ports open?

Discussion in 'Server Operation' started by ubuntu server newbie, Aug 10, 2006.

  1. This is my first attempt at getting either linux or a server running, I'm using Ubuntu server 6.06 but I had to get gnome as I wasn't getting very far with only a shell.

    I'm having trouble getting Apache2 working.

    I get the apache default page when I point firefox to the lan ip using another computer on my lan so I assume it's running ok. I get a connection refused message when I use my wan ip with port 80 (ISP block maybe?) and a firefox couldn't establish a connection error with port 280 (I chose port 280 at random), firefox seems to come up with the error message far too quickly to actually be checking it.

    I'm not running a firewall on my PC or router. I'm pretty sure that I've forwarded the ports at my router as I'm running emule successfully on another computer with ports forwarded ok. Apache2 is listening on 80 and 280 and it's been restarted since I've updated ports.conf.

    whatsmyip.org tells me that my port 280 is open but port scan in the network tool applet says it's closed.

    I don't get it, can anyone help?

  2. Ben

    Ben ISPConfig Developer

    what you could do is to check if your machine retrieves packets e.g. on port 80 / 280 run the following on the shell while trying to reach your machine from outside:

    tcpdump dst port 80

    if you do not see any packets check
    iptables -L to verify no iptables is running.

    Can you find sth. in the router log?
  3. tcpdump dst port 280 output

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    16:07:29.494367 IP > myip.myip.myip.myip.280: S 227089780:227089780(0) win 5840 <mss 1460,sackOK,timestamp 5943429 0,nop,wscale 2>
    16:07:29.668747 IP > myip.myip.myip.myip.280: S 229892125:229892125(0) win 5840 <mss 1460,sackOK,timestamp 5943446 0,nop,wscale 2>

    I thought the problem might have been something to do with my router so I got an old one out but had the same problem. Obviously the request is getting through so the obvious question is why's it being refused?

    Here's some of the output for netstat -lp

    tcp6 0 0 *:www *:* LISTEN 30433/apache2
    tcp6 0 0 *:60213 *:* LISTEN 30433/apache2
    tcp6 0 0 *:280 *:* LISTEN 30433/apache2
    tcp6 0 0 *:281 *:* LISTEN 30433/apache2
    tcp6 0 0 *:https *:* LISTEN 30433/apache2
    tcp6 0 0 *:1180 *:* LISTEN 30433/apache2

    Why is the protocol tcp6? The other entries are just tcp?

    I saw on another forum that someone who had a similar problem had a DNS issue with their router (their router didn't know where to forward the request to in the LAN) but the tcpdump show that the request is getting through right?

    Thanks for your help
  4. Ben

    Ben ISPConfig Developer

    Sorry my fault, pls try tcpdump without "dst", so that we can see if the traffic gets back to the router.

    The router does not care about DNS in case of forwarding.
  5. tcpdump port 80 output

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    17:22:07.668256 IP > palo5.pacific.net.th.www: S 668177623:668177623(0) win 5840 <mss 1460,sackOK,timestamp 6391246 0,nop,wscale 2>
    17:22:07.697672 IP palo5.pacific.net.th.www > S 220399697:220399697(0) ack 668177624 win 5792 <mss 1360,sackOK,timestamp 439737840 6391246,nop,wscale 0>
    17:22:07.697815 IP > palo5.pacific.net.th.www: . ack 1 win 1460 <nop,nop,timestamp 6391249 439737840>
    17:22:07.701892 IP > palo5.pacific.net.th.www: P 1:423(422) ack 1 win 1460 <nop,nop,timestamp 6391249 439737840>
    17:22:07.738700 IP palo5.pacific.net.th.www > . ack 423 win 6432 <nop,nop,timestamp 439737844 6391249>
    17:22:09.550681 IP palo5.pacific.net.th.www > . 1:1349(1348) ack 423 win 6432 <nop,nop,timestamp 439738024 6391249>
    17:22:09.550771 IP > palo5.pacific.net.th.www: . ack 1349 win 2184 <nop,nop,timestamp 6391434 439738024>
    17:22:09.552264 IP palo5.pacific.net.th.www > P 1349:1424(75) ack 423 win 6432 <nop,nop,timestamp 439738024 6391249>
    17:22:09.552335 IP > palo5.pacific.net.th.www: . ack 1424 win 2184 <nop,nop,timestamp 6391434 439738024>

    and 280

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    17:24:06.914667 IP > palo5.pacific.net.th.280: S 787567821:787567821(0) win 5840 <mss 1460,sackOK,timestamp 6403171 0,nop,wscale 2>
    17:24:06.943900 IP palo5.pacific.net.th.280 > R 0:0(0) ack 787567822 win 0
    17:24:07.015253 IP > palo5.pacific.net.th.280: S 785698767:785698767(0) win 5840 <mss 1460,sackOK,timestamp 6403181 0,nop,wscale 2>
    17:24:07.043171 IP palo5.pacific.net.th.280 > R 0:0(0) ack 785698768 win 0
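
The check the captures in this thread rely on (what comes back for each SYN), as an added example that is not part of any post: a small Python parser that reads tcpdump text output of the kind shown above and reports, per destination port, whether the handshake was answered with SYN/ACK, refused with RST, or got no reply at all. It goes slightly beyond the two cases in the post by adding the no-reply case; the addresses 192.0.2.10 and 198.51.100.7, the port 8080 probe and all function names are constructed for illustration, and it assumes lines that still carry both endpoints, unlike the scrubbed captures posted here.

```python
import re
from collections import Counter

# Classic tcpdump TCP line: time, "IP", src.port > dst.port:, flags, rest.
# Ports may be numeric or service names such as "www".
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"(?P<flags>[SFPRWE.]+) (?P<rest>.*)$"
)

# Constructed sample capture, modelled on the port 80 / port 280 dumps above.
SAMPLE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:22:07.668256 IP 192.0.2.10.48078 > 198.51.100.7.80: S 668177623:668177623(0) win 5840 <mss 1460>
17:22:07.697672 IP 198.51.100.7.80 > 192.0.2.10.48078: S 220399697:220399697(0) ack 668177624 win 5792 <mss 1360>
17:22:07.697815 IP 192.0.2.10.48078 > 198.51.100.7.80: . ack 1 win 1460
17:24:06.914667 IP 192.0.2.10.48090 > 198.51.100.7.280: S 787567821:787567821(0) win 5840 <mss 1460>
17:24:06.943900 IP 198.51.100.7.280 > 192.0.2.10.48090: R 0:0(0) ack 787567822 win 0
17:24:07.015253 IP 192.0.2.10.48091 > 198.51.100.7.280: S 785698767:785698767(0) win 5840 <mss 1460>
17:24:07.043171 IP 198.51.100.7.280 > 192.0.2.10.48091: R 0:0(0) ack 785698768 win 0
17:25:10.100000 IP 192.0.2.10.48092 > 198.51.100.7.8080: S 900000000:900000000(0) win 5840 <mss 1460>
""".splitlines()


def _secs(ts):
    """Convert an HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def classify(lines):
    """Return one verdict dict per initial SYN, in capture order."""
    attempts = {}  # (client, cport, server, sport) -> verdict record
    for raw in lines:
        m = LINE.match(raw.strip())
        if m is None:
            continue  # banner lines, non-TCP packets, scrubbed lines
        f = m.groupdict()
        has_ack = re.search(r"\back \d+", f["rest"]) is not None
        fwd = (f["src"], f["sport"], f["dst"], f["dport"])
        rev = (f["dst"], f["dport"], f["src"], f["sport"])
        if f["flags"] == "S" and not has_ack:
            # Initial SYN; a retransmission keeps the first record.
            attempts.setdefault(fwd, {
                "server": f["dst"], "port": f["dport"],
                "sent": _secs(f["ts"]), "verdict": "no_reply", "reply_ms": None,
            })
        elif rev in attempts and attempts[rev]["verdict"] == "no_reply":
            if "R" in f["flags"]:
                verdict = "refused"    # RST: nothing accepts on that port
            elif "S" in f["flags"] and has_ack:
                verdict = "accepted"   # SYN/ACK: a listener answered
            else:
                continue
            a = attempts[rev]
            a["verdict"] = verdict
            a["reply_ms"] = round((_secs(f["ts"]) - a["sent"]) * 1000, 1)
    return list(attempts.values())


def summarize(verdicts):
    """Count verdicts per (server, port)."""
    out = {}
    for v in verdicts:
        out.setdefault((v["server"], v["port"]), Counter())[v["verdict"]] += 1
    return {k: dict(c) for k, c in out.items()}


if __name__ == "__main__":
    for (server, port), counts in summarize(classify(SAMPLE)).items():
        print(server, port, counts)
```

A `no_reply` verdict is also what a one-way capture such as `tcpdump dst port 80` produces, because the replies never reach the parser.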

  6. Ben

    Ben ISPConfig Developer

    So I'd say that looks good.
    Do you see anything in the apache access logs while accessing? Normally you should.
    What you could do is saving the output of tcpdump to a capture file and take a look with ethereal at the packets content to see what the apache returned.
    tcpdump -w /tmp/youcapturefile.cap port 80

    What I'm wondering is, why your client does not get anything. Does the router have any logs where you could take a look at?
  7. falko

    falko Super Moderator ISPConfig Developer

    What's the output of
    iptables -L
    Do you use a domain or an IP address to connect to your server from outside your LAN?
    Last edited: Aug 12, 2006
  8. I apologise for the long post in advance.

    My iptables were empty (the same as now, see below) so I thought that I'd do a clean install just in case I'd changed something (to avoid needle in a haystack) as I'm only using this pc to learn linux so I'm not losing anything.

    My current (new) OS is Ubuntu server 6.06 LAMP option with ubuntu desktop, amule, build-essential packages, I've also run update and upgrade.

    I bought a new ethernet PCI card which I'm using now.

    I still have the same problem so back to basics seemed the best way so I've tried to cover every step
    • I'm running emule ok (High id) on another pc on my lan and amule on this computer (also High id) with ports 4662 and 4672 open so I'm happy that port forwarding with my router is ok
    • The fact that amule can act as server (it's uploading files) from this setup also means that tcp data can get out past my router
    • Apache2 seems to be working to some extent as it's serving the default page to another computer on my lan (I entered an internal ip into firefox on another computer)
    • Since amule can use 4662 I tried to get apache to use it by adding 'Listen 4662' to ports.conf for apache2 and restarted it, still no joy
    • I get output for tcpdump dst port 80 and tcpdump port 80 when requesting from external IP so I thought I'd try to run amule on port 80, doesn't work even though the amule test page says that 80's open (anomaly ?)
    • At all times when trying to request a page I'm using IP address, not FQDN or any other domain name.
    • Maybe the IP address(s) I'm using are wrong? portforward.com and myip.dk both give me what I believe to be my external IP address, however whatsmyip.org and amule are showing a different IP address – one that I believe is the IP of my router on my ISP's lan. When I try this IP I get my router's set up page.

    • My ip tables are empty (only headers), see below
      Router log only lists boot, connection etc – nothing useful
    Router seems to be ok (amule works)
    apache seems to be ok (can serve to lan IP)
    ISP doesn't appear to be blocking access to port 80 (amule test page says port open)
    I get a connection refused (111) error on port 80, even though I see output on tcpdump, but error 'Firefox can't establish a connection to the server' on any other port. The errors come up pretty quickly, quicker than I see the tcpdump output and not slow enough for a genuine timeout/server not responding.

    The most obvious thing to me is that the protocol for apache2 is tcp6, not tcp – why is that? Can my ISP handle tcp6? (they won't tell me as I'm sure they don't know themselves, I only have the choice of 1 ISP and they're useless) Can I change it to tcp to eliminate it? All I did to install the new ethernet card was put it in and boot – could there be a problem with the driver? Can I follow the packets (how)?

    netstat -lp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 localhost:36230 *:* LISTEN 4302/hpiod
    tcp 0 0 localhost:mysql *:* LISTEN 4596/mysqld
    tcp 0 0 *:4662 *:* LISTEN 6721/amule
    tcp 0 0 localhost:ipp *:* LISTEN 5373/cupsd
    tcp 0 0 localhost:60314 *:* LISTEN 4308/python
    tcp6 0 0 *:www *:* LISTEN 6642/apache2
    tcp6 0 0 *:81 *:* LISTEN 6642/apache2
    udp 0 0 *:4665 *:* 6721/amule
    udp 0 0 *:4672 *:* 6721/amule

    amule output

    tcpdump dst -i2 port 4662
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
    01:09:00.601442 IP 195-150-178-66.jtb.pl.distcc > P 984866779:984866862(83) ack 457039173 win 65300
    01:09:00.648000 IP > F 360434971:360434971(0) ack 3118294436 win 1728 <nop,nop,timestamp 243550 4338418>
    01:09:00.651018 IP 195-150-178-66.jtb.pl.distcc > P 83:138(55) ack 1 win 65300
    01:09:00.757998 IP > dslb-088-073-052-050.pools.arcor-ip.net.4662: P 455262406:455262428(22) ack 1978081104 win 1728 <nop,nop,timestamp 243561 2745896>
    01:09:00.789720 IP > . ack 3253590533 win 1460 <nop,nop,timestamp 243564 202607>
    ^F^X01:09:00.955511 IP > . ack 460441369 win 65217

    6 packets captured
    584 packets received by filter
    462 packets dropped by kernel

    iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Output when using external IP address to request

    tcpdump dst -i2 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
    01:19:58.426512 IP > pppBKK-150-132.pacific.net.th.www: S 1156142549:1156142549(0) win 5840 <mss 1460,sackOK,timestamp 309327 0,nop,wscale 2>
    01:19:58.872206 IP > pppBKK-150-132.pacific.net.th.www: . ack 4028938538 win 1460 <nop,nop,timestamp 309372 459915587>
    01:19:58.872383 IP > pppBKK-150-132.pacific.net.th.www: P 0:422(422) ack 1 win 1460 <nop,nop,timestamp 309372 459915587>
    01:19:59.293302 IP > pppBKK-150-132.pacific.net.th.www: . ack 1349 win 2184 <nop,nop,timestamp 309414 459915628>
    01:19:59.294867 IP > pppBKK-150-132.pacific.net.th.www: . ack 1430 win 2184 <nop,nop,timestamp 309414 459915628>
    5 packets captured
    10 packets received by filter
    0 packets dropped by kernel

    tcpdump -i2 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
    01:21:58.270402 IP > pppBKK.www: S 1284248063:1284248063(0) win 5840 <mss 1460,sackOK,timestamp 321312 0,nop,wscale 2>
    01:21:58.909341 IP pppBKK.www > S 4162375405:4162375405(0) ack 1284248064 win 5792 <mss 1360,sackOK,timestamp 459927591 321312,nop,wscale 0>
    01:21:58.909454 IP > pppBKK.www: . ack 1 win 1460 <nop,nop,timestamp 321376 459927591>
    01:21:58.918413 IP > pppBKK.www: P 1:423(422) ack 1 win 1460 <nop,nop,timestamp 321377 459927591>
    01:21:59.568870 IP pppBKK.www > . ack 423 win 6432 <nop,nop,timestamp 459927657 321377>
    01:21:59.700681 IP pppBKK.www > . 1:1349(1348) ack 423 win 6432 <nop,nop,timestamp 459927669 321377>
    01:21:59.700750 IP > pppBKK.www: . ack 1349 win 2184 <nop,nop,timestamp 321455 459927669>
    01:21:59.701899 IP pppBKK.www > P 1349:1430(81) ack 423 win 6432 <nop,nop,timestamp 459927669 321377>
    01:21:59.701957 IP > pppBKK.www: . ack 1430 win 2184 <nop,nop,timestamp 321455 459927669>
    9 packets captured
    18 packets received by filter
    0 packets dropped by kernel

    amule porttest webpage successful on port 80

    tcpdump -i2 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
    01:41:59.871814 IP > P 2507444376:2507444865(489) ack 1083300088 win 1728 <nop,nop,timestamp 441471 460043888>
    01:42:00.242375 IP > . ack 489 win 7504 <nop,nop,timestamp 460047729 441471>
    01:42:01.016957 IP > P 1:824(823) ack 489 win 7504 <nop,nop,timestamp 460047805 441471>
    01:42:01.017027 IP > . ack 824 win 2140 <nop,nop,timestamp 441586 460047805>
    01:42:16.745726 IP > F 1086988376:1086988376(0) ack 2503559107 win 6432 <nop,nop,timestamp 460049379 437246>
    01:42:16.778008 IP > . ack 1 win 1728 <nop,nop,timestamp 443163 460049379>
    01:42:17.044069 IP > P 2501251009:2501251496(487) ack 1084090170 win 1996 <nop,nop,timestamp 443189 460044712>
    01:42:17.376210 IP > . ack 487 win 8816 <nop,nop,timestamp 460049442 443189>
    01:42:18.531348 IP > P 1:677(676) ack 487 win 8816 <nop,nop,timestamp 460049557 443189>
    01:42:18.531417 IP > . ack 677 win 2334 <nop,nop,timestamp 443338 460049557>
    01:42:23.118435 IP > F 1:1(0) ack 1 win 1728 <nop,nop,timestamp 443797 460049379>
    01:42:23.667918 IP > . ack 2 win 6432 <nop,nop,timestamp 460050071 443797>
    12 packets captured
    24 packets received by filter
    0 packets dropped by kernel
  9. falko

    falko Super Moderator ISPConfig Developer

    Can you post your Listen directives from your Apache configuration here?
    Also have a look here: http://httpd.apache.org/docs/2.0/mod/mpm_common.html#listen
  10. I'm trying to use apache2 on a xp computer on my lan to see if I can run a web server with my ISP

    Also I'm trying apache 1.3 on my ubuntu server 6.06 LAMP ubuntu-desktop config to see if that works.

    The ports.conf output was

    Listen 80
    Listen 81
    Listen 280
    Listen 10080


    Listen (whatever port I'm trying)

    Great post about the perfect ubuntu 6.06 server setup, that's where I learnt most of what little I know.

  11. falko

    falko Super Moderator ISPConfig Developer

    Looks ok. And this is from the correct server (not that you mixed up your servers... ;) ).
    What's the output of
    netstat -tap
  12. I tried Apache 2.2.3 (or whatever the latest version is) on XP and had exactly the same problem.

    I've uninstalled apache2 (2.2.3 ? or whatever) and am running apache 1.3.7 (or whatever the latest v1.3.x is) on ubuntu server 6.0.6 - still same problem (when external IP entered into firefox ISP generated error on port 80, firefox cannot find server on any other port)

    I can understand that ISPs don't want people to run a web server so block external requests to my port 80 (obviously allowing web browsing ie. requests from port 80) but is it possible that an ISP could filter packets for every port? Surely this would be impossible without slowing traffic to a standstill?

    I can't run a simple webserver to the outside world on any port even though I can on my lan and run other types of server to outside (emule for example), what mechanism could my ISP be employing to stop me? Or maybe I'm ignorant and missing something obvious?

    What's the default for any IP or I want to try Listen etc.

    netstat -tap output

    netstat -tap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 *:2080 *:* LISTEN 5245/httpd
    tcp 0 0 localhost:53285 *:* LISTEN 4287/python
    tcp 0 0 localhost:mysql *:* LISTEN 4576/mysqld
    tcp 0 0 *:www *:* LISTEN 5245/httpd
    tcp 0 0 *:20080 *:* LISTEN 5245/httpd
    tcp 0 0 *:10000 *:* LISTEN 4882/perl
    tcp 0 0 *:81 *:* LISTEN 5245/httpd
    tcp 0 0 localhost:ipp *:* LISTEN 4336/cupsd
    tcp 0 0 *:280 *:* LISTEN 5245/httpd
    tcp 0 0 localhost:33689 *:* LISTEN 4282/hpiod
    tcp 0 0 peterserv:48078 ESTABLISHED5271/firefox-bin
    tcp 0 0 peterserv:48076 ESTABLISHED5271/firefox-bin
    tcp 0 0 peterserv:48075 ESTABLISHED5271/firefox-bin
    tcp 0 0 peterserv:48086 ESTABLISHED5271/firefox-bin
    tcp 0 0 peterserv:48085 ESTABLISHED5271/firefox-bin
    tcp 0 0 peterserv:48083 ESTABLISHED5271/firefox-bin
    tcp 1 0 peterserv:48082 CLOSE_WAIT 5271/firefox-bin
    tcp 0 0 peterserv:48081 ESTABLISHED5271/firefox-bin
    tcp 0 0 peterserv:48080 ESTABLISHED5271/firefox-bin
    tcp 0 0 localhost:35518 localhost:33689 ESTABLISHED4287/python
    tcp 0 0 localhost:33689 localhost:35518 ESTABLISHED4282/hpiod
  13. falko

    falko Super Moderator ISPConfig Developer

    Please ask your ISP if and which ports they block.
  14. Update

    I read somewhere that with NAT you cannot view your own webserver from an external IP, if you try you will only get your router's setup page because it's also running on port 80. The reason is something about a conflict within your router and NAT.

    You can resolve this by adding dns records somewhere (I don't know where) or by other means.

    I'm posting this because I was testing to see if my webserver was working and thought that it wasn't. What complicated my issue was that portforward.com was showing my IP address as different to whatsmyip.org and I was sure that portforward.com was the correct IP. I believe that the IP address displayed by portforward.com is my ISP's IP and whatsmyip.org displays the IP address of my router on my ISP's LAN.

    I haven't fully tested this yet but am sure that this was my problem, many places tell you to enter your 'outside' ip address to test your webserver, if you don't get the page you expect you think something's wrong. This may only affect certain brands of router.

    Sorry for the vagueness, I will confirm when I've successfully tested my webserver.
  15. falko

    falko Super Moderator ISPConfig Developer

    It can only display your router's public IP address, but not your router's internal IP address - it's impossible.

    You need to forward port 80 from your router to your server then.
  16. bevok

    bevok New Member

    You'll need to get a couple of things working, configuration and terminology of which will depend on your router. What kind have you got?

    Firstly you'll need your server to be natted out to the external IP address via port 80. Secondly you'll need to make sure that connections inbound aren't being blocked by the router's builtin firewall.

    It's fairly simple for ISPs to block ports and they often do so especially to block things like file sharing etc. You'll have to ask them obviously to find out what they do and don't block.

    You definitely won't be able to access your webserver from your LAN via the outside IP address due to NAT, you'll need to test that from elsewhere. Some of my colleagues (sad but true) use the pornalyzer website to test with! I've found dnsstuff.com to be an accurate source of your external IP.

    Good luck!
  17. I got someone to test my webserver using an IP address that I gave them and it worked! It's not a big deal for me now that I know that it's working, I just wanted to test it - I've looked at so many tutorials, how to's etc and they all say that you can test your webserver by entering your external IP address into your web browser. Well I can't and it's taken me weeks to work out that I don't actually have a problem (thanks to Falko for all of the help anyway).

    I'm now running direct update, a DDNS client, and I now realise that in my case there seems some considerable confusion about what my IP address actually is. Direct update uses around 15+ servers alternately to check the current IP address, 13 odd show one address and only 2 show another. The address shown by 2 servers is the one that I've used to confirm that my webserver is working, I haven't been able to get someone else to test the other address yet, I don't think that it will work (but what do I know?).

    What's interesting is that I thought that you only have 1 IP address, simple - no confusion right? Why do different servers show different addresses? I assume that it's just an anomaly particular to me (and my Dlink dsl-504T with Australian firmware). I get an IP address that can access my webserver from whatsmyip.org and something totally different from portforward.com. I'll test the portforward.com address asap.

    You think your connection is bad (Off subject)?

    I live in Phuket, my ADSL connection is up and down more often than a whore's draws!

    I installed direct update last night to dynamically update my IP address, when I checked the log I saw that my IP address changes as often as every 10 minutes, more usually every hour or so. The breaks in service are usually so brief that you wouldn't notice during web surfing but often it's down for an hour or more here and there. Apparently wind blowing the lines is enough to break connectivity.

    Last night approx 1am there was a huge thunderstorm very close (less than a quarter of a second between lightning and thunder), I got up in the dark to let my dogs in the house. While I was walking through the house I saw a flash of light that came from close to my computer and then thunder that sounded like a bomb. I pulled the plug immediately to save more damage. My house wasn't actually hit but somewhere not far away was.

    Today my modem/router doesn't work (I guess that was the flash), so I'm back to my old single port modem for now. Last time something similar happened I had to buy a new PSU and that time (only a couple of months ago) I was thankful that it wasn't my motherboard. Today I bought a surge protector for my phone line, a little late! UPS's are on sale here that apparently protect from lightning; I haven't seen any by a brand that I've heard of. Do they even work? I thought that lightning protection was very hit and miss anyway?

    What I would do for the (usually) poor service offered by the average European ISP!!!!!
  18. My ISP says that they don't block any ports but I wouldn't believe them regardless of what they said, when I call them they automatically assume I have a problem when all I want is info and they just read from a script. They don't know anything that's not on the script. I sometimes wonder if these people have ever actually used the internet.

    dnsstuff.com gives me what I believe is an incorrect IP address (same as portforward.com). Obviously the address is somehow related to me, I'm curious to understand how but it doesn't really matter much.

    When I run tracert from windows I get only 1 hop in less than 1 ms for my IP and 5 slower hops for the other IP.

    Does anyone else get differing IPs? (whatsmyip.org vs dnsstuff.com)
  19. falko

    falko Super Moderator ISPConfig Developer

    I get the same IP address on both web sites. Maybe your internet connection changed between your visits to both sites?
  20. I switched back and forth refreshing firefox to see if the IPs changed, they didn't. I think this is a quirk specific to my ISP. It's not really a problem, you just have to get someone else to check every possible IP address, not an ideal solution but it's not an ideal world.

    I enquired about the price of a static IP address, 3 times what I currently pay for a much slower connection - they do say that it's much more reliable though.

    I'm moving house next week, to an area that's covered by the other ISP on the island. Hopefully I'll get a more continuous service, but maybe that will throw up a whole new set of problems.

    Have a good weekend all.
