Solved

A router. A webserver. And NAT.

Posted on 2003-11-03
Last Modified: 2007-12-19
Hi,

- I've got a 4 computer home network, where one of them is a newly installed linux box running apache on port 80.
- I've got an Alcatel SpeedTouch Pro as my router which is 'Always-on'.
- When I get an HTTP request it directs to the web interface of the modem (major security issue).
 
I want it to direct all requests on port 80 to the linux box (10.0.0.9 static ip).

After some research I found that the way to do this is telnet to the router and type:
user: user
=>nat
[nat]=>  create protocol=tcp inside_addr=10.0.0.9 inside_port=80 outside_addr=0 outside_port=80

but i get a "Failed to create static NAT entry".

any help would be greatly appreciated...

11ods
Question by:11ods
39 Comments
 
LVL 1

Expert Comment

by:Yorkie0362
ID: 9672291
Might be because a NAT entry already exists for port 80.
try this

after user:user

=>nat list

this will show what you have set up at the moment.  I imagine that there is a setting in there already for port 80 tcp and therefore will not allow another.  First of all make a note of the address in that list, (just in case you need to reapply them) then:

=>nat delete protocol=tcp inside_addr=xxx.xxx.xxx.xxx inside_port=80 outside_addr=xxx.xxx.xxx.xxx outside_port=xxxx

obviously fill in the x's with the information you noted down about the existing connection.  Now:

=>nat list

and see that the existing entry has gone.  And now to add the connection:

=>nat create protocol=tcp inside_addr=10.0.0.9 inside_port=80 outside_addr=0 outside_port=0

Give that a whirl let me know how you get on

 

Author Comment

by:11ods
ID: 9672447
Hmmmm...

There's nothing using up port 80 according to the 'list'.

basically there's a table:

inside addr: port     outside addr:port      forgn addr: port
10.0.0.6:2732       xx.xx.xx.xxx:13305   207.46.106.200:1863

10.0.0.6:3149       xx.xx.xx.xxx:15506   209.51.159.194:110

10.0.0.6:3151       xx.xx.xx.xxx:15507   64.97.37.170:110

WHERE:
10.0.0.6 is the computer I am using now (winxp).
xx.xx.xx.xxx is my real ip
and the rest of the Ip's i have no idea what they are or how they got there.

reckon its safe to delete everything?
hmm
 
LVL 9

Expert Comment

by:drev001
ID: 9673062
If the router has a web interface configure it to use a port other than 80, like 9980 for example.
 

Author Comment

by:11ods
ID: 9673070
how?
 
LVL 9

Expert Comment

by:drev001
ID: 9673258
I've just had a look around and there are no known issues with port 80 on this router so try the following, remember the nat save command:

nat create protocol=tcp inside_addr=10.0.0.254 inside_port=80 outside_addr=0 outside_port=80

nat save

If that doesn't work, try sending ALL traffic to this pc:

nat defserver addr 10.0.0.254

nat save

This is just for testing purposes, don't leave it configured like that, it's a big security hole.
 

Author Comment

by:11ods
ID: 9673311
well...

the first line didnt work, same error as before...

but when i set the default server there was no error....

 
LVL 9

Expert Comment

by:drev001
ID: 9673634
So it works with the nat defserver addr ? Is the website on the Linux box a secure HTTPS site? If so, forward tcp port 443.

 
LVL 9

Expert Comment

by:drev001
ID: 9673651
Alternatively, try it in this format:

nat create protocol=tcp inside_addr=10.0.0.6:80 outside_addr=0.0.0.0:80

 

Author Comment

by:11ods
ID: 9673812
yup drev001,
works with the defserver,
the website isnt https...

and the alternative method "nat create protocol=tcp inside_addr=10.0.0.6:80 outside_addr=0.0.0.0:80"

gave me the same error...
annoying isnt it.


 
LVL 9

Accepted Solution

by:
drev001 earned 167 total points
ID: 9674339
Very annoying. How about a firmware upgrade?
 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9675590
Pardon me for asking, - (I'm not familiar with the specific model) don't you have to login at admin level and go to a config level before issuing the command?
 

Author Comment

by:11ods
ID: 9675679
nope svenkarlsen.

just tried it and still the same problem.
but,
it's amazing what I just stumbled upon:

Taken from: http://adsl.cutw.net/alcatel-stpro-natpat.txt
"Failed to create static NAT entry.
 This is due to the Active Software Version you have on the Pro modem -
it will be more than likely to be the following version: KHDSAA.132"

which happens to be the version i'm running.
Going to go try and update it now..


 

Author Comment

by:11ods
ID: 9675736
well now it lets me enter the nat and save it ...

but when i browse to my ip address in the browser the browser just hangs for a long time
and then gives me a cannot find server error... instead of forwarding me to my internal ip 10.0.0.9

... and just when i thought it was almost fixed
 
LVL 1

Expert Comment

by:Yorkie0362
ID: 9677033
i think you have to remove the defserver entry now
 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9677351
You will probably have to change to EXPERT mode before trying to configure NAT/PAT, - see:

http://www.radio-active.net.au/web/internet/adslexpert.html

Kind regards,
Sven Karlsen
 

Author Comment

by:11ods
ID: 9678161
defserver was removed ... still nothing..

and i tried setting the NAT in expert mode..

it adds the ip and the port in the table...

and should be working..
but its just not forwarding.


Thanks
11ods
 
LVL 9

Assisted Solution

by:svenkarlsen
svenkarlsen earned 166 total points
ID: 9678550
have you enabled NAT/PAT?

nat enable addr=[??] type=pat

Try setting the defserver again, and enabling pat for that address
If that doesn't work, try enabling pat for the outside interface (it's a bit unclear if its source or target you enable here)


***
I'd normally expect that you should use your outside address instead of '0' for outside address:
     nat create protocol=tcp inside_addr=10.0.0.254 inside_port=80 outside_addr=[!!] outside_port=80

But leave that for now, - this router may use 0 as synonym for 'outside interface'

 
LVL 1

Expert Comment

by:Yorkie0362
ID: 9678582
Sven, on this router i think that the 0 for outside address signifies "any incoming"
 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9678652
OK, - expected so as there was no IF identifiers in the config manual.


Author Comment

by:11ods
ID: 9678795
here is the exact copy-and-paste from the telnet window.. maybe it will help.
i've replaced my ip with xxx's.

User : user
------------------------------------------------------------------------
*
*                             ______
*                         ___/_____/\
*                        /         /\\ ALCATEL ADSL MODEM
*                  _____/__       /  \\
*                _/       /\_____/___ \   Version 3.2
*               //       /  \       /\ \
*       _______//_______/    \     / _\/______ Copyright 1999-2000.
*      /      / \       \    /    / /        /\
*   __/      /   \       \  /    / /        / _\__
*  / /      /     \_______\/    / /        / /   /\
* /_/______/___________________/ /________/ /___/  \
* \ \      \    ___________    \ \        \ \   \  /
*  \_\      \  /          /\    \ \        \ \___\/
*     \      \/          /  \    \ \        \  /
*      \_____/          /    \    \ \________\/
*           /__________/      \    \  /
*           \   _____  \      /_____\/
*            \ /    /\  \    /
*             /____/  \  \  /
*             \    \  /___\/
*              \____\/
*
-----------------------------------------------------------------------
=>nat
[nat]=>list
Indx Prot Inside-address:Port  Outside-address:Port  Foreign-address:Port Flgs E
xpir State  Control
   1  17        10.0.0.9:137    xx.xxx.xxx.xxx:137     218.168.84.64:1027  11
 20    10
   2   6        10.0.0.6:3266   xx.xxx.xxx.xxx:59126   207.46.107.57:1863  1
 60    1
   3   6        10.0.0.6:4049   xx.xxx.xxx.xxx:59937  209.51.159.194:110   1
 8     5
   4   6        10.0.0.6:4045   xx.xxx.xxx.xxx:59936    64.97.37.170:110   1
 8     5
   5   6        10.0.0.6:4051   xx.xxx.xxx.xxx:59938    64.97.37.170:110   1
 8     5
   6   6        10.0.0.6:4043   xx.xxx.xxx.xxx:59935  209.51.159.194:110   1
 8     5
   7   6        10.0.0.9:80     xx.xxx.xxx.xxx:80            0.0.0.0:0     insta
nce
   8   6        10.0.0.9:80            0.0.0.0:80            0.0.0.0:0     templ
ate
[nat]=>enable
addr = 10.0.0.9
[type] = pat
Failed to set NAT.

-------------------------------------------------------------------------------------------------
i have no idea why 10.0.0.6 (my winxp box) is in the table, or what the rest of the ip's are there for. the only ones i entered in are with the internal ip 10.0.0.9 (my linux box).

 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9680336
The NAT/PAT table shows both dynamic and static mappings, - i.e. when you access something on the internet, the router will make an entry in the NAT/PAT table. So what you see is the result of NAT when you browse, - don't mind the varying port numbers, that's a necessity to perform NAT.

As far as I can see, your linux box is already mapped as required. Try a power cycle on the router and see how much is left in the table when it comes up again (disconnect winxp box and external cable when you boot (if possible...), to avoid any entries caused by access attempts).

I think it would be a good idea to start on a fresh router config...
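As an added example (not code from the thread or from Alcatel), a small Python parser for the `nat list` layout pasted above: it separates the static instance/template rows from the dynamic ones svenkarlsen describes and lists which inside services are reachable from any remote address. The sample table is constructed from the thread's dump with the 80-column line wrapping undone.

```python
"""Parse an Alcatel SpeedTouch 'nat list' dump and separate static port
forwards from the dynamic rows that outbound sessions leave behind.
Added example for this thread, not vendor code."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the thread's table with the 80-column wrapping undone
# (the WAN address is masked with x's exactly as in the thread).
SAMPLE_NAT_LIST = """\
Indx Prot Inside-address:Port  Outside-address:Port  Foreign-address:Port Flgs Expir State Control
   1  17        10.0.0.9:137    xx.xxx.xxx.xxx:137     218.168.84.64:1027  11    20    10
   2   6        10.0.0.6:3266   xx.xxx.xxx.xxx:59126   207.46.107.57:1863  1     60    1
   3   6        10.0.0.6:4049   xx.xxx.xxx.xxx:59937  209.51.159.194:110   1     8     5
   7   6        10.0.0.9:80     xx.xxx.xxx.xxx:80            0.0.0.0:0     instance
   8   6        10.0.0.9:80            0.0.0.0:80            0.0.0.0:0     template
"""

PROTO_NAMES = {6: "tcp", 17: "udp"}  # IANA protocol numbers in the Prot column
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)"   # Indx, Prot
    r"\s+(\S+):(\d+)"      # Inside-address:Port
    r"\s+(\S+):(\d+)"      # Outside-address:Port
    r"\s+(\S+):(\d+)"      # Foreign-address:Port
    r"\s*(.*)$"            # Flgs/Expir/State, or 'instance'/'template'
)


def parse_nat_list(text: str) -> List[Dict]:
    """Return one dict per table row; header, prompt and banner lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        idx, prot, ia, ip, oa, op, fa, fp, rest = m.groups()
        tag = rest.strip().lower()
        kind = tag if tag in ("instance", "template") else "dynamic"
        entries.append({
            "index": int(idx),
            "proto": PROTO_NAMES.get(int(prot), prot),
            "inside": (ia, int(ip)),
            "outside": (oa, int(op)),
            "foreign": (fa, int(fp)),
            "kind": kind,
        })
    return entries


def exposed_services(entries: List[Dict]) -> List[Tuple[str, str, int]]:
    """Static rows (instance/template) whose foreign side is 0.0.0.0:0 are not
    bound to one remote peer: these are the inbound forwards to account for."""
    return sorted({(e["proto"], e["inside"][0], e["inside"][1])
                   for e in entries
                   if e["kind"] != "dynamic" and e["foreign"] == ("0.0.0.0", 0)})
```

Feed it the text captured from a telnet session and compare `exposed_services` against the forwards you intended to create; anything else in that list is an unintended hole.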
 
LVL 9

Expert Comment

by:drev001
ID: 9681150
A Reset to Factory Defaults is often a good idea after a firmware update on these cheapo routers.
 

Author Comment

by:11ods
ID: 9682445
Ok,  well...

I disconnected the winxp box, reset factory defaults, had only the linux box connected,
and still I can't access it from my external IP. I tried enabling the Nat/pat again after all this, as sven suggested earlier, but still I get the same "Failed to set NAT".

any other suggestions ?
Please!

Thanks,
11ods
 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9683175
Sure, - you'll give in before I run out of options ;-)

Ok, - next suggestion: when you've reset to factory defaults, it seems like the router sets defserver. Check the nat list, - try deleting any entry and get a clear nat table.

With a verified clear NAT-table, try booting the router and make an attempt to configure NAT/PAT again.

 

Author Comment

by:11ods
ID: 9683283
sven,
do you think all this could be configured remotely.. given my IP address?

if you see what i'm getting at...

?
 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9683426
11ods,
sorry, - that's beyond the rules of this forum: any aid must be performed in free contest and fully trackable in the exchange of comments.

I know it may feel a bit silly at first thought, - but say I agreed on the task and we took it somewhere private (via mail or like), - then I got you in a fix, and suddenly I suggest some fee of sorts!?

Hope you see the point, - I (and everyone here) work for the honor, and that sets some demand for ethics.

(now, let's turn off the violins, and get on with the task;-)

You could try posting a claim for closure/reclaim of posted points, and repost the question under Networking/ADSL or like, - I would not object, because I have not been able to help you, and a new, shorter thread may make it more likely that other (more competent than I) will throw a glance at your problems.


Kind regards,
Sven
 
LVL 1

Assisted Solution

by:Yorkie0362
Yorkie0362 earned 167 total points
ID: 9685157
Just found an article online stating that it is because of your active software version, as drev has stated previously you should be on 134 which can be downloaded from here

http://adsl.cutw.net/firmware-stpro/KHDSAA.134
 

Author Comment

by:11ods
ID: 9685431
when drev suggested it I upgraded to KHDSAA.134,

and when it didnt solve the problem I went out looking for a newer version...

So right now i'm using Khdsaa3.270

Thanks Yorkie.
 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9685765
Just making 100% sure: you ARE able to connect to your linux-box port 80 from inside subnet ;-)

(no offence intended, - but sometimes (like with RedHat 9) people forget to enable the basic functions when installing the firewall)
 

Author Comment

by:11ods
ID: 9685813
Yup. 10.0.0.9 in my browser and i see my linux box .......  :)

Here's something I noticed that might be helpful:

BEFORE I entered the information in the NAT tables to route to my linux box on port 80,
all requests on port 80 would route to the web interface of the router.

NOW that its supposed to be routing, the browser just hangs, and eventually gives me a 'could not find server error'.

Hope this helps in any way!

 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9686460
Then you should probably search the config for some part that configures which port the router will use for http-interface, - when you find it, reconfig it to something like port 8080 or similar.
 

Author Comment

by:11ods
ID: 9696741
Cant find it....

OK guys. I feel like we've given up here....
A little disappointed.. but....

how about we redesign the home network?  right now it looks like this:

           [splitter]
                |
           [speed touch] (10.0.0.138)  (dhcp serv.)
                |
             [Hub]
     ______|____________
    |        |            |         |
  [XP]    [linux]  [w98]     [w98]


how can i make the linux box available to the outside world, and the rest not?

this maybe:?

             [splitter]
                |
           [speed touch] (10.0.0.138)
                |
             [linux] (dhcp serv)
                |
             [hub]
     ______|_______
    |        |            |        
  [XP]    [w98]     [w98]

Sorry if this is ridiculous :)


but would this solve the problem?
 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9697182
No, - but it would require an extra NIC in your Linux box (and probably installing Masquerade on it).

But I don't see how you expect this to solve the e-mail problem in the router ?
 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9697379
Looking back, I see that the defserver command seemed to work fine, - only you apparently set it to 10.0.0.254 and not the IP of your Linux box. Have you tried setting defserver to your Linux box IP ?
 

Author Comment

by:11ods
ID: 9697497
i set the defserver to 10.0.0.9,
it was drev001 that in his example set it to 10.0.0.254 ...

 
LVL 9

Expert Comment

by:svenkarlsen
ID: 9698164
ok

during all these attempts, I fail to see that we remembered to allow incoming traffic on port 80 in the firewall, - is that correct ?

If so, - you might want to test this:

1. Set defserver
2. In firewall, config to allow incoming traffic on port 80

Sven
 
LVL 1

Expert Comment

by:Yorkie0362
ID: 9698230
there is a third party application called alcatool, which improves on the alcatel web interface, might like to give it a try, http://www.nubz.org/alcatool/Download.html
 

Author Comment

by:11ods
ID: 9698255
I don't believe it.. I think I finally found the answer.
after reading this FAQ: http://www.azacamis.com/refer/routerfaqs.htm

It explains how from inside your LAN, you cannot plug in your WAN ip and expect to get forwarded, since it's your routers IP. But, users from outside the LAN would be able to reach it..

I'd test it but its 3:20 am and nobody's online to confirm if this works...

Any ideas? suggestions?
 

Author Comment

by:11ods
ID: 9701999
Well,

Thanks very much !

Just tried entering my ip from the WAN and it forwards to my linux box.

So the problem was actually made up of several different components,
but the turning point was Drev001's suggestion for a firmware update. which is why its the accepted answer..
I split the points because everyone assisted and i'd like to thank you for it ..... Thanks !