
I hope this isn't above the scope of ServerFault. If the question doesn't work here, some direction would be helpful.

We've got an Ubuntu development server with 2 NICs. One has a public IP and one is internal. Everything works fine internally, whether we set our hosts files to use the internal or public IP. The DNS settings seem to be accurate at GoDaddy, but we cannot access our website from outside our network. We've tried several things with iptables to no avail. Nothing shows up in /var/log/nginx/error.log. Right now, we're using iptables-persistent, and if we run iptables -L -n -v, we get the following:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6300 5345K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  446 19640 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    8   480 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4   220 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   23  1264 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
    8   416 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:6081
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:225
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1581
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2124
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32869
 435K   43M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 7064 packets, 2805K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            64.224.199.0/27      tcp dpt:1500
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            69.0.166.0/27        tcp dpt:1500
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            66.40.60.0/27        tcp dpt:1500
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            83.222.224.32/28     tcp dpt:1500
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            209.15.255.224/27    tcp dpt:1500
eisaacson
    Can the server get out on the external nic? Or is the issue solely on access from the outside? – Colyn1337 Oct 11 '13 at 20:51
  • Are you trying to hit the server from the outside or the inside? (some routers don't allow you to hit external sites that point back to an internal site). Try to actually hit the server from outside (e.g. 3G cellphone connection). – DavidGamba Oct 11 '13 at 21:25
  • @Colyn1337 I am able to access the outside from the server. – eisaacson Oct 11 '13 at 21:32
  • @DavidG I'm trying to hit the server from the outside. We are able to access the site internally regardless of which of the two IP addresses we use. – eisaacson Oct 11 '13 at 21:33
  • I am now wondering if this is a question regarding iptables closing a port or router/firewall settings. Can you access the server from the outside if you flush the iptables settings? (after saving them, of course). – DavidGamba Oct 11 '13 at 21:37
  • @DavidG That was my starting point that I've returned to many times. I cannot access the server even with a flushed iptables. – eisaacson Oct 11 '13 at 21:38
  • Does `tcpdump -ni port 80` even show you receiving packets from the public interface? – Matthew Ife Oct 11 '13 at 22:43
  • There is no point in creating iptables rules if you can't access the server without them. Flush all tables and focus on the router/company firewall (not server firewall) settings. Make sure you have proper port redirection (e.g. redirect port 80 to the internal static ip of your server). – DavidGamba Oct 14 '13 at 05:21
  • @MIfe whether inside or out, I do see traffic. I'm not very familiar with packet tracking. Locally, I see several acknowledgments which I don't see if the traffic is coming from the outside. Ex: `ack 1, win 65472, length 0` – eisaacson Oct 14 '13 at 15:04
  • @DavidG This is actually bypassing our company firewall completely at the moment. – eisaacson Oct 14 '13 at 15:05

1 Answer

As none of your iptables rules match based on interface, it's pretty easy to rule that out... you'd see the same problems from inside. Your problem isn't with iptables.

Note that the output you posted is only from the filter table; there are also nat and mangle tables. You can check them with:

iptables -L -v -n -t mangle
iptables -L -v -n -t nat

The next step is to check if the problem is the packets arriving from outside or the responses to them. Add (before the end) an iptables rule that will just match them, but not take action. You can then check the counter (far left column) to see if the packets are getting in:

iptables -I INPUT -i eth0 -p tcp --dport 22

where eth0 is the name of your internet-facing interface.

Incidentally, those OUTPUT rules look a bit strange. You explicitly allow traffic to select subnets with tcp traffic targeting port 1500, and then allow all other traffic as well... you'd get the same effect (with less work) by having an empty OUTPUT table.
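As an added example (not part of the question or the answer), a small Python parser for the `iptables -L -v -n` listing that checks the two things the answer relies on: whether any INPUT rule is scoped to an ingress interface, and what the per-rule packet counters (the far-left column) say for port 80 and for the final REJECT. The sample listing is a constructed subset of the output posted in the question.

```python
# Added example (not from the question or answer): parse `iptables -L -v -n`
# output and read the interface column and packet counters from it. The sample
# below is a constructed subset of the INPUT listing posted in the question.
import re

SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6300 5345K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    8   480 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   23  1264 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
 435K   43M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""

UNITS = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

def to_int(s):
    """Expand the abbreviated counters that -v prints (5345K, 43M)."""
    return int(float(s[:-1]) * UNITS[s[-1]]) if s[-1] in UNITS else int(s)

def parse_chains(text):
    """Return {chain: {"policy": ..., "rules": [dict, ...]}} for one table."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            cur = m.group(1)
            chains[cur] = {"policy": m.group(2), "rules": []}
        elif cur and line.strip() and not line.lstrip().startswith("pkts"):
            # pkts bytes target prot opt in out source destination [match text]
            f = line.split(None, 9)
            chains[cur]["rules"].append({
                "pkts": to_int(f[0]), "target": f[2], "prot": f[3],
                "in": f[5], "out": f[6], "src": f[7], "dst": f[8],
                "extra": f[9].strip() if len(f) > 9 else ""})
    return chains

def interface_scoped(chains, chain="INPUT"):
    """Rules that fire only for one ingress interface ("in" column != "*")."""
    return [r for r in chains[chain]["rules"] if r["in"] != "*"]

def dport_counters(chains, port, chain="INPUT"):
    """(target, pkts) for every rule that matches destination port `port`."""
    return [(r["target"], r["pkts"]) for r in chains[chain]["rules"]
            if f"dpt:{port}" in r["extra"].split()]

def rejected_pkts(chains, chain="INPUT"):
    """Packets that hit a REJECT/DROP rule in the chain."""
    return sum(r["pkts"] for r in chains[chain]["rules"]
               if r["target"] in ("REJECT", "DROP"))
```

On the posted listing the only interface-scoped rule is the loopback accept, so the public NIC is treated exactly like the internal one, which is the answer's point; re-running the parser on a fresh listing after adding the counting rule shows whether the far-left counter moves.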

TheAmigo