#1
[crossposted to comp.os.linux.networking,alt.os.linux.slackware. Please
crosspost the first followup, but set your followups-to to your own NG, thanks]

I have DSL with a dynamic IP from Verizon, and want to put a web site up.
Right at the moment, I've got two basic Slack 10.0 boxen plugged into a hub
at the modem, and one of these computers, ops, is at 4.11.176.118, and the
other, daphne, is at 4.11.176.232. Apparently, Verizon's got a lot of slack
in this block, because the same IP has been getting renewed for quite some
time.

DSL ---- HUB ---+---- Daphne = 4.11.176.232
                |
                +---- Ops = 4.11.176.118

On daphne, I have ordinary IP masquerading, and it's also routing for
thunderbird from 192.168.0.1:

4.11.176.232 - Daphne - 192.168.0.1 - 192.168.0.199 - Thunderbird

And Ops has a 4-port "router" card at 10.0.0.1, serving a LAN:

4.11.176.118 - ops - 10.0.0.1 --+-- 10.0.0.199 entheos
                                +-- 10.0.0.198 abi-ofc1
                                +-- 10.0.0.197 boogeyman
                                and a few more

ops is in use by the company, so I don't want to break it, but I can do
anything I want to daphne; it's my development box.

And everything is working properly, with a couple of exceptions, which are
the important bit, I'm pretty sure.

When I sit at thunderbird I can browse daphne at 192.168.0.1 _or_
4.11.176.232. When I sit at entheos I can browse ops at 10.0.0.1 _or_
4.11.176.118.

Daphne has masquerading straight out of the HOWTO:

------------------
root@daphne:/etc/rc.d# cat /usr/local/sbin/masq-on
modprobe ipt_MASQUERADE   # If this fails, try continuing anyway
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -P INPUT DROP   # only if the first two are successful
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
root@daphne:/etc/rc.d# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@daphne:/etc/rc.d#
-----------------------------

When I do netstat -tap on daphne, I get:

-------------
root@daphne:/etc/rc.d# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:time                  *:*                     LISTEN      133/inetd
tcp        0      0 *:submission            *:*                     LISTEN      156/sendmail: accep
tcp        0      0 *:sunrpc                *:*                     LISTEN      127/rpc.portmap
tcp        0      0 *:http                  *:*                     LISTEN      168/httpd
tcp        0      0 *:auth                  *:*                     LISTEN      133/inetd
tcp        0      0 192.168.0.1:domain      *:*                     LISTEN      140/named
tcp        0      0 wbar5-lax1-4-11-:domain *:*                     LISTEN      140/named
tcp        0      0 localhost:domain        *:*                     LISTEN      140/named
tcp        0      0 *:ssh                   *:*                     LISTEN      136/sshd
tcp        0      0 *:smtp                  *:*                     LISTEN      156/sendmail: accep
tcp        0      0 localhost:953           *:*                     LISTEN      140/named
tcp        0      0 192.168.0.1:ssh         192.168.0.199:32778     ESTABLISHED 842/sshd: rich [pri
root@daphne:/etc/rc.d#
-----------------------------------------

Ops has the same masquerading scriptlet, plus rc.firewall:

#!/bin/bash
#
# rc.firewall   Linux Firewall version 2.0rc9 -- 05/02/03
#               http://projectfiles.com/firewall/
#
# Copyright (C) 2001-2003 Scott Bartlett <(E-Mail Removed)>
#
<snip>
PERMIT="10.0.0.0/16"

# List internal (private) interfaces here to allow this machine to act as a
# router. All interfaces NOT listed here are considered external (public)
# and will be automatically protected by the firewall.
# Example: INTERNAL_INTERFACES="eth1 eth2 brg0"
INTERNAL_INTERFACES="eth1"

# List dial-up and other interfaces without a static IP address here.
# Interfaces configured to obtain an IP address automatically (DHCP) do not
# need to be listed here unless for some reason your DHCP client does not
# receive the same address each time it renews the lease.
# Example: DYNAMIC_INTERFACES="ppp0"
DYNAMIC_INTERFACES=""

# Most users do not need to change anything below this point.

########################################
# -- Advanced Configuration Options -- #
########################################

# ** DO NOT ** modify anything below unless you know what you are doing!!
# See online documentation at: http://projectfiles.com/firewall/config.html

DENY_OUTBOUND=""
ALLOW_INBOUND=""
BLACKLIST="129.250.134.115"
STATIC_INSIDE_OUTSIDE=""
--------- snip to end

Other than the "PERMIT" line, internal interfaces, and that one BLACKLIST
entry, it's exactly as downloaded. I don't want to post it, because it's
73K.

I've added a line to daphne:/etc/inetd.conf, which I got while STFW
yesterday (I've been reading all day and all night, and still can't find
an answer on my own):

----
# web server
http    stream  tcp     nowait  root    /usr/sbin/tcpd
----

The rest of it is right out of the box. But when I'm sitting at entheos,
and try to surf daphne at 4.11.176.232, I get:

An error occurred while loading http://4.11.176.232/:
Timeout on server
Connection was to 4.11.176.232 at port 80
-----

Which seems to tell me I'm missing something. I haven't changed inetd.conf
on ops at all, because I'm afraid to break it, because it's in daily use,
which is why I wanted to get this going on daphne first. So, either there's
some other thing I need to do to open that port, or Verizon is blocking
port 80 for dynamic IPs.

I talked to the guy at Verizon, and asked him, If I go ahead and configure
a bind server here, and tell register.com to use it for the nameserver, am
I allowed to do that? Apparently, it's the first time anybody's ever asked
such a thing, so they don't have a rule against it. I'm trying to save the
$20.00 a month more that a static IP costs. But I want to make sure I'm not
missing something before I call them and ask if they've got port 80
blocked, if they haven't.

Something else I've noticed in my plowing through docs is that people have
mentioned opening the port using iptables, and I don't know how to do that.
And interestingly, all of the posts & websites I've found seem to be
focused on _closing_ port 80. So is there a line I can put in iptables - I
don't even know the terminology - give it another chain? That will let
external requests reach Apache? Or, whatever else I haven't yet gotten to
in my reading.

Once I do that (if it's actually possible) then I'll see about letting http
requests through rc.firewall.

Just for completeness, rc.firewall on ops does this:

--------------
root@ops:/etc# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             web.tickle.com
DROP       all  --  web.tickle.com       anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.0.0.0/8           anywhere            state NEW
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state NEW
TRUSTED    all  --  anywhere             anywhere            state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             web.tickle.com
DROP       all  --  web.tickle.com       anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.0.0.0/8           anywhere            state NEW
TRUSTED    all  --  anywhere             anywhere            state NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             web.tickle.com
DROP       all  --  web.tickle.com       anywhere
ACCEPT     icmp --  anywhere             10.0.0.0/8
DROP       icmp --  anywhere             anywhere            state INVALID

Chain TRUSTED (2 references)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.0/16          anywhere
ACCEPT     icmp --  anywhere             wbar5-lax1-4-11-176-118.dsl-verizon.net icmp echo-request
ACCEPT     icmp --  anywhere             ops.dsl-verizon.net  icmp echo-request
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
root@ops:/etc#
------------------

I hope this makes sense.

Bottom line, what do I need to do here to either open port 80 or confirm
that I've got it open but Verizon blocks it?

Thanks,
Rich
#2
The connection times out, which suggests that the inbound works, but
outbound is blocked. Read your web log and see if connections occur, but
no page requests happen; if so, then outbound is blocked.

"Rich Grise" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I hope this makes sense.
>
> Bottom line, what do I need to do here to either open port 80 or confirm
> that I've got it open but Verizon blocks it?
>
> Thanks,
> Rich
>
#3
On Tue, 21 Dec 2004 20:32:31 +0000, PC wrote:
> The connection times out, which suggests that the inbound works, but
> outbound is blocked.
>
Now, I think we're getting somewhere!

----<snippage of previous>
[Mon Dec 20 12:20:15 2004] [notice] Apache/1.3.31 (Unix) configured -- resuming normal operations
[Mon Dec 20 12:20:16 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Mon Dec 20 12:39:55 2004] [notice] caught SIGTERM, shutting down
[Mon Dec 20 12:41:18 2004] [notice] Apache/1.3.31 (Unix) configured -- resuming normal operations
[Mon Dec 20 12:41:18 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Mon Dec 20 12:57:27 2004] [notice] caught SIGTERM, shutting down
[Mon Dec 20 12:58:49 2004] [notice] Apache/1.3.31 (Unix) configured -- resuming normal operations
[Mon Dec 20 12:58:49 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Mon Dec 20 14:31:43 2004] [notice] caught SIGTERM, shutting down
[Mon Dec 20 14:33:07 2004] [crit] (98)Address already in use: make_sock: could not bind to port 80
[Mon Dec 20 14:35:11 2004] [crit] (98)Address already in use: make_sock: could not bind to port 80
[Mon Dec 20 14:38:48 2004] [crit] (98)Address already in use: make_sock: could not bind to port 80
[Mon Dec 20 14:43:47 2004] [notice] Apache/1.3.31 (Unix) configured -- resuming normal operations
[Mon Dec 20 14:43:47 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Tue Dec 21 09:35:34 2004] [error] [client 192.168.0.199] File does not exist: /var/www/htdocs/favicon.ico
[Tue Dec 21 10:00:51 2004] [error] [client 192.168.0.199] File does not exist: /var/www/htdocs/favicon.ico
[Tue Dec 21 10:46:33 2004] [notice] caught SIGTERM, shutting down
[Tue Dec 21 10:48:19 2004] [crit] (98)Address already in use: make_sock: could not bind to port 80
root@daphne:/var/log/apache#

I have no idea what that means, although I have a vague recollection of
other questioners with the "port in use", but I didn't look much deeper
because I had no idea.

So, now where should I look?

Thanks!
Rich

> Read your web log and see if connections occur, but no page requests
> happen, if so, then outbound is blocked.
>
> "Rich Grise" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> I hope this makes sense.
>>
>> Bottom line, what do I need to do here to either open port 80 or
>> confirm that I've got it open but Verizon blocks it?
>>
>> Thanks,
>> Rich
>>
#4
On Tue, 21 Dec 2004 23:02:40 +0000, Rich Grise wrote:
> On Tue, 21 Dec 2004 20:32:31 +0000, PC wrote:
>
>> The connection times out, which suggests that the inbound works, but
>> outbound is blocked.
>>
> Now, I think we're getting somewhere!
> ----<snippage of previous>
> [Mon Dec 20 12:20:15 2004] [notice] Apache/1.3.31 (Unix) configured -- resuming normal operations
> [Mon Dec 20 12:20:16 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [Mon Dec 20 12:39:55 2004] [notice] caught SIGTERM, shutting down
> [Mon Dec 20 12:41:18 2004] [notice] Apache/1.3.31 (Unix) configured -- resuming normal operations
> [Mon Dec 20 12:41:18 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [Mon Dec 20 12:57:27 2004] [notice] caught SIGTERM, shutting down
> [Mon Dec 20 12:58:49 2004] [notice] Apache/1.3.31 (Unix) configured -- resuming normal operations
> [Mon Dec 20 12:58:49 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [Mon Dec 20 14:31:43 2004] [notice] caught SIGTERM, shutting down
> [Mon Dec 20 14:33:07 2004] [crit] (98)Address already in use: make_sock: could not bind to port 80
> [Mon Dec 20 14:35:11 2004] [crit] (98)Address already in use: make_sock: could not bind to port 80
> [Mon Dec 20 14:38:48 2004] [crit] (98)Address already in use: make_sock: could not bind to port 80
> [Mon Dec 20 14:43:47 2004] [notice] Apache/1.3.31 (Unix) configured -- resuming normal operations
> [Mon Dec 20 14:43:47 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [Tue Dec 21 09:35:34 2004] [error] [client 192.168.0.199] File does not exist: /var/www/htdocs/favicon.ico
> [Tue Dec 21 10:00:51 2004] [error] [client 192.168.0.199] File does not exist: /var/www/htdocs/favicon.ico
> [Tue Dec 21 10:46:33 2004] [notice] caught SIGTERM, shutting down
> [Tue Dec 21 10:48:19 2004] [crit] (98)Address already in use: make_sock: could not bind to port 80
> root@daphne:/var/log/apache#
>
I did a little searching, and someone mentioned too many services, so I
commented out the http line in inetd.conf, gave sig HUP to inetd, and
restarted apache, and the two last entries in error_log are just another

[notice] Apache ...configured...
[notice] Accept mutex...

but time-stamped. Access log shows only accesses from the LAN - no
indication that it hears anything from outside.

I'll keep looking, but I'm open to any suggestions as to how to learn to
fix this.

Thanks!
Rich
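What the "could not bind to port 80" lines above were saying is that something else already owned the port when httpd started: the http line added to inetd.conf made inetd listen on 80, so Apache could not. The quickest way to see that is to ask the kernel who holds the port before restarting Apache, rather than reading error_log afterwards. The script below is an added example, not anything posted in the thread. It parses classic net-tools `netstat -tlnp` output (the layout the daphne listing uses) for the owner of a TCP port, and pulls the timestamps of bind failures out of an Apache error_log. The netstat sample inside it is constructed to look like daphne's listing, not captured from it.

```shell
#!/bin/sh
# Added example, not from the thread: find out which process already holds
# a TCP port (the cause of Apache's "could not bind to port 80" above was
# inetd listening there first), and list the bind failures in error_log.
# Assumes classic net-tools "netstat -tlnp" output; the sample below is
# constructed to look like the daphne listing, not captured from it.

# Constructed sample of "netstat -tlnp" (numeric, listening sockets only).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      133/inetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      136/sshd
tcp        0      0 192.168.0.1:53          0.0.0.0:*               LISTEN      140/named
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      168/httpd
EOF
}

# Print "pid/program" for each listener on TCP port $2, reading netstat
# output from file $1 ("-" for stdin). Only the port part of the local
# address column is compared, so :8080 does not match a query for 80 and
# a foreign-address port never counts.
port_owner() {
    awk -v port="$2" '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, a, ":")   # port is whatever follows the last colon
            if (a[n] == port) print $7
        }' "$1"
}

# Print the timestamp of every "could not bind" crit line in error_log $1.
bind_failures() {
    grep -F 'could not bind to port' "$1" | sed 's/^\[\(.*\)\] \[crit\].*/\1/'
}

# Live check to run before "apachectl start": status 0 if port $1 is free,
# otherwise the owner is reported on stderr and the status is 1.
check_port_free() {
    owners=$(netstat -tlnp 2>/dev/null | port_owner - "$1")
    [ -z "$owners" ] && return 0
    echo "port $1 is already bound by: $owners" >&2
    return 1
}

# Stand-alone: "sh portcheck.sh 80" queries the live machine; with no
# argument it demonstrates the parser on the constructed sample.
if [ -n "${1:-}" ]; then
    check_port_free "$1"
else
    echo "sample: port 80 is held by $(sample_netstat | port_owner - 80)"
fi
```

On a box where netstat will not show the PID column unless run as root, `fuser 80/tcp` gives the same answer; either way, the listener that shows up is the one to stop (or, as in the thread, the inetd.conf line to comment out) before Apache is restarted.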
#5
Rich Grise <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> root@daphne:/etc/rc.d# cat /usr/local/sbin/masq-on
> modprobe ipt_MASQUERADE   # If this fails, try continuing anyway
> iptables -F; iptables -t nat -F; iptables -t mangle -F
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> echo 1 > /proc/sys/net/ipv4/ip_forward

insert this line to open the http port on the external interface :

iptables -A INPUT -s 0.0.0.0/0 -d 4.11.176.232/32 --dport 80 -j ACCEPT

> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
> iptables -P INPUT DROP   # only if the first two are successful
> iptables -A FORWARD -i eth0 -o eth0 -j REJECT

(note: use ' iptables -L -vn ' to give more information)

Regards
#6
On Tue, 21 Dec 2004 23:57:10 +0000, Antoine EMERIT wrote:
> Rich Grise <(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>> root@daphne:/etc/rc.d# cat /usr/local/sbin/masq-on
>> modprobe ipt_MASQUERADE   # If this fails, try continuing anyway
>> iptables -F; iptables -t nat -F; iptables -t mangle -F
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> insert this line to open the http port on the external interface :
>
> iptables -A INPUT -s 0.0.0.0/0 -d 4.11.176.232/32 --dport 80 -j ACCEPT

Excellent! Except I got an error; it didn't recognize --dport. So
according to man iptables, I had to modify it a little:

iptables -A INPUT -s 0.0.0.0/0 -d 4.11.176.232/32 --protocol tcp --dport 80 -j ACCEPT

(it doesn't wrap in the script)

Working like a champ! It's a keeper!

Now, to see why dhcpcd-eth0.exe seems to have no effect:

#!/bin/sh
echo "(dhcpcd) IP address changed to $1" | logger
echo "(dhcpcd) IP address changed to $1"
IPADDR=`cat dhcpcd-eth0.info | grep IPADDR | cut -c8-`
export IPADDR

The first line is from the box, but I don't see the line in any of my
logs in /var/log, and the next 3 lines I've added just now, just to see if
I can get it to do something, to no avail.

And _then_, study rc.firewall, and see if it's safe to either do that line
or... Yeah! Right at the top.

PERMIT="80/tcp"

Cool! Thanks 10^9!

Oh, yeah - back to dhcpcd-eth0.exe - any suggestions how to track down
what it's doing? That's all I need for dynamic DNS at zoneedit.com.

And Then, find out how to do pop3 mail. ;-)

Cheers!
Rich

>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
>> iptables -P INPUT DROP   # only if the first two are successful
>> iptables -A FORWARD -i eth0 -o eth0 -j REJECT
>
> (note: use ' iptables -L -vn ' to give more information)
>
>
> Regards
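The corrected one-liner works, but it is pinned to 4.11.176.232 with `-d`, and on a DHCP lease that address is exactly the thing that can change under you; the day Verizon hands out a different one, port 80 silently closes again. The script below is an added example, not the masq-on from the thread or the HOWTO's, that folds the port-80 rule into the masquerading script. It assumes eth0 faces the DSL modem and eth1 the 192.168.0.0/24 LAN (neither is stated in the thread). It matches inbound web traffic by interface, protocol and port instead of by destination address, so it survives a new lease, and it sets the DROP policy before appending any ACCEPT: the HOWTO version sets the policy last so that a mistake in the earlier lines cannot lock you out, but on the first run after boot that leaves INPUT on policy ACCEPT, i.e. open, until that last line runs. Run it as `sh masq-on.sh apply` (as root) to load the rules; invoked any other way it only prints the commands it would run, which is also what the self-check reads.

```shell
#!/bin/sh
# Added example, not the original poster's /usr/local/sbin/masq-on: the HOWTO
# masquerading script with inbound HTTP accepted on the external interface.
# Assumptions (not from the thread): eth0 is the DSL side, eth1 the LAN side,
# the LAN is 192.168.0.0/24, and the public address is dynamic.

EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN=${LAN:-192.168.0.0/24}
IPTABLES=${IPTABLES:-echo}   # print unless "apply" switches to the real binary

# Every rule goes through this wrapper so the same function can either
# load the ruleset or just print it for review.
ipt() {
    "$IPTABLES" "$@"
}

build_rules() {
    # Flush, then default-deny BEFORE any ACCEPT is appended. The HOWTO
    # script sets the DROP policy last, so on a fresh boot INPUT sits on
    # policy ACCEPT while the earlier lines run.
    ipt -F
    ipt -t nat -F
    ipt -t mangle -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP

    # Loopback, replies to connections we or the LAN opened, and nothing
    # that conntrack cannot classify. The ESTABLISHED rule comes first so an
    # existing SSH session survives the reload.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # New connections from the inside interface only. The HOWTO used
    # "-i ! eth0", which also trusts any other interface that shows up.
    ipt -A INPUT -i "$INT_IF" -s "$LAN" -m state --state NEW -j ACCEPT

    # The fix from the thread, tied to the interface instead of the current
    # DHCP address. --dport is only valid after -p tcp (or -p udp).
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Forwarding: LAN out through the DSL side, replies back in, and never
    # DSL-to-DSL through this box.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$EXT_IF" -j REJECT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# The ruleset as text, one command per line (what a reviewer should read).
render_rules() {
    IPTABLES=echo build_rules
}

# How many INPUT rules accept new connections arriving on the external
# interface. This should be exactly one (tcp/80); check it after every edit.
count_external_accepts() {
    render_rules | grep -c -- "-A INPUT -i $EXT_IF .* -j ACCEPT"
}

if [ "${1:-}" = "apply" ]; then
    modprobe ipt_MASQUERADE 2>/dev/null || true   # If this fails, try continuing anyway
    IPTABLES=iptables build_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
else
    render_rules
fi
```

The same `-i eth0 -p tcp --dport 80` shape is what goes into rc.firewall's PERMIT list on ops ("80/tcp" there, as found in the previous post); what neither script does is restrict who may reach port 80, which is the point of a public web server, so the thing to keep small is everything else that `count_external_accepts` would count.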
#7
Rich Grise <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> iptables -A INPUT -s 0.0.0.0/0 -d 4.11.176.232/32 --protocol tcp --dport 80 -j ACCEPT

That's right, a port is only valid according to a protocol (tcp or udp).

> what it's doing? That's all I need for dynamic DNS at zoneedit.com.

You could try one of the DD client programs, which will set the proper
IP, or read the following:

"From one of our customers: It's very easy to update the dynamic zoneedit
entries on UNIX with either of these two command lines (if you have wget
or lynx installed):

lynx -source -auth=username:password 'http://dynamic.zoneedit.com/auth/dynamic.html?host=www.mydomain.com'

wget -O - --http-user=username --http-passwd=password 'http://dynamic.zoneedit.com/auth/dynamic.html?host=www.mydomain.com'

PPP users should place one of the above commands (or a perl client) in the
file /etc/ppp/ip-up or /etc/ppp/ppp.linkup, which are called whenever a
ppp connection is made.

Users of dhcpcd may place these commands in the file
/etc/dhcpc/dhcpcd-eth0.exe or /etc/dhcpc/dhcpcd-eth1.exe which are
executed whenever a new dynamic IP address is acquired."

> And Then, find out how to do pop3 mail. ;-)

Do the same as for your web site, using port 110 (pop3) instead of 80.

Regards
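A dhcpcd hook built around the zoneedit command quoted above, as an added example rather than anything posted in the thread. It differs from the four-line dhcpcd-eth0.exe in the earlier post in three ways. It ignores its arguments, because what dhcpcd passes in `$1` depends on the dhcpcd version (an assumption here; check the man page on the box rather than trusting it to be the address), and reads the address from the .info file as the original already did, but by absolute path: a relative `dhcpcd-eth0.info` only resolves if the hook happens to be run from /etc/dhcpc. It validates what it read before logging or sending it. And it only calls the provider when the address actually changed, with the username and password in a root-only file instead of in the script. The host name www.example.com, the credentials file and the state file are placeholders; the update URL and the `--http-passwd` spelling are the ones quoted in the post (newer wget calls that flag `--http-password`). The URL carries only the host name, so the provider has to take the address from the request's source, which from a masquerading box is the public one.

```shell
#!/bin/sh
# Added example, not the poster's /etc/dhcpc/dhcpcd-eth0.exe: read the new
# lease address from dhcpcd's .info file, log it, and push a dynamic DNS
# update only when it differs from the last one we sent.
# Assumptions (not from the thread): the .info file holds KEY=value lines
# including IPADDR=; the hook's arguments are version-dependent and ignored;
# the credentials file holds two lines, DDNS_USER=... and DDNS_PASS=...

INFO=${INFO:-/etc/dhcpc/dhcpcd-eth0.info}
STATE=${STATE:-/var/run/dyndns-last-ip}
CREDS=${CREDS:-/etc/dyndns.creds}             # chmod 600, owned by root
UPDATE_HOST=${UPDATE_HOST:-www.example.com}   # placeholder host name
UPDATE_CMD=${UPDATE_CMD:-wget}                # a test can set this to "echo"

# syslog when available (dhcpcd runs us with no terminal), else stderr.
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t dhcpcd-hook "$*"
    else
        echo "dhcpcd-hook: $*" >&2
    fi
}

# Print the IPADDR value from .info file $1. Fails unless it is a dotted
# quad with octets 0-255, so a truncated or garbled file never reaches the
# DNS provider or the logs (the original "grep | cut -c8-" sends anything).
get_ipaddr() {
    ip=$(sed -n 's/^IPADDR=//p' "$1" 2>/dev/null | head -n 1)
    case $ip in
        ""|*[!0-9.]*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# Status 0 when $1 differs from the address recorded in state file $2,
# or when nothing has been recorded yet.
ip_changed() {
    [ -r "$2" ] && [ "$(cat "$2")" = "$1" ] && return 1
    return 0
}

# Remember what we last pushed, so a re-lease of the same address after a
# reboot does not hit the provider again.
record_ip() {
    printf '%s\n' "$1" > "$2"
}

# The zoneedit call from the thread, with credentials read from a file
# rather than typed into the script.
update_dns() {
    [ -r "$CREDS" ] || { log "no credentials file $CREDS"; return 1; }
    # shellcheck disable=SC1090
    . "$CREDS"
    "$UPDATE_CMD" -q -O - --http-user="$DDNS_USER" --http-passwd="$DDNS_PASS" \
        "http://dynamic.zoneedit.com/auth/dynamic.html?host=$UPDATE_HOST"
}

main() {
    newip=$(get_ipaddr "$INFO") || {
        log "bad or missing IPADDR in $INFO"
        return 1
    }
    log "lease on eth0: $newip"
    ip_changed "$newip" "$STATE" || return 0
    if update_dns >/dev/null; then
        record_ip "$newip" "$STATE"
        log "dynamic DNS now points at $newip"
    else
        log "dynamic DNS update failed for $newip"
        return 1
    fi
}

# Only act when a lease file exists; loading the script for its functions
# is otherwise side-effect free.
if [ -r "$INFO" ]; then
    main
fi
```

Install it as /etc/dhcpc/dhcpcd-eth0.exe, executable and root-owned, with the credentials file at mode 600. One caveat the thread's own command lines share: anything passed as `--http-passwd=` or `-auth=` on a command line is visible to every local user in `ps` for as long as wget or lynx runs, so on a multi-user box the password belongs in wget's `.netrc` instead.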