
Can't forward ports?

Discussion in 'Tomato Firmware' started by devlin016, Oct 17, 2013.

  1. devlin016

    devlin016 Addicted to LI Member

    I'm trying to open port 80. I configured Tomato correctly, but no matter what port I open, it gets blocked?

    My syslog:

     
  2. koitsu

    koitsu Network Guru Member

    It looks like you've added a port forwarding rule (presumably, unless 10.0.2.1 is your router's IP address) for TCP port 80, but you have not added an appropriate firewall rule that passes the traffic.

    The above log is helpful but what people need to see is output from the following within a "code" block (one per command please) from your router:

    iptables -L -n -v --line-numbers
    iptables -t nat -L -n -v --line-numbers
    iptables -t mangle -L -n -v --line-numbers


    Please do not change/hide any of the IP numbers shown in the output, and try to avoid editing your post after the fact (it messes up the monospace formatting; it's a forum bug).

    Please also describe your network topology, i.e. if you have two routers involved, are using VLANs, etc.

    And finally please disclose the exact filename of the firmware you're using (do not provide a "version", provide the actual filename of the firmware you uploaded/sent to your router).
     
  3. devlin016

    devlin016 Addicted to LI Member

    Last edited: Oct 17, 2013
  4. devlin016

    devlin016 Addicted to LI Member

  5. devlin016

    devlin016 Addicted to LI Member

    I'm suspecting that maybe my ISP doesn't allow me to open any ports? If that were the case, would syslog still report the packet being dropped?
     
  6. ilovejedd

    ilovejedd Addicted to LI Member

    I think most home ISPs block ports such as 80, 21, etc. Try switching to a different port (e.g. 8080) and see if that works.
     
  7. devlin016

    devlin016 Addicted to LI Member

    OK, this is odd. I can't forward any ports with Tomato unless I use UPnP; Transmission can forward the port no problem. Tested and confirmed :/ I'm confused.
     
  8. Almaz

    Almaz Serious Server Member

    Try a different Tomato firmware and do 30 30 30 reset before and after.
     
  9. koitsu

    koitsu Network Guru Member

    In your nat table:
    Code:
    Chain WANPREROUTING (1 references)
    num pkts bytes target prot opt in out source destination
    1 0 0 DNAT icmp -- * * 0.0.0.0/0 0.0.0.0/0 to:10.0.1.1
    2 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.2.1:80
    3 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80 to:10.0.2.1:80
    
    Note that the packet counters do not appear to be incrementing here (for the 2nd and 3rd lines).

    This means the filtering is most likely occurring by your ISP. Otherwise, a port forward should work just fine; I don't see anything else wrong, but it would be good to have someone like @Bird333 review the tables, as your network topology is extremely complex.

    By the way, I have sent some ICMP to you (for testing line 1), as well as TCP SYN for port 80 (no response; just to test line 2), from a location that does not do any outbound filtering:

    Code:
    $ telnet 67.172.83.244 80
    Trying 67.172.83.244...
    ^C
    $ ping 67.172.83.244
    PING 67.172.83.244 (67.172.83.244): 56 data bytes
    ^C
    --- 67.172.83.244 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss
    
    So you can check your nat table once again and see if any of the packet counters in the WANPREROUTING section incremented. I'm betting the ICMP rule did increment (but who knows where the packets went -- as I said, your network is crazy complex), but I'm betting the tcp port 80 rule did not, which means your ISP is filtering.

    If you want to do further testing, the easiest way is to use tcpdump (specifically tcpdump -p -i `nvram get wan_iface` -l -n "tcp and dst port 80 and dst host `nvram get wan_ipaddr`") (you can install it from Entware (preferred) or Optware) and then try hitting port 80 from an Internet host (do not try it from inside of your LAN), or use a free port checker like this one. If you see lines that look remotely like this:

    Code:
    root@gw:/tmp/home/root# tcpdump -p -i `nvram get wan_iface` -l -n "tcp and dst port 80 and dst host `nvram get wan_ipaddr`"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vlan2, link-type EN10MB (Ethernet), capture size 65535 bytes
    19:35:42.669313 IP 208.79.90.130.53206 > 76.102.14.35.80: Flags [S], seq 477797881, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2064516029 ecr 0], length 0
    
    Then it means the packets are arriving at your router, but your router is discarding them or doing something with them that doesn't match what you want (i.e. your iptables rules are a mess/wrong/causing issues). My guess is that this is what's happening, because you have iptables log entries in your initial post that prove packets are coming to your WAN IP address destination port 80 and are being dropped.

    BTW, just to be clear about the source and destination IP addresses in my above example:

    208.79.90.130 = a VPS box I rent that's on the Internet
    76.102.14.35 = WAN IP address of my router (matches what's in NVRAM variable wan_ipaddr)

    And you can see that SYN was sent, but nothing else went back/forth (because I do not have port 80 forwarded or any iptables rules for it; thus the packet gets dropped as part of the filter table INPUT chain default action).

    If you do not see such lines, then the filtering is happening somewhere upstream from you (at the device connected to your WAN port, for example, or your ISP's routers, etc. -- the possibilities are endless).
     
    Last edited: Oct 18, 2013
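The counter check described above, written out as a small diagnostic script. This is an added example and not something koitsu or the Tomato project ships; it assumes the NAT chain is named WANPREROUTING as in the pasted table, and the two listings inside it are constructed to mirror that table.

```shell
#!/bin/sh
# Compare the packet counters of the WANPREROUTING DNAT rules between two
# snapshots of "iptables -t nat -L WANPREROUTING -n -v --line-numbers", taken
# before and after a probe from an Internet host, and print the numbers of the
# rules whose counter never moved. A rule that never counts a packet was never
# matched, so the probe either never reached the router or was handled earlier.
# Both listings below are constructed, modelled on the table in the thread.

BEFORE='Chain WANPREROUTING (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT icmp -- * * 0.0.0.0/0 0.0.0.0/0 to:10.0.1.1
2 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.2.1:80
3 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80 to:10.0.2.1:80'

# After three pings and a few SYNs to port 80: only the ICMP rule counted.
AFTER='Chain WANPREROUTING (1 references)
num pkts bytes target prot opt in out source destination
1 3 252 DNAT icmp -- * * 0.0.0.0/0 0.0.0.0/0 to:10.0.1.1
2 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.2.1:80
3 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80 to:10.0.2.1:80'

# stalled_rules BEFORE AFTER: print, space separated, the numbers of the DNAT
# rules whose pkts column is identical in both listings. In the output of
# "iptables -L -n -v --line-numbers", column 1 is the rule number, column 2
# the packet count and column 4 the target; add -x on a live router so that
# large counts are not abbreviated to K/M.
stalled_rules() {
    { printf '%s\n' "$1"; printf '%s\n' "$2"; } | awk '
        /^Chain /                    { listing++ }     # 1 = before, 2 = after
        $4 == "DNAT" && listing == 1 { before[$1] = $2 }
        $4 == "DNAT" && listing == 2 && before[$1] == $2 {
            out = out (out == "" ? "" : " ") $1
        }
        END { print out }'
}

# Live use on the router (assumption: chain name WANPREROUTING as in the
# thread; send the probe from outside the LAN between the two snapshots):
#   before=$(iptables -t nat -L WANPREROUTING -n -v -x --line-numbers)
#   # ... ping / connect to port 80 on the WAN address from an Internet host ...
#   after=$(iptables -t nat -L WANPREROUTING -n -v -x --line-numbers)
#   stalled_rules "$before" "$after"

stalled_rules "$BEFORE" "$AFTER"    # prints: 2 3
```

A rule number printed here while tcpdump on the WAN interface shows the probe's SYN arriving means the packet reached the router but that DNAT rule never saw it; nothing arriving at all points upstream, as the post explains.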
  10. devlin016

    devlin016 Addicted to LI Member

    Well, tcpdump reports this, so I'm guessing my ISP isn't doing any kind of port blocking.


    I don't know what to do to fix this. I need open ports badly.
     
  11. devlin016

    devlin016 Addicted to LI Member

    As I said, when, say, my Xbox opens a port via UPnP, I can check with the online port scanner you linked and the port responds, so I'm forced to think it's some kind of Tomato bug? But I have so many customizations that I can't afford switching versions or resetting :( I don't know what to do!
     
  12. devlin016

    devlin016 Addicted to LI Member

    I was able to open port 12214 and it responded and was reported open by your online port scanner site. I don't understand what's going on here.
     
  13. devlin016

    devlin016 Addicted to LI Member

  14. koitsu

    koitsu Network Guru Member

    The previous post of yours indicates an ACK packet, followed by FIN+ACK, followed by ACK. You ran tcpdump near the tail end of the port scan, and caught the socket closing.

    So all I can say is that for port 12214 packets are flowing just fine between your router (67.172.83.244) and the port scanning site 198.199.98.246 (whose DNS PTR record is, amusingly, ports.yougetsignal. :) ).

    I've done as much as I can to help you, I'm sorry to say. The rest requires a lot of time (and hand-holding), which right now I do not have much of. I can assure you however that port forwarding works just fine on Tomato. The problem is almost certainly with your overly-complex setup.
     