Hi all,

I'm still having a problem with port forwarding packets to the internal web
server...  I am on a Cox network that supposedly blocks packets coming inward
via port 80.  I've set up an account with DynDNS that forwards packets
directed at http://www.cybersampson.com to http://www2.cybersampson.com:8080.
I am getting an error message that essentially says "connection request
refused".

Here is the data for analysis:

Running DCD 1.02 on a system with 2 NICs.

NETWORK.CONF

<snip>

# Traffic to completely ignore...define here to prevent filling your logs
# Space seperated list: protocol_srcip[/mask][_dstport]
#SILENT_DENY="udp_207.235.84.1_route udp_207.235.84.0/24_37"
SILENT_DENY="udp_10.8.238.1_68 tcp_10.8.238.1_68 icmp_192.168.100.1_65535"

# Extra rule scripts added by Charles Steinkuehler to more easily support
# non-standard extentions of the pre-configured ipchains rules
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output

# ICMP types to open
# Indexed list: "SrcAddr/Mask type [ DestAddr[/DestMask] ]"
#EXTERN_ICMP_PORT0="0/0 : 1.1.1.12"

## UDP Services open to outside world
# Space seperated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
# EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"
EXTERN_UDP_PORTS="0/0_bootpc"

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_UDP_PORT0="0/0 domain"
#EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12"

# TCP services open to outside world
# Space seperated list: srcip/mask_dstport
#EXTERN_TCP_PORTS="216.70.236.234/29_ssh 0/0_www 0/0_1023 0/0_8080"

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
#EXTERN_TCP_PORT1="0/0 www"
EXTERN_TCP_PORT0="216.70.236.236/29 ssh"
EXTERN_TCP_PORT1="0/0 www"
EXTERN_TCP_PORT2="0/0 8080"
#EXTERN_TCP_PORT3="0/0 8080"

# Generic Services open to outside world
# Space seperated list: protocol_srcip/mask_dstport
#EXTERN_PORTS="50_5.6.7.8 51_5.6.7.8"

# -or-
# Indexed list: "Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]"
#EXTERN_PROTO0="50 5.6.7.8/32"
#EXTERN_PROTO1="51 5.6.7.8/32"
#EXTERN_PROTO0="8080 0/0 192.168.1.1/32"

##############################################################################
#
# Port Forwarding
##############################################################################
#
# Remember to open appropriate holes in the firewall rules, above

# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
#       <protocol>_<local-ip>_<local-port>_<remote-ip>_<remote-port>
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.200_ftp
tcp_${EXTERN_IP}_smtp_19
#INTERN_SERVERS="tcp_${EXTERN_IP}_8080_192.168.1.200_80"

# These lines use the primary external IP address...if you need to
port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.200        # Internal FTP server to make
available
INTERN_WWW_SERVER=192.168.1.200         # Internal WWW server to make
available
#INTERN_SMTP_SERVER=192.168.1.200       # Internal SMTP server to make
available
#INTERN_POP3_SERVER=192.168.1.200       # Internal POP3 server to make
available
#INTERN_IMAP_SERVER=192.168.1.200       # Internal IMAP server to make
available
#INTERN_SSH_SERVER=192.168.1.200        # Internal SSH server to make
available
#EXTERN_SSH_PORT=24                     # External port to use for internal
SSH

# Advanced settings: parameters passed directly to portfw and autofw
# Indexed list: "<ipmasqadm portfw options>"
#INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
INTERN_SERVER0="tcp ${EXTERN_IP} 8080 192.168.1.200 80"
# Indexed list: "<ipmasqadm autofw options>"
#INTERN_AUTOFW0="-A -r tcp 20000 20050 -h 192.168.1.1"
#INTERN_AUTOFW0="-A -r tcp 8080 -h 192.168.1.200"

##############################################################################
#
# DMZ setup (optional)
##############################################################################
#
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
DMZ_SWITCH=NO
DMZ_IF="eth2"
DMZ_NET=192.168.2.0/24

# DMZ switches for all flavors except PRIVATE

</snip>


# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
68.7.204.0      0.0.0.0         255.255.252.0   U         0 0          0 eth0
0.0.0.0         68.7.204.1      0.0.0.0         UG        0 0          0 eth0

# netstat -nre
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
68.7.204.0      0.0.0.0         255.255.252.0   U     0      0        0 eth0
0.0.0.0         68.7.204.1      0.0.0.0         UG    0      0        0 eth0

# ip addr show
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:fd:0e:00:e0:d7 brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:97:78:8c:16 brd ff:ff:ff:ff:ff:ff
    inet 68.7.207.164/22 brd 68.7.207.255 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:f4:2a:f3:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1

# ip route show
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
68.7.204.0/22 dev eth0  proto kernel  scope link  src 68.7.207.164
default via 68.7.204.1 dev eth0

# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.254:22        192.168.1.2:2435
ESTABLISHED
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1023            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     41088  /dev/log
unix  1      [ ]         STREAM     CONNECTED     1806   @00000001
unix  1      [ ]         STREAM     CONNECTED     1825   @00000005
unix  1      [ ]         STREAM     CONNECTED     3070   @00000039
unix  1      [ ]         STREAM     CONNECTED     3071   /dev/log
unix  1      [ ]         STREAM     CONNECTED     1826   /dev/log
unix  1      [ ]         STREAM     CONNECTED     1807   /dev/log

# ipchains -L -n -v
Chain input (policy DENY: 20 packets, 5484 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize
source                destination           ports
  409  136K DENY       udp  ------ 0xFF 0x00  eth0
10.8.238.1           0.0.0.0/0             * ->   68
    0     0 DENY       tcp  ------ 0xFF 0x00  eth0
10.8.238.1           0.0.0.0/0             * ->   68
    0     0 DENY       icmp ------ 0xFF 0x00  eth0
192.168.100.1        0.0.0.0/0             * ->   65535
    0     0 DENY       icmp ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             5 ->   *
    0     0 DENY       icmp ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             13 ->   *
    0     0 DENY       icmp ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             14 ->   *
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0              0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
255.255.255.255      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
127.0.0.0/8          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
224.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
10.0.0.0/8           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
172.16.0.0/12        0.0.0.0/0             n/a
   11   308 DENY       all  ----l- 0xFF 0x00  eth0
192.168.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0/8            0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
128.0.0.0/16         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
191.255.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
192.0.0.0/24         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
223.255.255.0/24     0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
240.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
192.168.1.0/24       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
68.7.207.164         0.0.0.0/0             n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  eth0
0.0.0.0/0            127.0.0.0/8           n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  eth0
0.0.0.0/0            192.168.1.0/24        n/a
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   137
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   135
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   137
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   135
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   138:139
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   138
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             137:138 ->   *
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             135 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             137:139 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             135 ->   *
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth0
216.70.236.232/29    68.7.207.164          * ->   22
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            68.7.207.164          * ->   80
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            68.7.207.164          * ->   8080
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   113
 2755 1317K ACCEPT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
    0     0 REJECT     udp  ----l- 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   161:162
    0     0 ACCEPT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   68
    0     0 DENY       udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   67
  204 62912 ACCEPT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
    0     0 ACCEPT     icmp ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   *
    0     0 ACCEPT     ospf ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             n/a
    0     0 REJECT     udp  ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             * ->   161:162
    0     0 REJECT     udp  ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             161:162 ->   *
 7687  654K ACCEPT     all  ------ 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize
source                destination           ports
    0     0 DENY       icmp ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             5 ->   *
 2630  226K MASQ       all  ------ 0xFF 0x00  eth0
192.168.1.0/24       0.0.0.0/0             n/a
    0     0 DENY       all  ------ 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             n/a
Chain output (policy DENY: 24 packets, 3776 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize
source                destination           ports
10993 4815K fairq      all  ------ 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0              0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
255.255.255.255      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
127.0.0.0/8          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
224.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
10.0.0.0/8           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
172.16.0.0/12        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
192.168.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0/8            0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
128.0.0.0/16         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
191.255.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
192.0.0.0/24         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
223.255.255.0/24     0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0
240.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ------ 0xFF 0x00  eth0
192.168.1.0/24       0.0.0.0/0             n/a
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   137
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   135
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   137
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   135
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   138:139
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   138
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             137:138 ->   *
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             135 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             137:139 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             135 ->   *
10993 4815K ACCEPT     all  ------ 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             n/a
Chain fairq (1 references):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize
source                destination           ports
    0     0 RETURN     ospf ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             n/a
    0     0 RETURN     ospf ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             n/a
    0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             * ->   520
    0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             520 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             * ->   179
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             179 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             * ->   53
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             53 ->   *
  188 11629 RETURN     udp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             * ->   53
   42  4980 RETURN     udp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             53 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2
0.0.0.0/0            0.0.0.0/0             * ->   23
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2
0.0.0.0/0            0.0.0.0/0             23 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2
0.0.0.0/0            0.0.0.0/0             * ->   22
 5153 3203K RETURN     tcp  ------ 0xFF 0x00  *          0x2
0.0.0.0/0            0.0.0.0/0             22 ->   *



I've verified that the web server is running at port 80 by running SuperScan
against it from inside the router and also running a browser that display home
page data as expected.  I put in a PTR record in the private DNS file so that
browsers inside the private network can resolve to the web server.

I've pinged www.cybersampson.com from outside the router and it resolves
correctly to the right IP address that is assigned by Cox to the external
interface.  Somehow the HTTP request dies at the external interface (or
somewhere inside the router) and I'm not sure why...

I'm hoping the above data will help us decipher what is going on with port
8080.  If more data is needed, please do let me know and I'll get it out asap.

Thanks!

~Doug



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user

Reply via email to