
I'm working on setting up Apache on my router (on which I've installed Tomato, a custom Linux-based firmware package). I have succeeded with installing Apache, and believe I have configured it correctly, but cannot get the default "It works!" page to load.

Running netstat, I can see the value in the "Recv-Q" column increment every time I attempt to access the served file via the browser, but it's as if Apache won't or can't respond to the request. Tailing the Apache error_log also yields nothing.

Does anyone see anything obvious, or have some suggestions for things to try in order to get things working? Can I provide any additional info that would help?

Sample netstat output (see the 5th entry with the address ":::www"):

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      
tcp        0      0 localhost:52698         0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:1338            0.0.0.0:*               LISTEN      
tcp        4      0 :::www                  :::*                    LISTEN      
tcp        0      0 :::domain               :::*                    LISTEN      
tcp        0      0 :::ssh                  :::*                    LISTEN      
tcp        0      0 :::telnet               :::*                    LISTEN      
tcp        0      0 localhost:52698         :::*                    LISTEN      
tcp        0      0 :::1338                 :::*                    LISTEN      
udp        0      0 localhost:38032         0.0.0.0:*                           
udp        0      0 0.0.0.0:5038            0.0.0.0:*                           
udp        0      0 0.0.0.0:domain          0.0.0.0:*                           
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           
udp        0      0 0.0.0.0:60648           0.0.0.0:*                           
udp        0      0 0.0.0.0:49518           0.0.0.0:*                           
udp        0      0 0.0.0.0:38000           0.0.0.0:*                           
udp        0      0 :::domain               :::*                                
raw        0      0 0.0.0.0:255             0.0.0.0:*               255         
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING      13850 /opt/var/apache2/run/cgisock.1325

Apache error_log contents:

[Wed Feb 13 16:05:16 2013] [notice] Digest: generating secret for digest authentication ...
[Wed Feb 13 16:05:16 2013] [notice] Digest: done
[Wed Feb 13 16:05:16 2013] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Wed Feb 13 16:05:16 2013] [info] LDAP: SSL support available
[Wed Feb 13 16:05:16 2013] [info] mod_unique_id: using ip addr 192.168.253.1
[Wed Feb 13 16:05:17 2013] [notice] Apache/2.2.20 (Unix) DAV/2 configured -- resuming normal operations

Update: It looks like the firewall is blocking the incoming requests, even though I've opened up port 80 (and 443).

Firewall messages (scrubbed address info, x = local, y = remote):

Feb 13 16:53:15 UBERnet user.warn kernel: DROP IN=vlan2 OUT= MACSRC=xx:xx:xx:xx:xx:xx MACDST=yy:yy:yy:yy:yy:yy MACPROTO=0800 SRC=yyy.yyy.yyy.yyy DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x20 TTL=57 ID=48272 DF PROTO=TCP SPT=43229 DPT=80 SEQ=3727060622 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056404020000) 

iptables -L output:

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW 
shlimit    tcp  --  anywhere             anywhere            tcp dpt:1338 state NEW 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1337 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1338 
logdrop    all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
           all  --  anywhere             anywhere            account: network/netmask: 192.168.253.0/255.255.255.0 name: lan 
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            state INVALID 
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
monitor    all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
wanin      all  --  anywhere             anywhere            
wanout     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain logdrop (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            state NEW limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix `DROP ' 
DROP       all  --  anywhere             anywhere            

Chain logreject (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix `REJECT ' 
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 

Chain monitor (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere            WEBMON --max_domains 1000 --max_searches 1000 

Chain shlimit (2 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere            recent: SET name: shlimit side: source 
logdrop    all  --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source 

Update: As a side note, I was able to get lighttpd working with just the iptables adjustment, so it does appear that it was an issue specific to Apache's configuration.

Wilco
    Would someone mind clarifying why this question is off-topic? Also, if you think it would be more appropriate on another stack exchange site, feel free to mention that as well (SuperUser perhaps?). Thanks! – Wilco Feb 14 '13 at 17:55

3 Answers

I have no idea what may be the problem but a useful next step might be to attach to the listening process (and its forks) with strace and have a look at what's going on when you try to connect.

strace -o apache.strace -f -p $PID

Puts the result into the file apache.strace.

Hauke Laging

In the firewall's INPUT chain, the logdrop line kills your connection. It is a catch-all chain for dropping all unwanted traffic. The rule processing never reaches the web rules. You must move the ACCEPT rules above the logdrop rule.

hayalci
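To make the ordering problem in this answer checkable, here is an added example (not code from the thread or from Tomato) that parses `iptables -L` text, reports ACCEPT rules for a port that sit below an unconditional terminating rule, and builds the corresponding `iptables -I CHAIN N` insert command. The sample chain is a constructed copy of the question's INPUT chain; the function and variable names are my own.

```python
# Constructed sample: the INPUT chain from the question's `iptables -L` output.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
shlimit    tcp  --  anywhere             anywhere            tcp dpt:1338 state NEW
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1337
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1338
logdrop    all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
"""

# Terminating targets: built-ins plus Tomato's logdrop/logreject chains, which end in DROP/REJECT.
DROP_TARGETS = {"DROP", "REJECT", "logdrop", "logreject"}

def parse_chain(text):
    """Return (chain_name, rules); each rule is (target, prot, src, dst, matches)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    chain = lines[0].split()[1]            # "Chain INPUT (policy DROP)" -> "INPUT"
    rules = []
    for ln in lines[2:]:                   # skip the "Chain ..." and column-header lines
        parts = ln.split(None, 5)          # target prot opt source destination [matches]
        target, prot, _opt, src, dst = parts[:5]
        rules.append((target, prot, src, dst, parts[5].strip() if len(parts) > 5 else ""))
    return chain, rules

def shadowed_accepts(text, port):
    """ACCEPT rules for tcp dpt:<port> (1-based numbers, as --line-numbers shows) with the
    first unconditional terminating rule above each. Caveat: plain `iptables -L` hides
    -i/-o interface matches, so confirm an apparently unconditional rule with -L -v -n."""
    _chain, rules = parse_chain(text)
    blocker, hits = None, []
    for num, (target, prot, src, dst, matches) in enumerate(rules, 1):
        unconditional = prot == "all" and src == dst == "anywhere" and not matches
        if blocker is None and target in DROP_TARGETS and unconditional:
            blocker = (num, target)
        if target == "ACCEPT" and f"dpt:{port}" in matches.split():
            hits.append({"rule": num, "shadowed_by": blocker})
    return hits

def fix_command(chain, blocker_rule, port_number):
    """`iptables -I CHAIN N ...` inserts at position N, i.e. directly above the blocking rule."""
    return f"iptables -I {chain} {blocker_rule} -p tcp --dport {port_number} -j ACCEPT"
```

Against the sample chain, both `dpt:www` ACCEPT rules (11 and 13) are reported as shadowed by rule 10 (logdrop), and the suggested fix inserts the port 80 ACCEPT at position 10, which is what "-I instead of -A" achieves in the comments below.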

Something is wrong. Apache is listening on IPv6 only. Can you change the Listen parameter in Apache configuration file to

      Listen 0.0.0.0:80 

And then restart Apache. Do netstat again, and make sure the output includes 0.0.0.0:www or something along those lines of IPv4.

Daniel t.
  • Ah good catch! I went ahead and tried that and now netstat correctly shows "0.0.0.0:80" but I still experience the same behavior (basically times out). – Wilco Feb 14 '13 at 00:43
  • check `iptables` now. Run `iptables -L -n` and see if connection to port 80 is allowed. – Daniel t. Feb 14 '13 at 00:45
  • just updated the post with the output from `iptables -L` – Wilco Feb 14 '13 at 01:00
  • did you use a web interface or command line to open the ports in iptables? Can you disable the firewall for a moment? Just wanted to see if this is a firewall or Apache config issue. – Daniel t. Feb 14 '13 at 01:16
  • I actually opened the ports directly via the command line. Went ahead and turned off the firewall and still can't seem to get Apache to respond. – Wilco Feb 14 '13 at 01:28
  • It could be Apache then. Can you check the Apache config file for `Allow from` lines, and see if it allows only from `127.0.0.1`. If that is the case you might need to add your IP there. As for iptables, use iptables -I instead of iptables -A to add rules. – Daniel t. Feb 14 '13 at 01:34