Ubuntu server access from outside network

Dave!

Hey guys,

I've got an old laptop that I decided to use as a web server, so today I installed Ubuntu Server 14.04, and I've just managed to get it connected to my home wifi network. I have a LAMP stack installed, and when I visit the IP address that I found when I run ifconfig, the files are served. All good so far!

I can visit that IP address from devices that are connected to the same network, but the problem is that when I try to visit it from external devices it just times out. Nothing appears in the logs.

I also got a public IP address by doing 'curl ifconfig.me' from the server. Visiting that from outside the network times out, and from inside the network takes me to the router configuration interface!

I'm sure that I'm missing some important step which forwards traffic from my IP address to my server, but I don't know what I need to do. Port forwarding is it?

Can anyone help here? I've got a UPC Horizon box, if that makes a difference.

I'm sure that I'll have other things to sort out next because of the dynamic IP address, etc, but for now I just want to see traffic hitting the server.

Thanks

deconduo

Yup, you'll need to set up port forwarding on your router on port 80 (assuming everything is set up as standard) to the internal IP of the laptop. Keep in mind that some ISPs don't allow you to set up external facing websites, so you might want to check with UPC's T&Cs before doing so.

AnCatDubh

you'll need port forwarding of some description enabled on your router. Enabling that will allow external traffic from the internet to flow onto your LAN/WLAN. Generally you'll be telling the router - for external traffic on port x, send to local LAN ip address aaa.bbb.ccc.ddd - Consult the help screens/manual of your router.

btw - great fun, but not without its perils. I recall following someone's howto only to get to the bottom 'update' to the howto to find the setup being shown was not without its flaws and the poor divil had been hacked unknown to him for a number of months. Yeah, this stuff has its perils (but, yes... great fun).

Dave!

Thanks guys! Would there be any implications for the wifi in the house if I set up port forwarding? Everyone else in the house will still be able to connect as normal?

Also what hacking do you mean AnCatDubh? Presumably it would just be the server that could be compromised, or could it damage the router or any other devices connected to it?

I'm new to this side of things, so treading carefully!

L.Jenkins

Just took a capture of the port forwarding area on the local UPC router. Doesn't look all that difficult. If you have a smartphone, you could use it as a hotspot to test the connection.

AnCatDubh

Dave! wrote: »

Thanks guys! Would there be any implications for the wifi in the house if I set up port forwarding? Everyone else in the house will still be able to connect as normal?

Port forwarding itself should not have any impact on Wifi users within your house.

Also what hacking do you mean AnCatDubh? Presumably it would just be the server that could be compromised, or could it damage the router or any other devices connected to it?

I'm new to this side of things, so treading carefully!

Ok, there are lots of risks (so this is not intended to be a definitive answer) but one reasonable possibility - If your server gets compromised (which is exactly the case I was recalling previously) and if the server is a full member of the LAN ie. traffic can flow to and from it to the local networked machines - then the server itself, your server, may become the tool of a subsequent attack on the internal network and everything attached to it. Lets say someone gets command of your server. They can then start sniffing out whatever else is on your LAN (particularly, that may be vulnerable) and when they find some device (another laptop, desktop, gaming console, etc..) they can attempt to compromise and exploit those. They may or may not be successful depending on how good your security is on all your devices.

If you were to do a textbook risk analysis on doing the port forwarding thing, you would measure the risk of compromise happening against the impact of someone else having control of your computing infrastructure (your personal data, your files, your photos, your browsing history, the ability to monitor what you do in real time, the potential of picking up your banking passwords/codes/identity measures, etc..). Then you would put as many measures in place to reduce or better still eliminate the risk at all as you can. Such measures will be IT Security which is next on your list to learn all about.

Dave!

Oh my! You're right, I'll get into that next :pac:

So I set up the port forwarding, and all is good – can access it from outside!

One more thing though, which you may be able to help with – I registered with noip.com, which is a free service which gives me a fully qualified domain name and uses a bit of software running on the server to track the dynamic IP of the server and updates the FQDN to point at it.

But I can't figure out what I do next... I presume I can point my domain at the FQDN now, but an A record requires an IP address, so do I use a CNAME maybe...?

syklops

Dave! wrote: »

Oh my! You're right, I'll get into that next :pac:

So I set up the port forwarding, and all is good – can access it from outside!

One more thing though, which you may be able to help with – I registered with noip.com, which is a free service which gives me a fully qualified domain name and uses a bit of software running on the server to track the dynamic IP of the server and updates the FQDN to point at it.

But I can't figure out what I do next... I presume I can point my domain at the FQDN now, but an A record requires an IP address, so do I use a CNAME maybe...?

You need to upgrade your noip account

FSL

Personally I would set up an openvpn server on the machine you have the web server on and openvpn clients on the machines you want to use to connect to the web server. You can then port forward the port you are using for openvpn and block all others. That way any would be hacker would have to have one of the openvpn certificates you generate in order to connect to your server.

AnCatDubh

Dave! wrote: »

so do I use a CNAME maybe...?

I'm assuming you have a domain purchased with a domain provider with full control panel access?

So assume your domain is dave.com - You could create a CNAME www - for example pointing to yourdomain.ddns.net (or whatever your noip domain is).

In theory then [noparse]www.dave.com[/noparse] should resolve to your external ip address (stored and updated at noip's ddns service). Thereafter your port forwarding should take over.

I say in theory. I don't and haven't used noip.com so I'm unsure if it has any restrictions on you doing so. Works elsewhere though.

Dave!

Thanks – yeah that works! What can I do about the non-www domain though? I can't point an A record at a domain sadly.

gouche

You'll need to use a CNAME record to point a domain to another domain.
A records only allow mapping to a public IP address.

PrzemoF

OP, check http://freedns.afraid.org/ if you have problems with no-ip

Dave!

Thanks guys. The only problem I'm having now is that I don't know how to get my non-www domain pointing at my server (using the NOIP domain). I can point the www CNAME at it.

Knasher

I'd suggest using hurricane electrics free dns service. You can transfer your domain over to them, by changing the name server on the admin console of the place you bought the domain from. Hurricane electric have scripts to update your dynamic ip. Then you can set up dynamically updated A-names.

That's assuming that the place you bought your domain from doesn't offer the ability to update your IP via a script, the place I bought mine from did, but I preferred to use HE because I was already using them for an IPv6 tunnel. I wouldn't be surprised if it wasn't a fairly standard practice, of if it wasn't too hard to write a script to do it if you were up to it.

I prefer it over some of the other DNS servers because it doesn't require you to open your domain up to be shared with other people.