Networking Forums


monit – can't connect from browser

 
 
Vwaju

 
      11-29-2008, 10:07 PM
I'm teaching myself networking by building an internet server. I am
running Debian Linux 3.1 on host jupiter.obliqueuniverse.org (a Dell
Dimension 4100 desktop). This host (192.168.2.2) is part of my LAN,
which is connected to the Internet through a Dell Truemobile 2300
Broadband Router (which does NAT). My domain is obliqueuniverse.org,
and I have the static IP address 207.237.37.110.

Many thanks to Chris Davies, Bit Twister, and a number of others who
have helped me get this far!

On jupiter, I have installed apache 2.0.54 and ISPConfig.

I installed and configured monit 4.5, and created the certificate
using this guide: http://howtoforge.com/server_monitoring_monit_munin_p2.
(For the moment, on my training server, I am committed to Debian 3.1,
and 4.5 is the prescribed release of monit.)

From Firefox on the Windows XP host (192.16.2.3) on my LAN, I can
connect to the apache server:

http://192.168.2.2:80

and I can connect to ISPConfig:

http://192.168.2.2:81

However, when I try to connect to the Monit Server Manager

https://192.168.2.2:2812

I get the following error message:
- - - - - - - - - - - - - - - - - - - - - - - -
Server Connection Failed
192.168.2.2 uses an invalid security certificate
The certificate is not trusted because it is self-signed.
The certificate is valid only for jupiter.obliqueuniverse.org
(Error code: sec_error_ca_cert_invalid)
- - - - - - - - - - - - - - - - - - - - - - - -

There is an "Alert!" pop-up that says:

The certificate is only valid for jupiter.obliqueuniverse.org

The Windows XP Firewall is disabled. I have configured the Dell
Truemobile Router to forward any traffic directed to port 2812 at
207.237.37.110 to port 2812 on 192.168.2.2. (However, on the LAN side
of my router, I don't think this should make any difference.)

ps and "monit status" indicate that monit is running, but that
"Connection failed" for apache:

monit status | sed -n '57,70p'

Process 'apache'
status Connection failed
monitoring status monitored
pid -1
parent pid -1
uptime 0m
childrens 0
memory kilobytes 0
memory kilobytes total 0
memory percent 0.0%
memory percent total 0.0%
cpu percent 0.0%
cpu percent total 0.0%
port response time -1.000s to www.obliqueuniverse.org:80/monit/token [HTTP]

# monit validate

/etc/monit/monitrc:414: Warning: TOTALMEMORY statement does not work properly on Linux
'MB'
HTTP error: Server returned status 404
'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
'apache' trying to restart
'apache' stop: /etc/init.d/apache2
'apache' start: /etc/init.d/apache2

# cat /etc/monit/monitrc | sed -n '414p'

if totalmem > 500 MB for 5 cycles then restart

Inspection reveals that there are 6 instances of apache2 running:

ps aux | awk 'NR==1 || $11 ~/apache2/'

USER       PID %CPU %MEM   VSZ  RSS TTY  STAT START TIME COMMAND
root      5291  1.6  2.5 23044 9776 ?    Ss   21:03 0:00 /usr/sbin/apache2 -k start -DSSL
www-data  5295  0.0  2.5 23044 9796 ?    S    21:03 0:00 /usr/sbin/apache2 -k start -DSSL
www-data  5296  0.0  2.5 23044 9796 ?    S    21:03 0:00 /usr/sbin/apache2 -k start -DSSL
www-data  5297  0.0  2.5 23044 9796 ?    S    21:03 0:00 /usr/sbin/apache2 -k start -DSSL
www-data  5298  0.0  2.5 23044 9796 ?    S    21:03 0:00 /usr/sbin/apache2 -k start -DSSL
www-data  5299  0.0  2.5 23044 9796 ?    S    21:03 0:00 /usr/sbin/apache2 -k start -DSSL

If I kill one of these processes another is spawned, keeping the total
at 6.

/var/log/syslog shows that monit tries to restart apache2 about every
60 seconds.

Nov 24 20:06:30 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
Nov 24 20:06:31 jupiter monit[2655]: 'apache' trying to restart
Nov 24 20:06:31 jupiter monit[2655]: 'apache' stop: /etc/init.d/apache2
Nov 24 20:06:32 jupiter monit[2655]: 'apache' start: /etc/init.d/apache2
Nov 24 20:07:37 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
Nov 24 20:07:37 jupiter monit[2655]: 'apache' trying to restart
Nov 24 20:07:37 jupiter monit[2655]: 'apache' stop: /etc/init.d/apache2
Nov 24 20:07:38 jupiter monit[2655]: 'apache' start: /etc/init.d/apache2
Nov 24 20:08:43 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
Nov 24 20:08:43 jupiter monit[2655]: 'apache' trying to restart
Nov 24 20:08:43 jupiter monit[2655]: 'apache' stop: /etc/init.d/apache2
Nov 24 20:08:44 jupiter monit[2655]: 'apache' start: /etc/init.d/apache2
Nov 24 20:09:49 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
Nov 24 20:09:49 jupiter monit[2655]: 'apache' trying to restart
Nov 24 20:09:49 jupiter monit[2655]: 'apache' stop: /etc/init.d/apache2
Nov 24 20:09:50 jupiter monit[2655]: 'apache' start: /etc/init.d/apache2
Nov 24 20:10:55 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
Nov 24 20:10:55 jupiter monit[2655]: 'apache' trying to restart
Nov 24 20:10:55 jupiter monit[2655]: 'apache' stop: /etc/init.d/apache2
Nov 24 20:10:56 jupiter monit[2655]: 'apache' start: /etc/init.d/apache2
Nov 24 20:12:01 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
Nov 24 20:12:01 jupiter monit[2655]: 'apache' trying to restart
Nov 24 20:12:01 jupiter monit[2655]: 'apache' stop: /etc/init.d/apache2
Nov 24 20:12:02 jupiter monit[2655]: 'apache' start: /etc/init.d/apache2
Nov 24 20:13:07 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].

A thread in the archives
http://www.nabble.com/-monit--Monit-...d13377005.html
suggests that there is a bug in monit < 4.9: the error flag is not
cleared when monit restarts a process, even though the process is
restarted correctly. Hence, it keeps spawning the process (subject to
the constraints in monitrc, which I don't fully understand).

However, I don't see a suggested remedy. I can set apache to "mode
passive" in monitrc, but presumably that means that monit won't
restart apache when it *really needs* to be restarted.

I am guessing (hoping) that the 2 problems are related: I can't
connect to monit because monit thinks apache is not running.
(However, I *can* connect to ISPConfig and apache itself.)

Thanks for having read all of the above! As always, interested to
hear your thoughts.

Best Regards,
Vwaju
New York City
 
 
 
 
 
Burkhard Ott

 
      11-29-2008, 11:16 PM
On Sat, 29 Nov 2008 15:07:12 -0800, Vwaju wrote:


> https://192.168.2.2:2812

^^^^^^^^^^^
> I get the following error message:
> - - - - - - - - - - - - - - - - - - - - - - - -
> Server Connection Failed
> 192.168.2.2 uses an invalid security certificate
> The certificate is not trusted because it is self-signed.
> The certificate is valid only for jupiter.obliqueuniverse.org
> (Error code: sec_error_ca_cert_invalid)
> - - - - - - - - - - - - - - - - - - - - - - - -


The CN in your certificate doesn't match the name in the address bar
of your browser.
You can force the browser to accept it, you can change the CN in your
certificate, or you connect to the valid name (jupiter..).


> The Windows XP Firewall is disabled. I have configured the Dell
> Truemobile Router to forward any traffic directed to port 2812 at
> 207.237.37.110 to port 2812 on 192.168.2.2. (However, on the LAN side
> of my router, I don't think this should make any difference.)


It has nothing to do with the XP firewall.


> ps and "monit status" indicates that monit is running, but that
> "Connection failed" for apache:


How is your check for apache in monit.conf?


> # monit validate
>
> /etc/monit/monitrc:414: Warning: TOTALMEMORY statement does not work
> properly on Linux


There is obviously an error with totalmemory in your config; remove it.
It seems you use an old monit version; I haven't had any trouble with mem
checks.


> HTTP error: Server returned status 404


You are trying to connect to a non-existent file. Place an index file in the
document root directory if you check only for /; otherwise you also need to
write the filename in your config file.

> 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:
> 80].
> 'apache' trying to restart
> 'apache' stop: /etc/init.d/apache2
> 'apache' start: /etc/init.d/apache2


Sure, the webserver is not working correctly (status 404), so monit does the
right thing.


> if totalmem > 500 MB for 5 cycles then restart


See above, and check your syslog.
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> root 5291 1.6 2.5 23044 9776 ? Ss 21:03 0:00 /usr/


How much memory does your machine have? You're using 2.5% with one process;
you should check your apache conf. It depends on the modules you need, but
usually I've never seen a parent process using more than 10 to 12 MB.

> If I kill one of these processes another is spawned, keeping the total
> at 6.


apache.conf prefork works correctly. When one child dies, the parent process
opens it again.


> /var/log/syslog shows that monit tries to restart apache2 about every
> 60 seconds.


If your check interval is 1 minute, monit works correctly.

> Thanks for having read all of the above! As always, interested to
> hear your thoughts.


Try the following:
Place an index.html in the document root (apache) or enable Options +Index
in your apache config.

Check your monitrc file; it should be similar to this:

check process apache2 with pidfile $PATH_TO_APACHES_PID
start program = "/etc/init.d/apache2 start"
stop program = "/etc/init.d/apache2 stop"
if failed host $IP_APACHE_IS_LISTENING port $PORT
protocol http and request "/" then restart

You could also use protocol http and request "/YOURFILE" then restart;
YOURFILE has to be in your document root.

cheers
 
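The certificate error in the first post is a name-matching failure, not a connection failure: the browser compares what was typed in the address bar against the names in the certificate, and an IP literal such as 192.168.2.2 never matches a CN or dNSName. The following is an added example (not code from the thread or from monit) that implements that comparison the way modern hostname verification does it; the certificate contents and the 192.168.2.2 iPAddress SAN in JUPITER_CERT_WITH_SANS are constructed to mirror the thread's situation.

```python
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against the
    requested host: case-insensitive, trailing dots ignored, and a
    wildcard is honoured only when it is the entire leftmost label of a
    name with at least three labels (so '*.org' never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches(requested: str, dns_names=(), ip_names=(), common_name=None) -> bool:
    """Would a browser accept this certificate for the host typed in the
    address bar?  An IP literal is compared only against iPAddress SANs;
    a DNS name is compared against dNSName SANs, falling back to the CN
    only when the certificate carries no dNSName at all (legacy rule)."""
    try:
        wanted_ip = ipaddress.ip_address(requested)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(ipaddress.ip_address(x) == wanted_ip for x in ip_names)
    if dns_names:
        return any(_dns_name_matches(n, requested) for n in dns_names)
    return common_name is not None and _dns_name_matches(common_name, requested)


# Constructed stand-in for the self-signed certificate in the thread:
# a CN only, no subjectAltName extension.
JUPITER_CERT = {"common_name": "jupiter.obliqueuniverse.org"}

# Constructed example of a reissued certificate that would also verify
# when the LAN address is typed: both names live in the SAN extension.
JUPITER_CERT_WITH_SANS = {
    "dns_names": ["jupiter.obliqueuniverse.org"],
    "ip_names": ["192.168.2.2"],
}


def explain(requested: str, cert: dict) -> str:
    """One-line verdict for a given URL host and certificate description."""
    verdict = "name matches" if cert_matches(requested, **cert) else "name mismatch, browser warns"
    return f"https://{requested}: {verdict}"


if __name__ == "__main__":
    for host in ("192.168.2.2", "jupiter.obliqueuniverse.org"):
        print(explain(host, JUPITER_CERT))
        print(explain(host, JUPITER_CERT_WITH_SANS))
```

The two remedies Burkhard lists map directly onto the function: connect by the CN (second case above) or reissue the certificate so that it carries the name you actually use. Clicking through the warning works but trains the habit of ignoring the one check that distinguishes your server from an impostor on the same network.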
 
Vwaju

 
      11-30-2008, 06:42 PM
Hi, Burkhard --

Thanks for your thoughtful observations!

> >https://192.168.2.2:2812


> > I get the following error message:
> > - - - - - - - - - - - - - - - - - - - - - - - -
> > Server Connection Failed
> > 192.168.2.2 uses an invalid security certificate
> > The certificate is not trusted because it is self-signed.
> > The certificate is valid only for jupiter.obliqueuniverse.org
> > (Error code: sec_error_ca_cert_invalid)
> > - - - - - - - - - - - - - - - - - - - - - - - -

>
> Your CN in the certificate doesn't match with the name in the addressbar
> of your browser.
> You can force the browser to accept it, you can change the CN in your
> certificate or you connect to the valid name (juniper..)


I can't connect with the canonical name:

https://jupiter.obliqueuniverse.org:2812

"Failed to Connect"
"Firefox can't established a connection to the server at
jupiter.obliqueuniverse.org:2812"

I notice that I *also* can't connect to the FTP server, Apache, or
ISPConfig using the FQDN.
I can connect *only* using the NAT address 192.168.2.2 (whether from
the Windows machine (192.168.2.3) or another computer running Linux
(192.168.2.5) on my LAN.)

This makes me think I have an underlying problem with domain name
resolution. However, if I query the DNS servers using
DNSWatch http://www.dnswatch.info/ I find both the forward and reverse
queries give the right answer.

Forward Query

Domain                 Type  TTL    Answer
obliqueuniverse.org.   NS    10800  jupiter.obliqueuniverse.org.
obliqueuniverse.org.   SOA   10800  MName jupiter.obliqueuniverse.org.  RName root.localhost.  Serial No. 2008100701  Refresh 28800  Retry 7200  Expire 604800  MinTTL 86400

Reverse Query

Domain                        Type  TTL    Answer
110.37.237.207.in-addr.arpa.  PTR   86400  obliqueuniverse.org.

The browsers on all the hosts on my LAN can resolve arbitrary domain
names. This would indicate that there is no problem with domain name
resolution.

What do you think?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>> How is your check for apache in monit.conf?


Do you mean monitrc?

cat -n monitrc | sed -n '406,417p'

check process apache with pidfile /var/run/apache2.pid
group www
start program = "/etc/init.d/apache2 start"
stop program = "/etc/init.d/apache2 stop"
if failed host www.obliqueuniverse.org port 80 protocol http
and request "/monit/token" then restart
if cpu is greater than 60% for 2 cycles then alert
if cpu > 80% for 5 cycles then restart
if totalmem > 500 MB for 5 cycles then restart
if children > 250 then restart
if loadavg(5min) greater than 10 for 8 cycles then stop
if 3 restarts within 5 cycles then timeout
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > # monit validate

>
> > /etc/monit/monitrc:414: Warning: TOTALMEMORY statement does not work
> > properly on Linux


> there is obviously a error mit totalmemory in your config, remove it it.
> It seems you use a old monit version, I haven't any trouble with mem
> checks.


Can I just *remove* the line: "if totalmem > 500 MB for 5 cycles
then restart"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > HTTP error: Server returned status 404

>
> You try to connect to a non existing file, place an index file in the
> documentroot directory if you check only for /, otherwise you need to
> write also the filename in your configfile.


Excuse my ignorance, but how do I identify the document root?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > USER       PID %CPU %MEM   VSZ  RSS TTY  STAT START TIME COMMAND
> > root      5291  1.6  2.5 23044 9776 ?    Ss   21:03 0:00 /usr/

>
> How much memory has your machine? You'are using 2.5% with one process,
> ypu should check your apache conf, it depends on the modules you need but
> usually I've never seen a parent process it's using more than 10 to 12 MB.


My machine has a total of 384MB RAM
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thanks for your helpful observations!

Best Regards,

Vwaju
New York City
 
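The monitrc shown above probes www.obliqueuniverse.org:80 for "/monit/token", and the earlier "monit validate" output shows Apache answering that request with 404. That is the whole restart loop: the listener is alive, so restarting it cannot change the answer, and the check fails again one cycle later. The following is an added example (not monit's code and not from the thread) that performs the same kind of HTTP protocol test and separates the two failure modes; the in-process "fake Apache" that serves "/" but not "/monit/token" is constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Outcome labels. Only "connect-failed" means the process may be gone.
OK, BAD_STATUS, CONNECT_FAILED = "ok", "bad-status", "connect-failed"


def http_check(host, port, path="/", timeout=5.0):
    """Mimic 'if failed host H port P protocol http and request PATH':
    connect, send GET PATH, and classify the result. 2xx/3xx count as
    healthy; 4xx/5xx is a bad status; no connection at all is a dead
    listener."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        status = resp.status
        resp.read()
        conn.close()
    except (OSError, http.client.HTTPException):
        return CONNECT_FAILED, None
    return (OK if 200 <= status < 400 else BAD_STATUS), status


def decide(outcome):
    """Operator action per outcome. A restart only helps when the
    listener is gone; a 404 means the probed path does not exist, so the
    fix is the request path or the document root, not 'then restart'."""
    return {CONNECT_FAILED: "restart", BAD_STATUS: "fix-path-or-docroot", OK: "none"}[outcome]


class _FakeApache(BaseHTTPRequestHandler):
    """Constructed stand-in for Apache: '/' exists, '/monit/token' does not."""

    def do_GET(self):
        if self.path == "/":
            body, code = b"<html>index</html>", 200
        else:
            body, code = b"not found", 404
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_apache():
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _FakeApache)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Run the three cases the thread exhibits and return the outcomes."""
    srv = start_fake_apache()
    host, port = srv.server_address
    results = {
        "root": http_check(host, port, "/"),             # healthy
        "token": http_check(host, port, "/monit/token"), # the 404 loop
    }
    srv.shutdown()
    srv.server_close()
    results["dead"] = http_check(host, port, "/")        # listener gone
    return results


if __name__ == "__main__":
    for name, (outcome, status) in demo().items():
        print(f"{name:6s} -> {outcome:14s} status={status} action={decide(outcome)}")
```

Read against the thread: with request "/monit/token" the check lands in the "bad-status" row every cycle, and "if 3 restarts within 5 cycles then timeout" is the only thing that eventually stops the loop. Probing a path that really exists (Burkhard's "/" with an index file, or the real token file in the document root) moves it to the "ok" row without touching the restart logic.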
 
Burkhard Ott

 
      11-30-2008, 08:30 PM
On Sun, 30 Nov 2008 11:42:07 -0800, Vwaju wrote:

> Thanks for your thoughtful observations!


No problem at all.

> I can't connect with the canonical name:
> https://jupiter.obliqueuniverse.org:2812


You don't forward this port. I connected to your public IP and received your
Apache welcome page (http://207.237.37.110/apache2-default/; DNS works
also).

> "Failed to Connect"
> "Firefox can't established a connection to the server at
> jupiter.obliqueuniverse.org:2812"


As I said, you haven't opened this port on your public IP.
You'll probably still need a DNAT rule in your iptables configuration.


These are your reachable ports from outside:

20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http


> I notice that I *also* can't connect to the FTP server, Apache, or
> ISPConfig using the FQDN.
> I can connect *only* using the NAT address 192.168.2.2 (whether from
> the Windows machine (192.168.2.3) or another computer running Linux
> (192.168.2.5) on my LAN.)


Check your name entries via host or nslookup; it should be similar to
this:

host jupiter.obliqueuniverse.org
jupiter.obliqueuniverse.org has address 207.237.37.110

Try a traceroute to 207.237.37.110; you should usually see that your
packet goes via your gateway to your server outside. Otherwise you need to
check your /etc/hosts and/or your local DNS, if available.


> This makes me think I have an underlying problem with domain name
> resolution. However, if query the DNS servers using
> DNSWatch http://www.dnswatch.info/ I find both the forward and reverse
> queries give the right answer


You need to perform this check locally, not via a website.


> The browsers on all the hosts on my LAN can resolve arbitrary domain
> names. This would indicate that there is_no_problem with domain name
> resolution.


Check via host/dig/nslookup, not by calling a domain in a browser.

>>> How is your check for apache in monit.conf?

>
> Do you mean monitrc?


Sure. I compile and package monit myself, since I added some extra
features for my environment, and I use /etc/monit/monit.conf. But the
regular configure script uses monitrc if no other option is given.


> cat -n monitrc | sed -n '406,417p'
>
> check process apache with pidfile /var/run/apache2.pid
> group www
> start program = "/etc/init.d/apache2 start"
> stop program = "/etc/init.d/apache2 stop"
> if failed host www.obliqueuniverse.org port 80 protocol http
> and request "/monit/token" then restart
> if cpu is greater than 60% for 2 cycles then alert
> if cpu > 80% for 5 cycles then restart
> if totalmem > 500 MB for 5 cycles then restart
> if children > 250 then restart
> if loadavg(5min) greater than 10 for 8 cycles then stop
> if 3 restarts within 5 cycles then timeout


> Can I just *remove* the line: "if totalmem > 500 MB for 5 cycles then
> restart"


Yes, you can; then the error should disappear.


> Excuse my ignorance, but how do I identify the document root?


cat /etc/apache2/sites-enabled/001-default | grep DocumentRoot

As I see you use Debian, it should be /var/www, but if you didn't touch
the rewrite rule then you'll be redirected to /var/www/apache2-default.


> My machine has a total of 384MB RAM


Ok, then the value is ok.

> Thanks for your helpful observations!

No problem at all, have fun on your computers.

cheers
 
 
Vwaju

 
      12-02-2008, 02:20 AM
Guten Abend, Burkhard --

> > I can't connect with the canonical name:
> >https://jupiter.obliqueuniverse.org:2812

>
> You don't forward this port, I connected to you public IP and receive your
> Apache welcome page. (http://207.237.37.110/apache2-default/DNS works
> also)


I have my Dell Truemobile 2300 router configured to forward
207.237.37.110:2812 to 192.168.2.2:2812

> > "Failed to Connect"
> > "Firefox can't established a connection to the server at
> > jupiter.obliqueuniverse.org:2812"

>
> As I said you haven't open this port on your public IP.
> You'll probably still need a DNAT rule in your iptables configuration.


This is my first encounter with iptables. I looked at the man page,
and the learning curve looks steep. Without further study, I can't
tell what the command to create the rule should look like.

Can you advise me on this?

Is there a tutorial on how to use iptables that is perhaps more
descriptive than the man page?
>
> This are your reachable ports from outside:
>
> 20/tcp closed ftp-data
> 21/tcp open ftp
> 22/tcp open ssh
> 53/tcp open domain
> 80/tcp open http
>

All of these ports are listed in the port forwarding table for the
Dell router. I'm not sure why port 20 shows as "closed", since I have
both ports 20 and 21 forwarded from 207.237.37.110 to the ftp server
on 192.168.2.2.

Does this also have to do with a DNAT rule in iptables?

> > I notice that I *also* can't connect to the FTP server, Apache, or
> > ISPConfig using the FQDN.
> > I can connect *only* using the NAT address 192.168.2.2 (whether from
> > the Windows machine (192.168.2.3) or another computer running Linux
> > (192.168.2.5) on my LAN.)

>
> check via host or nslookup your name entries it should be similar like
> this:
>
> host jupiter.obliqueuniverse.org
> jupiter.obliqueuniverse.org has address 207.237.37.110


- - - - - - - - - - - - - - - - - - - - - - - - - - -
On my Windows machine (192.168.2.3), which *does not know* about the
DNS server on 192.168.2.2:

> nslookup 207.237.37.110


Server: ns2.dns.rcn.net
Address: 207.172.3.9

Name: obliqueuniverse.org
Address: 207.237.37.110

> nslookup obliqueuniverse.org


Server: ns2.dns.rcn.net
Address: 207.172.3.9

Non-authoritative answer:
Name: obliqueuniverse.org
Address: 207.237.37.110
- - - - - - - - - - - - - - - - - - - - - - - - - - -
On jupiter (192.168.2.2) itself:

# hostname
jupiter.obliqueuniverse.org

# nslookup 207.237.37.110

Server: 192.168.2.2
Address: 192.168.2.2#53

110.37.237.207.in-addr.arpa name = obliqueuniverse.org.

# nslookup obliqueuniverse.org

Server: 192.168.2.2
Address: 192.168.2.2#53

Name: obliqueuniverse.org
Address: 207.237.37.110
- - - - - - - - - - - - - - - - - - - - - - - - - - -

> Try traceroute to 207.237.37.110 you should usually see that your
> packet goes via your gateway to your server outside, otherwise you nee to
> check your /etc/hosts and/or your local DNS if available.


On 192.168.2.2:

# traceroute 207.237.37.110
1 obliqueuniverse.org (207.237.37.110) 0.778 ms 0.726 ms
0.654 ms

# traceroute obliqueuniverse.org
1 obliqueuniverse.org (207.237.37.110) 0.800 ms 0.721 ms
0.648 ms

It looks like you can't run traceroute from Windows XP (or else I just
don't know how).
- - - - - - - - - - - - - - - - - - - - - - - - - - -

> cat /etc/apache2/sites-enabled/001-default | grep DocumentRoot
>
> As I see you use debian you it should be /var/www but if you didn't touch
> the rewrite rule then you'll bee redireted to /var/www/apache2-default.


I put an index.html file in /var/www and restarted apache, but I still
get the "Test Page for Apache installation" . I moved the index.html
to /var/www/apache2-default, and I still get the test page. I looked
at apache2.conf to see if there is something I need to reconfigure,
but I can't see anything.

Thanks again for your help!

Best Regards,
Vwaju
 
 
Burkhard Ott

 
      12-02-2008, 08:31 AM
On Mon, 01 Dec 2008 19:20:57 -0800, Vwaju wrote:

> I have my Dell Truemobile 2300 router configured to forward
> 207.237.37.110:2812 to 192.168.2.2:2812
> This is my first encounter with iptables. I looked at the man page,
> and the learning curve looks steep. Without further study, I can't
> tell what the command to create the rule should look like.
> Can you advise me on this?
> Is there a tutorial on how to use iptables that is perhaps more
> descriptive than the man page?


Yup, man iptables or google for iptables, but I think I didn't fully
understand what you're trying to do.

I assume that you want jupiter to route your packets for port 2812 to your
router and masquerade the src IP, right?

(any:jupiter:2812)->jupiter->(jupiterip:router:2812)->192.168.2.2 ...

Is that correct? If so, then I can write you more detailed information on
which machine you have to take action.

> All of these ports are listed in the port forwarding table for the
> Dell router. I'm not sure why port 20 shows as "closed", since I have
> both ports 20 and 21 forwarded from 207.237.37.110 to the ftp server
> on 192.168.2.2.


Port 20 is the data channel; your forward is correct.
You'll find more information about ftp via google.


> On my Windows machine (192.168.2.3), which *does not know* about the
> DNS server on 192.168.2.2:


DNS looks ok.

> On 192.168.2.2:
>
> # traceroute 207.237.37.110
> 1 obliqueuniverse.org (207.237.37.110) 0.778 ms 0.726 ms
> 0.654 ms


Do you have 207.237.37.110 besides 192.168.2.0/24?
Usually I'm missing here a router or gateway which does the NAT for
192.168.2.3.


What is your network infrastructure?

jupiter->(internet)->router->192.168.2.0/24 ?

Could you please confirm or correct this?

> I put an index.html file in /var/www and restarted apache, but I still
> get the "Test Page for Apache installation" . I moved the index.html
> to /var/www/apache2-default, and I still get the test page. I looked
> at apache2.conf to see if there is something I need to reconfigure,
> but I can't see anything.


Yep, you have a rewrite rule in 000-default that says to rewrite the URL to
/var/www/apache2-default. If you comment out this line and restart apache,
then your index.html in /var/www will be shown. You will also find log files
in /var/log/apache2 or similar. You'll have an access and an error log there,
where you can find which files are accessed (and their paths), status codes, etc.

> Thanks again for your help!


No problem at all.
 
 
Vwaju

 
      12-02-2008, 05:16 PM

Guten Tag, Burkhard

> Do you have 207.237.37.110 beside 192.168.2.0/24 ?
> Ususally I miss here a router or gateway which is makes the NAT for
> 192.168.2.3.
>
> How is you network infrastruture?
>
> jupiter->(internet)->router->192.168.2.0/24 ?


> Could you please confirm or correct this?


Is "jupiter->(internet)->router->192.168.2.0/24" a DNAT rule? How do
you translate it?

I have a static IP address (207.237.37.110) from RCN (my ISP) and 4
computers on my LAN. My Dell Truemobile 2300 Broadband Router does
NAT as follows:

192.168.2.1 (the router itself )
192.168.2.2 (jupiter.obliqueuniverse.org, running Debian 3.1)
192.168.2.3 Windows XP machine
192.168.2.4 Windows XP machine
192.168.2.5 (ganymede.obliqueuniverse.org, running Slackware 12.0)

> I assume that you want jupiter to route your packets for port 2812 to your
> router and masquerade the src ip, right.


Packets incoming from the Internet, addressed to
jupiter.obliqueuniverse.org:2812 (207.237.37.110:2812) should be
routed to jupiter.obliqueuniverse.org:2812 (192.168.2.2:2812). I
believe that the port-forwarding table on the router takes care of
this. Am I right?

Packets from jupiter.obliqueuniverse.org:2812 (192.168.2.2:2812)
should go to the router (192.168.2.1 on my LAN) and would appear to
the Internet to come from 207.237.37.110:2812. Am I right that *this*
is where you need the DNAT rule in iptables?

Similarly for ports 20, 21, 22, 80, and 81.

> (any:jupiter:2812)->jupiter->(jupiter:router:2812)->192.168.2.2 ...


Given the network infrastructure described above: Does this rule route
from 192.168.2.2:2812 to 192.168.2.1 (the router) and translate it to
207.237.37.110:2812?

> > I put an index.html file in /var/www and restarted apache, but I still
> > get the "Test Page for Apache installation" . I moved the index.html
> > to /var/www/apache2-default, and I still get the test page. I looked
> > at apache2.conf to see if there is something I need to reconfigure,
> > but I can't see anything.

>
> Yep, you have a rewrite rule in 000-default that say's rewrite the url to
> /var/www/apache2-default. If you comment this line and restart apache then
> your index.html in /var/www will be shown. You also will find logfile in
> /var/log/apache2 or similar. You'll have an access and an error log there
> you can find wich files are accessed (path either),status codes etc.


Yes! I have now published my Oblique Universe home page.

From inside my LAN, I can access it with http://192.168.2.2:80

Can you access it with http://207.237.37.110:80 ?

However, when I try http://obliqueuniverse.org from inside my LAN, I
get an error screen that says:

"Duplicate Administrator
This device is managed by 192.168.2.2 currently!!"

What do you get?

Danke schön

Best Regards,
Vwaju
 
 
Burkhard Ott

 
      12-02-2008, 08:57 PM
On Tue, 02 Dec 2008 10:16:33 -0800, Vwaju wrote:

> Guten Tag, Burkhard


Hi Vwaju, you're also learning German? :-)

> Is "jupiter->(internet)->router->192.168.2.0/24" a DNAT rule? How do
> you translate it?


Nope, I was wondering about your route (traceroute) and wanted to make sure
where the webserver is located, because I thought it was outside your LAN,
but this is no problem either.

> I have a static IP address (207.237.37.110) from RCN (my ISP) and 4
> computers on my LAN. My Dell Truemobile 2300 Broadband Router does
> NAT as follows:
>
> 192.168.2.1 (the router itself )
> 192.168.2.2 (jupiter.obliqueuniverse.org, running Debian 3.1)
> 192.168.2.3 Windows XP machine
> 192.168.2.4 Windows XP machine
> 192.168.2.5 (ganymede.obliqueuniverse.org, running Slackware 12.0)


Ok, that clears up the situation.
I'll briefly explain which way packets to the webserver flow.

If you reach the webserver via 192.168.2.2, then the packets go via your
NIC directly to your webserver; there is no hop in between because you are in
the same subnet.
Your routing table looks like this:

192.168.2.0 0.0.0.0 255.255.255.0 eth0
0.0.0.0 192.168.2.1 eth0

That means you will reach IPs from 192.168.2.1-254 directly in your
subnet.
If you had the network 10.10.10.0/24 connected to your router, then
every packet for the IP 10.0.0.1.254 would be sent to your router,
because it's your default gateway and this network is not directly
connected to your 192.168.2.0/24.
That is exactly what happens if you send your packets to the webserver
at 207.237.37.110.
Your packet goes straight to your router and the router forwards it to your
webserver.
Usually the router will send a redirect to your computer so that you can
access the webserver directly via 192.168.2.2, but it depends on the
router software config.

So if I try to reach your webserver, I come from outside the LAN, pass some
internet routers and get routed to your router, and if the router has a
forward entry for port 2812, it will forward this packet to your webserver.
At the webserver there now arrives an IP from outside (an IP in Germany); on the
webserver the default gateway is used to send the answer, and that is your
router. It also has to route it to its default gateway because it doesn't have
my IP on a local port. The answer now passes some internet routers and will
reach my router, computer etc.

That means you only need a port forward on your router for port 2812.
You don't need an iptables rule on your webserver.

btw, with iptables it could look like this:
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp --dport 2812 -j DNAT
--to-destination 192.168.2.2

The rule says: for every packet which arrives on my external interface
with destination port 2812, replace the destination IP with 192.168.2.2.
(With -d 207.237.37.110 you could specify the external address.)

You obviously did it correctly with port 80, because I see your yellow page
with all the names. I can also reach port 2812; there comes an htaccess prompt
asking me for username and password via SSL.


>> I assume that you want jupiter to route your packets for port 2812 to your
>> router and masquerade the src ip, right.

>
> Packets incoming from the Internet, addressed to
> jupiter.obliqueuniverse.org:2812 (207.237.37.110:2812) should be
> routed to jupiter.obliqueuniverse.org:2812 (192.168.2.2:2812). I
> believe that the port-forwarding table on the router takes care of
> this. Am I right?


Yep, and it works too.


> Packets from jupiter.obliqueuniverse.org:2812 (192.168.2.2:2812)
> should go to the router (192.168.2.1 on my LAN) and would appear to
> the Internet to come from 207.237.37.110:2812. Am I right that *this*
> is where you need the DNAT rule in iptables?


Yes, because your external IP 207.237.37.110 is terminated locally on your
router, and if 2812 is open there then the device usually sends an ICMP
port unreachable.
With DNAT it takes care of the IP for the answer packet, but replaces it with
192.168.2.2 and sends it into your LAN. On the way back it does the same,
but replaces 192.168.2.2 again.

I guess you currently forward every port to 192.168.2.2, because I can also
reach ssh and your DNS.

> Similarly ports 20,21,22,80, and 81


Port 20 and 21 are a little special because ftp works a little different.

> Given the network infrastructure described above: Does this rule route
> from 192.168.2.2:2812 to 192.168.2.1 (the router) and translate it to
> 207.237.37.110:2812?


Nope, it doesn't, and you don't need that in case of DNAT.


> Yes! I have now published my Oblique Universe home page.


Yes I already watched it :-).


> From inside my LAN, I can access it with http://192.168.2.2:80
>
> Can you access is with http://207.237.37.110:80 ?


Yep.

> However, when I try http://obliqueuniverse.org from inside my LAN, I
> get an error screen that says:
> "Duplicate Administrator
> This device is managed by 192.168.2.2 currently!!"


I have never seen such a stupid message, but I think it's the ICMP redirect
I described above.

I also have a hint for you: install tcpdump, or better Wireshark, on your
computer and sniff the connection while you try to access the external IP.
You will see an ICMP redirect packet (it should be the second or third).

Where have you seen the "Duplicate Administrator" error message? I bet on
the router itself; then it would be a weird translation of an ICMP redirect,
but anyway.

Everything seems to be working so far; now you need to make it secure :-).


cheers
 
 
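The DNAT and reply-path behaviour Burkhard describes above, modelled as an added example (this is not code from the thread, and the Dell Truemobile's real NAT implementation is not known): a toy router with the 2812 port forward and a connection-tracking table, run through an internet client and then a LAN client that connects to the external address. The internet client 203.0.113.7 is a constructed documentation-range address; `hairpin_snat` is a hypothetical switch standing in for an extra MASQUERADE rule on LAN-originated flows that hit the external IP.

```python
# Added example, not code from the thread: a toy NAT router with the 2812 port
# forward, used to show why the forward works from the internet but not from a
# LAN host that connects to the external address (the "hairpin" case).
from dataclasses import dataclass, replace

EXT_IP = "207.237.37.110"        # router's WAN address (from the thread)
ROUTER_LAN_IP = "192.168.2.1"    # router's LAN address (from the thread)
SERVER = "192.168.2.2"           # jupiter (from the thread)
LAN_PREFIX = "192.168.2."
INTERNET_CLIENT = "203.0.113.7"  # constructed documentation-range address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_lan(ip):
    return ip.startswith(LAN_PREFIX)


class NatRouter:
    """DNAT port forwards plus a connection-tracking table, like iptables' nat table."""

    def __init__(self, forwards, hairpin_snat=False):
        self.forwards = dict(forwards)    # external TCP port -> internal host
        self.hairpin_snat = hairpin_snat  # hypothetical: MASQUERADE LAN-originated hairpin flows too
        self.conntrack = {}               # translated 4-tuple -> packet as the client sent it

    def forward(self, pkt):
        """Packet arriving at the router. Returns it as it leaves the router, or
        None when no forward matches and the router keeps the packet for itself."""
        target = self.forwards.get(pkt.dport)
        if pkt.dst != EXT_IP or target is None:
            return None
        out = replace(pkt, dst=target)                 # DNAT: rewrite destination
        if is_lan(pkt.src) and self.hairpin_snat:
            out = replace(out, src=ROUTER_LAN_IP)      # SNAT: force the reply back through us
        self.conntrack[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def reply(self, pkt):
        """Reply from the internal server arriving at the router: undo the translation."""
        orig = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return pkt                                  # untracked flow passes unchanged
        return replace(pkt, src=orig.dst, dst=orig.src)  # now appears to come from EXT_IP


def client_accepts(sent, reply):
    """A TCP client only matches a reply whose source is the peer it sent to."""
    return reply.src == sent.dst and reply.sport == sent.dport and reply.dport == sent.sport


def run_flow(router, client_ip, sport=40001, dport=2812):
    """Client -> EXT_IP:dport; the server's answer is routed as a flat LAN routes it."""
    sent = Packet(client_ip, sport, EXT_IP, dport)
    to_server = router.forward(sent)
    if to_server is None:
        return False
    answer = Packet(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    if is_lan(answer.dst) and answer.dst != ROUTER_LAN_IP:
        back = answer            # same subnet: server answers the client directly, router never sees it
    else:
        back = router.reply(answer)
    return client_accepts(sent, back)


def internet_client_ok():
    return run_flow(NatRouter({2812: SERVER}), INTERNET_CLIENT)


def lan_client_ok(hairpin_snat):
    return run_flow(NatRouter({2812: SERVER}, hairpin_snat=hairpin_snat), "192.168.2.3")
```

The LAN case without hairpin SNAT is the shape of the failure reported in this thread: the forwarded packet reaches 192.168.2.2 with the client's real LAN address as source, so the server answers the client directly, and the client receives a reply from 192.168.2.2 while it is waiting for one from 207.237.37.110 and rejects it. With hairpin SNAT the reply is forced back through the router at the cost of the server seeing 192.168.2.1 instead of the real client address in its logs. A router that applies its port forwards only on the WAN interface instead hands such a packet to whatever listens on the router itself, which is one possible reading of the admin login page Vwaju gets for http://207.237.37.110.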
Vwaju
      12-03-2008, 02:03 PM
Guten Tag, Burkhard

> Hi Vwaju, you're also learning German? :-)


I would love to learn German, but I only know a few words. Am I right
that your native language is German? (You speak English very well!)

> If you reach the webserver via 192.168.2.2 then the packets go via your
> NIC directly to your webserver; there is no hop in between because you are in
> the same subnet.
> Your routing table looks like that:
>
> 192.168.2.0 0.0.0.0 255.255.255.0 eth0
> 0.0.0.0 192.168.2.1 eth0


Yes, that's what I have:

# route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0

> Usually the router will send a redirect to your computer that you can
> access the webserver directly via 192.168.2.2, but it depends on the
> router software config.


It seems that it does send a redirect, because I can reach the
webserver directly with 192.168.2.2 (from inside my LAN).
What I *cannot* do is reach the webserver from inside my LAN with
Internet address 207.237.37.110.

> That means you only need a port forward on your router to port 2812.
> You don't need a iptable rule on your webserver.


Excellent!

> btw with iptables it could look like this:
> iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp --dport 2812 -j DNAT
> --to-destination 192.168.2.2


> The rule says: for every packet which arrives on my external interface
> with destination port 2812, replace the destination IP with 192.168.2.2.
> (with -d 207.237.37.110 you could specify the external address)


Thank you for this explication. It will help me to understand the
cryptic man page for iptables!

> You obviously did it correctly with port 80, because I see your yellow page
> with all the names. I can also reach port 2812; there comes an htaccess which
> asks me for username and password via ssl.


Good! I will try this from outside the LAN!

Inside the LAN, I still cannot get a connection at 2812. Working
hypothesis: this is a result of an ICMP redirect at the router
interface.

Is that right?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Just to summarize for reference purposes: my results in Firefox on
192.168.2.3 (from inside my LAN):

http://192.168.2.2
index.html of obliqueuniverse.org, as expected

http://192.168.2.2:80
index.html of obliqueuniverse.org, as expected

http://192.168.2.2:81
http://192.168.2.2:81/login.php (login screen for ISPConfig) as
expected

http://obliqueuniverse.org
prompted for id/password for Dell Truemobile 2300 Broadband Router
web-based administration tool
when I login, I get:
"Duplicate Administrator
This device is managed by 192.168.2.2 currently!!"
If I hit ENTER again, it takes me to the web-based router
administration tool

http://207.237.37.110
same as previous

https://192.168.2.2:2812
Secure Connection Failed
192.168.2.2 uses an invalid security certificate
The certificate is not trusted because it is self-signed.
The certificate is valid only for jupiter.obliqueuniverse.org
(Error code: sec_error_ca_cert_invalid)

https://obliqueuniverse.org:2812
Failed to Connect

https://jupiter.obliqueuniverse.org:2812
Failed to Connect

I still don't understand these last 3 results!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

> > Can you access is with http://207.237.37.110:80 ?


> Yep.


> > However, when I try http://obliqueuniverse.org from inside my LAN, I
> > get an error screen that says:
> > "Duplicate Administrator
> > This device is managed by 192.168.2.2 currently!!"

>
> I have never seen such a stupid message but I think it's the icmp redirect
> I described above.


> I also have a hint for you install on your computer tcpdump or better
> wireshark and sniff the connection while you try to access the external
> IP.


I haven't heard about wireshark. You prefer this to tcpdump? Where
do you get it?

> You will see an icmp redirect packet (should be the second or third).


If I were to find this packet, how would I correct the redirect?

> Where have you seen the "Duplicate Administrator" error message, I bet on
> the router itself then it would be a weird translation for an icmp
> redirect but anyway.


I assume this is a message, as you say, from the router itself, since
in some cases, when I hit ENTER again, I get the web interface to the
router administration tool.

Thank you again. Your observations are *extremely* helpful!

Best Regards,
Vwaju
 
 
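The three https results in the summary above come down to one check: does the name typed in the address bar match a name the certificate was issued for? The following is an added example (not from the thread and not a browser's code): the matching rule as browsers apply it, run against constructed certificate data shaped like the dict Python's `ssl.getpeercert()` returns. `CERT_CN_ONLY` stands in for the thread's self-signed monit certificate (commonName only, no subjectAltName); `CERT_WITH_SAN` is a hypothetical replacement with DNS and IP SANs.

```python
# Added example, not from the thread: the hostname check a browser performs on a
# server certificate, against constructed cert data in ssl.getpeercert() shape.
import ipaddress

# Constructed stand-in for the thread's self-signed monit certificate:
# CN only, no subjectAltName, as a typical 2008-era OpenSSL recipe produces.
CERT_CN_ONLY = {
    "subject": ((("commonName", "jupiter.obliqueuniverse.org"),),),
}

# Hypothetical replacement with SANs; current browsers ignore the CN entirely
# and an IP literal in the URL can only match an iPAddress SAN.
CERT_WITH_SAN = {
    "subject": ((("commonName", "jupiter.obliqueuniverse.org"),),),
    "subjectAltName": (
        ("DNS", "jupiter.obliqueuniverse.org"),
        ("DNS", "*.obliqueuniverse.org"),
        ("IP Address", "192.168.2.2"),
    ),
}


def _dns_match(pattern, hostname):
    """RFC 6125-style match: case-insensitive; '*' allowed only as the whole
    leftmost label, matching exactly one label, never a bare second-level name."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert, allow_cn_fallback):
    """Names the certificate is valid for, as (dns_names, ip_addresses).
    The commonName is consulted only when there is no subjectAltName at all."""
    dns, ips = [], []
    san = cert.get("subjectAltName", ())
    for kind, value in san:
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    if not san and allow_cn_fallback:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def hostname_matches(cert, host, allow_cn_fallback=True):
    """True if `host` (what is in the address bar) is covered by `cert`."""
    dns, ips = cert_names(cert, allow_cn_fallback)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(_dns_match(p, host) for p in dns)
    return ip in ips   # an IP literal is never compared with DNS names, wildcard or not
```

An IP literal such as 192.168.2.2 is never matched against the commonName, so the thread's first result fails this check regardless of DNS; with `allow_cn_fallback=False`, which is how current browsers behave, the CN-only certificate matches nothing at all, so a monit instance reached by IP needs an iPAddress SAN. Note also that the Firefox message quoted in the thread reports two separate failures: the name mismatch and the untrusted (self-signed) issuer. Using the certificate's own name in the address bar clears only the first; the self-signed certificate still has to be imported or given an exception.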
Burkhard Ott
      12-03-2008, 09:28 PM
On Wed, 03 Dec 2008 07:03:20 -0800, Vwaju wrote:

> Guten Tag, Burkhard
>
>> Hi Vwaju, you're also learning German? :-)

>
> I would love to learn German, but I only know a few words. Am I right
> that your native language is German? (You speak English very well!)


Yes, it is, and thank you for the compliment. I travel very often to the US
and Canada; I know it's not perfect, but I use every chance to practice it as
often as I can.

>> Usually the router will send a redirect to your computer that you can
>> access the webserver directly via 192.168.2.2, but it depends on the
>> router software config.

>
> It seems that it does send a redirect, because I can reach the
> webserver directly with 192.168.2.2 (from inside my LAN).
> What I *cannot* do is reach the webserver from inside my LAN with
> Internet address 207.237.37.110.


I think it's a bug in the router software, or maybe not really a bug, because
the router knows the better way would be to go via the 192.168.2.0/24
network.
What you could try is to figure out whether you can disable sending ICMP
redirects (just for testing purposes); it makes more sense to connect
directly, so the router has nothing to do.


> Thank you for this explication. It will help me to understand the
> cryptic man page for iptables!


It's just practice. You could try Firewall Builder at first; there you can
build your objects and play around with iptables. It can also produce a shell
script, then you see the whole syntax; maybe that makes it clearer.
(apt-get install fwbuilder)


> Good! I will try this from outside the LAN!
>
> Inside the LAN, I still cannot get a connection at 2812. Working
> Hypothesis: This is a result of an ICMP redirect at the router
> interface.
>
> Is that right?


I guess your forward rule in the router says: forward packets for port 2812
to 192.168.2.2:443; if this is the case then it is the redirect.
Did you check that the webserver handles SSL on port 2812 (netstat -ntlp)?
If not, then you need to check your ssl.conf (/etc/apache2 ....): search
inside the config file for a Listen 443 and write Listen 2812 above or
underneath this line, restart apache and check with netstat if this port is
now listening.


> http://obliqueuniverse.org
> prompted for id/password for Dell Truemobile 2300 Broadband Router
> web-based administration tool
> when I login, I get:
> "Duplicate Administrator
> This device is managed by 192.168.2.2 currently!!"
> If I hit ENTER again, it takes me to the web-based router
> administration tool


OK, it doesn't sound like an ICMP redirect. Did you log in from your webserver
to the router, or do you have a check which connects to the router from the
webserver? It sounds like you, a service or somebody logged in.



> https://192.168.2.2:2812
> Secure Connection Failed
> 192.168.2.2 uses an invalid security certificate
> The certificate is not trusted because it is self-signed.
> The certificate is valid only for jupiter.obliqueuniverse.org
> (Error code: sec_error_ca_cert_invalid)
>
> https://obliqueuniverse.org:2812
> Failed to Connect
>
> https://jupiter.obliqueuniverse.org:2812
> Failed to Connect
>
> I still don't understand this last 3 results!


The first thing is: in your certificate the common name section has
jupiter.obliqueuniverse.org, but in your address bar is 192.168.2.2; the browser
checks both entries, detects that they are not the same, and therefore yells
about it.

For 2 and 3, first check if you have a listening port 2812 on jupiter which
is able to speak SSL (I described above how to do that).

Then add the following line to /etc/hosts on your machine:

192.168.2.2 jupiter.obliqueuniverse.org

(you're faster with: echo "192.168.2.2 jupiter.obliqueuniverse.org" >> /etc/hosts)



Now the browser will (should) first check /etc/hosts to resolve
jupiter.obliqueuniverse.org and will connect directly, but now you have the
correct name in your address bar that matches your certificate.

(you can also check the common name with: openssl x509 -in $YOURCERT -noout
-subject | grep "CN", then you should see jupiter.obliqueuniverse.org)


> I haven't heard about wireshark. You prefer this to tcpdump? Where
> do you get it?


You can use the sniffer you prefer, but at the beginning you should start
with Wireshark or similar; it shows the protocol stack very nicely etc.

apt-get install wireshark should work, or you download it at wireshark.org;
afaik they also have Windows binaries.
tcpdump is just another sniffer.


> If I were to find this packet, how would I correct the redirect?


The redirect is correct and it also makes sense, because would you drive
downtown if the grocery store is right at the next corner?
Why use a router if the webserver is right beside you in your subnet?

> I assume this is a message, as you say, from the router itself, since in
> some cases, when I hit ENTER again, I get the web interface to the
> router administration tool.


I think now you have a login left open on the web interface or something
similar, but it could also be a router software issue. Did you log out
correctly when you left the admin panel (logout button or something)?

Have a great day
 
 
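The ICMP redirect Burkhard suggests sniffing for, as an added example (not from the thread): build an IPv4 ICMP type 5 redirect with the thread's addresses, parse it the way a sniffer decodes it, and apply the two RFC 1122 sanity checks a host should make before honouring one. The packet bytes are constructed here (gateway 192.168.2.1 telling 192.168.2.3 to reach 207.237.37.110 via 192.168.2.2, TCP port 2812, client source port 40001); what the Dell router actually sends is not known.

```python
# Added example, not from the thread: build and parse an IPv4 ICMP Redirect
# (type 5) so the fields Wireshark would show are explicit, plus the RFC 1122
# checks a host should apply before accepting one.
import socket
import struct


def checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words; 0 when verifying intact data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_redirect(router, host, new_gateway, orig_dst, orig_dport, orig_sport=40001):
    """ICMP type 5 code 1 (redirect for host), quoting the offending packet's IP
    header plus the first 8 bytes of its TCP header, as RFC 792 requires."""
    orig_tcp8 = struct.pack("!HHI", orig_sport, orig_dport, 0)   # ports + seq number
    orig_ip = ipv4_header(host, orig_dst, 6, 20)                  # header of the 40-byte SYN
    body = socket.inet_aton(new_gateway) + orig_ip + orig_tcp8
    icmp = struct.pack("!BBH", 5, 1, 0) + body
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, host, 1, len(icmp)) + icmp         # protocol 1 = ICMP


def parse_redirect(pkt):
    """Decode an ICMP redirect; None if the bytes are not a well-formed one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 5 or checksum(icmp) != 0:
        return None
    orig = icmp[8:]
    orig_ihl = (orig[0] & 0x0F) * 4
    if len(orig) < orig_ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", orig[orig_ihl:orig_ihl + 4])
    return {
        "from": socket.inet_ntoa(pkt[12:16]),       # who sent the redirect
        "to": socket.inet_ntoa(pkt[16:20]),         # the host being redirected
        "code": icmp[1],                            # 0 net, 1 host, 2 net+TOS, 3 host+TOS
        "new_gateway": socket.inet_ntoa(icmp[4:8]),
        "orig_src": socket.inet_ntoa(orig[12:16]),
        "orig_dst": socket.inet_ntoa(orig[16:20]),
        "orig_proto": orig[9],
        "orig_sport": sport,
        "orig_dport": dport,
    }


def redirect_is_plausible(fields, current_gateway, lan_prefix="192.168.2."):
    """RFC 1122 3.2.2.2: discard unless the redirect comes from the current
    first-hop gateway and names a new gateway on the connected subnet."""
    return (fields["from"] == current_gateway
            and fields["new_gateway"].startswith(lan_prefix)
            and fields["new_gateway"] != fields["to"])


def corrupt(pkt, offset):
    """Flip one byte, to show the checksum check rejecting damaged packets."""
    out = bytearray(pkt)
    out[offset] ^= 0xFF
    return bytes(out)


# Constructed sample: the redirect the thread's router might send to 192.168.2.3.
SAMPLE_REDIRECT = build_redirect("192.168.2.1", "192.168.2.3", "192.168.2.2",
                                 "207.237.37.110", 2812)
```

On the wire the equivalent capture filter is `tcpdump -ni eth0 'icmp[icmptype] == icmp-redirect'`. The plausibility check matters because any host on 192.168.2.0/24 can forge such a packet and pull a neighbour's traffic through itself: Linux rejects redirects that do not come from the current first-hop gateway, `net.ipv4.conf.all.secure_redirects=1` additionally requires the new gateway to be one of the known default gateways, and `net.ipv4.conf.all.accept_redirects=0` ignores them entirely, which is the usual hardening for a server such as jupiter.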