Hi gurus out there, could you please help me with my problem. I am running a newly installed Apache 2.x on my RH 9.0 server. My problem is that every time my LAN clients try to access my Apache they are refused connections. But when I turn off my firewall, clients can freely access web pages.
#telnet 192.168.0.1 80
Trying 192.168.0.1...
telnet: connect to address 192.168.0.1: Connection refused
I'm quite sure the problem is with my firewall rules. Could anyone please help me with what rule should allow my LAN to access my Apache server?
My other services like Squid proxy, FTP and others are running OK and my clients can freely access those services without any problem. Also, I use this box as the gateway to my LAN.
My Apache IP: 192.168.0.1 ----eth1
Here's part of my firewall script:
IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
IPADDR2=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1" # Internal LAN interface
INTRANET="192.168.0.0/16" # Private IP Addr Range
PRIMARY_NAMESERVER="203.x.x.3"
SECONDARY_NAMESERVER="203.x.x.4"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:"
SSH_LOCAL_PORTS="1022:65535"
SSH_REMOTE_PORTS="513:65535"
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
iptables -F
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# Unlimited traffic within the local network.
iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -i $LOCAL_INTERFACE_1 -s ! $INTRANET -j DROP
# Allow all internal packets out of our network.
iptables -A FORWARD -m state --state NEW,ESTABLISHED \
-i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
# Allow the associated packets with those connections back in.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
-i $EXTERNAL_INTERFACE -s ! $INTRANET -j ACCEPT
iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE
iptables -A FORWARD -i $EXTERNAL_INTERFACE -m state \
--state NEW,INVALID -j REJECT
# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
iptables -A INPUT -i $LOCAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR2 --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE -p tcp \
-s $IPADDR2 --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 443 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
# ------------------------------------------------------------------
# WWW-CACHE client
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 3128 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 3128 -j ACCEPT
# ------------------------------------------------------------------
# TRANSPARENT PROXY client
# ------------------------------------------------------------------
iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
--destination-port 80 -j REDIRECT --to-port 3128
Any suggestions? Please help.
rhonneil
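Two things about the ruleset above are worth checking before touching the INPUT chain. First, "Connection refused" means the client received a TCP RST, which a DROP policy never produces (a dropped SYN times out instead), so the packet is reaching something that actively rejects it. Second, the TRANSPARENT PROXY rule in the nat PREROUTING chain matches on `--destination-port 80` with no `-d` restriction, so it also catches LAN packets addressed to the gateway's own eth1 address (192.168.0.1) and hands them to port 3128 instead of Apache. Whether that is the cause here depends on what is listening on 3128, but the rule is scoped more widely than a gateway hosting its own web server wants. The script below is an added example and not part of the original post: it audits an iptables-save style dump for PREROUTING REDIRECT rules that lack a destination match and prints the exclusion rule that would need to sit in front of each one. The dump in `sample_dump` is constructed from the poster's rules, and `GATEWAY_IP` is taken from the post; on the real box the functions would be fed `iptables-save -t nat` output (which needs root) instead.

```shell
#!/bin/sh
# Added example (not from the original post): find nat PREROUTING REDIRECT
# rules that would also redirect traffic addressed to the gateway itself,
# and derive the exclusion rule to insert ahead of them.
# GATEWAY_IP is the eth1 address from the post.

GATEWAY_IP="192.168.0.1"

# Constructed iptables-save style dump of the nat table. It is an assumption
# that this is how the poster's TRANSPARENT PROXY and MASQUERADE rules appear.
sample_dump() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Print every PREROUTING REDIRECT rule on stdin that has no "-d" match,
# i.e. one that also applies to connections addressed to $GATEWAY_IP.
unscoped_redirects() {
  grep -- '^-A PREROUTING ' | grep -- '-j REDIRECT' | grep -v -- ' -d '
}

# Count such rules; non-zero means the gateway's own port-80 listener is
# only reachable from the LAN through the redirect target.
count_unscoped_redirects() {
  unscoped_redirects | wc -l | tr -d ' '
}

# Build the exclusion rule for one REDIRECT rule ($1): same interface and
# port, destination pinned to the gateway, inserted at position 1 so it is
# evaluated before the REDIRECT. ACCEPT in the nat table means "no NAT",
# it does not bypass the filter table.
exclusion_rule_for() {
  iface=$(printf '%s\n' "$1" | sed -n 's/.* -i \([^ ]*\).*/\1/p')
  port=$(printf '%s\n' "$1" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
  printf 'iptables -t nat -I PREROUTING 1 -i %s -p tcp -d %s --dport %s -j ACCEPT\n' \
    "$iface" "$GATEWAY_IP" "$port"
}

# Run the audit over the constructed dump and print each finding with the
# rule that would fix it. On a live gateway replace sample_dump with
# "iptables-save -t nat".
audit() {
  sample_dump | unscoped_redirects | while IFS= read -r rule; do
    echo "unscoped redirect: $rule"
    exclusion_rule_for "$rule"
  done
}

audit
```

After inserting the exclusion rule, `iptables -t nat -L PREROUTING -n -v` shows per-rule packet counters, so a repeat of the telnet test from the LAN makes it obvious whether the client's SYN is now hitting the ACCEPT rule or still the REDIRECT; the same `-n -v` view of the filter INPUT chain confirms that the existing `-i eth1 -s 192.168.0.0/16 -j ACCEPT` rule is what lets the packet through to Apache.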