OpenWrt Forum Archive

Topic: Problem on port forwarding (HTTP)

The content of this topic has been archived on 18 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I've a little problem with my port forwarding on port 80 (WR RC4).
I've checked WAN access on port 80 with httpd running on the router, and it reaches the OpenWrt admin console on RC4.
After that, I've reset httpd to port 8080 for internal network use, so port 80 is free for forwarding from the WAN.
I've set the port forwarding rule in /etc/firewall.user like this.

# HTTP Server
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.100.20
iptables        -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.100.20 -j ACCEPT

My internal network is 192.168.100.0, the router is 192.168.100.254 and the http server is 192.168.100.20. DMZ is on 192.168.100.1 (the last rule).
I restart /etc/init.d/S45firewall and see this in the iptables -n -L list.

Chain forwarding_rule (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.20      tcp dpt:80

But it doesn't work. All access from the WAN ends with this.

==========
The following error was encountered:

    * Connection Failed

The system returned:

    (111) Connection refused

The remote host or network may be down. Please try the request again.
==========

The routing to my WAN IP works; I've checked it with my old D-Link DI-624+ and the same port forwarding. On that router, all forwarding works.

What's going wrong on my OpenWrt?

Are you sure that there are no ^M in your script?  Try and edit the script like this:

vim /etc/firewall.user

Once in vim, use the "a" key to enter editing mode, then type "esc" and ":wq" to save and quit, or just ":q!" to quit without saving.

-Duffin

I'm sorry, but...

I've been working on Linux for ~8 years, and I work all day with vi(m) on Linux, and on SunOS / Solaris and AIX in my practical training at Motorola. I think I can handle the work with vi(m) and ex. I'm not a professional developer, but I know a little bit of what I'm doing. ;)


But I can't handle the problem with the port forwarding. In my opinion the settings are all right. That's the problem. :)

Forgive me for having given too simplistic an explanation, I didn't mean to offend you. Have you checked your "input_rule" chain? You said that the http port was available from the WAN when you were running the httpd on the wrt. This leads me to believe that the port is still being routed to the local router before it gets to the rule about forwarding. If this is not the case, then can you please give the entire output of the following commands?

iptables -L
iptables -L -t nat

-Duffin

Can you post the output of

tcpdump -i vlan1 -n port 80

and

tcpdump -i br0 -n port 80

while trying to access the webserver from the WAN. Might make it easier to see what's going on.

Ok, I've checked this:

iptables -L

root@OpenWrt:~# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp option=!2 flags:0x02/0x02
input_rule  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
forwarding_rule  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
output_rule  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain forwarding_rule (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.20      tcp dpts:6881:6999
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.20      tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.20      tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.20      tcp dpts:20:21
ACCEPT     udp  --  0.0.0.0/0            192.168.100.20      udp dpts:20:21
ACCEPT     all  --  0.0.0.0/0            192.168.100.1

Chain input_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

iptables -L -n -t nat

root@OpenWrt:~# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
prerouting_rule  all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
postrouting_rule  all  --  0.0.0.0/0            0.0.0.0/0
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain postrouting_rule (1 references)
target     prot opt source               destination

Chain prerouting_rule (1 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:6881:6999 to:192.168.100.20
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.100.20:80
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:192.168.100.20
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21 to:192.168.100.20
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:20:21 to:192.168.100.20
DNAT       all  --  0.0.0.0/0            0.0.0.0/0           to:192.168.100.1

I always check with tcpdump -n -q -i ppp0 for my PPPoE connection and access.

Output of tcpdump -n -i vlan1 port 80 = no tcpdump output while connecting to my IP with the browser.

Next... tcpdump -n -i br0 port 80

root@OpenWrt:~# tcpdump -n -i br0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
00:19:07.481570 IP 192.168.100.20.2009 > 84.163.197.6.80: S 2179787900:2179787900(0) win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
00:19:07.482157 IP 84.163.197.6.80 > 192.168.100.20.2009: R 0:0(0) ack 2179787901 win 0
00:19:07.948149 IP 192.168.100.20.2009 > 84.163.197.6.80: S 2179787900:2179787900(0) win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
00:19:07.948725 IP 84.163.197.6.80 > 192.168.100.20.2009: R 0:0(0) ack 1 win 0
00:19:08.385686 IP 192.168.100.20.2009 > 84.163.197.6.80: S 2179787900:2179787900(0) win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
00:19:08.386272 IP 84.163.197.6.80 > 192.168.100.20.2009: R 0:0(0) ack 1 win 0

Hmm... I see... the redirect goes to 192.168.100.20:2009 and not to 192.168.100.20:80??? Or am I wrong?
What's wrong with my settings?

Thanks for help!


/edit
I've added a little something to /etc/firewall.user:

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 80 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 80 -j ACCEPT

===========================================================

Chain input_rule (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

===========================================================

Chain prerouting_rule (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

But it doesn't fix the problem. :(

(Last edited by grw on 16 Dec 2005, 16:40)
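Reading the br0 capture above: the SYNs are sent by the LAN host 192.168.100.20 itself to the router's public address 84.163.197.6, the RSTs come straight back from that public address, and vlan1 sees nothing. That pattern means the router answered the connection locally rather than forwarding it, which is what happens when the DNAT rule only matches "-i $WAN" and the packet arrived on the LAN side. The script below is an added example, not something from the thread or from OpenWrt: it parses tcpdump -n lines in the format shown, counts LAN-to-public-address SYNs and the RSTs the public address answers with, and prints a verdict. The two capture lines are constructed from the output above; the LAN prefix and public address are passed as arguments.

```shell
#!/bin/sh
# Added example: classify a tcpdump capture of a LAN host talking to the
# router's own public address. Not part of the thread's own configuration.

# Constructed sample: two lines in the format of the br0 capture above
# (a SYN from the LAN host to the public address, answered by a RST).
SAMPLE_CAPTURE='00:19:07.481570 IP 192.168.100.20.2009 > 84.163.197.6.80: S 2179787900:2179787900(0) win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
00:19:07.482157 IP 84.163.197.6.80 > 192.168.100.20.2009: R 0:0(0) ack 2179787901 win 0'

# classify_capture LAN_PREFIX PUBLIC_IP   (reads tcpdump -n lines on stdin)
# Prints one of:
#   hairpin-refused     LAN SYNs to PUBLIC_IP were answered with RST from PUBLIC_IP,
#                       i.e. the router itself refused them (no DNAT was applied)
#   hairpin-unanswered  LAN SYNs to PUBLIC_IP seen, but no RST from PUBLIC_IP
#   no-hairpin-traffic  no LAN host tried to reach PUBLIC_IP in this capture
classify_capture() {
    awk -v lan="$1" -v pub="$2" '
        # tcpdump -n line layout: <time> IP <src.port> > <dst.port>: <flags> ...
        $2 == "IP" && $4 == ">" {
            shost = $3; sub(/\.[0-9]+$/, "", shost)                       # drop source port
            dhost = $5; sub(/:$/, "", dhost); sub(/\.[0-9]+$/, "", dhost) # drop ":" and dest port
            if (index(shost, lan) == 1 && dhost == pub && $6 == "S") syn++
            if (shost == pub && index(dhost, lan) == 1 && $6 == "R") rst++
        }
        END {
            if (syn > 0 && rst >= syn) print "hairpin-refused"
            else if (syn > 0)          print "hairpin-unanswered"
            else                       print "no-hairpin-traffic"
        }'
}

# Usage: run the check on the constructed sample (prints "hairpin-refused").
printf '%s\n' "$SAMPLE_CAPTURE" | classify_capture 192.168.100. 84.163.197.6
```

To use it on a live box, pipe the capture in: `tcpdump -n -i br0 port 80 | classify_capture 192.168.100. <public ip>`. A "hairpin-refused" verdict while the WAN-side capture stays empty points at the rule set, not at the server; a capture taken from a genuinely external client is the only way to test the WAN-side forward itself.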

It might be easier to set up the webserver in a DMZ VLAN. You can find a reference in this thread: http://forum.openwrt.org/viewtopic.php?id=2438

I think the "MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0" rule is causing problems forwarding the port 80 traffic, but I could be wrong.

firewall.user wrote:

### BIG FAT DISCLAIMER
### The "-i $WAN" literally means packets that came in over the $WAN interface;
### this WILL NOT MATCH packets sent from the LAN to the WAN address.

see mistake #3

Ok, mbm, I know what you mean, but this setting

# HTTP Server
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.100.20
iptables        -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.100.20 -j ACCEPT

should redirect access from the internet (WAN) to my router on port 80 to 192.168.100.20, if I'm not mistaken.
Or, if I disable this, all access should go to my DMZ (set in the last entry to 192.168.100.1).

### DMZ (should be placed after port forwarding / accept rules)
iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.100.1
iptables        -A forwarding_rule -i $WAN -d 192.168.100.1 -j ACCEPT

So, test it... can you access it? Please test http://grw.homelinux.org/ . There's an Apache running on my DMZ for testing. A friend of mine can't access it from outside.
Or am I completely wrong? I'm confused. Must I always use -d x.x.x.x for my PPPoE connection?

(Last edited by grw on 16 Dec 2005, 21:46)

I see the apache test page

Yes, now it works, and hopefully it stays that way.

I've changed something in /etc/firewall.user and something on my DMZ, and checked it with port scans from the internet (external server).
I don't know what was really going wrong, but now it goes to the right server IP.

Thanks for the help!

BTW:
The nvram wan_ipaddr is not set correctly on PPPoE up, so I've put some code in the /etc/ppp/ip-up script to do this.

(Last edited by grw on 17 Dec 2005, 18:02)

mbm wrote:
firewall.user wrote:

### BIG FAT DISCLAIMER
### The "-i $WAN" literally means packets that came in over the $WAN interface;
### this WILL NOT MATCH packets sent from the LAN to the WAN address.

see mistake #3

I'm having the same problem here, and I do understand what the disclaimer is saying, but is there any way around this?

Before I was using OpenWRT (using either the default firmware or HyperWRT) I was able to access my lan servers from a lan PC by using either the local LAN hostname (e.g. "server1" or the FQDN "yellow.mydomain.com").  Now, I am not able to access using FQDN.  I realize that this is because when I use the FQDN it is using the internet IP address vs. my local private address.

This is kind of annoying for me, as I like to always use my FQDNs, but it poses more of a problem because I use host headers on some websites. This means that when I hit my webserver using just the hostname or the IP address, I will not get the proper page, because the FQDN (www2.mydomain.com) is nowhere in the requesting packet, so the webserver does not know how to route it to the appropriate website. In short, there isn't a way then for me to access my websites properly internally.

So, in short, is there a way to allow me to use the FQDN, either by matching packets sent from the LAN to the WAN, or somehow remapping all my outgoing DNS requests for my FQDNs to return my internal IP? I know I could probably make a hosts file, or even use static DNS entries, but this seems like a cheap workaround.

Thanks
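The thread's two rules forward only packets that arrived on the WAN interface, which is exactly what mbm's disclaimer says. The usual way to also reach the server from the LAN by its public address (the "NAT loopback" or hairpin the last post asks about) is a second DNAT rule that matches on the destination address instead of the inbound interface, plus a source rewrite so the server's reply returns through the router. The script below is an added example, not the thread's firewall.user and not anything shipped by OpenWrt; the interface names, the LAN values and the public address 84.163.197.6 are placeholders for the thread's setup (on a PPPoE link the public address changes, which is why the poster fills it in from /etc/ppp/ip-up). It prints the rules by default and applies them only when run with "apply".

```shell
#!/bin/sh
# Added example of port forwarding plus NAT loopback for OpenWrt-style
# /etc/firewall.user chains (prerouting_rule, postrouting_rule, forwarding_rule).
# Not the thread's own configuration; every value below is a placeholder.

IPT="${IPT:-iptables}"     # set IPT=echo to see the rules without applying them

# Placeholder values for the thread's setup (assumed, not from the page):
WAN_IF=ppp0                # PPPoE interface carrying the public address
LAN_IF=br0                 # LAN bridge
WAN_IP=84.163.197.6        # public address (on PPPoE, fill it in from /etc/ppp/ip-up)
LAN_NET=192.168.100.0/24
SERVER=192.168.100.20
PORT=80

# port_forward WAN_IF LAN_IF WAN_IP LAN_NET SERVER PORT
port_forward() {
    wan_if=$1; lan_if=$2; wan_ip=$3; lan_net=$4; server=$5; port=$6

    # 1. Internet -> server. Same as the thread's rules: "-i $WAN" only ever
    #    matches packets that came in on the WAN interface.
    $IPT -t nat -A prerouting_rule -i "$wan_if" -p tcp --dport "$port" \
        -j DNAT --to-destination "$server:$port"
    $IPT -A forwarding_rule -i "$wan_if" -p tcp --dport "$port" -d "$server" -j ACCEPT

    # 2. LAN -> public address (hairpin). Match on the destination address,
    #    not the inbound interface, so a LAN client hitting WAN_IP is DNATed too.
    $IPT -t nat -A prerouting_rule -i "$lan_if" -s "$lan_net" -d "$wan_ip" \
        -p tcp --dport "$port" -j DNAT --to-destination "$server:$port"

    # 3. Rewrite the source of those hairpinned packets to the router's LAN
    #    address. Without this the server answers the client directly from
    #    SERVER's address; the client only ever talked to WAN_IP, so its TCP
    #    stack does not recognise that reply and resets the connection.
    $IPT -t nat -A postrouting_rule -o "$lan_if" -s "$lan_net" -d "$server" \
        -p tcp --dport "$port" -j MASQUERADE

    # 4. Let the hairpinned flow through FORWARD (it enters and leaves on LAN_IF).
    $IPT -A forwarding_rule -i "$lan_if" -o "$lan_if" -d "$server" \
        -p tcp --dport "$port" -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    port_forward "$WAN_IF" "$LAN_IF" "$WAN_IP" "$LAN_NET" "$SERVER" "$PORT"
else
    # Dry run: print the five rules that "apply" would install.
    IPT=echo
    port_forward "$WAN_IF" "$LAN_IF" "$WAN_IP" "$LAN_NET" "$SERVER" "$PORT"
fi
```

Two things to keep in mind: these rules belong before the DMZ catch-all at the end of the file, as the thread's own "### DMZ" comment says, because prerouting_rule is walked in order and the first DNAT match wins; and the MASQUERADE in step 3 makes every hairpinned connection appear in the server's logs with the router's LAN address instead of the real client, so for auditing purposes the hosts-file or split-DNS approach the last poster mentions keeps the client address intact, at the cost of a second place to maintain names.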

The discussion might have continued from here.