| View previous topic :: View next topic |
| Author |
Message |
paul_chany
Tux's lil' helper
Joined: 01 Aug 2010
Posts: 82
Location: Europe, Serbia
|
 Posted: Sun Jul 09, 2017 8:24 am Post subject: Web server behind cable modem router |
 |
|
Hi,
at home I have a small web server on a Raspberry Pi Model 2. It is connected to a cable modem router. On this router there is running firewall ( Filter Proxy, Filter Cookies, Filter Java Applets, Filter ActiveX, Filter Popup Windows, Block Fragmented IP Packets, Port Scan Detection, IP Flood Detection are all enabled ) and the Firewall Protection is HIGH, moreover port forwarding:
| Code: | 192.168.0.14 80 80 217.17.98.71 80 80 TCP HTTP Server Yes.
192.168.0.14 443 443 217.17.98.71 443 443 TCP HTTPS Server Yes |
The Raspberry Pi gets it's IP address dinamically so far and I was used a DDNS service. But now I am using a static IP address given from my Internet Provider and this is a different situation. This static IP address is for the Internet but the eth0 NIC on RasPi still gets it's IP dinamically.
On RasPi:
| Code: | eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.14 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::ba27:ebff:feac:cbf1 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:ac:cb:f1 txqueuelen 1000 (Ethernet)
RX packets 2078 bytes 180482 (176.2 KiB)
RX errors 0 dropped 2 overruns 0 frame 0
TX packets 815 bytes 254578 (248.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 14445 bytes 5376842 (5.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 14445 bytes 5376842 (5.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 |
My domain is cspl.hu:
| Code: | Server: 91.102.231.242
Address: 91.102.231.242#53
Non-authoritative answer:
Name: cspl.hu
Address: 217.17.98.71 |
| Code: | Server: 91.102.231.242
Address: 91.102.231.242#53
Non-authoritative answer:
Name: www.cspl.hu
Address: 217.17.98.71 |
So it past 24 hours after I deleted the dinamic DNS service.
I have two A records and one SOA record too.
I have shorewall firewall on RasPi.
There is a rule in shorewall's rules file:
| Code: | | Web(ACCEPT) net $FW |
and the interfaces file is:
| Code: | | net eth0 dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0 |
I can't open my webserver's home page from my LAN ( this LAN is provided from cable modem), and it can't be opened from Internet also. Why?
[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]
_________________
Best, Pali |
|
| Back to top |
|
 |
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3131
|
| Posted: Sun Jul 09, 2017 2:10 pm Post subject: |
|
|
You're firewalled with policy DROP.
So, the first thing to check is firewall rules on your router.
Second thing is the forwarding direction. Router must redirect packets arriving at its own IP to your internal IP, not the other way around. It's hard to determine its set behaviour from the lines you included.
Third one, firewall on Pi itself, though this thing should _not_ actually require any changes when moving from dynamic IP to static.
Finally, you say it's not available from within your LAN. How do you try to connect? Using domain name? Can you connect using its local IP instead? |
|
| Back to top |
|
|
paul_chany
Tux's lil' helper
Joined: 01 Aug 2010
Posts: 82
Location: Europe, Serbia
|
| Posted: Sun Jul 09, 2017 4:38 pm Post subject: |
|
|
| szatox wrote: | You're firewalled with policy DROP.
So, the first thing to check is firewall rules on your router.
Second thing is the forwarding direction. Router must redirect packets arriving at its own IP to your internal IP, not the other way around. It's hard to determine its set behaviour from the lines you included.
Third one, firewall on Pi itself, though this thing should _not_ actually require any changes when moving from dynamic IP to static.
Finally, you say it's not available from within your LAN. How do you try to connect? Using domain name? Can you connect using its local IP instead? |
The router's ( cable modem ) firewall rules
The cable modem / router has a web interface which I can open at http://192.168.0.1 .
So I can not get firewall rules other ways but only by seeing it's webpages.
