I have next config:
- some http servers together with desktops on lan behind clearOS firewall
- xyz.com point to WAN ip of clearOS
- 80 port is forwarded to https server from local network
All was ok until yesterday. During last night there was an automatic update, and today if I access xyz.com from an external IP, it works ok (like yesterday). But if I try to access my server xyz.com from the LAN, I receive no answer. It seems to be not refused, just no answer. The request seems not to be forwarded to the LAN http server but disappears somewhere. It seems that ClearOS traps the request. The same is happening if I try to access external_IP:80 from inside, but it is working ok from outside.
Any advice? I am newbie in this kind of debug.
Responses (2)
-
Accepted Answer
Please can you reply with your firewall rules from:
    iptables -nvL
    iptables -nvL -t nat
And please put the result between code tags? If you need to, you can redirect the output to file and copy and paste from there, but you should also be able to directly copy from PuTTy just by selecting the text.
[edit]
Please note that if we can't get the diagnostics and no one else reports the issue, we will probably not revert the change.
With your output, can you also give the output from:
    ifconfig | grep '^\S' -A 1
    grep IF /etc/clearos/network.conf
[/edit]
-
Accepted Answer
OK, I know the change and, this time when testing, I am getting very inconsistent results so I am confused. I am just pushing a build to revert the change, but you can do it in advance. To undo the change, go to /usr/clearos/apps/firewall/deploy/firewall.lua and you will see lines 953-955 commented out with a "--". Just remove the "--" for the three lines, changing:
    -- iptables("nat",
    -- string.format("-A POSTROUTING -d %s -p %d -s %s/%s --dport %s -j SNAT --to %s",
    -- r_addr, r_proto, network, netmask, dport, ip))
to:
    iptables("nat",
    string.format("-A POSTROUTING -d %s -p %d -s %s/%s --dport %s -j SNAT --to %s",
    r_addr, r_proto, network, netmask, dport, ip))
Then restart the firewall with a "systemctl firewall restart".
Can I make a couple of points?
1 - Normally you would make an entry in your DNS Server pointing your FQDN to the LAN IP of your web server so that the private IP was used when inside your LAN.
2 - There was a forum sticky post asking people to test the change. It did not get a single reply. In the Community you can expect occasional breakages and this one could have been prevented if people had tested and fed back the results.
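An added example, not part of the thread and not ClearOS code: a check that reads `iptables -t nat -S` output and reports port forwards into the LAN that have no LAN-source POSTROUTING SNAT rule of the kind restored above. The sample ruleset, the addresses and the function names are constructed for illustration, and DNAT targets are assumed to be a single IPv4 address.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -t nat -S` output (documentation addresses).
SAMPLE = """\
-P PREROUTING ACCEPT
-A PREROUTING -d 203.0.113.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -d 203.0.113.5/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.11:443
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -o eth0 -j MASQUERADE
"""

def parse(line):
    """Map each option in a rule line to its value ('' for bare flags)."""
    toks = shlex.split(line)
    return {t: toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("-") else ""
            for i, t in enumerate(toks) if t.startswith("-")}

def covers(s, lan, host, proto, port):
    """True if POSTROUTING rule `s` rewrites the source of LAN -> host:port traffic."""
    return (s.get("-A") == "POSTROUTING" and s.get("-j") in ("SNAT", "MASQUERADE")
            and "-s" in s and ipaddress.ip_network(s["-s"], strict=False).overlaps(lan)
            and "-d" in s and host in ipaddress.ip_network(s["-d"], strict=False)
            and s.get("-p") == proto and s.get("--dport") == port)

def hairpin_gaps(ruleset, lan_cidr):
    """List (server, proto, port) forwards into the LAN with no hairpin SNAT rule."""
    lan = ipaddress.ip_network(lan_cidr)
    rules = [parse(l) for l in ruleset.splitlines() if l.startswith("-A ")]
    gaps = []
    for r in rules:
        if r.get("-A") != "PREROUTING" or r.get("-j") != "DNAT":
            continue
        addr, _, port = r["--to-destination"].partition(":")
        host, port = ipaddress.ip_address(addr), port or r.get("--dport", "")
        if host in lan and not any(covers(s, lan, host, r.get("-p"), port) for s in rules):
            gaps.append((addr, r.get("-p"), port))
    return gaps

if __name__ == "__main__":
    for server, proto, port in hairpin_gaps(SAMPLE, "192.168.1.0/24"):
        print(f"no hairpin SNAT for {proto}/{port} -> {server}")
```

A forward listed as a gap still works from outside; from inside, the web server answers the LAN client directly from its private address, and the client discards the reply because it was talking to the WAN IP.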