Ben Biddington

My weekend project for the last couple of weeks has been to find out how to expose a website from my home computer.

And after doing so, it appears there are two requirements:

1. Instructing firewall to forward ports
2. Allowing requests through firewall on the target computer

I am using a SpeedTouch 585 forwarding to a laptop running Windows 7.

It is also recommended of course that you have a static ip address.

How to instruct router to forward a port

TIP: Ensure you don’t have an ip address conflict (i.e., more than one computer on the same ip address) on your network, perhaps that confuses things for forwarding. Giving whatever machine you’re forwarding to a static ip address probably makes sense — you won’t need to change anything when that machine joins network then.

I have a SpeedTouch 585, and I did it through the web interface:

• Go to: “Home > Home Network > Devices > [device name]”
• Select “Configure” from the upper right part of the screen (between “Overview” and “Help”)
• From the “Connection Sharing” section, select “HTTP Server (World Wide Web)” from the list and press the “Add” button
• You’re now forwarding all HTTP requests to your public ip address on port 80 to your selected device on port 80.

There are full also instructions for port forwarding on a SpeedTouch 585.

TIP: You can telnet straight in to router on default port (23), bypassing the web UI.

TIP: Windows 7 has telnet disabled. Search for “turn Windows features on or off” to get the applet for enabling it.

Adding new firewall rules

Firewall rules are edited and applied through the “Game & Application Sharing” section.

For example. you may wish to host a website on port 99 on your laptop:

• Go to “Home > Toolbox > Game & Application Sharing”
• From the “Pick a task…” section, choose “Create a new game or application”
• From the “Clone Existing Game or Application” list, choose “HTTP Server (World Wide Web)”
• Check “Manual Entry of Port Maps”
• Press “Next”
• Enter 80 and 80 as the “Port Range”
• Enter 99 as the “Translate to”
• That’s it

Here’s the resultant mapping:

Protocol  Port Range	Translate To ...  Trigger Protocol  Trigger Port
Any	  80 - 80	99 - 99		  -		    -

TIP: You cannot edit anything in the “Home > Toolbox > Game & Application Sharing > Game or Application Definition” list if it is assigned to something (The edit link is missing). Unassign it before you edit it.

TIP: You have to explicitly enable logging for each “Game of Application” you attach to a device, otherwise you’ll get no logging at all.

What forwarding rules really look like

In the event logs, here’s what I get when I run a test with port 80:

FIREWALL rule (1 of 1) : Protocol: TCP
Src ip: 69.163.149.200
Src port: 47603
Dst ip: 192.168.1.65
Dst port: 99
Chain: forward_host_service
Rule Id: 2
Action: accept

Even though it does display an amber light instead of green, I think this is just a forwarding record, not a warning.

That stuff about the forward_host_service chain is available via telnet. Telnet in to your router and open the chains list.

Here are the chains I have:

Name                                             Description
-----------------------------------------------------------------
sink                                             system
forward                                          system
source                                           system
sink_fire                                        system
forward_fire                                     system
source_fire                                      system
forward_host_service                             system
forward_level                                    system
sink_system_service                              system
forward_multicast                                system
forward_level_BlockAll                           system
forward_level_Standard                           system
forward_level_Disabled                           system

Which includes forward_host_service, which contains these rules (including number 3):

:firewall rule list chain=forward_host_service format=cli

:firewall rule add chain=forward_host_service index=1
    name=_f_u_192.168.1.65:55768_55768
    dstip=_u_192.168.1.65
    serv=_u_17:55768_55768
    log=disabled
    state=enabled
    action=accept

:firewall rule add chain=forward_host_service index=2
    name=_f_sv_192.168.1.65:80_80
    dstip=_sv_192.168.1.65
    serv=_sv_6:99_99
    log=disabled
    state=enabled
    action=accept

:firewall rule add chain=forward_host_service index=3
    name=_f_sv_192.168.1.65:3128_3128
    dstip=_sv_192.168.1.65
    serv=_sv_6:3128_3128
    log=enabled
    state=enabled
    action=accept

How to allow connections through your firewall

Depends on your vendor obviously, but I am running ESET and I did this:

1. Setup > Personal firewall > Configure rules and zones…
2. Add new rule: TCP & UDP, port 80, All remote ports, All addresses

Coping with rejection

If you’ve gotten this far, then your router is forwarding as expected, but the test may still be failing. The next place to look then is on the machine being forwarded to.

Inspect the firewall logs on the target machine and you should have something like:

Packet blocked by active defense (IDS)
192.168.1.65:99
69.163.149.200:41791
TCP

So I had to add a new firewall rule.

If you have problems with your rules, put the firewall into interactive mode (this will prompt you to allow or deny all incoming requests), run the test, accept the connection and inspect the rule it generates.

TIP: Take care with the executable, try the rule with and without to see if it makes a difference.

How to test your router is open on a particular port

Try this utility.

Troubleshooting

Where are the SpeedTouch router log files?

Home > SpeedTouch > Event Logs

References

• Squid (Windows)
• You get signal (tests port forwarding)
• Illustrated instructions for configuring port forwarding in SpeedTouch 585