I'm having trouble port forwarding on a DCD 102 router.  Standard
public/private network set-up with a web server behind the router.  Since I'm
on a Cox network, I cannot run a web server using port 80 as it's being
blocked by Cox.  So I've resorted to using port 8080 in the past which has
worked out rather well.  However, since switching to Dachstein, I've never
been able to get web site requests redirected to the web server via port 8080.

Here are my configuration files:

# ip addr
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:fd:09:00:3f:ff brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:f4:2a:f3:d4 brd ff:ff:ff:ff:ff:ff
    inet 68.7.207.39/22 brd 68.7.207.255 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:97:78:8c:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1

# ip route
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
68.7.204.0/22 dev eth0  proto kernel  scope link  src 68.7.207.39
default via 68.7.204.1 dev eth0

# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0   65630      0      0      0    9840      0      0      0 BMRU
eth1   1500   0   16628      3      0      0   18807      0      0      0 BMRU
lo     3924   0       7      0      0      0       7      0      0      0 LRU


# network.conf
# ICMP types to open
# Indexed list: "SrcAddr/Mask type [ DestAddr[/DestMask] ]"
#EXTERN_ICMP_PORT0="0/0 : 1.1.1.12"

## UDP Services open to outside world
# Space separated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
# EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"
EXTERN_UDP_PORTS="0/0_domain"

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_UDP_PORT0="0/0 domain"
#EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12"

# TCP services open to outside world
# Space separated list: srcip/mask_dstport
EXTERN_TCP_PORTS="216.70.236.234/29_ssh 0/0_www 0/0_1023 0/0_8080"

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
#EXTERN_TCP_PORT1="0/0 www"
#EXTERN_TCP_PORT0="216.70.236.234/29 ssh"
#EXTERN_TCP_PORT1="0/0 www"
#EXTERN_TCP_PORT2="0/0 1023"
#EXTERN_TCP_PORT3="0/0 8080"

# Generic Services open to outside world
# Space separated list: protocol_srcip/mask_dstport
#EXTERN_PORTS="50_5.6.7.8 51_5.6.7.8"

# -or-
# Indexed list: "Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]"
#EXTERN_PROTO0="50 5.6.7.8/32"
#EXTERN_PROTO1="51 5.6.7.8/32"
#EXTERN_PROTO0="8080 0/0 192.168.1.1/32"

##############################################################################
#
# Internal Interface
##############################################################################
#
# Comment 3 settings below for no internal network (DMZ only configuration)
INTERN_IF="eth1"                # Internal Interface
INTERN_NET=192.168.1.0/24       # One (or more) Internal network(s)
INTERN_IP=192.168.1.254         # IP number of Internal Interface
                                # (to allow forwarding to external IP)
MASQ_SWITCH=YES                 # Masquerade internal network to outside
                                # world - YES/NO

# These services are not masqueraded from int to ext/DMZ, preventing access
# Space separated list: proto_destIP/mask_port
#NOMASQ_DEST="tcp_0/0_ssh"

# Override for above...only the listed dest IP's can be accessed
# Space separated list: proto_destIP/mask_port
#NOMASQ_DEST_BYPASS="tcp_10.0.0.1_ssh"

##############################################################################
#
# Port Forwarding
##############################################################################
#
# Remember to open appropriate holes in the firewall rules, above

# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
#       <protocol>_<local-ip>_<local-port>_<remote-ip>_<remote-port>
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.
INTERN_SERVERS="tcp_${EXTERN_IP}_8080_192.168.1.1_8080"

# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1   # Internal FTP server to make available
INTERN_WWW_SERVER=192.168.1.1   # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1  # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1   # Internal SSH server to make available
#EXTERN_SSH_PORT=24              # External port to use for internal SSH access

# Advanced settings: parameters passed directly to portfw and autofw
# Indexed list: "<ipmasqadm portfw options>"
#INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
#INTERN_SERVER1=""
# Indexed list: "<ipmasqadm autofw options>"
#INTERN_AUTOFW0="-A -r tcp 20000 20050 -h 192.168.1.1"
#INTERN_AUTOFW0="-A -r tcp 8080 -h 192.168.1.1"


# ipmasqadm portfw -l
prot localaddr                   rediraddr                   lport    rport  pcnt  pref
TCP  ip68-7-207-39.sd.sd.cox.net pegasus.cybersampson.com webcache webcache    10    10
TCP  ip68-7-207-39.sd.sd.cox.net pegasus.cybersampson.com    imap2    imap2    10    10
TCP  ip68-7-207-39.sd.sd.cox.net pegasus.cybersampson.com      www      www    10    10


# /etc/hosts.allow: list of hosts that are allowed to access the system.  See
#                   hosts_access(5) and /usr/doc/net/portmapper.txt
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# Allow anything from the local net
ALL: 192.168.1.0/255.255.255.0
# Allow anything from the DSP network
ALL: 216.70.236.234/255.255.255.248



# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See hosts_access(5) and /usr/doc/net/portmapper.txt
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
ALL: PARANOID
# Prevent all access not explicitly allowed in hosts.allow
ALL: ALL


Note that I can easily access the web server from the internal network.  When
I scan all ports on my router's external interface, it doesn't show port 8080
as being open.  Why is that?  Is it because it is above port 1024?  I am not
quite familiar with how ports are used on a private/public network so I'm
quite sure I'm missing something here.  Does this have to do with the
hosts.allow configuration?

I also see that port forwarding is not enabled for port 8080 to port 8080 on
my internal web server.  What can I do to fix this?

As a side note, I noticed that the default network.conf exposes udp port 53
(domain) to the public network.  Also for tcp port 1023.  Are these necessary?

~Doug



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
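Added example, not part of Doug's post and not LEAF/Dachstein code: the Port Forwarding section of network.conf reminds you to open a firewall hole for every forwarded service, and `ipmasqadm portfw -l` prints service names from /etc/services (webcache, imap2, www) rather than numbers, so the quickest sanity check on a box like this is to parse both and cross-reference them. The script below does that for the space-separated EXTERN_TCP_PORTS/EXTERN_UDP_PORTS lists, INTERN_SERVERS and the INTERN_*_SERVER shortcuts; it ignores the indexed EXTERN_*_PORT0 form. The service-name table, the SHORTCUT_SERVICES mapping (my assumption about what the shortcuts forward) and both sample inputs are constructed for the example; the sample lines are copied from the post with the e-mail line wrapping removed.

```python
"""Cross-check Dachstein firewall holes against port forwards (added example)."""
import socket

# Constructed subset of /etc/services so the example runs offline; names not
# listed here fall back to the host's own services database.
SERVICE_PORTS = {
    "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "www": 80, "http": 80,
    "pop3": 110, "imap2": 143, "imap": 143, "http-alt": 8080, "webcache": 8080,
}
# Assumed meaning of the INTERN_<NAME>_SERVER shortcuts: forward that service's
# standard port (SSH's external port may be overridden by EXTERN_SSH_PORT).
SHORTCUT_SERVICES = {"FTP": "ftp", "WWW": "www", "SMTP": "smtp",
                     "POP3": "pop3", "IMAP": "imap2", "SSH": "ssh"}

# Constructed sample: the relevant lines of the network.conf in the post.
SAMPLE_CONF = """
EXTERN_UDP_PORTS="0/0_domain"
EXTERN_TCP_PORTS="216.70.236.234/29_ssh 0/0_www 0/0_1023 0/0_8080"
INTERN_SERVERS="tcp_${EXTERN_IP}_8080_192.168.1.1_8080"
#INTERN_FTP_SERVER=192.168.1.1   # Internal FTP server to make available
INTERN_WWW_SERVER=192.168.1.1   # Internal WWW server to make available
#INTERN_IMAP_SERVER=192.168.1.1  # Internal IMAP server to make available
"""
# Constructed sample: the `ipmasqadm portfw -l` listing in the post, unwrapped.
SAMPLE_PORTFW = """
prot localaddr            rediraddr               lport    rport  pcnt  pref
TCP  ip68-7-207-39.sd.sd.cox.net pegasus.cybersampson.com webcache webcache 10 10
TCP  ip68-7-207-39.sd.sd.cox.net pegasus.cybersampson.com    imap2    imap2 10 10
TCP  ip68-7-207-39.sd.sd.cox.net pegasus.cybersampson.com      www      www 10 10
"""


def port_number(name_or_num, proto="tcp"):
    """Resolve '8080', 'www' or 'webcache' to an integer port number."""
    if name_or_num.isdigit():
        return int(name_or_num)
    if name_or_num in SERVICE_PORTS:
        return SERVICE_PORTS[name_or_num]
    return socket.getservbyname(name_or_num, proto)


def parse_network_conf(text, extern_ip):
    """Return (holes, forwards) declared in network.conf.

    holes:    {(proto, port): {source prefixes}}      from EXTERN_*_PORTS
    forwards: {(proto, ext_port): (internal_ip, int_port)}
    """
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip('"').replace("${EXTERN_IP}", extern_ip)
        values[key.strip()] = value

    holes = {}
    for proto in ("tcp", "udp"):
        for tok in values.get("EXTERN_%s_PORTS" % proto.upper(), "").split():
            src, _, port = tok.rpartition("_")        # srcip/mask_dstport
            holes.setdefault((proto, port_number(port, proto)), set()).add(src)

    forwards = {}
    for tok in values.get("INTERN_SERVERS", "").split():
        proto, _lip, lport, rip, rport = tok.split("_")   # proto_lip_lport_rip_rport
        forwards[(proto, port_number(lport, proto))] = (rip, port_number(rport, proto))
    for name, service in SHORTCUT_SERVICES.items():
        rip = values.get("INTERN_%s_SERVER" % name)
        if rip:
            ext = values.get("EXTERN_SSH_PORT", service) if name == "SSH" else service
            forwards[("tcp", port_number(ext))] = (rip, port_number(service))
    return holes, forwards


def parse_portfw(text):
    """Parse `ipmasqadm portfw -l` output into {(proto, lport): (rediraddr, rport)}."""
    live = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] in ("TCP", "UDP"):   # skips the header line
            proto = f[0].lower()
            live[(proto, port_number(f[3], proto))] = (f[2], port_number(f[4], proto))
    return live


def audit(conf_text, portfw_text, extern_ip):
    """Cross-reference declared holes, declared forwards and live forwards."""
    holes, forwards = parse_network_conf(conf_text, extern_ip)
    live = parse_portfw(portfw_text)
    wanted = set(forwards) | set(live)
    return {
        "ok": {k for k in forwards if k in holes and k in live},
        "forward_without_hole": {k for k in wanted if k not in holes},
        "conf_forward_not_live": set(forwards) - set(live),
        "live_forward_not_in_conf": set(live) - set(forwards),
        "hole_without_forward": {k for k in holes if k not in wanted},
        "hole_sources": holes,
    }


if __name__ == "__main__":
    for category, keys in audit(SAMPLE_CONF, SAMPLE_PORTFW, "68.7.207.39").items():
        if category != "hole_sources":
            print("%-26s %s" % (category, sorted(keys)))
```

Feed it the real network.conf and listing and read the categories: `forward_without_hole` is the one the config comment warns about; `hole_without_forward` usually lists services the router itself answers (sshd on 22 from the /29 here, plus whatever is meant to be on 1023 and UDP 53), and each of those is worth confirming deliberately rather than leaving open by default. The parser only needs the first five columns of each portfw line, so it also copes with the listing as wrapped by the mailer.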