There I can see these:
| Quote: | Allowed Services
DNS TCP 53 53 TCP
DNS UDP 53 53 UDP
HTTP 80 80 TCP
HTTP-S 443 443 TCP
IMAP-S 993 993 TCP
IPSec NAT-T 4500 4500 UDP
NTP 123 123 UDP
POP3-S 995 995 TCP
SSH 22 22 TCP
SMTP 25 25 TCP
SMTP-S 465 465 TCP |
| Quote: | Trusted Computers
1. MAC address of my RasPi
2. MAC address of my laptop |
Forwarding
| Quote: | Port Forwarding
Internal External
IP Address Start Port End Port IP Address Start Port End Port Prot Description Enabled
192.168.0.14 80 80 217.17.98.71 80 80 TCP HTTP Server Yes
192.168.0.14 443 443 217.17.98.71 443 443 TCP HTTPS Server Yes |
where 192.168.0.14 is the internal IP address of my RasPi and it's static IP address given from my Internet Provider is 217.17.98.71. This IP 217.17.98.71 is associated with the MAC address of the RasPi's NIC - ethernet card.
Shorewall firewall on RasPi
| Quote: | /etc/shorewall/interfaces
| Code: | #ZONE INTERFACE OPTIONS
net eth0 dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0 |
|
| Quote: | /etc/shorewall/policy
| Code: | #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info |
|
| Quote: | /etc/shorewall/rules
| Code: | # Drop packets in the INVALID state
Invalid(DROP) net all tcp
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP) net $FW
# Enged Ping -et LANrol
Ping(ACCEPT) net:192.168.0.0/24 $FW
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT $FW net icmp
# Enged SSH kifele es LANrol befele
SSH(ACCEPT) $FW net
SSH(ACCEPT) net:192.168.0.1/24 $FW
# Nginx weboldalanak eleresehez a világból
Web(ACCEPT) net $FW
# Accept DNS connections from the firewall to the Internet
DNS(ACCEPT) $FW net
# Gentoo emerge
Rsync(ACCEPT) $FW net
Web(ACCEPT) $FW net |
|
| Quote: | /etc/shorewall/shorewall.conf
|
| Quote: | /etc/shorewall/zones
| Code: | #ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4 |
|
Within router's LAN I am trying to open my web site by using it's FQDN: cspl.hu or www.cspl.hu, or it's external IP 217.17.98.71 or internal IP 192.168.0.14 address without any success. What am I missing here?
_________________
Best, Pali |
|
| Back to top |
|
|
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3131
|
| Posted: Sun Jul 09, 2017 6:17 pm Post subject: |
|
|
| Quote: | | or internal IP 192.168.0.14 address without any success. |
So.... Firewall on your Pi?
I'd launch a sniffer to check whether or not you can see any traffic at all on your pi.
Also, can you ping it within your LAN?
And I'm pretty sure you are behind a firewall:
| Code: | Nmap scan report for 71-98-17-217.cpe.stcable.net (217.17.98.71)
Host is up (0.027s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
25/tcp open smtp
113/tcp closed ident
1720/tcp open h323q931
|
|
|
| Back to top |
|
|
paul_chany
Tux's lil' helper
Joined: 01 Aug 2010
Posts: 82
Location: Europe, Serbia
|
| Posted: Sun Jul 09, 2017 8:27 pm Post subject: |
|
|
| szatox wrote: | | Quote: | | or internal IP 192.168.0.14 address without any success. |
So.... Firewall on your Pi?
I'd launch a sniffer to check whether or not you can see any traffic at all on your pi.
Also, can you ping it within your LAN?
And I'm pretty sure you are behind a firewall:
| Code: | Nmap scan report for 71-98-17-217.cpe.stcable.net (217.17.98.71)
Host is up (0.027s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
25/tcp open smtp
113/tcp closed ident
1720/tcp open h323q931
|
|
I can run tcpdump on RasPi.
