Topic: Websites not working from public

[rmoria]

Hi,
I am rebuilding to SME 10. I am at the point I want to bring back the websites it was hosting.
I can not access them from the internet,but I can access them from the private side.

How can I check if the traffic is blocked by the server or if my ISP blocked port80?

[ReetP]

Please go back a few steps and tell us exactly what steps you have taken so far.

Did the sites work publicly on v9?

What mode is the server?

Do you have routers or other firewalls installed?

[rmoria]

Yes, they worked on SME9

Server and gateway

No extra routers or firewall installed. Connected to ISP by modem in bridge mode.

I have a basic index.htm in the ibay(s) now, that I can see from the private network

[ReetP]

Have you restored from a backup or done a clean start?

[Jean-Philippe Pialasse]

Code: [Select]

config show SystemMode

[rmoria]

I did  a fresh start.

systemmode:

Code: [Select]

SystemMode=servergateway

[rmoria]

It has probably something to do with the database not working for root (and others, like horde). I can also not redirect ports.

I am running a backup and tomorrow I will see if a fresh install (again) works better.

[Jean-Philippe Pialasse]

first you should not use root and its password for web application. you should create a dedicated db and user per app. If not confident with command line, use phpmyadmin contrib and connect as admin. multiple reasons, but few of them are
- if leaked you also give up your master ldap password for SME
- if leaked for one app you compromiser your whole mysql db

second, if you can see content from inside and not from outside it is very unlikely it is  a mysql issue

third can not access is as saying the car does not work and not letting the engineer with more information. Nobody will be able to help you.
How do you try your external access ? What is displayed? error? What do you expect to see? Better give us an url so we can test for you. 

Last, this is not windows, deleting and installing again is not the first solution. Investigating, understanding and fixing is the way. 

so start to tell more, this will avoid a long unhelpfull thread. 


edit

also /var/log/httpd/access_log and error_log could be helpfull to help diagnose the issue when trying to access

[rmoria]

ip-adres : 213.93.205.219
dns :  tolot.net (primary) / babshop.nl (points to ibay) / groenzwartereigers.nl (points to ibay)

with "db accounts show" I can see that all 3 Ibays are set to global access and no password

[Jean-Philippe Pialasse]

First I am assuming that the IP is really the current that has been assigned by your ISP lately and obtained by reading the config of your SME (ifconfig). If you do not have a static IP this could have changed before I checked for it. ( If I am assuming wrong correct me and there will be extra debugging steps)

I am also assuming you are restoring on the same hardware you were using for the SME9. Different hardware, could be related to other potential issues ( If I am assuming wrong correct me and there will be extra debugging steps).


Your domains seem pointing to the right IP though, so no DNS issue.
I am able to ping but that is all I can get from your IP. Nmap was unable to find one single opened port.

Also I must say that from Canada I get 2 hops with 87% loss. Tested from France and there was not routing issue.

So either you have a provider filtering your port, but from what you where saying this was working before with a SME9, either you have some issues with your local firewall/modem/router, either this is a conflict with a SME config.

1- This could be from your ISP router/modem ? I guess you did not change anything on this device?

2- I am assuming that your modem/router is set as modem gateway and is not NATing anything (acting as router), because this could be a first issue if not please correct me there will be again extra debugging to do.
this could help partly answering the question

Code: [Select]

config show ExternalInterface

3- if this is a SME configuration, we have to check :
-3a custom templates (this is the major source of issues when restoring from backup)

Code: [Select]

/sbin/e-smith/audittools/templates
-3b firewall and http services setting

Code: [Select]

config show masq
config show httpd-e-smith
- services running

Code: [Select]

systemctl status -l masq httpd-e-smith
4- any contrib installed like fail2ban, xt_geoip that could block your access? try following command to check

Code: [Select]

/sbin/e-smith/audittools/newrpms |grep ^smeserver
5- also could be hardware / software issue with network: please check

Code: [Select]

lspci |grep -i Eth

[rmoria]

2:

Code: [Select]

config show ExternalInterface

Code: [Select]

ExternalInterface=interface
    Configuration=DHCPEthernetAddress
    Driver=r8169
    Gateway=
    IPAddress=
    Name=enp3s0
    Netmask=255.255.255.0

3a: I did not do a restore to there, just data in Ibays

3b:

Code: [Select]

config show masq
masq=service
    DenylogTarget=drop
    Logging=most
    Stealth=no
    Trace=disabled
    pptp=yes
    status=enabled

Code: [Select]

config show httpd-e-smith
httpd-e-smith=service
    SSLv2=disabled
    SSLv3=disabled
    TCPPort=80
    access=public
    status=enabled


