Connectivity check
Check from the local host
From the server's own host I connected with telnet to port 80 (httpd's listen port) and could GET the html, so listening is OK.
[root@linux38 etc]# telnet 192.168.10.38 80
Trying 192.168.10.38...
Connected to linux38 (192.168.10.38).
Escape character is '^]'.
GET /index.html HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 23 Oct 2006 11:14:33 GMT
Server: Apache/2.2.2 (Fedora)
Last-Modified: Mon, 23 Oct 2006 10:37:54 GMT
ETag: "689832-51-bdc6480"
Accept-Ranges: bytes
Content-Length: 81
Connection: close
Content-Type: text/html; charset=UTF-8

kari index.html
Connection closed by foreign host.
Connectivity from a remote host
This did not work at first, but I solved it.
In the end, cause 1: iptables was acting as a firewall and rejecting access from outside.
The full story
Accessing http://192.168.10.38 from a browser on Windows, the server is not found.
When I try to connect to 192.168.10.38:80 with Tera Term, "connecting..." continues for a while, then it fails with "Cannnot connect the host".
Possible cause 1
#iptables -L
[root@linux38 etc]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in  out source    destination
 4039  301K RH-Firewall-1-INPUT  all  --  any any anywhere  anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in  out source    destination
    0     0 RH-Firewall-1-INPUT  all  --  any any anywhere  anywhere

Chain OUTPUT (policy ACCEPT 3833 packets, 994K bytes)
 pkts bytes target               prot opt in  out source    destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target  prot       opt in  out source    destination
   48  3930 ACCEPT  all        --  lo  any anywhere  anywhere
    0     0 ACCEPT  icmp       --  any any anywhere  anywhere     icmp any
    0     0 ACCEPT  ipv6-crypt--  any any anywhere  anywhere
    0     0 ACCEPT  ipv6-auth--   any any anywhere  anywhere
   15  2216 ACCEPT  udp        --  any any anywhere  224.0.0.251  udp dpt:mdns
    0     0 ACCEPT  udp        --  any any anywhere  anywhere     udp dpt:ipp
    0     0 ACCEPT  tcp        --  any any anywhere  anywhere     tcp dpt:ipp
 3761  257K ACCEPT  all        --  any any anywhere  anywhere     state RELATED,ESTABLISHED
    2    96 ACCEPT  tcp        --  any any anywhere  anywhere     state NEW tcp dpt:ssh
  213 37976 REJECT  all        --  any any anywhere  anywhere     reject-with icmp-host-prohibited
Try deleting the REJECT on the last line.
[root@linux38 etc]# iptables -D RH-Firewall-1-INPUT 10
[root@linux38 etc]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in  out source    destination
 4103  307K RH-Firewall-1-INPUT  all  --  any any anywhere  anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in  out source    destination
    0     0 RH-Firewall-1-INPUT  all  --  any any anywhere  anywhere

Chain OUTPUT (policy ACCEPT 3883 packets, 1000K bytes)
 pkts bytes target               prot opt in  out source    destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target  prot       opt in  out source    destination
   48  3930 ACCEPT  all        --  lo  any anywhere  anywhere
    0     0 ACCEPT  icmp       --  any any anywhere  anywhere     icmp any
    0     0 ACCEPT  ipv6-crypt--  any any anywhere  anywhere
    0     0 ACCEPT  ipv6-auth--   any any anywhere  anywhere
   15  2216 ACCEPT  udp        --  any any anywhere  224.0.0.251  udp dpt:mdns
    0     0 ACCEPT  udp        --  any any anywhere  anywhere     udp dpt:ipp
    0     0 ACCEPT  tcp        --  any any anywhere  anywhere     tcp dpt:ipp
 3811  260K ACCEPT  all        --  any any anywhere  anywhere     state RELATED,ESTABLISHED
    2    96 ACCEPT  tcp        --  any any anywhere  anywhere     state NEW tcp dpt:ssh
[root@linux38 conf]# /etc/init.d/iptables
使い方: /etc/init.d/iptables {start|stop|restart|condrestart|status|panic|save}
[root@linux38 conf]# /etc/init.d/iptables restart
ファイアウォールルールを適用中:                          [  OK  ]
チェインポリシーを ACCEPT に設定中filter                 [  OK  ]
iptables モジュールを取り外し中                          [  OK  ]
iptables ファイアウォールルールを適用中:                  [  OK  ]
iptables モジュールを読み込み中ip_conntrack_netbios_ns   [  OK  ]
[root@linux38 conf]#
Even at this stage, I still cannot access it from an external browser. Wait a minute, the REJECT is back. Was the deletion of the REJECT not saved properly???
[root@linux38 conf]# iptables -L -v
    1    78 REJECT  all        --  any any anywhere  anywhere     reject-with icmp-host-prohibited
/etc/init.d/iptables sets up the initial tables from the rules written in /etc/sysconfig/iptables, so I edited /etc/sysconfig/iptables directly.
[root@linux38 sysconfig]# pwd
/etc/sysconfig
[root@linux38 sysconfig]# ls -la iptables
-rw------- 1 root root 802 10月 23 21:02 iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
I could access it from the Windows browser!!
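As an added example (not from the original post), a POSIX sh helper that opens TCP/80 in a file in the /etc/sysconfig/iptables format shown above by inserting an ACCEPT rule just ahead of the chain's catch-all REJECT, so the REJECT stays in place instead of being deleted as in the first attempt. The chain name RH-Firewall-1-INPUT and the rule text follow the file above; the function names and the port-80 rule itself are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own fix: open TCP/80 in an iptables-save
# format file by inserting an ACCEPT before the chain's final REJECT.
# Assumes the chain is named RH-Firewall-1-INPUT (as in the post's file).

HTTP_RULE='-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT'

# allow_http FILE: insert HTTP_RULE before the chain's first REJECT line.
# Idempotent: does nothing if the rule is already present.
# Returns 0 on success, 1 if no REJECT line exists (file left untouched).
allow_http() {
    file=$1
    if grep -qF -- "$HTTP_RULE" "$file"; then
        return 0
    fi
    if ! grep -q -- '^-A RH-Firewall-1-INPUT -j REJECT' "$file"; then
        return 1
    fi
    tmp=$(mktemp) || return 1
    # Print the rule once, immediately before the REJECT, then the rest.
    awk -v rule="$HTTP_RULE" '
        !done && /^-A RH-Firewall-1-INPUT -j REJECT/ { print rule; done = 1 }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the 0600 mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# http_rule_position FILE: print the 1-based position of the HTTP rule
# among the chain's own -A lines (the number iptables -I/-D would use),
# or 0 if the rule is absent.
http_rule_position() {
    awk -v rule="$HTTP_RULE" '
        /^-A RH-Firewall-1-INPUT / { n++; if ($0 == rule) { print n; found = 1; exit } }
        END { if (!found) print 0 }
    ' "$1"
}
```

After editing the real file, the rules only take effect once /etc/init.d/iptables restart reloads them, which is the step the post runs.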
Possible cause 2
xinetd-related
Around here:
#cd /etc/xinetd.d
Possible cause 3
/etc/hosts.allow, /etc/hosts.deny
All OK, or rather, I have put no restrictions in place.
[root@linux38 etc]# more /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
#rsync: 127.0.0.1
#rsync: 192.168.10.37
#ALL: ALL
[root@linux38 etc]# more /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
#rsync: ALL
#ALL: ALL
Possible cause 4
Apache host authentication
No deny is written, so everything is allowed.
#cd /etc/httpd/conf/httpd.conf
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important.  Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
    Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
    AllowOverride None

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all