I should stay half awake more often. :P
[quote author=vvx link=board=4;threadid=8072;start=0#msg73528 date=1068236595]
[quote author=Master Copy link=board=4;threadid=8072;start=0#msg73463 date=1068102856]
So you can't get to the server at all from outside? Is that what you are saying? I'm sorry for all the questions, just throwing some stuff out that might shed some light on both of us.
From what I've collected, you can access from the internal private network. correct?
Please excuse my rusty iptable knowledge. Doesn't the "! --syn" disallow a syn flag? Have you tried passing SYN and ACK to that port from $EXTERNAL to the server?
Just some last minute ideas. I'll read it more carefully tomorrow when I'm awake. ;D
[/quote]
Yeah, that was confusing me, "LAN clients" I would take to mean the internal network but if that can connect okay even when firewall is running it's gotta be the external stuff he's having probs with?
[/quote]
Yes, as of this moment the remaining problem is for the external clients, or those who are on the Internet.
I was able to resolve the problem for my LAN by applying the above mentioned additional firewall rule in my scripts.
thanks
Why is it that this rule does not allow my Internet clients to access our site? My friends are using the same without a problem.
Any comment?
# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------
# INPUT side: accept packets arriving on the external interface that are
# NOT a bare SYN (i.e. not the first packet of a new connection), that come
# from remote port 80, and that are addressed to one of our unprivileged
# ports. These are replies to web requests this host itself sent out.
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# OUTPUT side: allow requests from our unprivileged ports to remote port 80.
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
You need the SYN flag to make a synchronization with the server, or any service for that matter. Your friends might not have it set on the interface it's coming in on. I'll try to think of some other reason it would have worked, but I'm not half asleep yet. :
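As an added example (not code from this thread or from any of its posters), the POSIX sh script below models the "HTTP client (80)" INPUT rule posted above against a few constructed packets, so the effect of "! --syn" plus "--source-port 80" that the previous reply describes can be seen directly, and then prints the mirror-image "HTTP server (80)" rule pair that a site reachable from the Internet needs. Nothing in it calls iptables; the interface name, address and port range are placeholders.

```shell
#!/bin/sh
# Added example, not code from this thread. It models the "HTTP client (80)"
# INPUT rule posted above against a few constructed packets, then prints the
# mirror-image "HTTP server (80)" rule pair. Nothing here calls iptables.
# EXTERNAL_INTERFACE, IPADDR and UNPRIVPORTS are placeholder values.

EXTERNAL_INTERFACE="eth0"
IPADDR="203.0.113.10"        # constructed address from the RFC 5737 test range
UNPRIVPORTS="1024:65535"     # the usual unprivileged port range

# in_range PORT LOW:HIGH -> true if PORT lies inside the range
in_range() {
    _port=$1; _low=${2%%:*}; _high=${2##*:}
    [ "$_port" -ge "$_low" ] && [ "$_port" -le "$_high" ]
}

# is_syn FLAGS -> true when iptables' --syn would match: SYN set and
# ACK, RST, FIN all clear, i.e. the first packet of a new connection.
# FLAGS is a comma-separated list such as "SYN", "SYN,ACK" or "ACK".
is_syn() {
    case ",$1," in
        *,SYN,*) case ",$1," in
                     *,ACK,*|*,RST,*|*,FIN,*) return 1 ;;
                 esac
                 return 0 ;;
        *) return 1 ;;
    esac
}

# client_rule_input FLAGS SRC_PORT DST_PORT
# Mirrors the posted rule:
#   iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
#       --source-port 80 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# Prints ACCEPT when the packet would match, DROP otherwise (assuming the
# chain's policy is DROP and no other rule matches).
client_rule_input() {
    if ! is_syn "$1" && [ "$2" -eq 80 ] && in_range "$3" "$UNPRIVPORTS"; then
        echo ACCEPT
    else
        echo DROP
    fi
}

# server_rules -> prints the rule pair that accepts *incoming* web traffic.
# The INPUT side must accept the client's SYN, so it carries no "! --syn";
# the OUTPUT side carries it because a server never opens the connection.
server_rules() {
    cat <<EOF
# HTTP server (80)
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \\
    --source-port $UNPRIVPORTS \\
    -d $IPADDR --destination-port 80 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \\
    -s $IPADDR --source-port 80 \\
    --destination-port $UNPRIVPORTS -j ACCEPT
EOF
}

# Constructed sample packets arriving on $EXTERNAL_INTERFACE:
# "FLAGS SPORT DPORT description"
printf '%-8s %-6s %-6s %s\n' FLAGS SPORT DPORT VERDICT
while read -r flags sport dport desc; do
    printf '%-8s %-6s %-6s %s  (%s)\n' "$flags" "$sport" "$dport" \
        "$(client_rule_input "$flags" "$sport" "$dport")" "$desc"
done <<EOF
SYN     51234 80    Internet browser opening our site
ACK     51234 80    data from that browser
SYN,ACK 80    40000 reply to a page this host fetched
ACK     80    40000 data for that fetched page
EOF

echo
server_rules
```

The table shows that a browser's opening SYN to port 80 never matches the client rule (it is a bare SYN, and its source port is not 80), so with a DROP policy the site is unreachable from outside even though the host can browse the web itself. The printed server pair is the usual companion to the client pair in this style of script; on a kernel with connection tracking, "-m state --state ESTABLISHED,RELATED" is the more common way to express the "! --syn" reply rules.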
[quote author=Master Copy link=board=4;threadid=8072;start=0#msg73682 date=1068533607]
You need the SYN flag to make a synchronization with the server, or any service for that matter. Your friends might not have it set on the interface it's coming in on. I'll try to think of some other reason it would have worked, but I'm not half asleep yet. :
[/quote]
I shall wait for you then : )