Code: [Select]

systemctl status -l masq httpd-e-smith
● masq.service - masq, the Koozali SME Server firewall script
   Loaded: loaded (/usr/lib/systemd/system/masq.service; enabled; vendor preset:                             enabled)
   Active: active (exited) since zo 2021-08-29 12:58:56 CEST; 22min ago
 Main PID: 1297 (code=exited, status=0/SUCCESS)
   Memory: 0B
   CGroup: /system.slice/masq.service

aug 29 12:58:55 nathan.tolot.net systemd[1]: Starting masq, the Koozali SME Serv                            er firewall script...
aug 29 12:58:56 nathan.tolot.net masq[1297]: Enabling IP masquerading: done
aug 29 12:58:56 nathan.tolot.net systemd[1]: Started masq, the Koozali SME Serve                            r firewall script.

● httpd-e-smith.service - httpd-e-smith The Koozali SME Server Apache HTTP Servi                            ce
   Loaded: loaded (/usr/lib/systemd/system/httpd-e-smith.service; enabled; vendo                            r preset: enabled)
   Active: active (running) since zo 2021-08-29 12:59:00 CEST; 22min ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 1846 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/s                            ec"
   Memory: 8.6M
   CGroup: /system.slice/httpd-e-smith.service
           ├─1846 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
           ├─1861 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
           ├─1862 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
           ├─1863 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
           ├─1864 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
           ├─1865 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
           ├─1866 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
           ├─1867 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
           ├─1868 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
           ├─1869 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
           └─1870 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND

aug 29 12:58:56 nathan.tolot.net systemd[1]: Starting httpd-e-smith The Koozali                             SME Server Apache HTTP Service...
aug 29 12:59:00 nathan.tolot.net systemd[1]: Started httpd-e-smith The Koozali S                            ME Server Apache HTTP Service.
4:

Code: [Select]

/sbin/e-smith/audittools/newrpms |grep ^smeserver
smeserver-awstats.noarch              1.4-3.el7.sme                 @smecontribs
smeserver-dhcp-dns.noarch             1.2.0-5.el7.sme               @smecontribs
smeserver-dhcpmanager.noarch          2.0.4-12.el7.sme              @smecontribs
smeserver-letsencrypt.noarch          0.5-17                        @smecontribs
smeserver-mod_dav.noarch              1.1-7.el7.sme                 @smecontribs
smeserver-phpmyadmin.noarch           4.0.10.2-11.el7.sme           @smecontribs
smeserver-webhosting.noarch           0.0.9-12.el7.sme              @smecontribs
5:

Code: [Select]

lspci |grep -i Eth
00:19.0 Ethernet controller: Intel Corporation 82566DM-2 Gigabit Network Connection (rev 02)
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8169 PCI Gigabit Ethernet Controller (rev 10)

Other stuff I tried: Reset the modem and placed in bridge mode again (i keep trying to find someone at isp helpdesk that is smart enough to check if there is any firewall in the modem after I switch to bridge mode and cannot look myself). Switched local and public ethernetcards and cables (got me a new public ip adres (178.85.119.237) didn't work,so i switched back)

[Jean-Philippe Pialasse]

from what i see your SME is not getting any IP. 

i would check what was the setting from your previous SME. 

a tips when using command ifconfig you should see the external ip assigned on your external if.

another tip. usually when you reset you modem you also need to reboot the server. Some of them needs to have server already connected when rebooting it and won’t work if you change the device behind them after that. 

[rmoria]

It does get an IP, I am using the connection now.

Code: [Select]

ifconfig
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 213.93.205.219  netmask 255.255.255.0  broadcast 255.255.255.255
        ether 00:1e:4f:d0:d9:e1  txqueuelen 1000  (Ethernet)
        RX packets 1057158  bytes 1187269683 (1.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 505290  bytes 92757066 (88.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 21  memory 0xfe9e0000-fea00000

enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.1  netmask 255.255.0.0  broadcast 10.0.255.255
        ether 3c:49:37:17:cd:8a  txqueuelen 1000  (Ethernet)
        RX packets 527039  bytes 93153031 (88.8 MiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 1042724  bytes 1180877850 (1.0 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 12201  bytes 1614893 (1.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12201  bytes 1614893 (1.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[ReetP]

ExternalInterface=interface
 Name=enp3s0

enp3s0:
 inet 10.0.0.1

enp0s25:
 inet 213.93.205.219

Think you have your interfaces mixed up.

