KowaI
just joined
Topic Author
Posts: 2
Joined: Thu Jun 21, 2018 7:05 am

Port 80 redirect

Wed Jul 24, 2019 10:26 am

I am trying to set up a firewall rule to route port 80 to the local host where the web server is running: an Orange Pi with Armbian installed, a computer in the local network. On MikroTik I set the NAT rule chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=80 protocol=tcp dst-port=80 log=no log-prefix="". Everything works fine except for the Armbian package manager APT. When I turn off the firewall rule, APT works fine. Instead of the MikroTik I installed a regular TP-Link and redirected port 80. On TP-Link everything works fine, APT and the redirection.
 
mkx
Forum Guru
Posts: 3185
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port 80 redirect  [SOLVED]

Wed Jul 24, 2019 11:08 am

The rule is too greedy and actually captures all connections targeting port 80 (even those from LAN towards internet). You should limit that to connections arriving through WAN interface. You can do it in one of the following two ways:
add chain=dstnat action=dst-nat to-addresses=10.0.0.2 protocol=tcp dst-port=80 dst-address=<WAN IP address>
add chain=dstnat action=dst-nat to-addresses=10.0.0.2 protocol=tcp dst-port=80 in-interface-list=WAN
If your router is running recent ROS (version 6.43 or newer) and uses current default setup which relies on proper interface list membership (defined in /interface list and subtree), then the second rule in the example above would be preferred. If your WAN IP address is dynamic (you get it via DHCP client or with PPPoE client), then using the second rule is the only sustainable way of doing it.

N.b.: if the port being forwarded is the same as the port on the target (LAN) server, you don't have to configure the to-ports attribute.
BR,
Metod
 
sindy
Forum Guru
Posts: 3945
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port 80 redirect

Wed Jul 24, 2019 11:10 am

Posting although @mkx was faster, just because my response contains yet another way to do that :)

Your dst-nat rule doesn't check the dst-address, so when the Armbian itself (or any other device using the Tik as a router) initiates an HTTP session towards anywhere, it gets redirected to the Armbian's IP as well. So add in-interface=your-wan-interface-name or dst-address-type=local (or both) to your dst-nat rule and you'll be good. And as you don't change the port, you can also remove to-ports from the rule to speed things up 0.000001% :)
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
mkx
Forum Guru
Posts: 3185
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port 80 redirect

Wed Jul 24, 2019 11:31 am

So add in-interface=your-wan-interface name or dst-address-type=local (or both) to your dst-nat rule ...
My understanding is that if you only set dst-address-type=local, you lose access to WebFig (web GUI for administering routerboards ... in case you care, I personally use it). If you want to keep access to WebFig, then you have to set in-interface (or in-interface-list) as well ...
BR,
Metod
 
sindy
Forum Guru
Posts: 3945
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port 80 redirect

Wed Jul 24, 2019 11:46 am

Your understanding is absolutely correct :)
 
KowaI
just joined
Topic Author
Posts: 2
Joined: Thu Jun 21, 2018 7:05 am

Re: Port 80 redirect

Wed Jul 24, 2019 3:06 pm

Thanks a lot. Problem solved.
 
Sob
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port 80 redirect

Wed Jul 24, 2019 3:51 pm

@mkx: Or you can use "dst-address-type=local dst-address=!<where WebFig should be available>", assuming that you don't need WebFig accessible from internet. Compared to in-interface=WAN, this also works well together with hairpin NAT.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
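An added example, not from any of the posts above: a small Python model of how the dstnat matchers discussed by mkx, sindy and Sob decide which connections get redirected. It shows why the original greedy rule catches APT on the web server itself, why dst-address-type=local alone swallows WebFig, and how the in-interface-list=WAN, dst-address=WAN IP and Sob's negated dst-address variants behave, including hairpin traffic. All addresses (RFC 5737 ranges and 10.0.0.x) and interface names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (RFC 5737 ranges) and interface names; none come from the thread.
WAN_IP = "203.0.113.10"             # router's public address
ROUTER_LAN_IP = "10.0.0.1"          # router's LAN address, where WebFig is reached
LOCAL_IPS = {WAN_IP, ROUTER_LAN_IP} # what dst-address-type=local matches
WAN_LIST = {"ether1"}               # members of /interface list WAN
WEB_SERVER = "10.0.0.2"             # the Armbian box from the first post

@dataclass
class Conn:
    in_iface: str
    src: str
    dst: str
    dport: int = 80
    proto: str = "tcp"

@dataclass
class Rule:
    """Subset of a dstnat rule: action=dst-nat to-addresses=WEB_SERVER plus matchers."""
    in_iface_list: Optional[str] = None
    dst_address: Optional[str] = None       # "!x" negates, as in RouterOS
    dst_address_type: Optional[str] = None

    def matches(self, c: Conn) -> bool:
        if c.proto != "tcp" or c.dport != 80:
            return False
        if self.in_iface_list == "WAN" and c.in_iface not in WAN_LIST:
            return False
        if self.dst_address_type == "local" and c.dst not in LOCAL_IPS:
            return False
        if self.dst_address is not None:
            negate = self.dst_address.startswith("!")
            if (c.dst == self.dst_address.lstrip("!")) == negate:
                return False
        return True

def nat_target(rule: Rule, c: Conn) -> str:
    """Destination address the connection has after the dstnat chain."""
    return WEB_SERVER if rule.matches(c) else c.dst

# Constructed traffic: an internet visitor, APT on the web server fetching a
# mirror, the admin opening WebFig, and a LAN client using the public address.
VISITOR = Conn("ether1", "198.51.100.7", WAN_IP)
APT     = Conn("bridge", WEB_SERVER, "192.0.2.80")
WEBFIG  = Conn("bridge", "10.0.0.50", ROUTER_LAN_IP)
HAIRPIN = Conn("bridge", "10.0.0.50", WAN_IP)
```

Compare nat_target(Rule(), APT) with nat_target(Rule(in_iface_list="WAN"), APT) to see the redirect-to-self that broke the package manager disappear.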
 
mkx
Forum Guru
Posts: 3185
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port 80 redirect

Wed Jul 24, 2019 4:30 pm

@mkx: Or you can use ...

I know there are plenty of ways to "skin the sheep" ... I was just pointing out a potential side effect if the OP followed the advice by @sindy as it was originally written. After one is aware of the problem, it's quite easy to find a way around it ...
BR,
Metod
 
anav
Forum Guru
Posts: 3116
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port 80 redirect

Wed Jul 24, 2019 5:05 pm

@mkx: Or you can use ...

I know there are plenty of ways to "skin the sheep" ... I was just pointing out potential side effect if OP followed advice by @sindy as it was originally written. After one is aware of the problem, it's quite easy to find the way around ...
I think the quote is "skin the cat"; one shears sheep! ;-P
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 3185
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port 80 redirect

Wed Jul 24, 2019 5:09 pm

I think the quote is "skin the cat"; one shears sheep! ;-P
I don't eat cats and I don't know any other reason to skin an animal :wink:
BR,
Metod
 
sindy
Forum Guru
Posts: 3945
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port 80 redirect

Wed Jul 24, 2019 5:46 pm

It seems that on the contrary, in Canada they don't eat sheep so @anav thought you actually had in mind shearing for wool. But it's surprising he's used a cat as an example of an animal you would skin for food or fur.

Btw, one of my biggest surprises in your country (apart from the infamous price of the 5-day highway vignette, of course) was to find stallion on the menu of a normal restaurant. Nothing bad about that, you could buy horse salami here as well until a few years ago, and half of Europe was occasionally eating horse meat unconsciously a few years ago, but I've never seen it in a restaurant anywhere else.
 
mkx
Forum Guru
Posts: 3185
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port 80 redirect

Wed Jul 24, 2019 10:28 pm

Btw one of my biggest surprises in your country was to find a stallion on the menu of a normal restaurant.
Yeah, I know ... I guess this is the real reason for the horse-loving Brits to leave EU :wink:

Regarding the highway vignettes: it's a simple tax on all those Czechs and Poles hoarding towards summer holidays in Croatia ;-) You should be applying for a refund just because you stopped at a local restaurant :lol:
BR,
Metod
 
sindy
Forum Guru
Posts: 3945
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port 80 redirect

Wed Jul 24, 2019 10:50 pm

it's a simple tax on all those Czechs and Poles hoarding towards summer holidays in Croatia ;-) You should be applying for a refund just because you stopped at a local restaurant :lol:
Hehe. I think I've spent much more on them when driving to Lj than when transiting to Croatia, even though one was usually sufficient, whereas for a week in Croatia one needs two (which makes the purpose so much more obvious). But of course I do get the idea and even understand the reasons. Your ministry of tourism should seriously consider your suggestion that the receipt for the vignette should act as a free ticket at least to some museums. Except that the Austrians might sue you for that, like they sue the Germans for the intention to compensate their own citizens for the price of the newly introduced vignette by subtracting it from the road tax they have to pay :)

But it's sad that the vignette pricing policy has become the first association for such a nice country and damages its reputation.
 
mkx
Forum Guru
Posts: 3185
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port 80 redirect

Wed Jul 24, 2019 10:56 pm

I can understand the sentiment of tourists passing by. Anyhow, I'm inviting you for a beer (or, if you dislike non-native beer, which I would fully understand, some other beverage) when you happen to pass by ...
BR,
Metod
 
sindy
Forum Guru
Posts: 3945
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port 80 redirect

Wed Jul 24, 2019 11:12 pm

I'm not as beerly as most of my fellow citizens, so feeding me with beer is a waste of beer. But I like another thing I haven't seen elsewhere yet, the blueberry juice. Unfortunately the cooperation for which I used to visit Lj ended a few years ago, so it is unpredictable when I get there next time. But if you sometimes travel northwards, I'd be glad to have a beer or something else with you here.

BTW, our highways are not famous for the vignette prices but for their ability to trap even the U.S. army :)