Archive for May 2010
My weekend project for the last couple of weeks has been to find out how to expose a website from my home computer.
And after doing so, it appears there are two requirements:
- Instructing the router's firewall to forward ports
- Allowing requests through the firewall on the target computer
I am using a SpeedTouch 585 forwarding to a laptop running Windows 7.
It is also recommended of course that you have a static ip address.
How to instruct router to forward a port
TIP: Ensure you don’t have an ip address conflict (i.e., more than one computer on the same ip address) on your network; that may confuse the forwarding. Giving whatever machine you’re forwarding to a static ip address probably makes sense — you won’t need to change anything when that machine joins the network then.
I have a SpeedTouch 585, and I did it through the web interface:
- Go to: “Home > Home Network > Devices > [device name]”
- Select “Configure” from the upper right part of the screen (between “Overview” and “Help”)
- From the “Connection Sharing” section, select “HTTP Server (World Wide Web)” from the list and press the “Add” button
- You’re now forwarding all HTTP requests to your public ip address on port 80 to your selected device on port 80.
There are also full instructions for port forwarding on a SpeedTouch 585.
TIP: You can telnet straight in to the router on the default port (23), bypassing the web UI.
TIP: Windows 7 has telnet disabled. Search for “turn Windows features on or off” to get the applet for enabling it.
Adding new firewall rules
Firewall rules are edited and applied through the “Game & Application Sharing” section.
For example, you may wish to host a website on port 99 on your laptop:
- Go to “Home > Toolbox > Game & Application Sharing”
- From the “Pick a task…” section, choose “Create a new game or application”
- From the “Clone Existing Game or Application” list, choose “HTTP Server (World Wide Web)”
- Check “Manual Entry of Port Maps”
- Press “Next”
- Enter 80 and 80 as the “Port Range”
- Enter 99 as the “Translate to”
- That’s it
Here’s the resultant mapping:
Protocol   Port Range   Translate To   ...   Trigger Protocol   Trigger Port
Any        80 - 80      99 - 99        ...   -                  -
TIP: You cannot edit anything in the “Home > Toolbox > Game & Application Sharing > Game or Application Definition” list if it is assigned to something (The edit link is missing). Unassign it before you edit it.
TIP: You have to explicitly enable logging for each “Game or Application” you attach to a device, otherwise you’ll get no logging at all.
What forwarding rules really look like
In the event logs, here’s what I get when I run a test with port 80:
FIREWALL rule (1 of 1) : Protocol: TCP Src ip: 220.127.116.11 Src port: 47603 Dst ip: 192.168.1.65 Dst port: 99 Chain: forward_host_service Rule Id: 2 Action: accept
Even though it does display an amber light instead of green, I think this is just a forwarding record, not a warning.
That stuff about the forward_host_service chain is available via telnet. Telnet in to your router and open the chains list.
Here are the chains I have:
Name                     Description
-----------------------------------------------------------------
sink                     system
forward                  system
source                   system
sink_fire                system
forward_fire             system
source_fire              system
forward_host_service     system
forward_level            system
sink_system_service      system
forward_multicast        system
forward_level_BlockAll   system
forward_level_Standard   system
forward_level_Disabled   system
The list includes forward_host_service, which contains these rules (including number 3):
:firewall rule list chain=forward_host_service format=cli
:firewall rule add chain=forward_host_service index=1 name=_f_u_192.168.1.65:55768_55768 dstip=_u_192.168.1.65 serv=_u_17:55768_55768 log=disabled state=enabled action=accept
:firewall rule add chain=forward_host_service index=2 name=_f_sv_192.168.1.65:80_80 dstip=_sv_192.168.1.65 serv=_sv_6:99_99 log=disabled state=enabled action=accept
:firewall rule add chain=forward_host_service index=3 name=_f_sv_192.168.1.65:3128_3128 dstip=_sv_192.168.1.65 serv=_sv_6:3128_3128 log=enabled state=enabled action=accept
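As an added example (not from the original post or from the router vendor), here is a small Python parser for the `:firewall rule add` lines above that flags forwarded services which accept traffic to a LAN host but have logging disabled, which is the situation the earlier TIP warns about. It assumes the serv field has the shape `_<tag>_<proto>:<lo>_<hi>` and that dstip ends with the host address; both are read off the three sample lines, not documented behaviour.

```python
import re

# Constructed sample: the three rules the post shows in the
# forward_host_service chain, as printed with format=cli.
SAMPLE_RULES = """
:firewall rule add chain=forward_host_service index=1 name=_f_u_192.168.1.65:55768_55768 dstip=_u_192.168.1.65 serv=_u_17:55768_55768 log=disabled state=enabled action=accept
:firewall rule add chain=forward_host_service index=2 name=_f_sv_192.168.1.65:80_80 dstip=_sv_192.168.1.65 serv=_sv_6:99_99 log=disabled state=enabled action=accept
:firewall rule add chain=forward_host_service index=3 name=_f_sv_192.168.1.65:3128_3128 dstip=_sv_192.168.1.65 serv=_sv_6:3128_3128 log=enabled state=enabled action=accept
"""

PROTO_NAMES = {"6": "TCP", "17": "UDP"}  # IANA protocol numbers

# Assumption: serv looks like _<tag>_<proto>:<lo>_<hi>, e.g. _sv_6:99_99 = TCP 99-99.
SERV_RE = re.compile(r"^_[a-z]+_(\d+):(\d+)_(\d+)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_rule(line):
    """Turn one ':firewall rule add ...' line into a dict, or None if it is not one."""
    if not line.startswith(":firewall rule add"):
        return None
    fields = dict(KV_RE.findall(line))
    m = SERV_RE.match(fields.get("serv", ""))
    if not m:
        return None
    proto, lo, hi = m.groups()
    return {
        "index": int(fields["index"]),
        "chain": fields["chain"],
        "dst": fields["dstip"].split("_")[-1],  # strip the _u_/_sv_ prefix
        "proto": PROTO_NAMES.get(proto, proto),
        "ports": (int(lo), int(hi)),
        "log": fields["log"] == "enabled",
        "accept": fields["action"] == "accept",
    }


def parse_rules(text):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def unlogged_accepts(rules):
    """Rules that let traffic in to a LAN host but write nothing to the event log."""
    return [r for r in rules if r["accept"] and not r["log"]]


if __name__ == "__main__":
    for r in unlogged_accepts(parse_rules(SAMPLE_RULES)):
        print(f"rule {r['index']}: {r['proto']} {r['ports'][0]}-{r['ports'][1]} "
              f"-> {r['dst']} accepted without logging")
```

Run against a real `:firewall rule list` dump, it lists exactly the forwards you still need to switch logging on for.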
How to allow connections through your firewall
Depends on your vendor obviously, but I am running ESET and I did this:
- Setup > Personal firewall > Configure rules and zones…
- Add new rule: TCP & UDP, port 80, All remote ports, All addresses
Coping with rejection
If you’ve gotten this far, then your router is forwarding as expected, but the test may still be failing. The next place to look then is on the machine being forwarded to.
Inspect the firewall logs on the target machine and you should have something like:
Packet blocked by active defense (IDS) 192.168.1.65:99 18.104.22.168:41791 TCP
So I had to add a new firewall rule.
If you have problems with your rules, put the firewall into interactive mode (this will prompt you to allow or deny all incoming requests), run the test, accept the connection and inspect the rule it generates.
TIP: Take care with the executable field: try the rule with and without it to see if it makes a difference.
How to test your router is open on a particular port
Try this utility.
Where are the SpeedTouch router log files?
Home > SpeedTouch > Event Logs