Old 08-30-2004, 06:41 PM   #1
retinaburn
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Rep: Reputation: 0
port forwarding to linux, not reaching it


Fedora Core 2.
I have a linksys router, port forwarding (uPnP) two external ports (high numbers) to ssh and http to my linux box (22,80). I can access my linux webserver via the internal network address on port 80. But I can't access them externally. I have tried enabling the services in the redhat firewall and then just disabling the firewall. Still no dice. I can see via the logs on the router incoming requests to the correct external port from other people. My own requests to my external IP don't show up, but I am not too worried about that.

My question is what could possibly be interfering with the packets coming in and not getting to my firewall. What are some of the magic linux network commands I could use to find out where the address is getting dropped. Ideally I would like to get this working with the firewall up, another layer of protection and all, but worried about just getting it working.

Cheers,
 
Old 08-30-2004, 06:58 PM   #2
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

Rep: Reputation: 17
try running up tcpdump or tethereal (preferable) against the interface you are port forwarding to. It'll tell you if your linksys is forwarding packets and let you make an informed decision about where the problem lies.
 
Old 08-30-2004, 06:58 PM   #3
DrNeil
Member
 
Registered: Aug 2004
Location: Scotland
Distribution: Debian, Suse, Knoppix, Dyna:bolic, Mandrake [couple of years ago], Slackware [1993 or so]
Posts: 150

Rep: Reputation: 15
your firewall is your router ?

Since you mention port forwarding I assume it is.

http://www.computing.net/windows2003...orum/2292.html

"You will have to set up Port Forwarding. The requests to port 80 are hitting your router and your router is not your web site - your web server is. You need to tell your router that requests on port 80 are sent to your web server. Your router most likely has a web interface that you can connect to to set up Port Forwarding. Forward port 80 to the internal ip address of your web server - 192.168.0.x or whatever your internal subnet is."

a guess what do you mean with firewall

oops just seen "redhat firewall". It's not your firewall; your linksys router is the answer to your problem hopefully

Last edited by DrNeil; 08-30-2004 at 07:04 PM.
 
Old 08-30-2004, 07:01 PM   #4
retinaburn
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
My router is a firewall of sorts I guess. But I believed that the firewall that is part of fedora was my problem, but disabling it still didn't yield any results.

I will try the suggested links from angrybeaver.

Thanks
 
Old 08-30-2004, 07:07 PM   #5
DrNeil
Member
 
Registered: Aug 2004
Location: Scotland
Distribution: Debian, Suse, Knoppix, Dyna:bolic, Mandrake [couple of years ago], Slackware [1993 or so]
Posts: 150

Rep: Reputation: 15
well u said redhat firewall

"tried enabling the services in the redhat firewall and then just disabling the firewall."



good luck with the links (ys)
 
Old 08-30-2004, 07:33 PM   #6
DrNeil
Member
 
Registered: Aug 2004
Location: Scotland
Distribution: Debian, Suse, Knoppix, Dyna:bolic, Mandrake [couple of years ago], Slackware [1993 or so]
Posts: 150

Rep: Reputation: 15
But NATurally you follow the links


http://www.homenethelp.com/web/explain/about-NAT.asp
What If I want to host a server?
Most NAT devices allow you to create maps between the internet and your computer network - this is called port forwarding. Example: A request on port 80 from the Internet (looking for a web server on your IP address) would normally be turned away by a NAT device. A special mapping can be set up to send that request from the internet to a specific computer on your network. One of your LAN computers could host a web server on the Internet, and another computer (or the same one) could host an FTP server because the two services work on different ports. Only a few special programs on the internet will not work using this port forwarding system.
 
Old 08-30-2004, 07:36 PM   #7
DrNeil
Member
 
Registered: Aug 2004
Location: Scotland
Distribution: Debian, Suse, Knoppix, Dyna:bolic, Mandrake [couple of years ago], Slackware [1993 or so]
Posts: 150

Rep: Reputation: 15
Seriously try the Network Address Translation. If that doesn't work then go for the fancy tools imo.

Occam's Razor

PRINCIPLE OF PARSIMONY OR PRINCIPLE OF SIMPLICITY
a criterion for deciding among scientific theories or explanations. One should always choose the simplest explanation of a phenomenon, the one that requires the fewest leaps of logic.

Ok bye have some qmail-scanner patches to do

Last edited by DrNeil; 08-30-2004 at 07:39 PM.
 
Old 08-30-2004, 07:43 PM   #8
retinaburn
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Ok forwarding a high-numbered port on the router side, to port 80 on the linux box (where httpd is running).
Using tethereal I captured the following:

Capturing on eth0
0.000000 192.168.1.1 -> 192.168.1.100 TCP 2913 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
0.002655 192.168.1.100 -> 192.168.1.1 TCP http > 2913 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
0.473825 192.168.1.1 -> 192.168.1.100 TCP 2913 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
0.473966 192.168.1.100 -> 192.168.1.1 TCP http > 2913 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
0.975467 192.168.1.1 -> 192.168.1.100 TCP 2913 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
0.975605 192.168.1.100 -> 192.168.1.1 TCP http > 2913 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
2.088163 192.168.1.1 -> 192.168.1.255 SNMP TRAP-V1 SNMPv2-SMI::enterprises.3955.1.1.0
7 packets captured


So the request packets are getting through the router and to my linux box. The port (2913) is not the external port, I guess the router is switching it to a different port on the internal side (192.168.1.1). However I don't see the webpage in my browser. Do I have to tell apache it is behind a router and to behave differently?

internet <-> linksys router <-> internal network (192.168.1.xxx)
 
Old 08-30-2004, 07:51 PM   #9
DrNeil
Member
 
Registered: Aug 2004
Location: Scotland
Distribution: Debian, Suse, Knoppix, Dyna:bolic, Mandrake [couple of years ago], Slackware [1993 or so]
Posts: 150

Rep: Reputation: 15
Seriously mate you have to tell your router to route incoming traffic on 80 to your internal linux IP on port 80

http://www.google.com/search?hl=en&i...=Google+Search

Last edited by DrNeil; 08-30-2004 at 07:54 PM.
 
Old 08-30-2004, 08:02 PM   #10
retinaburn
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
I don't want port 80 on the external side, that would open me up to any port scanning on port 80. I want a different port to go to port 80. This should be possible, even when I switch it to port 80 on the router forwarding to port 80 on the linux box I get the same issues.
 
Old 08-30-2004, 08:26 PM   #11
DrNeil
Member
 
Registered: Aug 2004
Location: Scotland
Distribution: Debian, Suse, Knoppix, Dyna:bolic, Mandrake [couple of years ago], Slackware [1993 or so]
Posts: 150

Rep: Reputation: 15
Quote:
This should be possible, even when I switch it to port 80 on the router forwarding to port 80 on the linux box
So at least you wrote now that you did that. Wasn't quite clear from the above.

Have you tried DMZ just to check, that incoming 80 (or 8080 etc) is possible ? If that's not possible, ef Occam and good luck

Last edited by DrNeil; 08-30-2004 at 08:28 PM.
 
Old 08-30-2004, 08:30 PM   #12
DrNeil
Member
 
Registered: Aug 2004
Location: Scotland
Distribution: Debian, Suse, Knoppix, Dyna:bolic, Mandrake [couple of years ago], Slackware [1993 or so]
Posts: 150

Rep: Reputation: 15
Redirecting Around A Port 80 Block

Many Internet Service Providers (ISPs) choose to block traffic bound for their customers' port 80, the port used for web traffic. This is usually done for security or policy reasons, and makes it difficult (but not impossible) to run a web server.

This can be solved using either our MyWebHop (with Custom DNS) or WebHop (with Dynamic DNS or Static DNS) by creating a redirection to a URL which includes a non-standard port number.

http://www.dyndns.org/support/kb/portredirect.html

Maybe you have a nasty ISP ?
 
Old 08-30-2004, 08:40 PM   #13
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Which port does your web server use then? You will need to add :<port number> to your web browser address line to access the server then, and have this port forwarded to the server computer (192.168.1.100).
 
Old 08-30-2004, 08:42 PM   #14
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

Rep: Reputation: 17
Quote:
Originally posted by retinaburn
Capturing on eth0
0.000000 192.168.1.1 -> 192.168.1.100 TCP 2913 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
0.002655 192.168.1.100 -> 192.168.1.1 TCP http > 2913 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
0.473825 192.168.1.1 -> 192.168.1.100 TCP 2913 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
0.473966 192.168.1.100 -> 192.168.1.1 TCP http > 2913 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
0.975467 192.168.1.1 -> 192.168.1.100 TCP 2913 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
0.975605 192.168.1.100 -> 192.168.1.1 TCP http > 2913 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
2.088163 192.168.1.1 -> 192.168.1.255 SNMP TRAP-V1 SNMPv2-SMI::enterprises.3955.1.1.0
7 packets captured
interesting dump. your linux box is sending back RST packets to the client (RFC 793) - are you sure you don't have any filters running? it could be tcpwrappers (/etc/hosts.deny or /etc/hosts.allow), a stray ipchains, iptables or ipf rule, or an ACL perhaps in your apache config ...

you could always put your linksys into bridging mode and run it that way - take port forwarding/NAT etc out of the equation. may not be practical depending on your setup.
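
Added example, not part of any post in this thread: a small shell/awk filter that reads tethereal one-line summaries like the capture quoted above and reports, per client connection, whether the server answered the SYN with SYN-ACK, with RST, or not at all. The function names `classify_handshakes` and `sample_capture` are hypothetical; the first three sample lines follow the thread's capture, the ssh and 8080 flows are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how the server answered each TCP SYN in
# tethereal/tshark one-line summaries read from stdin.
# Assumed line layout (as in the thread's capture):
#   time src -> dst TCP sport > dport [FLAGS] ...
classify_handshakes() {
  awk '
    $3 == "->" && $5 == "TCP" {
      # Pull the flag list out of the first [...] on the line.
      i = index($0, "["); j = index($0, "]")
      if (i == 0 || j < i) next
      flags = substr($0, i + 1, j - i - 1)
      if (flags == "SYN") {
        key = $2 ":" $6 " " $4 ":" $8
        # Retransmitted SYNs reuse the same key and are counted once.
        if (!(key in state)) { order[++n] = key; state[key] = "no-reply" }
      } else if (flags == "SYN, ACK" || flags == "RST, ACK" || flags == "RST") {
        # Replies travel the other way, so swap the endpoints.
        key = $4 ":" $8 " " $2 ":" $6
        if ((key in state) && state[key] == "no-reply")
          state[key] = (flags == "SYN, ACK") ? "accepted" : "refused"
      }
    }
    END { for (k = 1; k <= n; k++) print order[k], state[order[k]] }
  '
}

# Sample input: lines 1-3 and the SNMP line match the thread's capture;
# the ssh and 8080 flows are constructed to show the other two outcomes.
sample_capture() {
  cat <<'EOF'
0.000000 192.168.1.1 -> 192.168.1.100 TCP 2913 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
0.002655 192.168.1.100 -> 192.168.1.1 TCP http > 2913 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
0.473825 192.168.1.1 -> 192.168.1.100 TCP 2913 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
1.100000 192.168.1.1 -> 192.168.1.100 TCP 3001 > ssh [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
1.100400 192.168.1.100 -> 192.168.1.1 TCP ssh > 3001 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
1.500000 192.168.1.1 -> 192.168.1.100 TCP 3002 > 8080 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
2.088163 192.168.1.1 -> 192.168.1.255 SNMP TRAP-V1 SNMPv2-SMI::enterprises.3955.1.1.0
EOF
}

sample_capture | classify_handshakes
```

A "refused" flow means the Linux host itself answered with RST, which is what the kernel does when nothing is listening on that address and port or when a rule rejects with a TCP reset; "no-reply" points instead at a silent drop somewhere on the path.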
 
Old 08-30-2004, 09:10 PM   #15
retinaburn
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by angrybeaver
interesting dump. your linux box is sending back RST packets to the client (RFC 793) - are you sure you don't have any filters running? it could be tcpwrappers (/etc/hosts.deny or /etc/hosts.allow), a stray ipchains, iptables or ipf rule, or an ACL perhaps in your apache config ...

you could always put your linksys into bridging mode and run it that way - take port forwarding/NAT etc out of the equation. may not be practical depending on your setup.
both hosts.deny and hosts.allow are empty. ip tables is empty, it doesn't look like I have ipchains installed.

ipf doesn't seem to be supported by the newer kernels, and it doesn't look like it's installed.
As for ACL I haven't changed anything from the default, I did not find any .htaccess files, or .acl files on my system.

As far as using port 80 on the router side, it produces the same result posted above as using a different external port and forwarding it to port 80 on the linux box (accessing via http://externalip:externalport )

I tried using the DMZ option, and got the same RST result.
8.557715 192.168.1.1 -> 192.168.1.100 TCP 4746 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
8.557935 192.168.1.100 -> 192.168.1.1 TCP http > 4746 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0

I could try rebooting and seeing if it fixes anything, something is seriously messed up. What's strange is I often run bittorrent, which also use ports forwarded from the router, and it works fine, I am going to double check those results again though.

Any further ideas?
 
  

