Hardware: WL500g with Oleg's Firmware v1.9.2.7 CR7b + 128 MB USB stick for swap and to hold pages for thttpd
This is what I want: from the WAN, pages served by thttpd but no admin interface access; admin access from the LAN. The whole point is not to have my Debian server switched on all day for the 1 or 2 requests I get per day. I'm not running any heavy stuff.
I followed the tutorials on macsat.com to install a thttpd webserver. I got the webserver working and I can access my own pages sitting on the USB stick from the LAN, however I cannot get it working from the WAN side without switching off the basic firewall rules in the admin interface (not a wanted situation).
This is what I tried:
1) followed macsat tutorial
From WAN to <my_external_ip>:80 --> no response
From WAN to <my_external_ip>:81 --> no response
From LAN to 192.168.1.1:81 --> thttpd served pages as expected
From LAN to <my_external_ip>:80 --> thttpd served pages as expected
From LAN to 192.168.1.1:80 --> admin interface as expected
2) switched off the basic firewall rules
result:
From WAN to <my_external_ip>:80 --> admin interface (not wanted from WAN)
From WAN to <my_external_ip>:81 --> thttpd served pages as expected
From LAN same as above
3) switched on the basic firewall rules again
removed the post-firewall script and in the admin interface:
added a virtual server on port 8000 to 192.168.1.100, my Debian server
added a virtual server on port 80 --> 81 to 192.168.1.1; this should provide access to the thttpd pages
result:
From WAN to <my_external_ip>:80 --> no response
From WAN to <my_external_ip>:81 --> no response
From WAN to <my_external_ip>:8000 --> displays my pages on the Debian server, so the virtual server does work with a computer other than the router
From LAN same as all above
I also tried to forward port 80 to my Debian server and that works as well.
This is the output I get in the system log when I try to access the pages sitting on the router using either port 80 or 81:
Feb 3 13:42:27 kernel: DROPIN=eth1 OUT= MAC=<removed> SRC=<removed> DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=33856 DF PROTO=TCP SPT=52132 DPT=81 SEQ=172141206 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A00F03A600000000001030302)
So I guess somewhere in the whole iptables setup the request from the WAN gets dropped before it reaches the thttpd daemon.
Could anybody help me to solve this puzzle?
VidJa
---------------------------
Contents of /tmp/filter_rules
more filter_rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i br0 -j MACS
-A FORWARD -i br0 -j MACS
-A SECURITY -p tcp --syn -m limit --limit 1/s -j RETURN
-A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A SECURITY -p udp -m limit --limit 5/s -j RETURN
-A SECURITY -p icmp -m limit --limit 5/s -j RETURN
-A SECURITY -j logdrop
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -j SECURITY
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -m state --state NEW -j SECURITY
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -p tcp -m tcp -d 192.168.1.100 --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.1.1 --dport 81 -j ACCEPT
-A FORWARD -p udp --dport 6112 -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
Contents of /tmp/nat_rules
more nat_rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d <my_ip_address> --dport 22 -j DNAT --to 192.168.1.100
-A PREROUTING -p tcp -m tcp -d <my_ip_address> --dport 80 -j DNAT --to-destination 192.168.1.1:81
-A PREROUTING -p udp -d <my_ip_address> --sport 6112 -j NETMAP --to 192.168.1.0/24
-A POSTROUTING -p udp -s 192.168.1.0/24 --dport 6112 -j NETMAP --to <my_ip_address>
-A POSTROUTING -o eth1 ! -s <my_ip_address> -j MASQUERADE
-A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT
Contents of /tmp/nat_forward_rules
more nat_forward_rules
-A FORWARD -p tcp -m tcp -d 192.168.1.100 --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.1.1 --dport 81 -j ACCEPT
-A FORWARD -p udp --dport 6112 -j ACCEPT
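Reading the logged line together with the filter rules, as an added analysis and example that is not part of VidJa's post: the logged packet already has DST=192.168.1.1, because the PREROUTING DNAT in nat_rules rewrote the WAN address before the filter table saw it. A packet addressed to the router itself is delivered locally and traverses INPUT, never FORWARD, so the `-A FORWARD -d 192.168.1.1 --dport 81 -j ACCEPT` line that the virtual-server entry generates can never match it. In INPUT the eth1 jump to SECURITY simply RETURNs for a SYN within the rate limit, nothing accepts port 81, and the last rule is the unconditional `-j logdrop`, which is exactly the DROP in the log. The Python below (an added example, not code from the post or from Oleg's firmware) is a small iptables filter simulator: it parses the posted rules, walks INPUT the way netfilter does for a SYN matching the logged line, and walks them again with one extra INPUT accept rule. The router address, the 203.0.113.10 source, the 192.168.1.50 LAN host and the packet dicts are constructed for the example; the nat table and the -m limit counters are not modelled.

```python
"""Added example, not from the post: a minimal iptables filter simulator run over the
posted rules and the SYN the kernel logged. The nat table and '-m limit' are not
modelled (a single SYN is always within the limit)."""
from ipaddress import ip_address, ip_network
import shlex

# INPUT, SECURITY and logdrop as posted in /tmp/filter_rules (the FTP and the
# UDP/ICMP limit rules omitted), plus the FORWARD rule meant to open port 81.
POSTED_RULES = """\
-A INPUT -i br0 -j MACS
-A SECURITY -p tcp --syn -m limit --limit 1/s -j RETURN
-A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A SECURITY -j logdrop
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -j SECURITY
-A INPUT -j logdrop
-A FORWARD -p tcp -m tcp -d 192.168.1.1 --dport 81 -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
"""
# The missing rule: accept NEW WAN connections to thttpd in INPUT, placed in front of
# the final unconditional drop so the SECURITY chain still runs first.
FIX_RULE = "-A INPUT -i eth1 -p tcp -m tcp --dport 81 -m state --state NEW -j ACCEPT"
ROUTER_ADDRS = {"192.168.1.1"}                   # assumption: the router's own address
POLICY = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT"}
net = lambda v: ip_network(v, strict=False)
ONE_ARG = {"-i": ("in", str), "-o": ("out", str), "-p": ("proto", str), "-j": ("target", str),
           "--dport": ("dport", int), "--sport": ("sport", int), "-s": ("src", net),
           "-d": ("dst", net), "--state": ("state", lambda v: set(v.split(",")))}
SKIP = {"-m": 2, "--limit": 2, "--log-prefix": 2, "--log-tcp-sequence": 1,
        "--log-tcp-options": 1, "--log-ip-options": 1}   # option -> tokens to skip

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of match conditions plus target."""
    toks, i = shlex.split(line), 2
    rule = {"chain": toks[1], "line": line}
    while i < len(toks):
        opt = toks[i]
        if opt in ONE_ARG:
            key, conv = ONE_ARG[opt]
            rule[key], i = conv(toks[i + 1]), i + 2
        elif opt == "--syn":                         # same as --tcp-flags SYN,RST,ACK,FIN SYN
            rule["flags"], i = ({"SYN", "RST", "ACK", "FIN"}, {"SYN"}), i + 1
        elif opt == "--tcp-flags":                   # --tcp-flags MASK COMP
            rule["flags"], i = (set(toks[i + 1].split(",")), set(toks[i + 2].split(","))), i + 3
        elif opt in SKIP:
            i += SKIP[opt]
        else:
            raise ValueError(f"unsupported option {opt!r} in: {line}")
    return rule

def matches(rule, pkt):
    for key in ("in", "out", "proto", "sport", "dport"):
        if key in rule and pkt.get(key) != rule[key]:
            return False
    for key in ("src", "dst"):
        if key in rule and ip_address(pkt[key]) not in rule[key]:
            return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    mask, comp = rule.get("flags", (set(), set()))
    return pkt.get("flags", set()) & mask == comp

def walk(chains, chain, pkt):
    """Walk one chain: (verdict, rule trail), or (None, None) on RETURN or fall-off."""
    for rule in chains.get(chain, []):              # an empty user chain (MACS) falls off
        if matches(rule, pkt):
            target = rule["target"]
            if target in ("ACCEPT", "DROP"):
                return target, rule["line"]
            if target == "RETURN":
                return None, None
            if target != "LOG":                      # LOG is non-terminating; else a user chain
                verdict, line = walk(chains, target, pkt)
                if verdict:
                    return verdict, rule["line"] + " -> " + line
    return None, None

def trace(rules_text, pkt):
    """Pick INPUT or FORWARD the way the routing decision does, then walk that chain."""
    chains = {}
    for line in rules_text.splitlines():
        if line.startswith("-A "):
            chains.setdefault(line.split()[1], []).append(parse_rule(line))
    chain = "INPUT" if pkt["dst"] in ROUTER_ADDRS else "FORWARD"
    verdict, line = walk(chains, chain, pkt)
    return chain, verdict or POLICY[chain], line or f"policy of {chain}"

def with_fix(rules_text, fix=FIX_RULE):
    return rules_text.replace("-A INPUT -j logdrop", fix + "\n-A INPUT -j logdrop", 1)

# Constructed from the logged "DROP IN=eth1 ... DST=192.168.1.1 ... DPT=81 ... SYN";
# the redacted source address is replaced by a documentation address.
WAN_TO_THTTPD = {"in": "eth1", "proto": "tcp", "src": "203.0.113.10", "dst": "192.168.1.1",
                 "sport": 52132, "dport": 81, "state": "NEW", "flags": {"SYN"}}
LAN_TO_ADMIN = {**WAN_TO_THTTPD, "in": "br0", "src": "192.168.1.50", "dport": 80}
WAN_TO_ADMIN = {**WAN_TO_THTTPD, "dport": 80}    # the admin UI must stay closed from the WAN

if __name__ == "__main__":
    for pkt in (WAN_TO_THTTPD, LAN_TO_ADMIN, WAN_TO_ADMIN):
        print(pkt["in"], pkt["dport"], trace(POSTED_RULES, pkt), trace(with_fix(POSTED_RULES), pkt))
```

With the posted rules the WAN SYN to port 81 ends at `-A INPUT -j logdrop -> -A logdrop -j DROP`; with the extra rule it is accepted, while a WAN SYN to port 80 on the router address is still dropped and the LAN request to the admin interface is still accepted by the br0 rule. On the router the equivalent post-firewall line is `iptables -I INPUT <n> -i eth1 -p tcp --dport 81 -m state --state NEW -j ACCEPT`, with `<n>` the position of the final `-j logdrop` as shown by `iptables -L INPUT -n --line-numbers`; the port 80 to 81 DNAT already in nat_rules then delivers WAN requests for port 80 to thttpd, and the admin interface stays reachable only from br0 because no INPUT rule accepts NEW eth1 traffic to port 80.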