I hope someone can help me with this NAT problem 
I have this Linux-based ADSL router. (The brand/make/etc. shouldn't matter.)
I also host websites on a box on the LAN (10.0.0.1, port 80, standard stuff). So the router has port 80 forwarded to 10.0.0.1. Standard stuff.
People hit my external IP (it's on ppp0 below but I masked the IP out) and they get my website. I use virtual hosts. All standard stuff.
However, I can't type in www.siteihost.com in my browser and get the page, BECAUSE it resolves to my external IP, the packets go to my external IP, and I get my router's page instead. (I moved my router's webserver to port 81, now port 80 just gives a connection refused). Externally, anyone can browse the sites fine.
Sure, I can type in the IP 10.0.0.1 in my browser and get the webserver, but that kinda doesn't work with virtual hosts, does it?
So is there some way to make this work? My previous router (when I was on Cable) did this correctly. If I hit it at 10.0.0.254 on port 80, I saw the router's webpage; if I hit the router's external IP on port 80 (either coming in over the WAN port from Cable, or from a LAN port -- it didn't matter -- it correctly forwarded everything on to my webserver on 10.0.0.1). It was a beautiful thing.
Now everything is quite f*****d with this adsl router.
Since I'm a n00b with Linux (I'm FreeBSD mostly) and have zero knowledge of iptables or ipchains or how Linux even does NAT (there's no natd..), is there any way I can easily fix this problem?
Below is my ifconfig and iptables output. If you need anything else, let me know.
Any help would be VERY greatly appreciated! <3.
# /sbin/ifconfig -a
br0 Link encap:Ethernet HWaddr 00:17:9A:77:04:CC
inet addr:10.0.0.254 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 ASYMMTU:1500
RX packets:9479762 errors:0 dropped:0 overruns:0 frame:0
TX packets:9328211 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1671210362 (1593.7 Mb) TX bytes:3922165178 (3740.4 Mb)
br1 Link encap:Ethernet HWaddr 00:00:00:00:00:00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 ASYMMTU:1500
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth0 Link encap:Ethernet HWaddr 00:17:9A:77:04:CC
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 ASYMMTU:1500
RX packets:9479774 errors:0 dropped:0 overruns:0 frame:0
TX packets:9328192 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1671211082 (1593.7 Mb) TX bytes:3922164134 (3740.4 Mb)
Base address:0x2800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1 ASYMMTU:0
RX packets:36 errors:0 dropped:0 overruns:0 frame:0
TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9146 (8.9 kb) TX bytes:9146 (8.9 kb)
nas0 Link encap:Ethernet HWaddr 00:17:9A:77:04:CC
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 ASYMMTU:1500
RX packets:9581676 errors:0 dropped:0 overruns:0 frame:0
TX packets:8439829 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:3873194655 (3693.7 Mb) TX bytes:1734436519 (1654.0 Mb)
ppp0 Link encap:Point-Point Protocol
inet addr:203.122.x.x P-t-P:203.16.x.x Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1 ASYMMTU:1500
RX packets:62312 errors:0 dropped:0 overruns:0 frame:0
TX packets:59748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:15512338 (14.7 Mb) TX bytes:7210604 (6.8 Mb)
#
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
CFG tcp -- 10.0.0.6 anywhere tcp dpt:www Records Packet's Source Interface
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
synflood tcp -- anywhere anywhere state NEW
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT udp -- anywhere anywhere udp spt:10290
ACCEPT tcp -- anywhere anywhere tcp spt:10290
ACCEPT udp -- anywhere anywhere udp dpt:10290
ACCEPT tcp -- anywhere anywhere tcp dpt:10290
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
DROP udp -- anywhere anywhere udp dpt:bootps
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT igmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:8082
ACCEPT udp -- anywhere anywhere udp dpt:161
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 10.0.0.1 tcp dpt:3784
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS set 1360
synflood tcp -- anywhere anywhere state NEW
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
DROP udp -- anywhere anywhere udp dpt:500
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
DROP udp -- anywhere anywhere udp dpt:bootps
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT igmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:ssh
ACCEPT udp -- anywhere 10.0.0.6 udp dpt:3389
ACCEPT tcp -- anywhere 10.0.0.6 tcp dpt:3389
ACCEPT tcp -- anywhere 10.0.0.1 tcp dpts:6881:6999
ACCEPT tcp -- anywhere 10.0.0.1 tcp dpt:110
ACCEPT tcp -- anywhere 10.0.0.1 tcp dpt:smtp
ACCEPT udp -- anywhere 10.0.0.1 udp dpt:domain
ACCEPT tcp -- anywhere 10.0.0.1 tcp dpt:443
ACCEPT tcp -- anywhere 10.0.0.1 tcp dpt:www
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp destination-unreachable
DROP icmp -- anywhere anywhere state INVALID
Chain synflood (2 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere limit: avg 15/sec burst 25
REJECT tcp -- anywhere anywhere reject-with tcp-reset
#
<3,
Leela
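What the post describes is missing "hairpin" (NAT loopback) handling: the router DNATs port 80 only for packets arriving on ppp0, so a LAN client that dials the public IP lands on the router itself. The script below is an added example, not the router's own configuration or anything from the post; it emits the nat-table rules that make LAN-originated connections to the public IP reach 10.0.0.1 and come back through the router, using the interface names and addresses from the ifconfig output above (the masked ppp0 address is replaced by a placeholder you must set in EXT_IP, and the DNAT/SNAT rules assume the router's kernel has the iptables nat table).

```shell
#!/bin/sh
# Hairpin NAT for a LAN client that connects to the router's PUBLIC IP on port 80.
# Constructed example: values come from the ifconfig output in the post, except
# EXT_IP, which the post masks, so it is a placeholder to be overridden.
EXT_IP="${EXT_IP:-203.122.0.0}"            # placeholder for the masked ppp0 address
WAN_IF="${WAN_IF:-ppp0}"                   # PPPoE link carrying the public IP
LAN_IF="${LAN_IF:-br0}"                    # LAN bridge (10.0.0.254/24)
LAN_NET="${LAN_NET:-10.0.0.0/24}"
ROUTER_LAN_IP="${ROUTER_LAN_IP:-10.0.0.254}"
WEB_SERVER="${WEB_SERVER:-10.0.0.1}"       # box hosting the virtual hosts
PORT="${PORT:-80}"

# Print the rules instead of running them, so the logic can be reviewed and
# tested without root; run with APPLY=1 as root to install them.
hairpin_rules() {
    # 1. Ordinary port-forward for the outside world (what the router already does,
    #    shown here so the ruleset is complete).
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PORT -j DNAT --to-destination $WEB_SERVER:$PORT"
    # 2. The missing piece: a LAN client addressing the public IP also gets its
    #    destination rewritten to the web server.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $EXT_IP -p tcp --dport $PORT -j DNAT --to-destination $WEB_SERVER:$PORT"
    # 3. Hide the LAN client behind the router's LAN address so the server's reply
    #    goes back via the router (which un-DNATs it). Without this the server
    #    answers the client directly from 10.0.0.1, the client expected a reply
    #    from EXT_IP, and the connection is reset.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $WEB_SERVER -p tcp --dport $PORT -j SNAT --to-source $ROUTER_LAN_IP"
    # The FORWARD chain in the post already ACCEPTs tcp dpt:www to 10.0.0.1,
    # so the filter table needs no change.
}

if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    hairpin_rules | sh -e
else
    hairpin_rules
fi
```

Note that `iptables -L` shows only the filter table; the existing port-forward lives in the nat table and is listed with `iptables -t nat -L -n`. Rule 3 means the web server's access logs will record LAN visitors as 10.0.0.254 rather than their real address, which matters if those logs feed any per-client monitoring.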