Member
Join Date: Jun 2009
Location: Stuttgart, Germany
Posts: 40
#1
Old 07-02-2012, 01:12 PM
Question Rule 60002 blocking port 8080

Hi All,

I've been fighting with a DNAT problem for the last week and need some assistance.

I am trying to set up access to my home web server using DNAT and can't seem to get it to work. Using the manual to configure DNAT is also not very helpful.

To start here is some information on what I have done so far:

DSL Router setup:
Speedport W723V
Port Rule Activated: checked
Description: WebServerName
Type Rule: WebServer
Good for Device: WebServerName
Forwarded Ports/Port Range
TCP-Ports: 8080
Astaro v8.305 Home Setup
DNAT
Position: 1
Traffic Source: Internet
Traffic Service: HTTP
Traffic Destination: ExternalInterface
NAT Mode: DNAT
Destination: WebServer IP
Destination Service: [blank]
Log initial packets: checked
Automatic Firewall rule: checked
ERROR Message when I try to connect to the webserver from outside my home network
2012:07:02-14:29:39 ******** ulogd[4646]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcmac="" dstmac="" srcip="ip_Internal_WebSrv" dstip="ip_Remote_host" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="8080" dstport="19995" tcpflags="ACK SYN"
Port forwarding on the DSL Router works for WebAdmin on port=4444. There is a general rule for http from my home network into the internet.

Searching the portal also doesn't give any solutions that have been verified. Doing a google search returned the following DNAT rulesets:
iptables -t nat -A PREROUTING -i eth0 --dst $INET_IP -p tcp --dport 80 -j DNAT --to-destination $HTTP_IP

iptables -t nat -A POSTROUTING -p tcp --dst $HTTP_IP --dport 80 -j SNAT --to-source $LAN_IP

iptables -t nat -A OUTPUT --dst $INET_IP -p tcp --dport 80 -j DNAT --to-destination $HTTP_IP
I haven't implemented the above rulesets yet, because I wanted to check in the forum before I start mucking around with the command line. In the meantime, I am trying to implement the above rules through the webadmin interface.

Thanks in advance for your help.

Regards,

Jasper
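An added example, not code from the thread or from Astaro/Sophos: a small Python script that parses packet-filter drop lines in the key="value" format of the log entry quoted above and labels each drop. The case worth noticing is the one in the quoted line itself: a TCP SYN/ACK from the internal web server (source port 8080) entering on eth1 and dropped by fwrule 60002. That packet is the server's reply to a client, not an unsolicited inbound packet, so the thing to check is why the firewall holds no connection state for the DNAT'd flow (DNAT service mismatch or a tracking entry that is gone), not whether an allow rule is missing. The sample lines, the hostname, the addresses, the internal interface name (eth1) and the served-port set are constructed assumptions.

```python
# Added example, not code from the thread or from Astaro/Sophos: parse Astaro
# ulogd packet-filter drop lines (the format of the line quoted in post #1) and
# flag drops that hit the server's *reply* rather than the inbound request.
import re
from collections import Counter
from typing import Dict, FrozenSet, Iterable

# Constructed sample lines modelled on the quoted log entry. Hostname and IPs are
# placeholders (RFC 5737 / RFC 1918 addresses), not values from the thread.
SAMPLE_LINES = [
    # 1: SYN/ACK from the internal web server back to the remote client, dropped
    '2012:07:02-14:29:39 fw ulogd[4646]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" '
    'outitf="eth0" srcmac="" dstmac="" srcip="192.168.1.10" dstip="203.0.113.5" proto="6" '
    'length="48" tos="0x00" prec="0x00" ttl="63" srcport="8080" dstport="19995" tcpflags="ACK SYN"',
    # 2: unsolicited SYN from the internet to port 8080, dropped on the external interface
    '2012:07:02-14:30:02 fw ulogd[4646]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" '
    'outitf="" srcmac="" dstmac="" srcip="203.0.113.5" dstip="198.51.100.7" proto="6" '
    'length="60" tos="0x00" prec="0x00" ttl="52" srcport="51000" dstport="8080" tcpflags="SYN"',
    # 3: a UDP drop, to show that non-TCP lines are classified too
    '2012:07:02-14:30:10 fw ulogd[4646]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" '
    'outitf="" srcmac="" dstmac="" srcip="203.0.113.9" dstip="198.51.100.7" proto="17" '
    'length="78" tos="0x00" prec="0x00" ttl="49" srcport="40000" dstport="161"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd_line(line: str) -> Dict[str, str]:
    """Split a ulogd line into its key="value" fields, plus the leading timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def classify_drop(fields: Dict[str, str],
                  internal_if: str = "eth1",
                  served_ports: FrozenSet[int] = frozenset({80, 443, 8080})) -> str:
    """Label a dropped packet by what it tells us about the NAT/firewall path.

    "reply-path drop": TCP with SYN+ACK set, entering on the internal interface
    with a served port as *source* port. That is the web server answering a
    client, and the answer is hitting the drop rule instead of being accepted as
    part of an existing connection. If the inbound SYN itself never shows up as
    dropped, this points at the firewall holding no state for the DNAT'd flow
    (DNAT service mismatch, or the tracking entry expired) rather than at a
    missing allow rule. Interface name and port set are assumptions taken from
    the quoted log line.
    """
    if fields.get("action") != "drop":
        return "not a drop"
    flags = set(fields.get("tcpflags", "").split())
    try:
        sport = int(fields.get("srcport", ""))
    except ValueError:
        sport = -1
    if (fields.get("proto") == "6" and {"SYN", "ACK"} <= flags
            and fields.get("initf") == internal_if and sport in served_ports):
        return "reply-path drop"
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited inbound SYN"
    return "other drop"


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count drop classes over a batch of log lines (e.g. a tail of packetfilter.log)."""
    return dict(Counter(classify_drop(parse_ulogd_line(l)) for l in lines))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_ulogd_line(line)
        print(f"{f['timestamp']} rule={f['fwrule']} {f['srcip']}:{f.get('srcport')} -> "
              f"{f['dstip']}:{f.get('dstport')} [{f.get('tcpflags', 'proto ' + f['proto'])}] "
              f"=> {classify_drop(f)}")
    print(summarize(SAMPLE_LINES))
```

Feeding real lines from the packet filter log in place of SAMPLE_LINES gives a quick count of how many of the rule-60002 drops are replies from the server versus genuine unsolicited inbound traffic; only the first kind indicates a NAT/state problem like the one in this thread.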
Billybob
Wizard
Join Date: Jul 2006
Location: United States
Posts: 1,830
#2
Old 07-02-2012, 03:33 PM
Default

Http = Port 80
Http Proxy = Port 8080

Looks like you are opening port 8080 on your perimeter router and then opening port 80 on Astaro. Change the port on your external router to port 80 and it should work as expected. Also, don't forget that port 8080 is also used by the HTTP proxy on Astaro itself, and creating DNAT rules might give unexpected results to your HTTP proxy (web security) users.

INTERNET--ROUTER port 80 incoming--- astaro port 80 incoming--webserver ALLOW

Regards
Bill
Member
Join Date: Jun 2009
Location: Stuttgart, Germany
Posts: 40
#3
Old 07-02-2012, 04:00 PM
Default

Hi BillyBob,

Actually, I am forwarding 80, 8080 and 443 from the router. The title is misleading; the HTTP is actually HTTP_Grp on the router.

But, thanks for the info anyway.

Regards,

Jasper
Moderator
Join Date: Jul 2001
Location: southern California
Posts: 12,063
#4
Old 07-02-2012, 07:31 PM
Default

Hi, try changing the DNAT on Astaro, to port 8080 on the External Address.

Barry
__________________
http://BlogSec.net
http://JobOyster.com
http://DealBert.net
IT Consultant specializing in high-performance Web Infrastructure and Security.
Astaro End-user since v1.x
  • ASL 9.2x, HP DL360G5 - FW, IPS, VPNs
  • ASL 9.2x, 2 Dell 1950's as WAF/proxy w HA
  • UTM 9.1x, Atom n270, 2GB RAM, 2 Intel GigE
    Netgear GS108T gigE switch & Astaro AP30 Access Point with 4 VLANs.
    60/60mbit FiOS internet.
  • Pending - UTM 9.2x, i5-4670, 4GB RAM, 2 Intel GigE
    Needs new NIC drivers before deploying
Member
Join Date: Jun 2009
Location: Stuttgart, Germany
Posts: 40
#5
Old 07-12-2012, 09:16 AM
Wink

Hi Barry,

tried that and am still running into the problem that rule 60002 is activated.

OK, it is obvious that I am too dumb/stupid/whatever to correct this problem.
I have tried going through the iptables documents and have come to the conclusion that each table has a DROP rule. And dependent on how the connection is interpreted, it is possible that a table/chain deny rule can prevent the connection from going any further. The confusing part is the order that the rules are executed.

So, I am looking into deleting the default Deny rules from the database, and setup my own ANY-ANY-Deny? This is the home license and I know that Astaro will not provide any support if I make changes from the cli (I don't have a support contract anyway 8.}).

IMHO, the global deny rule should be at the end (last rule executed) and should not be dependent on which table or chain the connection must pass through.

I have a virtual lab and will conduct a few experiments before implementing my thoughts on my home firewall.

In closing, I would like to thank all who have assisted me with this problem.

Best regards,

jasperf
Wizard
Join Date: May 2003
Location: Brunswick, Maryland, USA
Posts: 7,066
#6
Old 07-12-2012, 11:13 AM
Default

I would advise putting your DSL router into bridge mode and letting your Astaro provide network security. Right now you are fighting double NAT, which, as you have seen, is a pain in the keister.
__________________
Owner: Emmanuel Technology Consulting
http://www.etc-md.com
My Installed Configs
Microsoft Partner
Sophos Silver Solution Reseller
Sophos Certified Architect - UTM
Member
Join Date: Jun 2009
Location: Stuttgart, Germany
Posts: 40
#7
Old 07-12-2012, 12:15 PM
Default

Hi William,

thanks for the suggestion.

Unfortunately, the DSL router [Speedport W723V] that I have doesn't have a bridge mode. It has a built-in firewall, which can't be deactivated, with port forwarding activated.

If I set it up in modem mode, then I would have to look into how to configure all hosts on my network for accessing the internet (PPPoE). With the hardware that I have I'm pretty sure I can get it to work. I just have to figure out why the return packet from the web server is being blocked. I can access the WebAdmin from outside, but not my web server. Maybe it's because of the port that WebAdmin uses.

I've noticed in the German forum that a lot of people are having a similar problem, but no one has entered a solution that works (or that has been confirmed as working).

So, I just have to get the old gray matter working and figure this out.
Wizard
Join Date: May 2003
Location: Brunswick, Maryland, USA
Posts: 7,066
#8
Old 07-12-2012, 01:22 PM
Default

Quote:
Originally Posted by jasperf
Hi William,

thanks for the suggestion.

Unfortunately, the DSL router [Speedport W723V] that I have doesn't have a bridge mode. It has a built-in firewall, which can't be deactivated, with port forwarding activated.

If I set it up in modem mode, then I would have to look into how to configure all hosts on my network for accessing the internet (PPPoE). With the hardware that I have I'm pretty sure I can get it to work. I just have to figure out why the return packet from the web server is being blocked. I can access the WebAdmin from outside, but not my web server. Maybe it's because of the port that WebAdmin uses.

I've noticed in the German forum that a lot of people are having a similar problem, but no one has entered a solution that works (or that has been confirmed as working).

So, I just have to get the old gray matter working and figure this out.
OK, put it into modem mode, then select PPPoE as the WAN type in Astaro. Astaro is your router now. Let Astaro handle DHCP and DNS, and everyone has internet access with the superior protection of Astaro.
__________________
Owner: Emmanuel Technology Consulting
http://www.etc-md.com
My Installed Configs
Microsoft Partner
Sophos Silver Solution Reseller
Sophos Certified Architect - UTM
BAlfson
Grandis Professorem Astaro
Join Date: Mar 2007
Location: Oklahoma City
Posts: 20,879
#9
Old 07-12-2012, 08:17 PM
Default

Also, in your first post here, the line from the firewall log indicates that the response from your webserver was so slow that the connection tracker timed out. There's a way to set the tcp_timeout from the command line.

Maybe: # cc set http response_timeout 300

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!

Last edited by BAlfson; 07-12-2012 at 08:24 PM.