11ods
A router. A webserver. And NAT.

Hi,

- I've got a 4-computer home network, where one of them is a newly installed Linux box running Apache on port 80.
- I've got an Alcatel SpeedTouch Pro as my router, which is 'Always-on'.
- When I get an HTTP request it directs to the web interface of the modem. (major security issue)

I want it to direct all requests on port 80 to the Linux box (10.0.0.9 static IP).

After some research I found that the way to do this is to telnet to the router and type:
user: user
=>nat
[nat]=>  create protocol=tcp inside_addr=10.0.0.9 inside_port=80 outside_addr=0 outside_port=80

but I get a "Failed to create static NAT entry".

Any help would be greatly appreciated...

11ods
Yorkie0362

Might be because a NAT entry already exists for port 80.
Try this:

after user:user

=>nat list

This will show what you have set up at the moment. I imagine that there is a setting in there already for port 80 tcp and therefore it will not allow another. First of all make a note of the address in that list (just in case you need to reapply them), then:

=>nat delete protocol=tcp inside_addr=xxx.xxx.xxx.xxx inside_port=80 outside_addr=xxx.xxx.xxx.xxx outside_port=xxxx

Obviously fill in the x's with the information you noted down about the existing connection. Now:

=>nat list

and see that the existing entry has gone. And now to add the connection:

=>nat create protocol=tcp inside_addr=10.0.0.9 inside_port=80 outside_addr=0 outside_port=0

Give that a whirl, let me know how you get on.

11ods (ASKER)

Hmmmm...

There's nothing using up port 80 according to the 'list'.

Basically there's a table:

inside addr:port      outside addr:port      foreign addr:port
10.0.0.6:2732         xx.xx.xx.xxx:13305     207.46.106.200:1863
10.0.0.6:3149         xx.xx.xx.xxx:15506     209.51.159.194:110
10.0.0.6:3151         xx.xx.xx.xxx:15507     64.97.37.170:110

WHERE:
10.0.0.6 is the computer I am using now (WinXP).
xx.xx.xx.xxx is my real IP
and the rest of the IPs I have no idea what they are or how they got there.

Reckon it's safe to delete everything?
hmm
If the router has a web interface configure it to use a port other than 80, like 9980 for example.
11ods (ASKER)

how?
I've just had a look around and there are no known issues with port 80 on this router, so try the following; remember the nat save command:

nat create protocol=tcp inside_addr=10.0.0.254 inside_port=80 outside_addr=0 outside_port=80

nat save

If that doesn't work, try sending ALL traffic to this pc:

nat defserver addr 10.0.0.254

nat save

This is just for testing purposes, don't leave it configured like that, it's a big security hole.
11ods (ASKER)

Well...

The first line didn't work, same error as before...

but when I set the default server there was no error....

So it works with the nat defserver addr ? Is the website on the Linux box a secure HTTPS site? If so, forward tcp port 443.

Alternatively, try it in this format:

nat create protocol=tcp inside_addr=10.0.0.6:80 outside_addr=0.0.0.0:80

11ods (ASKER)

Yup drev001,
works with the defserver,
the website isn't HTTPS...

and the alternative method "nat create protocol=tcp inside_addr=10.0.0.6:80 outside_addr=0.0.0.0:80"

gave me the same error...
Annoying, isn't it.


ASKER CERTIFIED SOLUTION
drev001
This solution is only available to members.
Pardon me for asking, - (I'm not familiar with the specific model) don't you have to login at admin level and go to a config level before issuing the command?
11ods (ASKER)

Nope svenkarlsen.

Just tried it and still the same problem.
But,
it's amazing what I just stumbled upon:

Taken from: http://adsl.cutw.net/alcatel-stpro-natpat.txt
"Failed to create static NAT entry.
This is due to the Active Software Version you have on the Pro modem -
it will be more than likely to be the following version: KHDSAA.132"

which happens to be the version I'm running.
Going to go try and update it now..


11ods (ASKER)

Well, now it lets me enter the NAT and save it ...

but when I browse to my IP address in the browser, the browser just hangs for a long time
and then gives me a "cannot find server" error... instead of forwarding me to my internal IP 10.0.0.9

... and just when I thought it was almost fixed
I think you have to remove the defserver entry now
You will probably have to change to EXPERT mode before trying to configure NAT/PAT, - see:

http://www.radio-active.net.au/web/internet/adslexpert.html

Kind regards,
Sven Karlsen
11ods (ASKER)

defserver was removed ... still nothing..

and I tried setting the NAT in expert mode..

it adds the IP and the port in the table...

and should be working..
but it's just not forwarding.


Thanks
11ods
SOLUTION
This solution is only available to members.
Sven, on this router I think that the 0 for outside address signifies "any incoming".
OK, - expected, as there were no IF identifiers in the config manual.

11ods (ASKER)

Here is the exact copy-and-paste from the telnet window.. maybe it will help.
I've replaced my IP with xxx's.

User : user
------------------------------------------------------------------------
*
*                             ______
*                         ___/_____/\
*                        /         /\\ ALCATEL ADSL MODEM
*                  _____/__       /  \\
*                _/       /\_____/___ \   Version 3.2
*               //       /  \       /\ \
*       _______//_______/    \     / _\/______ Copyright 1999-2000.
*      /      / \       \    /    / /        /\
*   __/      /   \       \  /    / /        / _\__
*  / /      /     \_______\/    / /        / /   /\
* /_/______/___________________/ /________/ /___/  \
* \ \      \    ___________    \ \        \ \   \  /
*  \_\      \  /          /\    \ \        \ \___\/
*     \      \/          /  \    \ \        \  /
*      \_____/          /    \    \ \________\/
*           /__________/      \    \  /
*           \   _____  \      /_____\/
*            \ /    /\  \    /
*             /____/  \  \  /
*             \    \  /___\/
*              \____\/
*
-----------------------------------------------------------------------
=>nat
[nat]=>list
Indx Prot Inside-address:Port  Outside-address:Port  Foreign-address:Port Flgs Expir State  Control
   1  17        10.0.0.9:137    xx.xxx.xxx.xxx:137     218.168.84.64:1027  11   20    10
   2   6        10.0.0.6:3266   xx.xxx.xxx.xxx:59126   207.46.107.57:1863  1    60    1
   3   6        10.0.0.6:4049   xx.xxx.xxx.xxx:59937  209.51.159.194:110   1    8     5
   4   6        10.0.0.6:4045   xx.xxx.xxx.xxx:59936    64.97.37.170:110   1    8     5
   5   6        10.0.0.6:4051   xx.xxx.xxx.xxx:59938    64.97.37.170:110   1    8     5
   6   6        10.0.0.6:4043   xx.xxx.xxx.xxx:59935  209.51.159.194:110   1    8     5
   7   6        10.0.0.9:80     xx.xxx.xxx.xxx:80            0.0.0.0:0     instance
   8   6        10.0.0.9:80            0.0.0.0:80            0.0.0.0:0     template
[nat]=>enable
addr = 10.0.0.9
[type] = pat
Failed to set NAT.

-------------------------------------------------------------------------------------------------
I have no idea why 10.0.0.6 (my WinXP box) is in the table, or what the rest of the IPs are there for. The only ones I entered are the ones with the internal IP 10.0.0.9 (my Linux box).

The NAT/PAT table shows both dynamic and static mappings, - i.e. when you access something on the internet, the router will make an entry in the NAT/PAT table. So what you see is the result of NAT when you browse, - don't mind the varying port numbers, that's a necessity to perform NAT.

As far as I can see, your Linux box is already mapped as required. Try a power cycle on the router and see how much is left in the table when it comes up again (disconnect the WinXP box and external cable when you boot (if possible...), to avoid any entries caused by access attempts).

I think it would be a good idea to start on a fresh router config...
A Reset to Factory Defaults is often a good idea after a firmware update on these cheapo routers.
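The `nat list` paste above, and Yorkie0362's earlier advice to check the table for an existing port 80 entry before creating one, both depend on reading a table that the telnet session wraps at 80 columns, which is easy to misread. What follows is an added example, not code from the thread or from Alcatel: a small Python parser that re-joins the wrapped rows, separates the dynamic entries (created by the WinXP box's outbound connections, and carrying a foreign peer address) from the static template/instance mappings, and checks that TCP port 80 is statically mapped only to the Linux box. The sample table is constructed from the paste, with the documentation address 203.0.113.7 standing in for the redacted public IP; the column names and the 6/17 protocol numbers come from the paste, while the classification rule (a foreign address of 0.0.0.0:0 marks a static entry) is an assumption read off the same output.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the `nat list` paste in the thread. The
# public address 203.0.113.7 is a documentation-range placeholder for the
# redacted "xx.xxx.xxx.xxx"; the rows keep the 80-column wrap that splits
# both the header and several rows across two physical lines.
SAMPLE = """\
[nat]=>list
Indx Prot Inside-address:Port  Outside-address:Port  Foreign-address:Port Flgs E
xpir State  Control
   1  17        10.0.0.9:137       203.0.113.7:137     218.168.84.64:1027  11
 20    10
   2   6        10.0.0.6:3266      203.0.113.7:59126   207.46.107.57:1863  1
 60    1
   7   6        10.0.0.9:80        203.0.113.7:80            0.0.0.0:0     insta
nce
   8   6        10.0.0.9:80            0.0.0.0:80            0.0.0.0:0     templ
ate
[nat]=>
"""

PROTO_NAMES = {6: "tcp", 17: "udp"}  # IP protocol numbers as printed by the router

# A real row starts with an index, a protocol number and an address:port.
ROW_START = re.compile(r"^\s*\d+\s+\d+\s+\S+:\d+")
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(.*)$"
)


@dataclass
class NatEntry:
    index: int
    proto: str
    inside: tuple[str, int]
    outside: tuple[str, int]
    foreign: tuple[str, int]
    trailer: str  # flags/expiry/state for dynamic rows, template/instance for static

    @property
    def static(self) -> bool:
        # Assumption from the paste: configured mappings have no foreign peer,
        # while dynamic ones record the host the inside machine connected to.
        return self.foreign == ("0.0.0.0", 0)


def unwrap(text: str) -> list[str]:
    """Re-join rows that the 80-column terminal split across two lines."""
    rows: list[str] = []
    for line in text.splitlines():
        if ROW_START.match(line):
            rows.append(line)
        elif rows and not line.startswith(("[nat]", "Indx", "xpir")):
            rows[-1] += line  # the wrap inserted no whitespace, so concatenate
    return rows


def parse_nat_list(text: str) -> list[NatEntry]:
    entries = []
    for row in unwrap(text):
        m = ROW.match(row)
        if not m:
            raise ValueError(f"unparseable nat row: {row!r}")
        entries.append(NatEntry(
            index=int(m[1]),
            proto=PROTO_NAMES.get(int(m[2]), m[2]),
            inside=(m[3], int(m[4])),
            outside=(m[5], int(m[6])),
            foreign=(m[7], int(m[8])),
            trailer=m[9].strip(),
        ))
    return entries


def static_forwards(entries, proto: str, outside_port: int) -> set[tuple[str, int]]:
    """Inside address:port pairs that a static mapping sends proto/outside_port to."""
    return {e.inside for e in entries
            if e.static and e.proto == proto and e.outside[1] == outside_port}


def audit(entries, server_ip: str, port: int = 80) -> list[str]:
    """Findings a defender wants: is the web server the only static target for
    the port, and do any static entries expose some other inside host?"""
    findings = []
    targets = static_forwards(entries, "tcp", port)
    if (server_ip, port) not in targets:
        findings.append(f"no static tcp/{port} mapping to {server_ip}:{port}")
    for host, p in sorted(targets - {(server_ip, port)}):
        findings.append(f"tcp/{port} also statically mapped to {host}:{p}")
    for e in entries:
        if e.static and e.inside[0] != server_ip:
            findings.append(f"static {e.proto} mapping to unexpected host "
                            f"{e.inside[0]}:{e.inside[1]}")
    return findings


if __name__ == "__main__":
    parsed = parse_nat_list(SAMPLE)
    for e in parsed:
        kind = "static " if e.static else "dynamic"
        print(f"{e.index:>3} {kind} {e.proto} {e.inside} -> {e.outside} peer {e.foreign} [{e.trailer}]")
    print("findings:", audit(parsed, "10.0.0.9") or "none")
```

Run against a saved copy of your own `nat list` output instead of `SAMPLE`; a clean result for the Linux box's address means the table already holds the mapping, so a remaining failure (as in this thread) lies elsewhere, such as the firewall or testing from inside the LAN.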
11ods (ASKER)

Ok, well...

I disconnected the WinXP box, reset factory defaults, had only the Linux box connected,
and still I can't access it from my external IP. I tried enabling the NAT/PAT again after all this, as Sven suggested earlier, but still I get the same "Failed to set NAT".

Any other suggestions?
Please!

Thanks,
11ods
Sure, - you'll give in before I run out of options ;-)

Ok, - next suggestion: when you've reset to factory defaults, it seems like the router sets defserver. Check the nat list, - try deleting any entry and get a clear nat table.

With a verified clear NAT table, try booting the router and make an attempt to configure NAT/PAT again.

11ods (ASKER)

Sven,
do you think all this could be configured remotely.. given my IP address?

if you see what I'm getting at...

?
11ods,
sorry, - that's beyond the rules of this forum: any aid must be performed in free contest and fully trackable in the exchange of comments.

I know it may feel a bit silly at first thought, - but say I agreed on the task and we took it somewhere private (via mail or like), - then I got you in a fix, and suddenly I suggest some fee of sorts!?

Hope you see the point, - I (and everyone here) work for the honor, and that sets some demand for ethics.

(now, let's turn off the violins, and get on with the task;-)

You could try posting a claim for closure/reclaim of posted points, and repost the question under Networking/ADSL or like, - I would not object, because I have not been able to help you, and a new, shorter thread may make it more likely that others (more competent than I) will throw a glance at your problems.


Kind regards,
Sven
SOLUTION
This solution is only available to members.
11ods (ASKER)

When drev suggested it I upgraded to KHDSAA.134,

and when it didn't solve the problem I went out looking for a newer version...

So right now I'm using Khdsaa3.270

Thanks Yorkie.
Just making 100% sure: you ARE able to connect to your Linux box port 80 from inside the subnet ;-)

(no offence intended, - but sometimes (like with RedHat 9) people forget to enable the basic functions when installing the firewall)
11ods (ASKER)

Yup. 10.0.0.9 in my browser and I see my Linux box .......  :)

Here's something I noticed that might be helpful:

BEFORE I entered the information in the NAT tables to route to my Linux box on port 80,
all requests on port 80 would route to the web interface of the router.

NOW that it's supposed to be routing, the browser just hangs, and eventually gives me a 'could not find server' error.

Hope this helps in any way!

Then you should probably search the config for some part that configures which port the router will use for http-interface, - when you find it, reconfig it to something like port 8080 or similar.
11ods (ASKER)

Can't find it....

OK guys, I feel like we've given up here....
A little disappointed.. but....

How about we redesign the home network? Right now it looks like this:

           [splitter]
                |
           [speed touch] (10.0.0.138)  (dhcp serv.)
                |
              [Hub]
       _________|_________
      |      |      |      |
    [XP]  [linux] [w98]  [w98]


How can I make the Linux box available to the outside world, and the rest not?

This maybe:?

           [splitter]
                |
           [speed touch] (10.0.0.138)
                |
             [linux] (dhcp serv)
                |
              [hub]
        ________|________
       |        |        |
     [XP]     [w98]    [w98]

Sorry if this is ridiculous :)


but would this solve the problem?
No, - but it would require an extra NIC in your Linux box (and probably installing Masquerade on it).

But I don't see how you expect this to solve the e-mail problem in the router ?
Looking back, I see that the defserver command seemed to work fine, - only you apparently set it to 10.0.0.254 and not the IP of your Linux box. Have you tried setting defserver to your Linux box IP ?
11ods (ASKER)

I set the defserver to 10.0.0.9,
it was drev001 that in his example set it to 10.0.0.254 ...

ok

During all these attempts, I fail to see that we remembered to allow incoming traffic on port 80 in the firewall, - is that correct?

If so, - you might want to test this:

1. Set defserver
2. In firewall, config to allow incoming traffic on port 80

Sven
There is a third-party application called alcatool, which improves on the Alcatel web interface; you might like to give it a try: http://www.nubz.org/alcatool/Download.html
11ods (ASKER)

I don't believe it.. I think I finally found the answer,
after reading this FAQ: http://www.azacamis.com/refer/routerfaqs.htm

It explains how from inside your LAN, you cannot plug in your WAN IP and expect to get forwarded, since it's your router's IP. But users from outside the LAN would be able to reach it..

I'd test it but it's 3:20 am and nobody's online to confirm if this works...

Any ideas? Suggestions?
11ods (ASKER)

Well,

Thanks very much!

Just tried entering my IP from the WAN and it forwards to my Linux box.

So the problem was actually made up of several different components,
but the turning point was drev001's suggestion for a firmware update, which is why it's the accepted answer..
I split the points because everyone assisted and I'd like to thank you for it ..... Thanks!