Hi all, I'm still having a problem with port forwarding packets to the internal web server... I am on a Cox network that supposedly blocks packets coming inward via port 80. I've set up an account with DynDNS that forwards packets directed at http://www.cybersampson.com to http://www2.cybersampson.com:8080. I am getting an error message that essentially says "connection request refused".
Here is the data for analysis: Running DCD 1.02 on a system with 2 NICs.

NETWORK.CONF
<snip>
# Traffic to completely ignore...define here to prevent filling your logs
# Space separated list: protocol_srcip[/mask][_dstport]
#SILENT_DENY="udp_207.235.84.1_route udp_207.235.84.0/24_37"
SILENT_DENY="udp_10.8.238.1_68 tcp_10.8.238.1_68 icmp_192.168.100.1_65535"

# Extra rule scripts added by Charles Steinkuehler to more easily support
# non-standard extensions of the pre-configured ipchains rules
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output

# ICMP types to open
# Indexed list: "SrcAddr/Mask type [ DestAddr[/DestMask] ]"
#EXTERN_ICMP_PORT0="0/0 : 1.1.1.12"

## UDP Services open to outside world
# Space separated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
# EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"
EXTERN_UDP_PORTS="0/0_bootpc"
# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_UDP_PORT0="0/0 domain"
#EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12"

# TCP services open to outside world
# Space separated list: srcip/mask_dstport
#EXTERN_TCP_PORTS="216.70.236.234/29_ssh 0/0_www 0/0_1023 0/0_8080"
# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
#EXTERN_TCP_PORT1="0/0 www"
EXTERN_TCP_PORT0="216.70.236.236/29 ssh"
EXTERN_TCP_PORT1="0/0 www"
EXTERN_TCP_PORT2="0/0 8080"
#EXTERN_TCP_PORT3="0/0 8080"

# Generic Services open to outside world
# Space separated list: protocol_srcip/mask_dstport
#EXTERN_PORTS="50_5.6.7.8 51_5.6.7.8"
# -or-
# Indexed list: "Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]"
#EXTERN_PROTO0="50 5.6.7.8/32"
#EXTERN_PROTO1="51 5.6.7.8/32"
#EXTERN_PROTO0="8080 0/0 192.168.1.1/32"

##############################################################################
#
# Port Forwarding
##############################################################################
#
# Remember to open appropriate holes in the firewall rules, above
# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
# <protocol>_<local-ip>_<local-port>_<remote-ip>_<remote-port>
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.200_ftp tcp_${EXTERN_IP}_smtp_19
#INTERN_SERVERS="tcp_${EXTERN_IP}_8080_192.168.1.200_80"

# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.200 # Internal FTP server to make available
INTERN_WWW_SERVER=192.168.1.200 # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.200 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.200 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.200 # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.200 # Internal SSH server to make available
#EXTERN_SSH_PORT=24 # External port to use for internal SSH

# Advanced settings: parameters passed directly to portfw and autofw
# Indexed list: "<ipmasqadm portfw options>"
#INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
INTERN_SERVER0="tcp ${EXTERN_IP} 8080 192.168.1.200 80"
# Indexed list: "<ipmasqadm autofw options>"
#INTERN_AUTOFW0="-A -r tcp 20000 20050 -h 192.168.1.1"
#INTERN_AUTOFW0="-A -r tcp 8080 -h 192.168.1.200"

##############################################################################
#
# DMZ setup (optional)
##############################################################################
#
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
DMZ_SWITCH=NO
DMZ_IF="eth2"
DMZ_NET=192.168.2.0/24
# DMZ switches for all flavors except PRIVATE
</snip>

# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
68.7.204.0      0.0.0.0         255.255.252.0   U         0 0          0 eth0
0.0.0.0         68.7.204.1      0.0.0.0         UG        0 0          0 eth0

# netstat -nre
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
68.7.204.0      0.0.0.0         255.255.252.0   U     0      0        0 eth0
0.0.0.0         68.7.204.1      0.0.0.0         UG    0      0        0 eth0

# ip addr show
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:fd:0e:00:e0:d7 brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:97:78:8c:16 brd ff:ff:ff:ff:ff:ff
    inet 68.7.207.164/22 brd 68.7.207.255 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:f4:2a:f3:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1

# ip route show
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
68.7.204.0/22 dev eth0  proto kernel  scope link  src 68.7.207.164
default via 68.7.204.1 dev eth0

# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.254:22        192.168.1.2:2435        ESTABLISHED
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1023            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     41088  /dev/log
unix  1      [ ]         STREAM     CONNECTED     1806   @00000001
unix  1      [ ]         STREAM     CONNECTED     1825   @00000005
unix  1      [ ]         STREAM     CONNECTED     3070   @00000039
unix  1      [ ]         STREAM     CONNECTED     3071   /dev/log
unix  1      [ ]         STREAM     CONNECTED     1826   /dev/log
unix  1      [ ]         STREAM     CONNECTED     1807   /dev/log

# ipchains -L -n -v
Chain input (policy DENY: 20 packets, 5484 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
409 136K DENY udp ------ 0xFF 0x00 eth0 10.8.238.1 0.0.0.0/0 * -> 68
0 0 DENY tcp ------ 0xFF 0x00 eth0 10.8.238.1 0.0.0.0/0 * -> 68
0 0 DENY icmp ------ 0xFF 0x00 eth0 192.168.100.1 0.0.0.0/0 * -> 65535
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 5 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 13 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 14 -> *
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 224.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 172.16.0.0/12 0.0.0.0/0 n/a
11 308 DENY all ----l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.168.1.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 68.7.207.164 0.0.0.0/0 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0 0.0.0.0/0 127.0.0.0/8 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0 0.0.0.0/0 192.168.1.0/24 n/a
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138:139
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:138 -> *
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:139 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 216.70.236.232/29 68.7.207.164 * -> 22
0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 68.7.207.164 * -> 80
0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 68.7.207.164 * -> 8080
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 113
2755 1317K ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
0 0 REJECT udp ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 161:162
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 68
0 0 DENY udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 67
204 62912 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
0 0 ACCEPT icmp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 ACCEPT ospf ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
0 0 REJECT udp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 161:162
0 0 REJECT udp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 161:162 -> *
7687 654K ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 5 -> *
2630 226K MASQ all ------ 0xFF 0x00 eth0 192.168.1.0/24 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain output (policy DENY: 24 packets, 3776 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
10993 4815K fairq all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 224.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 172.16.0.0/12 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth0 192.168.1.0/24 0.0.0.0/0 n/a
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138:139
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:138 -> *
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:139 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
10993 4815K ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain fairq (1 references):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 RETURN ospf ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 n/a
0 0 RETURN ospf ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 n/a
0 0 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 520
0 0 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 520 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 179
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 179 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 53
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 53 -> *
188 11629 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 53
42 4980 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 53 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 * -> 23
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 23 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 * -> 22
5153 3203K RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 22 -> *

I've verified that the web server is running at port 80 by running SuperScan against it from inside the router and also running a browser that displays home page data as expected. I put in a PTR record in the private DNS file so that browsers inside the private network can resolve to the web server. I've pinged www.cybersampson.com from outside the router and it resolves correctly to the right IP address that is assigned by Cox to the external interface. Somehow the HTTP request dies at the external interface (or somewhere inside the router) and I'm not sure why... I'm hoping the above data will help us decipher what is going on with port 8080. If more data is needed, please do let me know and I'll get it out asap.

Thanks!
~Doug

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
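An added diagnostic for reading listings like the one in this post; it is not code from the original message or from the LEAF/Dachstein project. It replays a packet against the text of an `ipchains -L -n -v` chain and reports the first rule that matches, so a zero-counter ACCEPT (like the 8080 rule above) can be checked against the rules ahead of it in the chain. It assumes the verbose column layout shown above; the embedded chain is a constructed, abridged copy of the post's input chain.

```python
"""Replay an inbound packet against the text of an `ipchains -L -n -v` chain.
Added example: parses the verbose columns ipchains prints and returns the
first matching rule, so rule order and zero counters can be reasoned about."""
import ipaddress

# Constructed, abridged copy of the input chain from the post (counters kept).
INPUT_CHAIN = """\
409 136K DENY udp ------ 0xFF 0x00 eth0 10.8.238.1 0.0.0.0/0 * -> 68
11 308 DENY all ----l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 68.7.207.164 * -> 80
0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 68.7.207.164 * -> 8080
2755 1317K ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
7687 654K ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
"""

def _net(text):
    # ipchains prints a bare address for a single host and addr/len otherwise.
    return ipaddress.ip_network(text if "/" in text else text + "/32", strict=False)

def parse_rule(line):
    """Split one verbose row; 'mark' and 'outsize' are printed only when set."""
    tok = line.split()
    pkts, _size, target, prot, _opt, _tosa, _tosx, ifname = tok[:8]
    rest = tok[8:]
    if rest[0].startswith("0x"):   # optional mark column (0x1 in the fairq chain)
        rest = rest[1:]
    if rest[0].isdigit():          # optional outsize column; addresses contain dots
        rest = rest[1:]
    src, dst, ports = rest[0], rest[1], rest[2:]
    # ports is "n/a" for port-less protocols, otherwise "sport -> dport"
    dport = None if ports == ["n/a"] else ports[2]
    return {"pkts": pkts, "target": target, "prot": prot, "ifname": ifname,
            "src": _net(src), "dst": _net(dst), "dport": dport}

def _port_ok(spec, port):
    if spec in (None, "*"):
        return True
    lo, _, hi = spec.partition(":")   # single port or lo:hi range
    return int(lo) <= port <= int(hi or lo)

def first_match(chain_text, prot, ifname, src, dst, dport):
    """Return (1-based rule number, parsed rule) of the first match, or None."""
    for n, line in enumerate(chain_text.splitlines(), 1):
        r = parse_rule(line)
        if (r["prot"] in ("all", prot) and r["ifname"] in ("*", ifname)
                and ipaddress.ip_address(src) in r["src"]
                and ipaddress.ip_address(dst) in r["dst"]
                and _port_ok(r["dport"], dport)):
            return n, r
    return None
```

Feeding the real chain text from the listing above instead of the abridged copy gives the same kind of answer for the whole ruleset, and a rule that matches but still shows 0 pkts means the traffic never reached the input chain on that interface.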