View full version : Webserver not accessible from wan



Fama
11-07-2005, 17:11
Hi!
I am using FW 1.9.2.7-6b and installed the ipkg package, the webserver and vsftpd.
I configured the post-firewall and post-boot files according to the tutorial.
I also added to "virtual Server" the following: Port range:80 local IP: 192.168.1.1 Local Port:81 Protocol:TCP

As a result, the webserver is NOT accessible from WAN. Inside the LAN everything works fine, even typing in the address used by dyndns.org (fama.homedns.org). A portscan with http://www.seifried.org/freescan/freescan.php shows ports 80 and 81 as not open.

I even used the following post-firewall settings (I found them looking through previous posts) without any change:
#!/bin/sh
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 21 -j DNAT --to-destination 192.168.1.1:21
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:81

iptables -A INPUT -j DROP

macsat
11-07-2005, 18:00
Look at the below....



I even used the following post-firewall settings (I found them looking through previous posts) without any change:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 21 -j DNAT --to-destination 192.168.1.1:21
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:81


For the ftp server, you are telling it to listen to the ppp0 interface, and for the web you are telling eth0.

This is definitely not correct, you have only 1 WAN device :-)

Change both ppp0 and eth0 to : $1

Fama
11-07-2005, 18:49
I changed the post-firewall to:

#!/bin/sh
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 21 -j DNAT --to-destination 192.168.1.1:21
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:81

iptables -A INPUT -j DROP

but the webpage still is not accessible from WAN. Is there anything else I might have forgotten to set up?
How can I make sure the post-firewall is started, or how can I start it manually?

wtzm
11-07-2005, 19:39
Could you post the output of
iptables -nL FORWARD?
EDIT: And I have another question (maybe I just didn't understand your original question) - Do you want to have access (from WAN) to a http and ftp server that is running on your wl500g or on another device inside your LAN?

Fama
11-07-2005, 19:45
This is what it says, I hope it helps:
-----------------------------------
[admin@(none) root]$ iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
logaccept all -- 0.0.0.0/0 0.0.0.0/0
logdrop all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 tcpmss match 1453:65535TCPMSS set 1452
logaccept all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
logaccept tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
logaccept tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
logaccept icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 8
logaccept tcp -- 0.0.0.0/0 192.168.1.4 tcp dpts:4661:4662
logaccept udp -- 0.0.0.0/0 192.168.1.4 udp dpt:4672
logaccept tcp -- 0.0.0.0/0 192.168.1.4 tcp dpt:5190
logaccept tcp -- 0.0.0.0/0 192.168.1.1 tcp dpt:81

wtzm
11-07-2005, 20:21
logaccept tcp -- 0.0.0.0/0 192.168.1.4 tcp dpts:4661:4662
logaccept udp -- 0.0.0.0/0 192.168.1.4 udp dpt:4672
logaccept tcp -- 0.0.0.0/0 192.168.1.4 tcp dpt:5190
logaccept tcp -- 0.0.0.0/0 192.168.1.1 tcp dpt:81
And the http server that you want to access from the WAN is running on 192.168.1.4 or on 192.168.1.1 (your wl500g, I suppose)?

Fama
11-07-2005, 20:22
Could you post the output of
iptables -nL FORWARD?
EDIT: And I have another question (maybe I just didn't understand your original question) - Do you want to have access (from WAN) to a http and ftp server that is running on your wl500g or on another device inside your LAN?

I am trying to get WAN access to the web and ftp server running inside the WL500g.

wtzm
11-07-2005, 20:44
I am trying to get WAN access to the web and ftp server running inside the WL500g.
Ok, got it.
I forgot something (the 'v' character ;)) please post the output of:
iptables -vnL FORWARD

Fama
11-07-2005, 21:01
Here you go:
------------
[admin@(none) root]$ iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 346 packets, 17081 bytes)
pkts bytes target prot opt in out source destination
0 0 logaccept all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
263 12480 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 tcpmss match 1453:65535TCPMSS set 1452
127K 112M logaccept all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
67 3984 logaccept tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
0 0 logaccept tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
0 0 logaccept icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 8
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.1.4 tcp dpts:4661:4662
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.1.4 udp dpt:4672
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.1.4 tcp dpt:5190
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:81
[admin@(none) root]$

macsat
11-07-2005, 21:24
For seeing the route, not only which are open, plz try :


iptables -t nat --list -n

Fama
11-07-2005, 21:38
[admin@(none) root]$ iptables -t nat --list -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 83.135.234.103 tcp dpts:4661:4662 to:192.168.1.4
DNAT udp -- 0.0.0.0/0 83.135.234.103 udp dpt:4672 to:192.168.1.4
DNAT tcp -- 0.0.0.0/0 83.135.234.103 tcp dpt:5190 to:192.168.1.4
DNAT tcp -- 0.0.0.0/0 83.135.234.103 tcp dpt:80 to:192.168.1.1:81
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:192.168.1.1:21
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.1:81

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- !83.135.234.103 0.0.0.0/0
MASQUERADE all -- 192.168.1.0/24 192.168.1.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[admin@(none) root]$

Fama
12-07-2005, 15:40
So, does anyone have an idea what my problem might be, because I don't really know if the port forwarding thing is ok.
BTW the ftp server is also not accessible from WAN.

Fama
13-07-2005, 09:58
This is what the logfile says when trying to access the web and ftp server from WAN:

sup
13-07-2005, 11:26
Have you read this - regarding the ftp problem? http://www.wl500g.info/showthread.php?t=2705&highlight=ftp

Fama
14-07-2005, 07:23
Thanks for the advice, after adding the line:
only_from = 0.0.0.0/0 to /opt/etc/xinetd.d/vsftp
I could at least log in to vsftpd, but the directory listing took VERY long. After that the ftp client crashed (I am using Total Commander).
Here is the log:
----------
Connect to: (14.07.2005 08:09:49)
hostname=fama.homedns.org
username=admin
startdir=
fama.homedns.org=83.135.197.235
220 Welcome to the NSLU2 vsftp daemon.
USER admin
331 Please specify the password.
PASS ***********
230 Login successful.
SYST
215 UNIX Type: L8
FEAT
500 'FEAT ': command not understood by Sidewinder proxy.
Connect ok!
PWD
257 "/tmp/local/root"
Verzeichnis einlesen
TYPE A
200 Switching to ASCII mode.
PASV
227 Entering passive mode (83,135,197,235,235,75)
LIST
425 Failed to establish connection.
PWD
257 "/tmp/local/root"
CWD /
250 Directory successfully changed.
PWD
257 "/"

Fama
14-07-2005, 11:41
OK, the vsftpd now is accessible from WAN, I only had to change the ftp client settings (passive mode disabled).

But the webserver still doesn't work.
I also enabled web access from WAN over 8080 and here the config page shows up.
Any ideas???

rdude
17-07-2005, 23:25
Try this in post-firewall:


#!/bin/sh
iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:81
I think the line with port 21 dnat is not needed if the ftp listens on WAN as well.

sup
18-07-2005, 00:12
His ftp server is already working, so the line
iptables -I INPUT 2 -p tcp --dport 21 -j ACCEPT is not needed. Also, both the port from which it is redirected (ergo 80) and the port it is redirected to (ergo port 81) must be open. In post-firewall, $4 is the IP of your Asus device (on the LAN), so place it there instead of 192.168.1.1 (one never knows what can change ;-)). So, the result is here:
#!/bin/sh
iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 81 -j ACCEPT
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination $4:81

rdude
18-07-2005, 17:57
his ftp server is already working, so the line
iptables -I INPUT 2 -p tcp --dport 21 -j ACCEPT is not needed
I don't think he will get access to his ftp from wan if the firewall was not open on 21 or you put the dnat port21 back!?

also, both the port from which it is redirected (ergo 80) and the port it is redirected to (ergo port 81) must be open and in post firewall
Port 81 is only a redirection to the LAN, which AFAIK has no firewall. From the WAN you only access port 80, so you don't have to open port 81 on the WAN, do you?

sup
18-07-2005, 19:52
Sure 21 must be opened, but Fama has it opened since his ftp is running now - see the post #15.

And yeah, I would also suppose 81 does not have to be opened, but I spent some time getting my webserver working and it does not work with 81 closed. I do not exactly know why, but it is how it goes :rolleyes: .

(and for example - this guide also says to open these ports: http://www.macsat.com/php_web.php?PHPSESSID=2bb1d164862c03629f2401b75d21 a929)

Fama
24-07-2005, 14:36
@sup: can you post or email me your post-boot and post-firewall settings, because it still doesn't work. Somehow the ports 80 and 81 are not accessible from WAN. This is my post-firewall:
#!/bin/sh
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination $4:81

iptables -A INPUT -j DROP

And I redirected port 80 to port 81 in virtual server settings.

Any other ideas???

Fama
04-08-2005, 12:15
After trying:

#!/bin/sh
iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 81 -j ACCEPT
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination $4:81
as rdude suggested, the webserver is working now. :) :)
Thanks a lot!
-----------------------------------------------------------
What is the difference between the code above and the lines:


#!/bin/sh
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination $4:81

iptables -A INPUT -j DROP

as written in the tutorial from Macsat.com?
What are the lines:


iptables -D INPUT -j DROP
and
iptables -A INPUT -j DROP

at the beginning and the end for, as I don't seem to need them?

rdude
05-08-2005, 00:24
After trying:
as rdude suggested, the webserver is working now. :) :)
Credit has to go to Barsju, he suggested that one to me... :)

What are the lines:
iptables -D INPUT -j DROP
and
iptables -A INPUT -j DROP
at the beginning and the end for, as I don't seem to need them?
I'm still not a firewall guru, but I think those lines are not needed, because of the iptables -I INPUT 2 command, which inserts a rule near the top of the chain before the DROP ALL rule, which is at the end of the chain, so you don't need to disable/re-enable it.
Try digging here for more info: http://www.linuxguruz.com/iptables/howto/iptables-HOWTO-6.html#ss6.2
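The rule-ordering point rdude makes is the crux of the whole thread, so here is an added example (not from any poster, and not real iptables) that models first-match evaluation on an INPUT chain in Python. The base chain is constructed with one pre-existing rule and a trailing drop-all; in this model both the tutorial's delete/re-append and the `-I INPUT 2` approach end up with the ACCEPTs ahead of the DROP, so why the former failed on Fama's box is something the thread itself does not explain.

```python
# Minimal model of first-match evaluation on an iptables INPUT chain: where
# the ACCEPT rules sit relative to the trailing "drop everything" rule decides
# whether ports 80 and 81 are reachable. The base chain is constructed.

def iptables(chain, action, rule=None, pos=None):
    """Apply one iptables-style command to chain, a list of (dport, target)."""
    if action == "A":        # -A: append at the end of the chain
        chain.append(rule)
    elif action == "I":      # -I <pos>: insert before the rule at 1-based <pos>
        chain.insert(pos - 1, rule)
    elif action == "D":      # -D: delete the first rule identical to <rule>
        chain.remove(rule)

def verdict(chain, dport, policy="ACCEPT"):
    """First matching rule wins; dport None matches any packet."""
    for match, target in chain:
        if match is None or match == dport:
            return target
    return policy           # chain policy applies when nothing matched

ACCEPT_80 = (80, "ACCEPT")
ACCEPT_81 = (81, "ACCEPT")
DROP_ALL = (None, "DROP")

def base_chain():
    # Constructed stand-in: one pre-existing rule, then the catch-all DROP.
    return [(22, "ACCEPT"), DROP_ALL]

def naive_append():
    # Plain -A lands the ACCEPTs *after* DROP, so they are never reached.
    c = base_chain()
    iptables(c, "A", ACCEPT_81)
    iptables(c, "A", ACCEPT_80)
    return c

def delete_then_reappend():
    # Tutorial style: delete the DROP, append the ACCEPTs, re-add DROP last.
    c = base_chain()
    iptables(c, "D", DROP_ALL)
    iptables(c, "A", ACCEPT_81)
    iptables(c, "A", ACCEPT_80)
    iptables(c, "A", DROP_ALL)
    return c

def insert_at_two():
    # rdude's fix: -I INPUT 2 puts each ACCEPT ahead of the trailing DROP.
    c = base_chain()
    iptables(c, "I", ACCEPT_80, pos=2)
    iptables(c, "I", ACCEPT_81, pos=2)
    return c
```

On a real box, compare the rule numbers with `iptables -nL INPUT --line-numbers` to confirm the ACCEPTs sit above the final DROP.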