OpenWrt Forum Archive

Topic: locally yes, externally not

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

http://communa.ath.cx:8080/

that's the DDNS to my OpenWrt's IP address; I can see the /www when I'm on a local computer, but when trying to access it from the outside the server just doesn't deliver.

my httpd looks like this:

httpd -h /www -p 8080 -r WRT54G Router

but i also have lighttp running:

  422 root        408 S   udhcpc -i vlan1 -b -p /var/run/vlan1.pid -R
  457 nobody      440 S   dnsmasq -l /tmp/dhcp.leases -K -F 192.168.1.100,192.168.1.250,255.255.255.0,12h -I vlan1
  463 root        420 S   /usr/sbin/dropbear
  471 root        304 S   telnetd -l /bin/login
2873 root        644 R   /usr/sbin/dropbear
2874 root        548 S   -ash
3185 root        392 S   httpd -h /www -p 8080 -r WRT54G Router
3277 root        676 S   lighttpd -f lighttpd.conf
3302 root        384 R   ps -aux

(actually I don't know why telnet is still there, since I have rebooted and it's supposed to be disabled after the password-change thing)


some of my nvram settings look like this:

wan_unit=0
wan_run_mtu=1500
wan_lease=86400
lan_netmask=255.255.255.0
vlan2hwname=et0
wan_proto=dhcp
wan_hwaddr=00:0C:41:BD:DD:52
lan_ifnames=vlan2 eth2
wan_get=dns
wan_ifnames=vlan1
lan_ipaddr=192.168.1.1
lan_proto=static
vlan1hwname=et0
lan_ifname=br0
wan_primary=1
wan_gateway_buf=0.0.0.0
wan_iface=vlan1
wan_mtu=1500
wan_ifname=vlan1


as said at the beginning, this is OpenWrt (White Russian RC3) on a v1.1 AP, using a DynDNS name that pings but does not serve /www to external requests, only to local ones.

thanks in advance for any clue

/a

Put this in your /etc/firewall.user:

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 8080 -j ACCEPT

Void Main, that file is a read-only file; even if I follow the link into /rom it's read-only and doesn't allow me to change it.

"/rom/etc/firewall.user" [Read only] [modified] line 28 of 28 --100%--

this is what it shows, though:

-rwxr-x---    1 root     root          993 Aug 13  2005 /rom/etc/firewall.user



any way around this?

merci
/a

# rm /etc/firewall.user
# cp /rom/etc/firewall.user /etc
# vi /etc/firewall.user

Void Main, thanks

I made the changes, but still no one outside of my local network can see my /www pages.

this is what my /etc/firewall.user looks like:


root@OpenWrt:~# less /etc/firewall.user
#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

### BIG FAT DISCLAIMER
### The "-i $WAN" literally means packets that came in over the $WAN interface;
### this WILL NOT MATCH packets sent from the LAN to the WAN address.

### Allow the web server on TCP port 8080 on the WAN interface
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 8080 -j ACCEPT

### Port forwarding
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
# iptables        -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT

### DMZ (should be placed after port forwarding / accept rules)
# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
# iptables        -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT


from the outside world you can do this:

ping communa.ath.cx
PING communa.ath.cx (84.72.178.125): 56 data bytes
64 bytes from 84.72.178.125: icmp_seq=0 ttl=61 time=22.486 ms
64 bytes from 84.72.178.125: icmp_seq=1 ttl=61 time=17.141 ms


so, any other hint appreciated.
/a

alej00d wrote:

### BIG FAT DISCLAIMER
### The "-i $WAN" literally means packets that came in over the $WAN interface;
### this WILL NOT MATCH packets sent from the LAN to the WAN address.

I assume you rebooted? If not then can you post the output of a "netstat -an | grep 8080" and post a copy of your /etc/lighttpd.conf? It certainly doesn't seem to be listening on 8080 on your WAN interface:

$ nmap communa.ath.cx

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-11-14 12:07 CST
Interesting ports on 84-72-178-125.dclient.hispeed.ch (84.72.178.125):
(The 1660 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524

Nmap finished: 1 IP address (1 host up) scanned in 19.637 seconds

solved; it was a matter of having the same port selected in /etc/lighttpd.conf and /etc/firewall.user
thanks again,
/a
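The fix that closed the thread (and the rules Void Main gave earlier) come down to one invariant: the port lighttpd listens on must be the same port that the `input_rule` chain accepts on `-i $WAN`. Below is an added example, not from this thread or from the OpenWrt project, that checks that invariant against a lighttpd.conf and a firewall.user. It assumes the White Russian layout shown above (`server.port` in lighttpd.conf, `iptables -A input_rule -i $WAN ... --dport N -j ACCEPT` lines in firewall.user) and takes the file paths as arguments so it can be tried on constructed sample files.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the port lighttpd listens on
# is the one /etc/firewall.user opens on the WAN interface.
# Assumption: lighttpd.conf uses "server.port = N" (default 80 when absent) and
# firewall.user uses the White Russian "-A input_rule -i $WAN ... --dport N -j ACCEPT" form.

# Print the port from a lighttpd.conf; lighttpd defaults to 80 when server.port is unset.
lighttpd_port() {
    port=$(sed -n 's/^[[:space:]]*server\.port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$port" ] && echo "$port" || echo 80
}

# Print every TCP port that an active (uncommented) input_rule ACCEPT line opens on -i $WAN.
firewall_wan_ports() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep -- '-A input_rule' | grep -- '-i \$WAN' | grep -- '-j ACCEPT' \
      | sed -n 's/.*--dport[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Exit status 0 when the lighttpd port is accepted on the WAN, 1 when it is not.
ports_match() {
    want=$(lighttpd_port "$1")
    for p in $(firewall_wan_ports "$2"); do
        [ "$p" = "$want" ] && return 0
    done
    return 1
}

# Demonstration on constructed sample files (these are not the poster's real files).
demo() {
    tmp=$(mktemp -d)
    printf 'server.port = 8080\n' > "$tmp/lighttpd.conf"
    printf '#!/bin/sh\nWAN=$(nvram get wan_ifname)\n' > "$tmp/firewall.user"
    printf 'iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j ACCEPT\n' >> "$tmp/firewall.user"
    printf 'iptables        -A input_rule      -i $WAN -p tcp --dport 8080 -j ACCEPT\n' >> "$tmp/firewall.user"
    if ports_match "$tmp/lighttpd.conf" "$tmp/firewall.user"; then
        echo "ok: lighttpd port $(lighttpd_port "$tmp/lighttpd.conf") is open on the WAN"
    else
        echo "mismatch: lighttpd listens on $(lighttpd_port "$tmp/lighttpd.conf"), WAN accepts: $(firewall_wan_ports "$tmp/firewall.user")"
    fi
    rm -rf "$tmp"
}

demo
```

Only `input_rule` is inspected because that is the chain that has to accept traffic destined for the router itself; the `prerouting_rule` line in the thread's answer matters for NAT but does not by itself let a packet reach lighttpd. Commented-out lines are skipped, so a rule left behind a `#` (as in the port-forwarding template) does not count as open.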
