT="yes"
> FW_LOG_ACCEPT_ALL="no"
> FW_LOG_LIMIT=""
> FW_LOG=""
> #17
> FW_KERNEL_SECURITY="yes"
> #17a
> FW_ANTISPOOF="no"
> #18
> FW_STOP_KEEP_ROUTING_STATE="no"
> #19
> FW_ALLOW_PING_FW="yes"
> #19a
> FW_ALLOW_PING_DMZ="no"
> #19b
> FW_ALLOW_PING_EXT="yes"
>
> ##
> # END of /etc/sysconfig/SuSEfirewall2
> ##
>
> # EXPERT OPTIONS - all others please don't change these!
>
> #20
> FW_ALLOW_FW_TRACEROUTE="yes"
> #21
> FW_ALLOW_FW_SOURCEQUENCH="yes"
> #22
> FW_ALLOW_FW_BROADCAST="int"
> FW_IGNORE_FW_BROADCAST="no"
> #23
> FW_ALLOW_CLASS_ROUTING="no"
> #25
> FW_CUSTOMRULES=""
> #26
> FW_REJECT="no"
> #27
> FW_HTB_TUNE_DEV=""
> #28
> FW_IPv6=""
> #28a
> FW_IPv6_REJECT_OUTGOING="yes"
> #29
> FW_IPSEC_TRUST="int"
> --------------------------------
>
> I cannot seem to get any local browser to access the web server with the external (srv.asgard.org.nz) IP address. I have tried external port scanners and they seem to see no open ports at all.
You cannot access your own IP address directly over the internet from that same IP address - IP protocol doesn't work like that. If you want to access your own web server over the internet, you will have to use a proxy browser, so it appears that the request is coming from an external source, which it would be. You access the proxy server, and the proxy server then accesses your own server on your machine on your behalf, then returns the website back to you on your machine.

You might like to try http://proxybrowsing.com/ to see if this helps. I use the above proxy for testing access to my own site. (I have set up name based virtual hosting with Apache 2.2.0, but I cannot get it to work, as all the proxy browsers I have found only support HTTP/1.0 protocol, and name based virtual hosting requires HTTP/1.1 for this to work.)

First you need to make sure that Apache is up and running, and you can access it locally, from something like: http://localhost/ or http://127.0.0.1

Once that is working OK, you need to set up your firewall so that port 80 is open to the outside world.

Next check and make sure that NAPT is set-up in your router correctly. Any connections to your static IP address need to be forwarded by your router to the interface that Apache is listening on.
> Having spent two days getting nowhere - but learning a lot, I feel I need to humbly ask for help. It's probably something obvious to you experts - sorry, I don't see what might be wrong.
>
> Help, please!
>
> Keith Hopper
>
> --
> Sky Development
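An added example, written for this page rather than taken from either poster: it parses a SuSEfirewall2 sysconfig fragment and checks the firewall-side points the reply raises, namely that an external device is defined and that TCP 80 is listed for the external zone, and it flags a service listed both by name and by number, as the DMZ and INT lines in the posted config are. The sample is copied from the posted config; the small service-name table is an assumption standing in for /etc/services.

```python
import re
import shlex

# Sample copied from the config posted in this thread (only the keys inspected here).
SAMPLE_CONFIG = '''
FW_DEV_EXT="eth-id-00:90:27:a7:d3:d2"
FW_DEV_INT="eth-id-00:50:8b:62:08:e6"
FW_SERVICES_EXT_TCP="5801 5901 domain http https"
FW_SERVICES_DMZ_TCP="http https 80"
FW_SERVICES_INT_TCP="ftp http https 80"
FW_FORWARD_MASQ=""
'''

# Service names resolved the way /etc/services would; an offline table (assumption).
SERVICES = {"ftp": 21, "domain": 53, "http": 80, "https": 443, "isakmp": 500}


def parse_sysconfig(text):
    """Return {KEY: value} for KEY="value" lines; comments and blank lines are skipped."""
    config = {}
    for line in text.splitlines():
        match = re.match(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$', line.strip())
        if not match:
            continue
        parts = shlex.split(match.group(2))  # shlex strips the surrounding quotes
        config[match.group(1)] = parts[0] if parts else ""
    return config


def zone_tcp_ports(config, zone):
    """Resolve FW_SERVICES_<zone>_TCP into (sorted ports, ports that appear twice)."""
    seen, dupes = [], set()
    for item in config.get(f"FW_SERVICES_{zone}_TCP", "").split():
        if item.isdigit():
            port = int(item)
        elif item in SERVICES:
            port = SERVICES[item]
        else:
            raise ValueError(f"unknown service {item!r} in FW_SERVICES_{zone}_TCP")
        if port in seen:
            dupes.add(port)  # e.g. "http" and "80" in the same list
        else:
            seen.append(port)
    return sorted(seen), sorted(dupes)


def http_findings(config):
    """List what would stop outside clients reaching TCP 80 on the firewall host itself."""
    findings = []
    if not config.get("FW_DEV_EXT"):
        findings.append("FW_DEV_EXT is empty: no interface is treated as external")
    if 80 not in zone_tcp_ports(config, "EXT")[0]:
        findings.append("port 80 is not listed in FW_SERVICES_EXT_TCP")
    return findings
```

For the posted config the checks come back empty, which is consistent with the reply looking past the firewall to the router's NAT setup.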