Forum OpenACS Q&A: need help -- iptables, port forwarding, openacs/aolserver

I have been struggling with this for a couple weeks now and think
that I have tried all combinations of things I can think of so now I
am asking for help.

I have a system - my firewall - attached to the Internet through a
DSL connection. This firewall system has a static IP address assigned
by the DSL provider. I don't have a registered domain name for this
static IP address. The firewall system uses iptables to control
access to/from a private network and a DMZ network (it has 3 NICs).
The DMZ network has a system with openacs/aolserver/postgresql
running on it - my web server. I can access openacs from my internal
private network (I run a local private DNS and I can use the private
IP address of the web server or its DNS name and both of these work).
When I try to access the web server from outside my network, the
iptables script forwards incoming tcp packets to a web server on the
DMZ (I have tried both ports 80 and 8000) running
aolserver/openacs/postgresql. Using tcpdump, I can see the packets on
the web server so I know that they are getting to the web server.
However, aolserver doesn't (or can't) respond. I have tried many
combinations of "set hostname" based on other material in these
forums. Just to make sure that the DSL provider isn't blocking http,
I ran Apache on this system and its been able to serve pages just
fine.

I suspect that I have some configuration file not set up correctly
and am looking for guidance. Is there a way to have aolserver tell me
why it is rejecting the connection? (Given that my tcp packets ARE
showing up on the web server, I suspect it is declining to respond.)
Has anyone dealt with this problem before? Does anyone have a similar
setup to this that would be willing to share their configuration
files?

Thanks,

Ted Swoyer
(mailto:tswoyer@speakeasy.net)

You could do a tail -f of your ~nsadmin/log/ access log, and see if Aolserver is actually returning a request from outside your network. If it is, then the firewall is just not letting the packets back out.

If you're using iptables but aren't totally sure you know what you're doing, you might look into NARC, a series of scripts that set up iptables for Linux according to an easy to set up configuration file. It also handles DMZs, and is easy to set up. It's currently at version 0.5.1 I think.

If it isn't receiving the request from outside the network, but tcpdump is still receiving the packets, then Aolserver may be set up wrong. I'm not sure what to suggest there.

I have a simple suggestion that I use on a development server in the serverx.tcl file:

set hostname 123.456.78.90

I use the IP address rather than a domain name....and of course, access the server with http://123.456.78.90

-Bob

Jade:

I double checked my firewall rules and then implemented NARC anyway, just in case. I am pretty good with iptables...but I will try anything. Also, I didn't think it was my firewall because apache can serve pages through it. After NARC (nicely done, by the way, thanks!), it works the same: openacs/aolserver nothing...apache OK.

I looked for the access log to see if aolserver is returning a request as you suggested and I have some questions. I used the RH7.1 RPMs to install my setup and I don't have logs where you suggested they would be. I can find a log titled /var/lib/aolserver/...defaultacs.log (the ... represent more path which I can't remember and I have the machine turned off) but this doesn't seem to have any access information. If this isn't the log you were referring to, how do I turn logging on?

In an unrelated question, how do I get aolserver to respond with its default aolserver page instead of the openacs stuff (in other words, I would like aolserver to behave like apache -- without loading all the openacs stuff)?

Anyway, your help is much appreciated but the problem must be somewhere else.

Bob:

I have done the "set hostname 192.168.32.2" in the nsd.tcl file (is there somewhere else I have to set this?) and can access openacs internally by specifying http://192.168.32.2:8000 but I still can't get connected specifying http://myexternalipaddress (which is my static IP address provided by the DSL provider AND I have port 80 forwarded to 192.168.32.2:8000 -- which works for apache).

So,

How do I find out what hostname aolserver thinks it is responding to?

Did you try this?

set address internal_IP_address
set hostname external_IP_address

Hi Ted, you could post your AOLserver startup messages. If you're not sure where the logfiles are, just start AOLserver in foreground mode ("./nsd -f ...") from the console and redirect the output into a file. The access log could be at:

/usr/local/aolserver/YOURservername/modules/nslog/access.log

Peter.
Gilbert,

Interesting suggestion. I tried it and I can now see the login page from outside my network but inside my network, I can't get to it anymore. Also, after logging in or registering externally, I get an error message and can't see any other pages. Closer!

Peter,

Didn't try your suggestion yet -- forgot that I could start aolserver in the foreground -- thanks!

Set ForceHostP 0 in your parameters/mysite.tcl
Well, let's see...

David's suggestion to "set ForceHostP 0" seems to have mostly done the trick. Now, with "set hostname 192.168.32.2" or "set hostname myStaticAddress" and "set address 192.168.32.2", I can see the openacs web site from my internal network using either http://192.168.32.2:8000 or http://internalDNSname:8000. I can also see the login page externally by typing http://myStaticAddress. The problem now is that after I type a name and password on the login page, I can't see subsequent pages, getting "The page cannot be displayed" messages. I double checked my firewall settings by deleting all chains and setting all policies to ACCEPT.

I really appreciate the response so far. Any more ideas?
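The symptoms reported in this thread (login page visible from one side of the firewall but not the other, and "page cannot be displayed" right after logging in) are what a NATed server produces when it builds absolute URLs from its own configured hostname and port. The following is an added example, not code from the thread, OpenACS or AOLserver. It models two behaviours as I understand them: the OpenACS request-processor ForceHostP filter, which redirects any request whose Host header does not name the configured hostname to [ns_conn location][ns_conn url], and AOLserver's ns_returnredirect, which turns a relative Location into an absolute one by prefixing [ns_conn location] (http://hostname:port from nsd.tcl). The topology is the one described above: a DMZ server on 192.168.32.2:8000, only public port 80 DNATed to it, no hairpin NAT. The public address 203.0.113.10, the private DNS name and the /pvt/home return URL are stand-ins I chose, not values from the post. Reproducing the symptoms in a model is not proof they were the cause, but it says which Location header to look for.

```python
"""Model of ForceHostP and relative-redirect behaviour behind a DNAT firewall.

Added example; not from the thread, OpenACS or AOLserver sources.
203.0.113.10, www.internal.example and /pvt/home are assumed placeholders.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

PUBLIC_IP = "203.0.113.10"   # stand-in for the DSL static IP (assumed)
DMZ_IP = "192.168.32.2"      # the web server on the DMZ, as in the thread
DMZ_PORT = 8000              # the port nsd listens on, as in the thread

# Where a browser at each vantage point can open a TCP connection.
# Outside: only port 80 on the public address (the single DNAT rule).
# Inside: the DMZ host directly, by IP or by the private DNS name (assumed).
REACHABLE = {
    "outside": {(PUBLIC_IP, 80)},
    "inside": {(DMZ_IP, DMZ_PORT), ("www.internal.example", DMZ_PORT)},
}


@dataclass(frozen=True)
class NsdConfig:
    hostname: str        # "set hostname ..." in nsd.tcl
    port: int            # the listening port
    force_host_p: bool   # OpenACS ForceHostP parameter

    def location(self) -> str:
        """[ns_conn location]: scheme, hostname and any non-default port."""
        if self.port == 80:
            return f"http://{self.hostname}"
        return f"http://{self.hostname}:{self.port}"


def force_host_filter(cfg: NsdConfig, host_header: str, url: str):
    """ForceHostP check: None lets the request through, else the redirect target."""
    host_no_port = host_header.split(":", 1)[0]
    if cfg.force_host_p and host_no_port != cfg.hostname:
        return cfg.location() + url
    return None


def absolutize_redirect(cfg: NsdConfig, location: str) -> str:
    """ns_returnredirect: a relative Location is prefixed with [ns_conn location]."""
    if location.startswith("/"):
        return cfg.location() + location
    return location


def can_connect(vantage: str, absolute_url: str) -> bool:
    parts = urlsplit(absolute_url)
    return (parts.hostname, parts.port or 80) in REACHABLE[vantage]


def fetch(cfg: NsdConfig, vantage: str, host_header: str, url: str = "/") -> str:
    """Outcome for a browser at `vantage` sending `Host: host_header` for `url`."""
    target = force_host_filter(cfg, host_header, url)
    if target is None:
        return "served"
    if can_connect(vantage, target):
        return "redirected, then served"
    return f"redirected to {target}, unreachable from {vantage}"


def after_login(cfg: NsdConfig, vantage: str, return_url: str = "/pvt/home") -> str:
    """Outcome of the post-login redirect issued with a relative return_url."""
    target = absolutize_redirect(cfg, return_url)
    if can_connect(vantage, target):
        return "served"
    return f"redirected to {target}, unreachable from {vantage}"


if __name__ == "__main__":
    scenarios = {
        "hostname=DMZ IP,    ForceHostP 1": NsdConfig(DMZ_IP, DMZ_PORT, True),
        "hostname=public IP, ForceHostP 1": NsdConfig(PUBLIC_IP, DMZ_PORT, True),
        "hostname=DMZ IP,    ForceHostP 0": NsdConfig(DMZ_IP, DMZ_PORT, False),
    }
    for label, cfg in scenarios.items():
        print(label)
        print("  outside GET / :", fetch(cfg, "outside", PUBLIC_IP))
        print("  inside  GET / :", fetch(cfg, "inside", f"{DMZ_IP}:{DMZ_PORT}"))
        print("  outside login :", after_login(cfg, "outside"))
```

In the model, hostname=192.168.32.2 with ForceHostP on sends outside visitors a redirect to the private address; hostname=public IP sends inside visitors to a public address they cannot reach and, because the location carries :8000, sends outside visitors to a port the firewall does not forward after login; ForceHostP 0 serves the first page from both sides but still breaks the post-login redirect. The practitioner check that confirms or rules this out on the real server is to request the login page from the DMZ host with the external Host header, `curl -i -H 'Host: <public IP>' http://192.168.32.2:8000/`, and read the Location header of any 302 you get back, then submit the login form the same way; a Location naming 192.168.32.2 or port 8000 is the NAT-invisible address the browser outside is being told to fetch.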