OpenWrt Forum Archive

i want to verify that my firewall.user script is correct.
i am using kamikaze 7.06 on a linksys wrt54gl

i have a static ip address from bellsouth: 74.245.250.219

2 internal linux lan nodes:
192.168.1.109
192.168.1.190

i am running lighttpd with fast-cgi on the node: 192.168.1.190 on port 80

i am unable to connect via my static address 74.245.250.219:8080

firefox can't establish a connection to the server at 74.245.250.219:8080.
( trying to port forwarding from 8080 to 80)

here is my firewall.user script

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

# The following chains are for traffic directed at the IP of the
# WAN interface

iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan

# MPW bittorrent ports
BTFADDRESS=192.168.1.190
BTPORTS="49160 49161 49162 49163 49164 49165 49166 49167 49168 49169 49170 49171 49172 49173 49174"
PORTSTART=49160
PORTEND=49300

### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router - enable - MPW
#iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
#iptables -A input_wan -p tcp --dport 22 -j ACCEPT

### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT

## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.190
iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.190:80
iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.190 -j ACCEPT

## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.190
#iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.190:8080
#iptables -A forwarding_wan -p tcp --dport 8080 -d 192.168.1.190 -j ACCEPT

### MPW forwards port 22 ssh to local address 192.168.1.109
iptables -t nat -A prerouting_wan -p tcp --dport 22 -j DNAT --to 192.168.1.109:22
iptables -A forwarding_wan -p tcp --dport 22 -d 192.168.1.109 -j ACCEPT

### MPW forwards port 25 smtp to local address 192.168.1.109
iptables -t nat -A prerouting_wan -p tcp --dport 25 -j DNAT --to 192.168.1.109:22
iptables -A forwarding_wan -p tcp --dport 25 -d 192.168.1.109 -j ACCEPT

### MPW forwards port 21 ftp to local address 192.168.1.190
iptables -t nat -A prerouting_wan -p tcp --dport 21 -j DNAT --to 192.168.1.190:21
iptables -A forwarding_wan -p tcp --dport 21 -d 192.168.1.190 -j ACCEPT
### MPW forwards port 123 ntp to local address 192.168.1.190
iptables -t nat -A prerouting_wan -p udp --dport 123 -j DNAT --to 192.168.1.190:123
iptables -A forwarding_wan -p udp --dport 123 -d 192.168.1.190 -j ACCEPT

# MPW forward ports 49160 to 49300 for torrentflux on local address 192.168.1.190
#for pt in $BTPORTS; do
# iptables -t nat -A prerouting_wan -p tcp --dport $pt -j DNAT --to $BTFADDRESS:$pt
# iptables -A forwarding_wan -s $BTFADDRESS -p tcp --dport $pt -j ACCEPT
# iptables -A forwarding_wan -p tcp --dport $pt -d $BTFADDRESS -j ACCEPT
#done
iptables -t nat -A prerouting_wan -p tcp --dport $PORTSTART:$PORTEND -j DNAT --to $BTFADDRESS
iptables -A forwarding_wan -p tcp --dport $PORTSTART:$PORTEND -d $BTFADDRESS -j ACCEPT

### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
# iptables -A forwarding_wan -d 192.168.1.2 -j ACCEPT

do the above iptables rules look correct?
is there anything special that i have to do with lighttpd to allow external connections?

-- another question: when i do route on openwrt it get the dsl modems address as
65.14.252.13 but i don't see my static ip address ?!

thanks in advance.

michael

Solved via MBM's thread:

Oh .. right .. I suppose I should explain it better:

iptables -t nat -A prerouting_rule -d x.x.x.x -p tcp --dport 80 -j DNAT --to 10.0.0.2
iptables -A forwarding_rule -p tcp --dport 80 -d 10.0.0.2 -j ACCEPT
iptables -t nat -A postrouting_rule -s 10.0.0.0/24 -p tcp --dport 80 -d 10.0.0.2 -j MASQUERADE

x.x.x.x is my external IP address; I want it so when I connect to that IP address that it gets forwarded to my internal webserver which is 10.0.0.2. The problem is this:

request: 10.0.0.x (some random lan machine) -> x.x.x.x (external ip) -> 10.0.0.2 (websever)
response: 10.0.0.2 -> 10.0.0.x

I've connected to x.x.x.x but the response came from 10.0.0.2 .. oops. To correct this, a masquerade is done using the third rule. This has the unfortunate side effect of hiding the original source address, but it does correct the issue with the response. Since this only applies to machines on the lan subnet, I've added a -s; this allows proper logging of requests from outside the lan.

michael