
View full version : How to run two webservers



sesamebike
25-08-2004, 13:12
Hi,

I've seen several questions regarding how to setup a second webserver on the wl500g so I thought I'd share my experiences on this matter.

First you need to start the webserver. Add the following line to /usr/local/init/post-boot:


busybox_httpd -c /mnt/usbfs/etc/httpd.conf -p 8080 -r "My dungeon" -h /mnt/usbfs/web

Here's the documentation for the busybox webserver


/*
* httpd implementation for busybox
*
* Copyright (C) 2002,2003 Glenn Engel <glenne@engel.org>
* Copyright (C) 2003 Vladimir Oleynik <dzo@simtreas.ru>
*
* simplify patch stolen from libbb without using strdup
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
*****************************************************************************
*
* Typical usage:
* for non root user
* httpd -p 8080 -h $HOME/public_html
* or for daemon start from rc script with uid=0:
* httpd -u www
* This is equivalent if www user have uid=80 to
* httpd -p 80 -u 80 -h /www -c /etc/httpd.conf -r "Web Server Authentication"
*
*
* When a url contains "cgi-bin" it is assumed to be a cgi script. The
* server changes directory to the location of the script and executes it
* after setting QUERY_STRING and other environment variables.
*
* The server can also be invoked as a url arg decoder and html text encoder
* as follows:
* foo=`httpd -d $foo` # decode "Hello%20World" as "Hello World"
* bar=`httpd -e "<Hello World>"` # encode as "&#60Hello&#32World&#62"
* Note that url encoding for arguments is not the same as html encoding for
* presentation. -d decodes a url-encoded argument while -e encodes in html
* for page display.
*
* httpd.conf has the following format:
*
* A:172.20. # Allow address from 172.20.0.0/16
* A:10.0.0.0/25 # Allow any address from 10.0.0.0-10.0.0.127
* A:10.0.0.0/255.255.255.128 # Allow any address that previous set
* A:127.0.0.1 # Allow local loopback connections
* D:* # Deny from other IP connections
* /cgi-bin:foo:bar # Require user foo, pwd bar on urls starting with /cgi-bin/
* /adm:admin:setup # Require user admin, pwd setup on urls starting with /adm/
* /adm:toor:PaSsWd # or user toor, pwd PaSsWd on urls starting with /adm/
* .au:audio/basic # additional mime type for audio.au files
*
* A/D may be as a/d or allow/deny - first char case insensitive
* Deny IP rules take precedence over allow rules.
*
*
* The Deny/Allow IP logic:
*
* - Default is to allow all. No addresses are denied unless
* denied with a D: rule.
* - Order of Deny/Allow rules is significant
* - Deny rules take precedence over allow rules.
* - If a deny all rule (D:*) is used it acts as a catch-all for unmatched
* addresses.
* - Specification of Allow all (A:*) is a no-op
*
* Example:
* 1. Allow only specified addresses
* A:172.20 # Allow any address that begins with 172.20.
* A:10.10. # Allow any address that begins with 10.10.
* A:127.0.0.1 # Allow local loopback connections
* D:* # Deny from other IP connections
*
* 2. Only deny specified addresses
* D:1.2.3. # deny from 1.2.3.0 - 1.2.3.255
* D:2.3.4. # deny from 2.3.4.0 - 2.3.4.255
* A:* # (optional line added for clarity)
*
* If a sub directory contains a config file it is parsed and merged with
* any existing settings as if it was appended to the original configuration.
*
* subdir paths are relative to the containing subdir and thus cannot
* affect the parent rules.
*
* Note that since the sub dir is parsed in the forked thread servicing the
* subdir http request, any merge is discarded when the process exits. As a
* result, the subdir settings only have a lifetime of a single request.
*
*
* If -c is not set, an attempt will be made to open the default
* root configuration file. If -c is set and the file is not found, the
* server exits with an error.
*
*/


That's the easy part. What is a bit trickier is to configure iptables so that you can access your webserver from the WAN. I want this webserver to be used when I browse to my external IP, e.g. http://sesamebike.dyndns.org (bogus url, don't click). Still I want the wl500g admin webserver to be used if I browse to http://my.router. Finally, I don't want the external web server to be accessible on port 8080, only port 80.

Edit the /usr/local/init/post-firewall and add the following:


/usr/sbin/iptables -t nat -I PREROUTING -p tcp -d "$2" --dport 80 -j DNAT --to "$2":8080
/usr/sbin/iptables -t nat -D PREROUTING -i "$1" -p tcp --dport 80 -j DROP
/usr/sbin/iptables -t nat -I PREROUTING -i "$1" -p tcp --dport 8080 -j DROP
/usr/sbin/iptables -A INPUT -i "$1" -d "$2" -p tcp --syn --dport 8080 -j ACCEPT


Remember to save your changes to the flash using flashfs save and flashfs commit.

Hopefully this will get you started. At least this setup worked for me on Oleg's excellent 1.7.5.9-5 firmware.

Cheers!
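The httpd.conf header quoted above describes the allow/deny logic in prose (deny beats allow, D:* is a catch-all, A:* is a no-op, partial addresses are octet prefixes). The following is an added model of those documented rules, written for this thread and not taken from busybox itself, so you can check what a given httpd.conf admits before exposing the server to the WAN. The sample config is constructed from the header's own examples; the exact behaviour of the busybox binary on the router should still be verified on the device.

```python
"""Model of the httpd.conf semantics quoted from the busybox httpd header
(added illustration, not busybox code): specific deny rules take precedence,
D:* is a catch-all for unmatched clients, A:* is a no-op, default is allow."""

import ipaddress


def parse_ip_spec(spec):
    """Turn an A:/D: address spec into an IPv4Network, or None for '*' (all).

    '172.20.' (or '172.20') means 172.20.0.0/16: a partial dotted quad is a
    prefix of whole octets, so it does NOT match 172.200.x.x.
    '10.0.0.0/25' and '10.0.0.0/255.255.255.128' name the same network.
    """
    spec = spec.strip()
    if spec in ("", "*"):
        return None
    if "/" in spec:
        # ipaddress accepts both '/25' and '/255.255.255.128'
        return ipaddress.IPv4Network(spec, strict=False)
    octets = [o for o in spec.split(".") if o]
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{addr}/{8 * len(octets)}", strict=False)


def parse_httpd_conf(text):
    """Parse the three line formats documented in the header.
    Trailing '# ...' comments are stripped (a choice of this model)."""
    conf = {"ip": [], "auth": [], "mime": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(":")
        if line[0] == "/":                      # /path:user:password
            user, _, password = rest.partition(":")
            conf["auth"].append((key, user, password))
        elif line[0] == ".":                    # .ext:mime/type
            conf["mime"][key] = rest.strip()
        elif key[:1].lower() in ("a", "d"):     # A/D, a/d, allow/deny
            conf["ip"].append((key[0].lower(), parse_ip_spec(rest)))
        else:
            raise ValueError(f"unrecognised httpd.conf line: {raw!r}")
    return conf


def ip_allowed(conf, client_ip):
    """Apply the documented Deny/Allow logic to one client address."""
    ip = ipaddress.IPv4Address(client_ip)
    deny_all = False
    # 1. A specific deny wins wherever it appears in the file.
    for kind, net in conf["ip"]:
        if kind == "d":
            if net is None:
                deny_all = True
            elif ip in net:
                return False
    # 2. Otherwise any matching allow admits the client.
    if any(k == "a" and net is not None and ip in net for k, net in conf["ip"]):
        return True
    # 3. D:* catches everything unmatched; without it the default is allow,
    #    which is why A:* is a no-op.
    return not deny_all


def required_credentials(conf, url):
    """(user, password) pairs accepted for url; [] when the path is open.
    A rule for /adm covers /adm/ and everything below it, as the header says."""
    return [(u, p) for path, u, p in conf["auth"]
            if url == path or url.startswith(path.rstrip("/") + "/")]


# Constructed sample config, assembled from the header's own examples.
SAMPLE_CONF = """\
A:172.20.                   # 172.20.0.0/16
A:10.0.0.0/255.255.255.128  # same as 10.0.0.0/25
A:127.0.0.1
D:10.0.0.5                  # denied even though it sits inside an allow
D:*
/cgi-bin:foo:bar
/adm:admin:setup
/adm:toor:PaSsWd
.au:audio/basic
"""

if __name__ == "__main__":
    conf = parse_httpd_conf(SAMPLE_CONF)
    for client in ("172.20.3.4", "172.200.3.4", "10.0.0.100", "10.0.0.5", "8.8.8.8"):
        print(client, "allowed" if ip_allowed(conf, client) else "denied")
    print(required_credentials(conf, "/adm/setup.cgi"))
```

The octet-prefix handling is the part worth noticing: "A:172.20" admits 172.20.0.0/16 and nothing else, so an allow list written with partial addresses is narrower than a naive string prefix would suggest.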

Styno
25-08-2004, 13:45
Nice, thanks!

Busybox_http can also run cgi-bin scripts:

- Create a directory named: `cgi-bin` in the `wwwroot` directory.
- Place one or more executable (`chmod +x scriptname`) Bash script(s) in the `cgi-bin` directory.
- Call the script using `http://my.router:8080/cgi-bin/scriptname` in the address toolbar of your browser.
- Enjoy the output from your script :)

All scripts in the subdirectories below cgi-bin are also executable. If your script is not executable or is not a runnable script the webserver returns 404 (page not found).

One example of what you can do with Bash scripting is below. It shows info from your router such as uptime, running services, free disk space, etc:


#!/bin/sh

echo "<html>"
echo "<body bgcolor=#5555aa>"
echo "<h2>System info for Asus WL-500g home gateway router</h2>"

echo "<hr>"
echo "<b>Uptime:</b><br>"
echo "<pre>"
uptime
echo "</pre>"
echo "<hr>"
echo "<b>Hardware and firmware versions:</b><br>"
echo "<pre>"
cat /mnt/ramfs/etc/linuxigd/general.log
echo "</pre>"
echo "<hr>"
echo "<b>CPU info:</b><br>"
echo "<pre>"
cat /proc/cpuinfo
echo "</pre>"
echo "<hr>"
echo "<b>Memory Info:</b><br>"
echo "<pre>"
cat /proc/meminfo
echo "</pre>"
echo "<hr>"
echo "<b>Partitions:</b><br>"
echo "<pre>"
cat /proc/partitions
echo "</pre>"
echo "<hr>"
echo "<b>Disk usage:</b><br>"
echo "<pre>"
df
echo "</pre>"
echo "<hr>"
echo "<b>Services:</b><br>"
echo "<table>"

echo "<tr>"
echo "<td>Stupid FTP server</td>"
echo "<td>-</td>"
if [ `ps -ax | grep -c stupid-ftpd` -gt 1 ]
then
    echo "<td>Running</td>"
else
    echo "<td>NOT running</td>"
fi
echo "</tr>"

echo "<tr>"
echo "<td>giFT daemon</td>"
echo "<td>-</td>"
if [ `ps -ax | grep -c ld.so.1` -gt 1 ]
then
    echo "<td>Running</td>"
else
    echo "<td>NOT running</td>"
fi
echo "</tr>"


echo "<tr>"
echo "<td>Dropbear SSH daemon</td>"
echo "<td>-</td>"
if [ `ps -ax | grep -c dropbear` -gt 1 ]
then
    echo "<td>Running</td>"
else
    echo "<td>NOT running</td>"
fi
echo "</tr>"

echo "<tr>"
echo "<td>Traffic counter</td>"
echo "<td>-</td>"
if [ `ps -ax | grep -c iptraf` -gt 1 ]
then
    echo "<td>Running</td>"
else
    echo "<td>NOT running</td>"
fi
echo "</tr>"

echo "</table>"
echo "<hr>"
echo "</body>"
echo "</html>"

Oleg
25-08-2004, 15:08
Guys please make a WIKI page, otherwise this will get lost - nobody is using search, it seems.
Also, some hints - small web server pages as well as the httpd.conf file could be stored in the flashfs also.
flashfs rocks. :D At the moment that's the easiest way for using both stock firmware features and customizations. sveasoft does not offer things like this in their firmwares. openwrt has no web iface and is completely different. I'm really proud of my invention. :)

Styno
25-08-2004, 15:41
Guys please make a WIKI page, otherwise this will get lost - nobody is using search, it seems.

Aye, aye captain :o. Though it might be useful to let it stay here so all the newbies have to learn how to use the search :D


Also, some hints - small web server pages as well as the httpd.conf file could be stored in the flashfs also.

Yes, the webpages can be stored anywhere: flashfs, USB stick, USB HDD, compiled into the firmware...


flashfs rocks. :D At the moment that's the easiest way for using both stock firmware features and customizations. sveasoft does not offer things like this in their firmwares. openwrt has no web iface and is completely different. I'm really proud of my invention. :)

The flashfs method certainly is a great `invention`. Nobody's disagreeing with that!

monnier
25-08-2004, 16:15
flashfs rocks. :D At the moment that's the easiest way for using both stock firmware features and customizations. sveasoft does not offer things like this in their firmwares. openwrt has no web iface and is completely different. I'm really proud of my invention. :)

It's a neat way to get a more-or-less-persistent directory tree.
But the lffs thingy in OpenWRT gets you real persistent storage, which is pretty convenient at times (you basically don't ever need to flash a new firmware any more). Losing the web-config is a bummer, tho, especially at the beginning. I'm very comfortable with Unix-style administration, but I still considered it important that when I switched to your custom firmware, everything was going to work "just as before".
Now that I've been using it for a while and I've added my own config tweaks, I'd rather get rid of the web-config (especially with its "password in the clear").

If it were possible to have your custom firmware but with squashfs replaced by lffs2 I'd be pretty happy.

Styno
25-08-2004, 16:40
I assume you mean jffs2 ... :)

jffs2 might be interesting for replacing the flashfs partition for 2 reasons:
- Just edit a config file and forget about it :), no need for flashfs save and commit commands.
- No need to check maximum flash space before committing anymore.

It's no option to replace the squashfs partitions containing the firmware with jffs2 because of the compression provided by squashfs (unless jffs2 provides compression as well of course).

Oleg
25-08-2004, 18:59
If it were possible to have your custom firmware but with squashfs replaced by lffs2 I'd be pretty happy.
Forget about this. There are two reasons: 1) jffs2 requires much more free space than we have (currently 40k); 2) jffs2 has a lower compression ratio, comparable with cramfs.

chancho
26-08-2004, 12:28
I am using the 1.8.1.7 firmware. I want to set up a webserver, but telnetd is not included, so I use the busybox as discussed in another thread. However,
1) the telnetd is not password protected.
2) I can not find the path /usr/local/init.

Any suggestion as to what I should do?

Oleg
26-08-2004, 12:48
any suggestion that what should i do.
Downgrade to 1.7.5.9-5.

NIGHTCD
26-08-2004, 14:13
Hello, this post interests me..

I have Oleg's firmware 1.7.5.9-5 but I can't seem to find the path /usr/local/init

I am getting as far as /usr/local and there I stop.. I can't find the init folder

The only two folders I have under /usr/local are these: etc and root.

Hope there is someone that can help me with this.

Kind Regards

NIGHTCD

sesamebike
26-08-2004, 14:41
Hi chancho and NIGHTCD!

You both asked why you are not seeing the /usr/local/init folder. That's because you need to create it yourself. Please read Oleg's documentation for the 1.7.5.9-5 firmware. It's located at http://wl500g.dyndns.org. Be sure to read the Tips and Tricks section where you'll find detailed instructions on how to create the /usr/local/init folder :)

Happy hacking!

Styno
26-08-2004, 14:51
Hello, this post interests me..

I have Oleg's firmware 1.7.5.9-5 but I can't seem to find the path /usr/local/init

I am getting as far as /usr/local and there I stop.. I can't find the init folder

The only two folders I have under /usr/local are these: etc and root.

Hope there is someone that can help me with this.

Kind Regards

NIGHTCD

Look at the Flashfs-boot page in the WIKI section: it contains detailed information on how to set up post-boot configurations.

http://wiki.wl500g.info/index.php/FlashfsBoot

NIGHTCD
26-08-2004, 15:37
Thanks :-)

NIGHTCD

monnier
26-08-2004, 19:27
(Sorry, I meant jffs2. I just can't get to terms with their choice of "journalling" in the name, even though the first line explains clearly that jffs2 is a "log-structured" filesystem (which is similar to a journalling filesystem, but is not the same)).


Forget about this. There are two reasons: 1) jffs2 requires much more free space than we have (currently 40k); 2) jffs2 has a lower compression ratio, comparable with cramfs.

Reading some jffs2 mailing-lists, I got the impression that it can still work even with very low free space (although inefficiently, but we don't necessarily care if we only write to it for config purposes, and keep logfiles in ramfs).

But the compression ratio is the killer. Damn!
BTW, I had looked around before to get some data about the relative compression efficiency between squashfs, cramfs, jffs2, ... but couldn't find anything: where did you get your info from?

Oleg
26-08-2004, 21:03
But the compression ratio is the killer. Damn!
BTW, I had looked around before to get some data about the relative compression efficiency between squashfs, cramfs, jffs2, ... but couldn't find anything: where did you get your info from?

Tried myself. jffs2 package also contains something like mkjffs2 - can't remember how it's named exactly.

sesamebike
27-08-2004, 10:03
Hi,

This how-to is now contributed to the wiki as well. Use the wiki functions to correct my mistakes ;)

Cheers!

Styno
27-08-2004, 10:30
Great work, thanks! I'll try to add cgi-bin scripting info later today...

Question:
You've used several rules to gain access to the webserver from WAN. I just used:


# allow webserver requests to port 8080 (busybox_httpd)
iptables -A INPUT -p tcp --dport 8080 --syn -j ACCEPT

I know this is not the same as redirecting port 80 to 8080, it only opens WAN access to port 8080, but is this method safe or should there be more rules?

sesamebike
27-08-2004, 10:55
Hi,

It's a matter of choice really. I'd like to have it on port 80 for external access in order to avoid having to specify port 8080 in the url. It's easier to remember for other people as well. But other than that, no, having it on port 8080 will work the same way.

Now to your question, yes I think that iptables line will suffice. You might want to consider adding
-i "$1" -d "$2" if you want to limit the access to the WAN interface only. Note, $1 and $2 represent the external interface name and IP address. But again, it's your choice.

Styno
27-08-2004, 11:20
It's a matter of choice really. I'd like to have it on port 80 for external access in order to avoid having to specify port 8080 in the url. It's easier to remember for other people as well. But other than that, no, having it on port 8080 will work the same way.

Yes I knew that :)



Now to your question, yes I think that iptables line will suffice. You might want to consider adding
-i "$1" -d "$2" if you want to limit the access to the WAN interface only. Note, $1 and $2 represent the external interface name and IP address. But again, it's your choice.

Thanks! That's what I was wondering about, I will add -i "$1" to the rule.

NIGHTCD
28-08-2004, 19:05
Hello. is there any chance to get php up an running with this second webserver?

and how to do it... someone got an tutorial?


NIGHTCD

pledge
30-08-2004, 11:41
As far as I can understand $1 and $2 are shell variables, representing respectively the external interface name and its IP address.
Are these variables set up automatically? Because I am unable to use those in the iptables commands:

/usr/sbin/iptables -t nat -I PREROUTING -p tcp -d "$2" --dport 80 -j DNAT --to "$2":8080
/usr/sbin/iptables -t nat -D PREROUTING -i "$1" -p tcp --dport 80 -j DROP

Thanks for your help.

sesamebike
30-08-2004, 12:58
Hi Pledge,

No, they are not shell variables but rather arguments passed to the post-firewall script.

From the firmware documentation:


/usr/local/init/post-firewall is now executed at the end of the default firewall script. If you need any customizations place them here (this scripts also receives all the args passed to the original firewall script, i.e. $1/$2 are WAN_IF/WAN_IP, $3/$4 are LAN_IF/LAN_IP, $5/$6 are $DMZ_IF/$DMZ_IP

If you need to call the script manually you'll need to supply these to the script as follows:


/usr/local/init/post-firewall eth1 1.2.3.4

Replace 1.2.3.4 with the ip you got from your ISP.

Cheers!

FilimoniC
29-01-2006, 13:37
Uhm.. I get 401 error: unauthorised when I try to access to /cgi-bin/ directory
busybox_httpd -p 81 -u nobody -h /opt/share/www

macsat
29-01-2006, 22:34
Uhm.. I get 401 error: unauthorised when I try to access to /cgi-bin/ directory
busybox_httpd -p 81 -u nobody -h /opt/share/www

Do you have an /opt/share/www/cgi-bin directory ?

If so, is it readable by the webserver?

try a:
ls -la /opt/share/www

and post the result here, if you don't fully get what I mean :-)

oleo
29-01-2006, 22:59
First try to run it as admin. Then as nobody!
[admin@oleo root]$ cat httpd.conf
A:*
/cgi-bin:admin:admin
.au:audio/basic
.asp:text/html

SuperB
14-04-2006, 00:51
Great howto, just what I need. I do have one problem; the iptables commands are not accepted by my router (which runs Oleg 1.9.2.7-7c).
When I run the post-firewall script from the shell I get an error message:

$post-firewall eth0 192.168.2.150
iptables: Bad rule (does a matching rule exist in that chain?)

eth0 is the device that is connected to the WAN.
192.168.2.150 is the fixed address I use on the WAN side (I am behind another router)

Removing the second line in the script takes care of the error message, but does not give me access to my web files.
Entering the commands one by one in the shell shows that no entries are added to the PREROUTING chain, only to the INPUT chain.

What am I doing wrong?

SuperB
18-04-2006, 21:32
OK, what I wanted was to run a (second) webserver for the WAN side. My website must be stored on a USB stick and will be updated through Samba.

I found out what I was doing wrong. The main issue was that my post-firewall script missed #!/bin/sh on the first line.

Then, I found out how to check the iptables chains:


iptables --list -t nat for checking the PREROUTING chain and
iptables --list for checking the INPUT chain.

With these commands I saw that (in my case) the rules were added to the bottom of the chain, where they are useless. So I added a 1 and 2 after the -I command to get them to the top of the chain. (I learned a lot about iptables here (http://www.siliconvalleyccie.com/linux-hn/iptables-intro.htm).)

The last problem I encountered was that starting busybox_httpd in post-boot on /tmp/harddisk, where I initially found my USB stick, does not work because this directory is not mapped at the time post-boot is executed. I mapped the USB stick to /mnt and finally I was ready.

Here are the files I use.

/etc/smb.conf:


[global]
workgroup=mygroup
guest account=nobody
security=share
browseable=yes
guest ok=yes
guest only=no
log level=1
max log size=100
encrypt passwords=yes
dns proxy=no

[fat32]
path=/mnt
writeable=yes
browseable=yes
force user=admin

/tmp/local/sbin/post-firewall:


#!/bin/sh
/usr/sbin/iptables -t nat -I PREROUTING 1 -p tcp -d "$2" --dport 80 -j DNAT --to "$2":8080
/usr/sbin/iptables -t nat -D PREROUTING -i "$1" -p tcp --dport 80 -j DROP
/usr/sbin/iptables -t nat -I PREROUTING 2 -i "$1" -p tcp --dport 8080 -j DROP
/usr/sbin/iptables -I INPUT 1 -i "$1" -d "$2" -p tcp --syn --dport 8080 -j ACCEPT

/tmp/local/sbin/post-boot:


#!/bin/sh
mount -t vfat /dev/scsi/host0/bus0/target0/lun0/part1 /mnt
/usr/sbin/smbd -D
/usr/sbin/nmbd -D
busybox_httpd -p 8080 -h /mnt

Note that I use -t vfat with the mount command. Before I added that all the files I copied to my USB stick over Samba got short (8.3) filenames.
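SuperB's fix (numbered positions after -I so the rules land at the top of the chain) comes down to iptables' first-match traversal. The following is an added simulation of that traversal over sesamebike's four post-firewall rules, written for this thread and not taken from the firmware. The stock chains it starts from are an assumption: a nat PREROUTING rule that drops WAN port 80 (the rule the -D line in post-firewall removes) and an INPUT chain that ends in an unconditional DROP. Interface and address names (eth1, br0, 1.2.3.4, 192.168.1.1) are placeholders.

```python
"""First-match simulation of the nat PREROUTING and filter INPUT chains for
the post-firewall rules in this thread (added illustration, not router code)."""


def rule(target, to_port=None, **match):
    """A rule is a set of match criteria (all must equal the packet's fields)
    plus a target; to_port carries the DNAT --to port."""
    return {"target": target, "to_port": to_port, "match": match}


def matches(r, pkt):
    return all(pkt.get(k) == v for k, v in r["match"].items())


def run_chain(chain, pkt, policy="ACCEPT"):
    """The first matching rule decides; DNAT rewrites the port and stops."""
    for r in chain:
        if matches(r, pkt):
            if r["target"] == "DNAT":
                pkt = dict(pkt, dport=r["to_port"])
            return r["target"], pkt
    return policy, pkt


def delete_rule(chain, r):
    """iptables -D: remove the first identical rule. False stands in for the
    'Bad rule (does a matching rule exist in that chain?)' error."""
    for i, existing in enumerate(chain):
        if existing == r:
            del chain[i]
            return True
    return False


def stock_chains(wan_if, lan_if):
    """Constructed stand-in for the firmware's default chains (an assumption):
    nat PREROUTING already drops WAN port 80 and INPUT ends in a catch-all DROP."""
    prerouting = [rule("DROP", in_if=wan_if, proto="tcp", dport=80)]
    inp = [
        rule("DROP", state="INVALID"),
        rule("ACCEPT", state="ESTABLISHED"),
        rule("ACCEPT", in_if=lan_if, state="NEW"),
        rule("DROP"),                    # empty match set = matches everything
    ]
    return prerouting, inp


def post_firewall(prerouting, inp, wan_if, wan_ip, insert=True):
    """The four rules from the thread. insert=True is '-I ... 1' / '-I ... 2'
    (SuperB's placement); insert=False is '-A', which lands after the catch-all."""
    dnat = rule("DNAT", to_port=8080, dst=wan_ip, proto="tcp", dport=80)
    drop8080 = rule("DROP", in_if=wan_if, proto="tcp", dport=8080)
    accept = rule("ACCEPT", in_if=wan_if, dst=wan_ip, proto="tcp", syn=True, dport=8080)
    delete_rule(prerouting, rule("DROP", in_if=wan_if, proto="tcp", dport=80))
    if insert:
        prerouting.insert(0, dnat)
        prerouting.insert(1, drop8080)
        inp.insert(0, accept)
    else:
        prerouting.extend([dnat, drop8080])
        inp.append(accept)


def deliver(prerouting, inp, pkt):
    """Run a new incoming packet through nat PREROUTING, then filter INPUT.
    Returns (verdict, port the packet would be delivered to)."""
    verdict, pkt = run_chain(prerouting, pkt)
    if verdict == "DROP":
        return "DROP", pkt["dport"]
    verdict, pkt = run_chain(inp, pkt)
    return verdict, pkt["dport"]


def scenario(insert):
    """Three probes: WAN->80, WAN->8080 directly, and a LAN host -> admin UI."""
    wan_if, wan_ip, lan_if, lan_ip = "eth1", "1.2.3.4", "br0", "192.168.1.1"
    pre, inp = stock_chains(wan_if, lan_if)
    post_firewall(pre, inp, wan_if, wan_ip, insert=insert)
    new = {"proto": "tcp", "state": "NEW", "syn": True}
    return {
        "wan_80": deliver(pre, inp, dict(new, in_if=wan_if, dst=wan_ip, dport=80)),
        "wan_8080": deliver(pre, inp, dict(new, in_if=wan_if, dst=wan_ip, dport=8080)),
        "lan_80": deliver(pre, inp, dict(new, in_if=lan_if, dst=lan_ip, dport=80)),
    }


if __name__ == "__main__":
    for placement in (True, False):
        print("insert at top" if placement else "append at bottom", scenario(placement))
```

With the rules inserted, a WAN request to port 80 is rewritten to 8080 and accepted, a direct WAN request to 8080 is dropped in PREROUTING, and a LAN request to the router's own port 80 never matches the DNAT rule (it checks -d WAN_IP), so the admin interface is untouched. With the same rules appended, the DNAT still happens but the INPUT ACCEPT sits behind the catch-all DROP and the request dies there, which is the symptom SuperB describes.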

kRiSiS
09-11-2006, 22:05
So I followed the instructions pretty carefully and have those 4 lines in my post-firewall. However, when trying to access busybox from the outside, it still fails, but the same server on an opened port 8008 works just fine. Here's the output from my "iptables --list -t nat":


DNAT tcp -- anywhere [router interface] tcp dpt:www to:[router ip]:8080
DROP tcp -- anywhere anywhere tcp dpt:webcache

And I can confirm that busybox is running on port 8080 with "ps|grep busybox"

Can anyone tell me why this still fails? Any help would be appreciated.

SuperB
10-11-2006, 01:06
Please enter the command 'iptables --list' and see if you have an entry like this:


Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere [external IP] tcp dpt:webcache flags:SYN,RST,ACK/SYN

And what do you mean by [router interface]? My output shows the [external IP] there.

kRiSiS
10-11-2006, 14:33
By router interface I mean the name assigned to my net connection by the cable company, in this case something like "myrouter.dyn.optonline.net" and by external IP I mean the actual IP address I get from going to www.whatismyip.com. I just didn't want to put the name and IP out there for all the internet to see. :p

I do have that line in my INPUT chain.


ACCEPT tcp -- anywhere myrouter.dyn.optonline.net tcp dpt:webcache flags:SYN,RST,ACK/SYN

This is weird if what I have is exactly what you have. Any ideas?

Edit: I should probably add that I have a WL500gP. Though I don't think that makes any difference.

SuperB
11-11-2006, 19:39
I don't have the full output of your 'iptables --list' commands, but you will have to watch the order in which rules are listed.
You should have those lines at or near the top of the tables.

Are you sure the drive/directory on which you map busybox_http is mounted at the moment busybox_http starts?

kRiSiS
11-11-2006, 22:01
Here's the top few results of iptables --list:


Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere myrouter.dyn.optonline.net tcp dpt:webcache flags:SYN,RST,ACK/SYN
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
SECURITY all -- anywhere anywhere state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp


And here are the results of iptables --list -t nat:


Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere myrouter.dyn.optonline.net tcp dpt:www to:[router's actual ip]:8080
DROP tcp -- anywhere anywhere tcp dpt:webcache
VSERVER all -- anywhere myrouter.dyn.optonline.net
NETMAP udp -- anywhere myrouter.dyn.optonline.net udp spt:6112 192.168.1.0/24


I'm 100% sure busybox works because I can access my pages from WAN on a different port (8008) with that port forwarded in post-firewall as


iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
iptables -t nat -A PREROUTING -i -p tcp --dport 8008 -j DNAT --to-destination :8008

Busybox runs on my /opt/share/www directory of the USB hard drive.

Update: When I go to http://myrouteripaddress (which is the ip i get from whatismyip.com), I get the web page, but I know that when I ask people to visit the ip address, they get a Page cannot be displayed error. Do I have something in my post-firewall config mixed up?

Here's my post-firewall in its entirety:


#!/bin/sh
iptables -D INPUT -j DROP

#iptables -A INPUT -p tcp --dport 81 -j ACCEPT
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -t nat -I PREROUTING 1 -i $1 -p tcp --dport 80 -j DNAT --to-destination $2:81

iptables -t nat -I PREROUTING 1 -p tcp -d "$2" --dport 80 -j DNAT --to "$2":8080
iptables -t nat -D PREROUTING -i "$1" -p tcp --dport 80 -j DROP
iptables -t nat -I PREROUTING 2 -i "$1" -p tcp --dport 8080 -j DROP
iptables -I INPUT 1 -i "$1" -d "$2" -p tcp --syn --dport 8080 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
iptables -A INPUT -p tcp --dport 1213 -j ACCEPT
iptables -A INPUT -p tcp --dport 1214 -j ACCEPT
iptables -A INPUT -p tcp --dport 3512 -j ACCEPT
iptables -A INPUT -p tcp --dport 56881:56889 -j ACCEPT
iptables -A INPUT -p tcp --dport 9387 -j ACCEPT

iptables -t nat -A PREROUTING -i -p tcp --dport 22 -j DNAT --to-destination :22
iptables -t nat -A PREROUTING -i -p tcp --dport 21 -j DNAT --to-destination :21
iptables -t nat -A PREROUTING -i -p tcp --dport 8008 -j DNAT --to-destination :8008
iptables -t nat -A PREROUTING -i -p tcp --dport 1213 -j DNAT --to-destination :1213
iptables -t nat -A PREROUTING -i -p tcp --dport 1214 -j DNAT --to-destination :1214
iptables -t nat -A PREROUTING -i -p tcp --dport 3512 -j DNAT --to-destination :3512
iptables -t nat -A PREROUTING -i -p tcp --dport 56881 -j DNAT --to-destination :56881
iptables -t nat -A PREROUTING -i -p tcp --dport 56882 -j DNAT --to-destination :56882
iptables -t nat -A PREROUTING -i -p tcp --dport 56883 -j DNAT --to-destination :56883
iptables -t nat -A PREROUTING -i -p tcp --dport 56884 -j DNAT --to-destination :56884
iptables -t nat -A PREROUTING -i -p tcp --dport 56885 -j DNAT --to-destination :56885
iptables -t nat -A PREROUTING -i -p tcp --dport 56886 -j DNAT --to-destination :56886
iptables -t nat -A PREROUTING -i -p tcp --dport 56887 -j DNAT --to-destination :56887
iptables -t nat -A PREROUTING -i -p tcp --dport 56888 -j DNAT --to-destination :56888
iptables -t nat -A PREROUTING -i -p tcp --dport 56889 -j DNAT --to-destination :56889
iptables -t nat -A PREROUTING -i -p tcp --dport 9387 -j DNAT --to-destination :3689

ip link set dev $1 qlen 30
iptables -A PREROUTING -t mangle -s 10.0.1.0/30 -j MARK --set-mark 6
/usr/local/sbin/wshaper start $1 3600 240
iptables -A INPUT -j DROP

kRiSiS
16-11-2006, 14:58
Anyone? No ideas/help? :confused:

oleo
16-11-2006, 22:15
With Oleg firmware it is easy to move GUI httpd to other port with simple
nvram set http_lanport=8002 && nvram commit && reboot
Then you can setup another http server like busybox_httpd on standard port 80 with the following script:

#!/bin/sh

PATH=/sbin:/bin:/usr/bin:/usr/sbin:/opt/bin:/opt/sbin

# Uncomment path to busybox httpd to enable startup
BUSYBOX_HTTPD=/usr/sbin/busybox_httpd

HTTPD_CONFIG=${HOME}/httpd.conf
LISTENING_PORT=80


check_config(){
    if [ ! -e ${HTTPD_CONFIG} ]; then
        echo "Creating default ${HTTPD_CONFIG}"
        cat > ${HTTPD_CONFIG} << __EOF__
# httpd.conf has the following format:
#
# A:172.20. # Allow address from 172.20.0.0/16
# A:10.0.0.0/25 # Allow any address from 10.0.0.0-10.0.0.127
# A:10.0.0.0/255.255.255.128 # Allow any address that previous set
# A:127.0.0.1 # Allow local loopback connections
# D:* # Deny from other IP connections
# /cgi-bin:foo:bar # Require user foo, pwd bar on urls starting with /cgi-bin/
# /adm:admin:setup # Require user admin, pwd setup on urls starting with /adm/
# /adm:toor:PaSsWd # or user toor, pwd PaSsWd on urls starting with /adm/
# .au:audio/basic # additional mime type for audio.au files
#
# A/D may be as a/d or allow/deny - first char case insensitive
# Deny IP rules take precedence over allow rules.
#
#
# The Deny/Allow IP logic:
#
# - Default is to allow all. No addresses are denied unless
# denied with a D: rule.
# - Order of Deny/Allow rules is significant
# - Deny rules take precedence over allow rules.
# - If a deny all rule (D:*) is used it acts as a catch-all for unmatched
# addresses.
# - Specification of Allow all (A:*) is a no-op
#
# Example:
# 1. Allow only specified addresses
# A:172.20 # Allow any address that begins with 172.20.
# A:10.10. # Allow any address that begins with 10.10.
# A:127.0.0.1 # Allow local loopback connections
# D:* # Deny from other IP connections
#
# 2. Only deny specified addresses
# D:1.2.3. # deny from 1.2.3.0 - 1.2.3.255
# D:2.3.4. # deny from 2.3.4.0 - 2.3.4.255
# A:* # (optional line added for clarity)
#
# If a sub directory contains a config file it is parsed and merged with
# any existing settings as if it was appended to the original configuration.
#
# subdir paths are relative to the containing subdir and thus cannot
# affect the parent rules.
#
# Note that since the sub dir is parsed in the forked thread servicing the
# subdir http request, any merge is discarded when the process exits. As a
# result, the subdir settings only have a lifetime of a single request.
#
A:*
#/cgi-bin:${USER}:password
.au:audio/basic
.asp:text/html
__EOF__
    fi
}

start() {
    if [ ! -x "${BUSYBOX_HTTPD}" ]; then
        echo "busybox httpd ${BUSYBOX_HTTPD} not started."
        exit 2
    fi
    check_config
    echo -n "Starting busybox httpd at port ${LISTENING_PORT} ... "
    ${BUSYBOX_HTTPD} -c ${HTTPD_CONFIG} -p ${LISTENING_PORT} -h /opt/share/www
    echo "done"
}

stop() {
    echo -n "Shutting down busybox httpd... "
    killall busybox_httpd
    echo "done"
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        sleep 1
        start
        ;;
    *)
        echo "Usage: $0 (start|stop|restart)"
        exit 1
        ;;
esac


I run thttpd and busybox_httpd besides httpd server. Opening appropriate ports with GUI interface is not really an issue.

KGy
11-03-2007, 20:40
Sorry for my English.
If I run two busybox_httpd servers on my router, "killall busybox_httpd" shuts down both.

If I select the busybox_httpd pid by config file (/opt/etc/httpd1.conf and /opt/etc/httpd2.conf):

ps | grep "/opt/etc/httpd1.conf" | grep -v "grep" | awk '{print $1}'

I can't send this pid to "kill". How can I do it?

ps | grep "/opt/etc/httpd1.conf" | grep -v "grep" | awk '{print $1}' | kill
didn't work... :-(

George

SuperB
13-03-2007, 01:07
Hi George,

This works:

kill `ps | grep "busybox_httpd" | grep -v "grep" | awk '{print $1}' `

KGy
13-03-2007, 09:05
Thanks, SuperB!

George