Blocked external access (even with open ports)

natcorsi

Hi guys, I have a problem on my server that I can't identify.

I'm new to this subject. I have a Debian 10 server, but I can't get it exposed to the external network, even with the proper port forwarding, so much so that I installed XAMPP on my work machine, and that works normally: I can access it from the neighbor's network (another provider) and from my cell phone internet, but nothing from my Linux server.

I've already done these server settings on another internet service and everything worked fine, this time, the only thing different I did was insert a domain in the debian installation. I thought it was just for a "look and feel" of the server name, but I don't know if this has anything to do with the problem.

I disabled the server's firewall for testing, but it didn't work. When I ping from other machines on the LAN, it works normally.
Can anyone give me any tips? Thank you all!!
 



The server name and domain name (/etc/hosts and /etc/hostname) have nothing to do with whether it can be accessed from the internet or not. It's down to the firewall and port-forwarding, which you have already done from what I read in your post. What service are you trying to access from the internet on your home LAN where your Debian server is running?
 
Hi! I'm trying to access WordPress. I also have Webmin installed, but both are unresponsive. My Debian server is running on my old Acer Aspire 4739Z notebook. Thanks for listening! :)
 
You can only forward a port to one host, so you need to forward port 80 to the LAN IP your Debian server is running on. First install telnet on your Debian system and see if you can access port 80 locally, then see if you can access it on your LAN, and then see if you can access it using your external/WAN IP.
Code:
sudo apt install ncat     # from your Debian system
nc localhost -vz 80       # from your Debian system
nc 192.168.122.10 -vz 80  # from your Debian system, replacing the IP with the LAN IP of your Debian system
nc x.x.x.x -vz 80         # from your Debian system, replacing x.x.x.x with the IP you get from ipchicken.com

Can you connect from all 3, or do you get a connection timed out for any of them? Also share the output of the following from your Debian system.
Code:
netstat -tulpn | grep 80
 
Output of nc localhost -vz 80:

Code:
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to ::1:80.
Ncat: 0 bytes sent, 0 bytes received in 0.04 seconds.

And for the internal and external IP it is the same result: 0 bytes sent and received.

netstat command:

Code:
root@BOX:/home/natcorsi# netstat -tulpn | grep 80
tcp6       0      0 :::80                   :::*                    OUÇA       601/apache2        
udp6       0      0 fe80::67d:7bff:feac:546 :::*                                594/dhclient

It seems that it is not connecting, but I still haven't discovered the problem, even if I disable the other ports, it still doesn't work. Thanks for the command tips, I didn't know them :)

(I don't know if it makes any difference, but my external ip is fixed)
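
As an added example (not part of the thread or any poster's code): the `netstat -tulpn | grep 80` output above also picked up the dhclient row because `fe80` contains `80`, and the state column is localized (`OUÇA`). This sketch matches the port field exactly and reports whether each TCP listener is bound to all interfaces or only to loopback; `listen_scope`, `sample_netstat` and every sample row except the apache2 and dhclient ones are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. listen_scope and sample_netstat are
# hypothetical helper names.

# listen_scope PORT
# Reads `netstat -tulpn` text on stdin and prints one line per TCP listener
# on PORT: "<scope> <bind-address> <pid/program>".
listen_scope() {
    awk -v port="$1" '
        $1 !~ /^tcp/ { next }   # TCP rows only; drops headers and UDP rows
        $5 !~ /:\*$/ { next }   # a listener has a wildcard peer (0.0.0.0:* or :::*),
                                # so the localized state word is never consulted
        {
            n = split($4, part, ":")
            if (part[n] != port) next     # exact port, not a substring match
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::")
                scope = "all-interfaces"  # reachable from LAN, and from WAN if forwarded
            else if (addr ~ /^127\./ || addr == "::1")
                scope = "loopback-only"   # port forwarding can never reach this
            else
                scope = "single-address"
            print scope, addr, $7
        }'
}

# Sample input. The apache2 and dhclient rows are the ones posted in the
# thread; the mysqld, node and perl rows are constructed.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               OUÇA       512/mysqld
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               OUÇA       700/node
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               OUÇA       655/perl
tcp6       0      0 :::80                   :::*                    OUÇA       601/apache2
udp6       0      0 fe80::67d:7bff:feac:546 :::*                                594/dhclient
EOF
}

# A tcp6 listener on :: also accepts IPv4 on Linux unless net.ipv6.bindv6only=1.
# On a live system: netstat -tulpn | listen_scope 80
sample_netstat | listen_scope 80
```

A result of `all-interfaces` for port 80 means the bind address is not what blocks outside access, so the next things to check are the router's forwarding rule and the HTTP response itself.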
 
Can you do the same again, except with one command different this time?
Code:
apt install telnet
telnet localhost 80
telnet 192.168.122.10 80   # replacing that IP with your Debian system's LAN IP
telnet x.x.x.x 80          # replacing that IP with your external IP
 
Hello, all commands are having a result similar to this :(

Code:
natcorsi@BOX:~$ telnet localhost 80
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

Do you know what it can be?
 
It means that your port-forwarding is set up correctly, since you can connect to port 80 on your external IP. How are you trying to access your WordPress website? Are you entering your external IP in the web browser, or are you connecting to a DNS name which is pointing to your external IP?
 
Also what does your apache configuration look like for your wordpress website?
 
Hi! I'm accessing the site through firefox browser, I can access the internal network both through the ip and through my noip.com domain, both work correctly on the lan, but neither works with the external network.

About apache, it came with the debian installation, it's version 2.4.38.
I used these two commands, one of them seems to display some kind of error

Code:
[root@BOX ~]# apache2 -v
Server version: Apache/2.4.38 (Debian)
Server built:   2021-09-30T03:50:49

[root@BOX ~]# apache2ctl -t
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK

I use nextcloud on the server too, on the same port as wordpress, the desktop client shows that the server version 127.0.1.1 is not supported, would it have something to do with it?
 
Hmm, it seems you're running into multiple issues here; first let's start with the last one, apache2.

Before talking about conflicting ports/IPs and applications, let's confirm one item:
  • For your apache2.conf (or httpd.conf depending on how you set it up), did you set the FQDN globally in your default configuration?
    • This should look like: ServerName 127.0.0.1
  • Nextcloud and WordPress would conflict if you're on the same port.
    • Consider updating your configuration in Apache2 and host both from the same domain vhosts
 
Hi! I made the virtual host settings as shown in the tutorial to configure both domains on the server. About the apache2.conf configuration, I can't say if the FQDN is configured; I'm still a beginner in this part. Currently my apache2.conf file is configured like this:

Code:
#
# The directory where shm and other runtime files will be stored.
#

DefaultRuntimeDir ${APACHE_RUN_DIR}

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5


# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log

#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

# Include list of ports to listen on
Include ports.conf


# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
    Options FollowSymLinks
    AllowOverride none
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride all
    Require all granted
</Directory>

#<Directory /srv/>
#    Options Indexes FollowSymLinks
#    AllowOverride None
#    Require all granted
#</Directory>




# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>


#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

I searched on Google about it but still couldn't find anything.
Thanks a lot for the help! I still didn't know about these virtual host settings. The strange thing is that on another server I had (same computer, different operator) it was working correctly, with the same configuration I made, in the main folder of www/html/wordpres and www/html/wordpres/BOX (nextcloud)
 
Hey, if it works, great!

If you're using a host based configuration, just try putting your domain name & IP in /etc/hosts. I assume this is for your internal network exclusively.

Cheers.
 
Hi! I deleted the WordPress and Nextcloud folders from the server. Now Webmin is working on port 10000 on the external network, but the web server still doesn't appear. I can only access it if I type the external IP + the Webmin port; otherwise, no answer.

my hosts file is configured like this

Code:
127.0.0.1    localhost
127.0.1.1    BOX
xxx.xxx.xxx.xxx    www.corsisdesign.com.br    localhost    # my external ip

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# Ensure that Apache listens on port 80
Listen 80
<VirtualHost *:80>
    DocumentRoot "/www/html/BOX"
    ServerName www.box.com

    # Other directives here
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/www/html/corsisdesign"
    ServerName www.corsisdesign.com.br

    # Other directives here
</VirtualHost>

My server is answering the ping to www.corsisdesign.com.br, but I can't access the external network, nor domain, nor external ip, only the internal ip, I'm getting close to the problem, thank you for your attention, do you have any more idea of what it can be?
 
Natcorsi,
The host file was solely for internal addresses…not really needed in this configuration.

Regarding DNS, did you create an A record for your domain?

Be sure to lock down your site appropriately.

Have a Merry Christmas.
 