[rmoria]

Oh sorry, when I wrote that I had them switched to see if that would help. I now remade that.
(after changing in admin menu, internet (gateway) did not work. I had to do a signal-event postupgrade; signal-event reboot  after)

Now:

Code: [Select]

config show ExternalInterface
ExternalInterface=interface
    Configuration=DHCPEthernetAddress
    Driver=r8169
    Gateway=
    IPAddress=
    Name=enp3s0
    Netmask=255.255.255.0


Code: [Select]

ifconfig
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.1  netmask 255.255.0.0  broadcast 10.0.255.255
        ether 00:1e:4f:d0:d9:e1  txqueuelen 1000  (Ethernet)
        RX packets 7549  bytes 2010434 (1.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7855  bytes 4981371 (4.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 21  memory 0xfe9e0000-fea00000

enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 178.85.119.237  netmask 255.255.255.0  broadcast 255.255.255.255
        ether 3c:49:37:17:cd:8a  txqueuelen 1000  (Ethernet)
        RX packets 8509  bytes 5163556 (4.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7201  bytes 1871775 (1.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 687  bytes 68256 (66.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 687  bytes 68256 (66.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Tomorrow I will try to contact ISP and hope to get someone that actualy help me check my modem.

[ReetP]

Oh sorry, when I wrote that I had them switched to see if that would help. I now remade that.

Please be REALLY careful doing this sort of thing - it can totally confuse a situation and just wastes so much time, and then you end up getting ignored.

ping tolot.net
PING tolot.net (178.85.119.237): 56 data bytes
64 bytes from 178.85.119.237: icmp_seq=0 ttl=52 time=65.574 ms

ping babshop.nl
PING babshop.nl (178.85.119.237): 56 data bytes
64 bytes from 178.85.119.237: icmp_seq=0 ttl=52 time=75.899 ms

ping groenzwartereigers.nl
PING groenzwartereigers.nl (213.93.205.219): 56 data bytes
Request timeout for icmp_seq 0

So 178.85.119.237 responds but the the other doesn't.

So is your IP static or dynamic (from the looks of your login it is dynamic.....)? So I guess you are using this dynamic IP to login here.

You say you tried bridged mode. What instructions does your ISP give you to set it up? At least we can then work out what to do. What sort of router or modem is it? You said you had it in bridge mode on v9 so where are the settings for that?

A look at this might help once you have figured out what modem mode you should be in.

https://wiki.koozali.org/SME_Server:Documentation:Administration_Manual:Chapter5#Server_and_Gateway_Mode_-_Dedicated

If you have a dynamic IP you will need also need another contrib to fix the DNS as well.

Lots of questions with no real answers.

Please, go back, start again, and just do it one step at a time. You are just thrashing around trying different things and not being methodical here.


I strongly suggest having a read through this - ignore the Rocket specific bits, but read the generic stuff on reporting bugs effectively.

https://gist.github.com/reetp/a66149d5f060f260643a353ca7067a98#how-to-ask-for-help

Specifically use these to try and organise yourself to help us.

https://www.chiark.greenend.org.uk/~sgtatham/bugs.html
http://www.catb.org/esr/faqs/smart-questions.html

[Jean-Philippe Pialasse]

you got back again this new ip 178.85.119.237
and looking at ReetP test just up to this post, you only got part of your domains updated to the new ip

take ti,e to answer and follow ReetP suggestions

also I would add, you can check SME logs when trying to connect

tail -f /var/log/iptables/denylog.log

you have certainly a phone with LTE, this is your best friend to test you connection from "outside world"

[rmoria]

I am seeing almost everything being denied:

Aug 31 16:15:50 nathan denylog: IN=enp3s0 OUT= MAC=3c:49:37:17:cd:8a:54:67:51:55:f3:37:08:00 SRC=109.38.153.152 DST=178.85.119.237 LEN=60 TOS=00 PREC=0x00 TTL=54 ID=31029 DF PROTO=TCP SPT=19666 DPT=80 SEQ=4235366483 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0


Aug 31 16:17:19 nathan denylog: IN=enp3s0 OUT= MAC=3c:49:37:17:cd:8a:54:67:51:55:f3:37:08:00 SRC=109.38.153.152 DST=178.85.119.237 LEN=88 TOS=00 PREC=0x00 TTL=249 ID=17589 DF PROTO=TCP SPT=18060 DPT=8181 SEQ=3235150611 ACK=0 WINDOW=0 ACK RST URGP=0 MARK=0
(port 8181 is a connection to another machine)

[Jean-Philippe Pialasse]

i know you told you did not restored custom-templates but please give us output of

Code: [Select]

/sbin/e-smith/audittools/templates

also denylog.log as it states will output denied connection
it is not normal that your server will deny port 80 unless a custom template or a contribs has asked so or you changed httpd-e-smith access to private.

also while ifconfig is showing your external ip, it is not shown in config db and it should be seen in two places

Code: [Select]

config get ExternalIP
config getprop ExternalInterface IPAddress

[rmoria]

sbin/e-smith/audittools/templates gives no response (fresh install)

Code: [Select]

config get ExternalIP
config getprop ExternalInterface IPAddressAlso gives no output

[ReetP]

This is turning into a XY problem.

https://xyproblem.info/

sbin/e-smith/audittools/templates gives no response (fresh install)

You are missing a '/'

Code: [Select]

/sbin/e-smith/audittools/templates
Then:

Also gives no output

So what have you done differently?

