Synkronice
just joined
Topic Author
Posts: 10
Joined: Tue May 19, 2015 1:40 pm

Port forwarding issue. Help please.

Tue May 19, 2015 1:59 pm

Hi everybody!

I'm trying to forward the external port 4040 to the port 80 on my server.

The server is an Ubuntu Server 14.04 running as a virtual machine in Xen; its network config is...
auto eth0
iface eth0 inet static
address 172.16.0.226
netmask 255.255.0.0
gateway 172.16.0.1
dns-nameservers 8.8.8.8 8.8.4.4

Apache is listening on port 80 for any IP address.
<VirtualHost *:80>

In my MikroTik RB2011UiAS-RM Router I made these changes through Webfig v6.27:

In IP > Firewall > Filter Rules I've created a new rule with these settings...
GENERAL GROUP
Enable: true
Chain: FORWARD-apps
Protocol: 6 (tcp)
Dst. Port: 4040
 
ACTION GROUP
Action: accept
Log: true
Log Prefix: My firewall rule

In IP > Firewall > NAT I've created a new rule with these settings...
GENERAL GROUP
Enabled: true
Chain: dstnat
Dst. Address: 62.x.x.x (my public ip address here)
Protocol: 6 (tcp)
Dst. Port: 4040
 
ACTION GROUP
Action: dst-nat
Log: true
Log Prefix: My nat rule
To Address: 172.16.0.226
To ports: 80

Then, if I try to go to the following URL from my phone outside the office network

http://62.x.x.x:4040

I don't see anything in the browser; I get a timeout message and an aborted HTTP status, and I get the following message in the log of my MikroTik RB2011UiAS-RM router...
Time May/dd/YYYY HH:mm:ss
Buffer memory
Topics firewall, info
Message My nat rule dstnat: in:bridge-efm out:(none), src-mac d4:x:x:x:x:x, proto TCP (SYN), 82.x.x.x:13246->62.x.x.x:4040, len 60

External requests don't appear in the Apache log, but when I request the private IP 172.16.0.226 the Apache log records the requests.

Can someone help me, please?

Thanks so much.
"The possibility of making a dream come true is what makes life interesting.", Paulo Coelho
 
j7n
newbie
Posts: 43
Joined: Mon Jan 06, 2014 9:55 pm

Re: Port forwarding issue. Help please.

Tue May 19, 2015 2:55 pm

I think the Accept rule doesn't match your connection because, by the time you are filtering in the Forward chain, the dst-port is already 80, and dst-address is 172.16.0.226. Normally the ports are the same and this does not become an issue.
 
Synkronice
just joined
Topic Author
Posts: 10
Joined: Tue May 19, 2015 1:40 pm

Re: Port forwarding issue. Help please.

Tue May 19, 2015 3:14 pm

Hi j7n,

Thanks so much for your answer.

Excuse my ignorance, but I'm a newbie, English is not my native language, and I don't understand your answer very well.

Could you be more explicit?

What do you suggest I do?

Apologies for the inconvenience.

Kind regards,

Synkronice
 
j7n
newbie
Posts: 43
Joined: Mon Jan 06, 2014 9:55 pm

Re: Port forwarding issue. Help please.

Tue May 19, 2015 4:26 pm

Since there is only 1 log entry for dst-nat, and none for "my firewall rule", it seems that port forwarding was done correctly, but the connection was subsequently dropped by the firewall. Dst-nat acts on the packet before Filter does, and has rewritten the destination address and port.

Try replacing the rule in IP > Firewall > Filter Rules with this:
GENERAL GROUP
Enable: true
Chain: FORWARD-apps
Dst. Address: 172.16.0.226
Protocol: 6 (tcp)
Dst. Port: 80
 
ACTION GROUP
Action: accept
Log: true
Log Prefix: My firewall rule
Depending on where later in the firewall the rules that Drop connections are, this might be sufficient.

If not, post the setup of your firewall, which you can get by connecting to your router via Winbox or Telnet, and executing the command:

/ip firewall filter export
 
Synkronice
just joined
Topic Author
Posts: 10
Joined: Tue May 19, 2015 1:40 pm

Re: Port forwarding issue. Help please.

Tue May 19, 2015 6:32 pm

Hi j7n,

I made the changes you proposed; now the log gives me the following messages:
LOG_FIREWALL.jpg
My firewall setup is...
add chain=input protocol=icmp
add chain=input connection-state=established,related
add chain=input in-interface=bridge-local
add chain=forward comment="ACCEPT established/related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add chain=forward dst-address=172.16.0.226 dst-port=80 log=yes log-prefix="My Firewall Rule" protocol=tcp
add action=jump chain=forward comment="FORWARD to apps.example.com" connection-state=new dst-address=62.xxx.xxx.xx6 in-interface=bridge-efm jump-target=FORWARD-apps
add action=jump chain=forward comment="FORWARD to mail.example.com" connection-state=new dst-address=62.xxx.xxx.xx7 in-interface=bridge-efm jump-target=FORWARD-mail
add chain=forward comment="FORWARD outbound (x4)" connection-nat-state=dstnat in-interface=vrrp-adsl
add chain=forward connection-nat-state=dstnat connection-state=new in-interface=bridge-adsl
add chain=forward in-interface=vrrp-local
add chain=forward in-interface=bridge-local
add chain=forward comment=VPN out-interface=bridge-local src-address=172.17.0.0/16
add chain=forward out-interface=bridge-adsl src-address=172.17.0.0/16
add chain=forward out-interface=bridge-efm src-address=172.17.0.0/16
add chain=forward comment="temporary admin rule" dst-address=172.16.0.0/16 src-address=192.168.1.0/24
add action=drop chain=forward
add chain=FORWARD-mail comment="FORWARD-mail rules" dst-port=25 protocol=tcp
add chain=FORWARD-mail dst-port=80 protocol=tcp
add chain=FORWARD-mail dst-port=143 protocol=tcp
add chain=FORWARD-mail dst-port=443 protocol=tcp
add chain=FORWARD-mail dst-port=993 protocol=tcp
add chain=FORWARD-mail dst-port=587 protocol=tcp
add chain=FORWARD-mail dst-port=22 protocol=tcp src-address-list=remote-admin
add action=reject chain=FORWARD-mail protocol=tcp reject-with=tcp-reset
add chain=FORWARD-mail protocol=icmp
add action=reject chain=FORWARD-mail
add chain=FORWARD-apps comment="FORWARD-apps rules" dst-port=80 protocol=tcp
add chain=FORWARD-apps dst-port=443 protocol=tcp
add chain=FORWARD-apps dst-port=22 protocol=tcp
add action=reject chain=FORWARD-apps log=yes log-prefix=REJECT protocol=tcp reject-with=tcp-reset
add chain=FORWARD-apps protocol=icmp
add action=reject chain=FORWARD-apps
I've reviewed the Apache log, and it isn't receiving external requests; it is only answering local requests.

Thank you so much for your support.

Kind regards,

Synkronice
 
docmarius
Forum Guru
Posts: 1220
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Port forwarding issue. Help please.

Tue May 19, 2015 6:40 pm

The firewall rules on your server and your web server must also accept requests from non-local sources (outside the 172.16.0.0/12 address space), since there is no source NAT on the incoming requests.

Check your firewall with "iptables --list" to have
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
somewhere in those rules, without any blocking rule before it, and review your server configuration.

Running tcpdump or a wireshark trace on the server could also give you info about requests reaching your server or not.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
Synkronice
just joined
Topic Author
Posts: 10
Joined: Tue May 19, 2015 1:40 pm

Re: Port forwarding issue. Help please.

Tue May 19, 2015 7:00 pm

Hi docmarius,

The server's iptables are...
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
And Apache's configuration is...
<VirtualHost *:80>
No requests appear in Apache's log.

PS: Thank you so much for your support.

Kind regards,

Jose Antonio
 
docmarius
Forum Guru
Posts: 1220
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Port forwarding issue. Help please.

Tue May 19, 2015 7:10 pm

Ok. Also check that in your Apache virtual host definition you allow access to the web folders from all:
<VirtualHost *:80>
....
   <Directory /var/www/whatever/>
       ...
       Order allow,deny
       Allow from all
   </Directory>
</VirtualHost>
As a last resort, there is still running tcpdump or Wireshark to isolate the point of failure...
 
Synkronice
just joined
Topic Author
Posts: 10
Joined: Tue May 19, 2015 1:40 pm

Re: Port forwarding issue. Help please.

Tue May 19, 2015 7:25 pm

Hi docmarius,

I've tried your suggestion but it doesn't work...
        <Directory /var/www/html/>
                AllowOverride All
                Order Allow,Deny
                Allow from All
        </Directory>
I'm going to try to investigate with the tools you suggested, tcpdump and Wireshark.

Thank you so much for your support (docmarius & j7n).

Kind regards.

Synkronice
 
Synkronice
just joined
Topic Author
Posts: 10
Joined: Tue May 19, 2015 1:40 pm

Re: Port forwarding issue. Help please.

Tue May 19, 2015 8:01 pm

Hi docmarius,

I found a clue, and maybe you can understand what happens.

After I enabled logging in the following firewall rule:
Enabled: true
Chain: forward
Connection State: invalid
Action: drop
Log: true
Log prefix: INVALIDO
If I try to connect through the browser using the following address...
http://62.x.x.x:4040
using my phone outside the office network (my phone has the public IP address 83.132.x.x).

If I open the firewall log I find the following message...
Time		May/19/2015 16:51:49
Buffer		memory
Topics		firewall, info
Message		INVALIDO forward: in:vrrp-local out:bridge-adsl, src-mac 00:x:x:x:x:x, proto TCP (SYN,ACK), 172.16.0.226:80->82.132.x.x:17218, len 60
I hope this gives you a clue to help me.

Thank you so much.

Kind Regards,

Synkronice
 
j7n
newbie
Posts: 43
Joined: Mon Jan 06, 2014 9:55 pm

Re: Port forwarding issue. Help please.

Tue May 19, 2015 8:07 pm

Do you have multiple WAN links with policy routing: "efm" and "adsl"? I'm considering the possibility that the response from the webserver might be going out over a wrong interface by default, not "bridge-efm" where the connection came in from.

If you don't have Wireshark installed, you could use Tools > Packet Sniffer in Winbox to follow the packets going through the router. First filter by any interface, IP 172.16.0.226, press Apply, Start, try to load the page, Stop, then look at the list of captured Packets. If you see them going in both directions, try again filtered by port 4040 and see where the response is going out to.
 
Synkronice
just joined
Topic Author
Posts: 10
Joined: Tue May 19, 2015 1:40 pm

Re: Port forwarding issue. Help please.

Tue May 19, 2015 8:30 pm

Yes j7n, I have two WAN links named efm and adsl.

After following your recommendations I get the following log...
log_firewall_2.jpg
I think you are right; my server is trying to answer through the adsl link, look at the following log:

Time May/19/2015 16:51:49
Buffer memory
Topics firewall, info
Message INVALIDO forward: in:vrrp-local out:bridge-adsl, src-mac 00:x:x:x:x:x, proto TCP (SYN,ACK), 172.16.0.226:80->82.132.x.x:17218, len 60

I've just started working at this company and the router setup was made by another person; for this reason I'm lost...

Thank you so much.

Kind regards,

Synkronice
 
j7n
newbie
Posts: 43
Joined: Mon Jan 06, 2014 9:55 pm

Re: Port forwarding issue. Help please.

Tue May 19, 2015 9:06 pm

Looks like we are on to something. The connection is "invalid" because the webserver is sending Syn,Ack over what to the firewall appears to be a new, entirely different connection, not yet started with Syn. (this is probably wrong)

If you want the web service to be available on both WANs simultaneously, you'll have to mark the incoming connections in Mangle and then put routing marks on the packets consistently according to the connection marks. It's somewhat easier to redirect everything from this server not destined to LANs over to "bridge-efm" (in Mangle). See this example. Be careful so that incorrect changes to routes don't cause downtime on the network.

If you require assistance with this configuration, and can reveal these details, post the following relevant pages:

/ip firewall mangle export
/ip route export
/ip route print
Last edited by j7n on Wed May 20, 2015 4:40 pm, edited 3 times in total.
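Putting j7n's two points together as one added RouterOS v6 CLI example (written for this thread, not configuration from any poster): the forward-chain filter must match the already-translated destination (or the dstnat connection state) because dst-nat runs first, and with two WAN links the reply from 172.16.0.226 must be sent back out the link the SYN arrived on, which is done with a connection mark in mangle plus a routing mark that selects a route via the efm gateway. The gateway address 62.x.x.1, the mark names and the assumption that the server's replies enter on vrrp-local (as in the INVALIDO log line) are placeholders and assumptions, since the thread does not give them.

```routeros
# 1. Port forward: public :4040 -> 172.16.0.226:80 (dst-nat runs before filter)
/ip firewall nat
add chain=dstnat in-interface=bridge-efm protocol=tcp dst-port=4040 \
    action=dst-nat to-addresses=172.16.0.226 to-ports=80 \
    comment="apps: 4040 -> 172.16.0.226:80"

# 2. Filter: by the time the forward chain sees the packet the destination is
#    already 172.16.0.226:80, so match that (or connection-nat-state=dstnat),
#    never dst-port=4040.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop log=yes log-prefix=INVALIDO
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface=bridge-efm dst-address=172.16.0.226 protocol=tcp dst-port=80 \
    action=accept log=yes log-prefix="My firewall rule"

# 3. Dual-WAN: remember that this connection entered on the efm link.
#    mangle forward runs after dst-nat, so connection-nat-state=dstnat is set here.
/ip firewall mangle
add chain=forward in-interface=bridge-efm connection-state=new \
    connection-nat-state=dstnat dst-address=172.16.0.226 \
    action=mark-connection new-connection-mark=from-efm passthrough=yes
# Replies from the server (assumed to arrive on vrrp-local) carry the same
# connection mark; turn it into a routing mark before the routing decision.
add chain=prerouting in-interface=vrrp-local src-address=172.16.0.226 \
    connection-mark=from-efm action=mark-routing new-routing-mark=via-efm \
    passthrough=no

# 4. Route for marked packets: out the efm link. 62.x.x.1 is a placeholder
#    gateway; the thread does not give the real one.
/ip route
add dst-address=0.0.0.0/0 gateway=62.x.x.1 routing-mark=via-efm distance=1 \
    comment="replies for dstnat connections that arrived via efm"
```

After applying it, the INVALIDO drop line should disappear and the "My firewall rule" accept line should appear instead, with out:bridge-efm on the SYN,ACK when sniffed with Tools > Packet Sniffer.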
 
Synkronice
just joined
Topic Author
Posts: 10
Joined: Tue May 19, 2015 1:40 pm

Re: Port forwarding issue. Help please.

Tue May 19, 2015 9:10 pm

Thank you j7n, I will review all your tips and tomorrow I will give feedback.

Thank you so much.

Kind regards,

Synkronice
 
ALX1S
newbie
Posts: 40
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: Port forwarding issue. Help please.

Fri May 29, 2015 7:40 pm

Hi to everyone.

I'm having exactly the same issue, but my external port for the Ubuntu is 8000 (and with internal PPTP and RDP services).

When I connect from the internal network to the "external IP:8000", the NAT rule sees traffic, but I can't see the page and then the timeout...

I tried 2 settings (checked on this forum), but they did not work.

Firewall > Nat > add chain=dstnat dst-address="the public ip" protocol=6 (tcp) Dst. Port=8000 action netmap to-addresses= "10.0.0.221" to-ports="80" comment="Web Server Wan Access"

and

Firewall > Nat > add chain=dstnat dst-address="the public ip" protocol=6 (tcp) Dst. Port=8000 action dst-nat to-addresses= "10.0.0.221" to-ports="80" comment="Web Server Wan Access 2"

Could someone help me, please?
 
Synkronice
just joined
Topic Author
Posts: 10
Joined: Tue May 19, 2015 1:40 pm

Re: Port forwarding issue. Help please.

Fri May 29, 2015 11:01 pm

Hi ALX1S,

I only want to tell you that I haven't fixed my problem yet.

I need more knowledge to resolve it.

Regards.
 
j7n
newbie
Posts: 43
Joined: Mon Jan 06, 2014 9:55 pm

Re: Port forwarding issue. Help please.

Sat May 30, 2015 3:19 pm

ALX1S, please keep your posts related to this problem into your own single thread. It's unlikely that your setup matches what is discussed here, aside from the fact that it also involves NAT.

Synkronice, I'm afraid I do not have a good understanding how VRRP works. I didn't notice it at first. :oops: Maybe others will advise. You should probably post your full configuration ( /export hide-sensitive ) with IP addresses and how the ADSL modem and EFM are connected to the router. The response from the server is arriving but getting lost. We must follow it through mangle and routes with exact ips ..6, ..7 or ..x ... You can delete the info after the problem is solved.
 
Abt
just joined
Posts: 1
Joined: Fri Feb 14, 2020 2:11 am

Re: Port forwarding issue. Help please.

Fri Feb 14, 2020 3:01 pm

I am having the same issue. I have a LAN with IP 164.254.15.220 and port 8080. Firewall NAT: chain dstnat, dst address 192.168.100.200, protocol 6 (tcp), port 8080. Action: dst-nat, 168.254.15.220, port 80.
Firewall filter rule, general: chain forward, dst address 192.168.100.200, protocol 6 (tcp), dst. port 8080.
Action: accept. Actually, I want other devices to access it wirelessly with the IP 192.168.100.200. Once I type this address in the URL, it fails to connect.
