From mboxrd@z Thu Jan 1 00:00:00 1970
From: chuck gelm
Subject: Re: Network accessibility problem
Date: Fri, 07 Apr 2006 11:18:31 +0000
Message-ID: <44364A87.6010808@gelm.net>
References: <0AE15BC76B45A2544A679DA133285E53@gjuarezmondragon.metacrawler.com>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <0AE15BC76B45A2544A679DA133285E53@gjuarezmondragon.metacrawler.com>
Sender: linux-admin-owner@vger.kernel.org
List-Id:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: gerardo juarez-mondragon
Cc: linux-admin@vger.kernel.org

gerardo juarez-mondragon wrote:

>I have a Fedora Core 2 server running in a
>network behind a firewall. I need access to ports
>22 and 80 from outside but the firewall
>administration is not under my control. I have
>requested this access to be opened and the
>administrator says it is already open, yet I
>still cannot access it from outside.
>
>I have run a few tests and this is what I found:
>
>(Filtering tables are flushed with iptables -F,
>on the server, prior to the tests)
>
>I can ping to/from it from/to any place, whether
>it is inside or outside the office.
>
>I can ssh to it from any place *inside*, but not
> from outside. A ssh -v from a computer outside
>succeeds up to the "entering event loop" message
>(which means it has presumably connected but the
>dialog does not proceed beyond this point).
>Vice versa, attempting a ssh session past the
>firewall results in an instantaneous 'Connection
>refused' message. The same connection from
>another computer succeeds, proving a ssh server
>was indeed running at the other end.
>
>telneting to port 80 produces this result:
>
>Trying 207.284.xxx.yyy...
>Connected to 207.248.xxx.yyy.
>Escape character is '^]'.
>
>when attempted from the (outside) ip authorized
>to access the computer. Any other ip just gets to
>the 'Trying...' line. This is correct and what
>should be happening, yet a browser reports
>'request sent' and proceeds no further when
>pointed to the address. (The Apache installation
>index page should be displayed).
>
>The administrator argues that some 'service'
>within my server is blocking packets, but I don't
>know that SSH can be configured to restrict
>access to specific ip segments. It can restrict
>access to *accounts*. Nor that there is such a
>service, except the firewall, whose tables I have
>already flushed.
>
>Am I missing something? What other tests do you
>suggest?
>
>Thanks,
>Gerardo
>
>

Dear Gerardo:

You mention only trying one port (ssh:22) from the 'outside'
and that the ssh attempt failed.

You did not mention that the 'Fedora Core 2 server' (FC2S)
has a routable IP address.

What ports of the FC2S are reachable from the outside?

HTH, Chuck
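
The outcomes described in this thread (an instant 'Connection refused', a hang at 'Trying...', and a connection that opens but carries no dialog) can be told apart per port with a small probe. This is an added example, not part of the original messages; `probe` and `demo` are hypothetical names, and the loopback listeners in `demo` are constructed so that it runs offline.

```python
import socket
import threading

def probe(host, port, timeout=3.0, request=None):
    """Return (state, data) for one TCP port as seen from this machine."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", b""      # RST came back: nothing listening, or a reject rule
    except (socket.timeout, TimeoutError):
        return "filtered", b""     # SYN unanswered: dropped somewhere on the path
    except OSError as exc:
        return "error", str(exc).encode()   # e.g. no route to host
    with s:
        s.settimeout(timeout)
        try:
            if request:
                s.sendall(request)
            data = s.recv(256)
        except (socket.timeout, TimeoutError):
            return "silent", b""   # handshake done, then no data (the symptom above)
        except OSError as exc:
            return "error", str(exc).encode()
    return ("answered", data) if data else ("closed", b"")

def demo():
    """Constructed loopback cases only; no external host is contacted."""
    def listen():
        srv = socket.socket()
        srv.bind(("127.0.0.1", 0))     # port 0: the kernel picks a free port
        srv.listen(1)
        return srv
    def greet(srv, banner):
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
    talker, mute, gone = listen(), listen(), listen()
    threading.Thread(target=greet, args=(talker, b"SSH-2.0-demo\r\n"), daemon=True).start()
    closed_port = gone.getsockname()[1]
    gone.close()                       # nothing listens on this port any more
    results = {
        "answered": probe("127.0.0.1", talker.getsockname()[1], 0.5),
        "silent": probe("127.0.0.1", mute.getsockname()[1], 0.5),   # never accepted
        "refused": probe("127.0.0.1", closed_port, 0.5),
    }
    talker.close(); mute.close()
    return results

if __name__ == "__main__":
    print(demo())
```

Running `probe(server, 22)` and `probe(server, 80, request=b"HEAD / HTTP/1.0\r\n\r\n")` against your own server from an inside host and from the authorized outside address, then comparing the states, shows per port whether the difference lies in the handshake or in the data that follows it.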