I run it with these options on RasPi:
| Code: | | tcpdump -i eth0 -c 6 |
but first start ping on my laptop:
| Quote: | | PING 192.168.0.14 (192.168.0.14) 56(84) bytes of data. |
and there is no other output from ping command
and try to open my web site on RasPi from my laptop,
and then on RasPi get output:
| Quote: | dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:05:54.743919 IP 192.168.0.14.ssh > 192.168.0.10.32950: Flags [P.], seq 307270013:307270073, ack 1642040114, win 316, options [nop,nop,TS val 5009274 ecr 56598460], length 60
22:05:54.744434 IP 192.168.0.10.32950 > 192.168.0.14.ssh: Flags [.], ack 60, win 1901, options [nop,nop,TS val 56598565 ecr 5009274], length 0
22:05:54.744898 IP 192.168.0.14.ssh > 192.168.0.10.32950: Flags [P.], seq 60:248, ack 1, win 316, options [nop,nop,TS val 5009275 ecr 56598565], length 188
22:05:54.745366 IP 192.168.0.10.32950 > 192.168.0.14.ssh: Flags [.], ack 248, win 1901, options [nop,nop,TS val 56598566 ecr 5009275], length 0
22:05:54.745885 IP 192.168.0.14.41449 > resolver4.stcable.net.domain: 40431+ PTR? 14.0.168.192.in-addr.arpa. (43)
22:05:54.763752 IP resolver4.stcable.net.domain > 192.168.0.14.41449: 40431 NXDomain 0/1/0 (92)
6 packets captured
17 packets received by filter
5 packets dropped by kernel |
and I run it again, and get this output:
| Quote: | dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:09:30.383862 IP 192.168.0.14.ssh > 192.168.0.10.32950: Flags [P.], seq 307271613:307271673, ack 1642040194, win 316, options [nop,nop,TS val 5030838 ecr 56814107], length 60
22:09:30.384417 IP 192.168.0.10.32950 > 192.168.0.14.ssh: Flags [.], ack 60, win 1901, options [nop,nop,TS val 56814205 ecr 5030838], length 0
22:09:30.384837 IP 192.168.0.14.ssh > 192.168.0.10.32950: Flags [P.], seq 60:248, ack 1, win 316, options [nop,nop,TS val 5030839 ecr 56814205], length 188
22:09:30.385331 IP 192.168.0.10.32950 > 192.168.0.14.ssh: Flags [.], ack 248, win 1901, options [nop,nop,TS val 56814206 ecr 5030839], length 0
22:09:30.385823 IP 192.168.0.14.52130 > resolver4.stcable.net.domain: 10953+ PTR? 14.0.168.192.in-addr.arpa. (43)
22:09:30.387284 IP 192.168.0.10 > igmp.mcast.net: igmp v3 report, 1 group record(s)
6 packets captured
22 packets received by filter
9 packets dropped by kernel |
No, I can't ping RasPi from LAN, that is from my laptop that is also connected to cable modem / router.
However, on RasPi in /etc/shorewall/rules I have:
| Code: | # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP) net $FW
# Enged Ping -et LANrol
Ping(ACCEPT) net:192.168.0.10 $FW |
and on my laptop in /etc/shorewall/rules I have:
| Code: | | Ping(ACCEPT) $FW net |
Still can't ping RasPi from laptop, but only when I clear the shorewall firewall rules out there with command:
_________________
Best, Pali |
|
| Back to top |
|
|
paul_chany
Tux's lil' helper
Joined: 01 Aug 2010
Posts: 82
Location: Europe, Serbia
|
| Posted: Tue Jul 11, 2017 9:28 am Post subject: |
|
|
Finally works something!
I ask my ISP to give me instructions how to setup Thomson modem:
at web page of the modem (192.168.0.1) choose
Network / Portbase PassThrough
Here must add MAC address of RasPi's NIC, the eth0.
After this is set, RasPi gets it's static IP and not internal
(192.168.0.x) IP address.
I removed every other settings for this, like port forwarding.
So at last I can see my homepage out there: http://cspl.hu.
I can ssh into RasPi after that too.
Just can't ping it from my laptop. But, this is not interesting and
not important at all.
So my problem is solved.
_________________
Best, Pali |
|
| Back to top |
|
|
chiefbag
Guru
Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom
|
| Posted: Wed Aug 09, 2017 10:46 am Post subject: |
|
|
| Quote: | Finally works something!
I ask my ISP to give me instructions how to setup Thomson modem:
at web page of the modem (192.168.0.1) choose
Network / Portbase PassThrough
Here must add MAC address of RasPi's NIC, the eth0.
After this is set, RasPi gets it's static IP and not internal
(192.168.0.x) IP address. |
Are you sure that this is what you want, Passthrough in this instance on this router means that your Pi is now directly connected to the internet.
Ensure your Pi firewall is up to scratch.
Port forwarding might be a safer solution for you. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