Please, go back, read again the pages on how to report issues correctly, and then document each step and paste it somewhere like pastebin so we can see what you are doing. Remember - we are effectively blind here. We are not mind readers either.

At the minute you are still racing round in a desperate attempt to make something work and getting nowhere, and wasting lots of everyones time.

You have done a clean install. And? Then what? Exactly what did you do during set up? What options? Every little step.

If you can't be methodical and accurate and provide clear information we can't help you.

[Jean-Philippe Pialasse]

John we are getting there.

please can you post the output of

config show wan

/sbin/e-smith/audittools/events


also
grep ip-change /var/log/message*

[rmoria]

Code: [Select]

config show wan
wan=service
    status=enabled

Code: [Select]

/sbin/e-smith/audittools/events
First the next command gave no output.I did signal-event IP-Change and this came:

Code: [Select]

grep ip-change /var/log/message*
/var/log/messages:Sep  2 20:01:53 nathan esmith::event[4821]: Processing event: ip-change
/var/log/messages:Sep  2 20:01:53 nathan esmith::event[4821]: Running event handler: /etc/e-smith/events/ip-change/S03set-external-ip
/var/log/messages:Sep  2 20:01:53 nathan esmith::event[4821]: S03set-external-ip=action|Event|ip-change|Action|S03set-external-ip|Start|1630605713 751506|End|1630605713 835274|Elapsed|0.083768|Status|65280
/var/log/messages:Sep  2 20:01:55 nathan esmith::event[4821]: generic_template_expand=action|Event|ip-change|Action|generic_template_expand|Start|1630605713 835553|End|1630605715 870966|Elapsed|2.035413
/var/log/messages:Sep  2 22:02:13 nathan esmith::event[4821]: adjust-services=action|Event|ip-change|Action|adjust-services|Start|1630605715 871293|End|1630612933 614584|Elapsed|7217.743291
/var/log/messages.20210902194842:Sep  2 20:01:53 nathan esmith::event[4821]: Processing event: ip-change
/var/log/messages.20210902194842:Sep  2 20:01:53 nathan esmith::event[4821]: Running event handler: /etc/e-smith/events/ip-change/S03set-external-ip
/var/log/messages.20210902194842:Sep  2 20:01:53 nathan esmith::event[4821]: S03set-external-ip=action|Event|ip-change|Action|S03set-external-ip|Start|1630605713 751506|End|1630605713 835274|Elapsed|0.083768|Status|65280
/var/log/messages.20210902194842:Sep  2 20:01:55 nathan esmith::event[4821]: generic_template_expand=action|Event|ip-change|Action|generic_template_expand|Start|1630605713 835553|End|1630605715 870966|Elapsed|2.035413
/var/log/messages.20210902194842:Sep  2 22:02:13 nathan esmith::event[4821]: adjust-services=action|Event|ip-change|Action|adjust-services|Start|1630605715 871293|End|1630612933 614584|Elapsed|7217.743291
To rule out a hardware failure,i am going to switch a network card tomorrow.
I also tried stuff on the modem, like remove the bridgemode and forwarding all ports. Just to be sure it is not blocked there. It didnt help denylog still filling up.
Switched around the networkcables again.External IP 213.93.205.219 (and changed DNS redirect to current IP)

[Jean-Philippe Pialasse]

issue seems that ip is not propagated to the config database.

the result is that the firewall filtering on the wan ip is mot aware of what is the wan ip will simply refuse any http connexions.

try
signal-event ip-change yourcurrentip

then we will need to investigate what is causing that.

[rmoria]

signal-event ip-change yourcurrentip
That has worked. I am getting in. Sites are reachable, port forwarding is working.

Now that I have a monitor hooked up to the server again, I see errors coming from the enp0s25 networkcard (Hardware unit hang). This is the card for the local network. But maybe it is not detected correctly and it puts the server in this weird state. That would explain why the problem happened after the fresh install. The external IP db entry was good in SME9 when I changed to this card (a few month ago) and it stayed that way.

[bunkobugsy]

5:

Code: [Select]

lspci |grep -i Eth
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8169 PCI Gigabit Ethernet Controller (rev 10)


Try this:

wget http://elrepo.reloumirrors.net/elrepo/el7/x86_64/RPMS/kmod-r8168-8.049.02-1.el7_9.elrepo.x86_64.rpm
yum localinstall kmod-r8168-8.049.02-1.el7_9.elrepo.x86_64.rpm

and reboot