Doug Sampson wrote:
>
> I'm trying again as I haven't heard back from any of you since last night.
> Please forgive me if this is annoying to you. I'd like to fix this
> port-forwarding issue I'm having right now. Thanks for your patience!
>
> ~Doug
Np Doug. Let's see now. I'm not a DF whiz, but we'll give it the old college try.

> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> I'm having trouble port forwarding on a DCD 102 router. Standard
> public/private network set-up with a web server behind the router. Since I'm
> on a Cox network, I cannot run a web server using port 80 as it's being
> blocked by Cox. So I've resorted to using port 8080 in the past which has
> worked out rather well. However, since switching to Dachstein, I've never
> been able to get web site requests redirected to the web server via port 8080.

Ok, but you never say what exact port the real web server is listening on, on
192.168.1.1. I see down below you infer that you forced the 192.168.1.1 httpd
to listen on port 8080. Please prove that with the output of netstat -an on
192.168.1.1. Moving on....

> Here's my configuration files:
>
> # ip addr
> 1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
> 2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
>     link/ipip
> 3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
>     link/ipip
> 4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
>     link/ipip
> 5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
>     link/ipip
> 6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
>     link/ether fe:fd:09:00:3f:ff brd ff:ff:ff:ff:ff:ff
> 7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:40:f4:2a:f3:d4 brd ff:ff:ff:ff:ff:ff
>     inet 68.7.207.39/22 brd 68.7.207.255 scope global eth0
> 8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:60:97:78:8c:16 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1

Don't know about the ipsec parts at all, but the rest looks a-ok.
> # ip route
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
> 68.7.204.0/22 dev eth0 proto kernel scope link src 68.7.207.39
> default via 68.7.204.1 dev eth0

That's good too.

> # netstat -i
> Kernel Interface table
> Iface   MTU Met  RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flg
> eth0   1500   0  65630      0      0      0   9840      0      0      0 BMRU
> eth1   1500   0  16628      3      0      0  18807      0      0      0 BMRU
> lo     3924   0      7      0      0      0      7      0      0      0 LRU
>

Looks good, except for the 3 Rx-errors on eth1. Are you running a 10BaseT
internal LAN? It's a non-issue, so neexxxxttt....

> # network.conf
> # ICMP types to open
> # Indexed list: "SrcAddr/Mask type [ DestAddr[/DestMask] ]"
> #EXTERN_ICMP_PORT0="0/0 : 1.1.1.12"
>
> ## UDP Services open to outside world
> # Space seperated list: srcip/mask_dstport
> # NOTE: bootpc port is used for dhcp client
> # EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"
> EXTERN_UDP_PORTS="0/0_domain"
>
> # -or-
> # Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
> #EXTERN_UDP_PORT0="0/0 domain"
> #EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12"
>
> # TCP services open to outside world
> # Space seperated list: srcip/mask_dstport
> EXTERN_TCP_PORTS="216.70.236.234/29_ssh 0/0_www 0/0_1023 0/0_8080"

Very nice, very nice.

[snip]

> ##############################################################################
> #
> # Port Forwarding
> ##############################################################################
> #
> # Remember to open appropriate holes in the firewall rules, above
>
> # Uncomment following for port-forwarded internal services.
> # The following is an example of what should be put here.
> # Tuples are as follows:
> # <protocol>_<local-ip>_<local-port>_<remote-ip>_<remote-port>
> #INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.
> INTERN_SERVERS="tcp_${EXTERN_IP}_8080_192.168.1.1_8080"

Looks good, too, though I'm not sure about the next to the last line. It seems
truncated.
> # These lines use the primary external IP address...if you need to port-forward
> # an aliased IP address, use the INTERN_SERVERS setting above
> #INTERN_FTP_SERVER=192.168.1.1    # Internal FTP server to make available
> INTERN_WWW_SERVER=192.168.1.1     # Internal WWW server to make available
> #INTERN_SMTP_SERVER=192.168.1.1   # Internal SMTP server to make available
> #INTERN_POP3_SERVER=192.168.1.1   # Internal POP3 server to make available
> #INTERN_IMAP_SERVER=192.168.1.1   # Internal IMAP server to make available
> #INTERN_SSH_SERVER=192.168.1.1    # Internal SSH server to make available
> #EXTERN_SSH_PORT=24               # External port to use for internal SSH access

Ok, I guess.

> # Advanced settings: parameters passed directly to portfw and autofw
> # Indexed list: "<ipmasqadm portfw options>"
> #INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
> #INTERN_SERVER1=""
> # Indexed list: "<ipmasqadm autofw options>"
> #INTERN_AUTOFW0="-A -r tcp 20000 20050 -h 192.168.1.1"
> #INTERN_AUTOFW0="-A -r tcp 8080 -h 192.168.1.1"

---------------------------------------------------------------------------

Next we have:

> # ipmasqadm portfw -l
> prot localaddr                    rediraddr                 lport    rport    pcnt pref
> TCP  ip68-7-207-39.sd.sd.cox.net  pegasus.cybersampson.com  webcache webcache 10   10
> TCP  ip68-7-207-39.sd.sd.cox.net  pegasus.cybersampson.com  imap2    imap2    10   10
> TCP  ip68-7-207-39.sd.sd.cox.net  pegasus.cybersampson.com  www      www      10   10

Yes, the webcache is listed as 8080, so you could have used that name
throughout the network.conf. Looks good.

> # /etc/hosts.allow: list of hosts that are allowed to access the system. See
> # /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.

Those don't come into play. Those are used only to control services started by
inetd that run on the LEAF.

> Note that I can easily access the web server from the internal network. When
> I scan all ports on my router's external interface, it doesn't show port 8080
> as being open.
> Why is that? Is it because it is above port 1024?

That's the next question. What are the ipchains rules that got set up for the
webcache port? ipchains -L -v -n will tell us. Please paste it in, but don't
leave it so wide that it word wraps. Narrow it as necessary and trim out the
lines that don't refer to tcp.

> I am not quite familiar with how ports are used on a
> private/public network so I'm quite sure I'm missing
> something here. Does this have to do with the
> hosts.allow configuration?

Ports are like telephone numbers. You call a number when you want to talk to
somebody. Your outside network vs your inside network is like two different
area codes. You've only given out one area code to the world. When people
phone you at your public area code, you are redirecting that phone call to a
different area code (your internal LAN). It's not clear if you are redirecting
that call to the same phone number (port 8080) or a different phone number
(the usual port 80). That's why I asked.

> I also see that port forwarding is not enabled for port 8080 to port 8080 on
> my internal web server. What can I do to fix this?

Sure it was. It was called webcache. Port to name mappings are listed in
/etc/services.

> As a side note, I noticed that the default network.conf exposes udp port 53
> (domain) to the public network. Also for tcp port 1023. Are these necessary?

It did? Really? Not critical, but notable.

Matthew

_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user
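As an added example (not code from the thread, nor from the LEAF/Dachstein project), a small Python checker for the two network.conf conventions Matthew walks through: it expands ${EXTERN_IP}, splits the INTERN_SERVERS tuples, resolves names such as webcache through /etc/services (with a constructed fallback table when the name is absent), and reports any forward for which EXTERN_TCP_PORTS opens no matching hole, the cross-check the config's own "Remember to open appropriate holes" comment asks for. The sample values are the ones Doug posted.

```python
import socket

# Constructed fallback for the /etc/services names seen in the thread; the
# live /etc/services is consulted first via socket.getservbyname.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "www": 80,
                 "pop3": 110, "imap2": 143, "webcache": 8080}

def port_number(name, proto="tcp"):
    """Resolve a numeric string or an /etc/services name (e.g. webcache) to a port."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name, proto)
    except OSError:
        return SERVICE_PORTS[name]

def parse_intern_servers(value, env):
    """Parse INTERN_SERVERS tuples <proto>_<local-ip>_<lport>_<remote-ip>_<rport>.
    ${VAR} references are expanded first, because the name EXTERN_IP itself
    contains the '_' that separates tuple fields."""
    for var, val in env.items():
        value = value.replace("${%s}" % var, val)
    result = []
    for tup in value.split():
        proto, lip, lport, rip, rport = tup.split("_")
        result.append((proto, lip, port_number(lport, proto), rip, port_number(rport, proto)))
    return result

def parse_extern_ports(value, proto="tcp"):
    """Parse EXTERN_TCP_PORTS / EXTERN_UDP_PORTS entries of the form srcip/mask_dstport."""
    result = []
    for entry in value.split():
        src, port = entry.rsplit("_", 1)
        result.append((src, port_number(port, proto)))
    return result

def forwards_without_hole(intern, extern_by_proto):
    """Return (proto, external port) pairs that are forwarded but have no
    matching EXTERN_*_PORTS entry, i.e. the firewall hole was never opened."""
    missing = []
    for proto, _lip, lport, _rip, _rport in intern:
        opened = {p for _src, p in extern_by_proto.get(proto, [])}
        if lport not in opened:
            missing.append((proto, lport))
    return missing

# Values below are copied from Doug's network.conf and ip addr output.
ENV = {"EXTERN_IP": "68.7.207.39"}
EXTERN = {"tcp": parse_extern_ports("216.70.236.234/29_ssh 0/0_www 0/0_1023 0/0_8080"),
          "udp": parse_extern_ports("0/0_domain", "udp")}
INTERN = parse_intern_servers("tcp_${EXTERN_IP}_8080_192.168.1.1_8080", ENV)

if __name__ == "__main__":
    print("forwarded:", INTERN)
    print("forwards lacking a firewall hole:", forwards_without_hole(INTERN, EXTERN))
```

Run against Doug's values it reports no missing hole, which is why the reply moves on to the ipchains rules and to what the httpd on 192.168.1.1 actually listens on.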