Tomato port forwarding (80) for thttpd-php

Discussion in 'Tomato Firmware' started by ulyan, Jun 22, 2012.

  1. ulyan

    ulyan Networkin' Nut Member

    Hi there everyone,

    I recently thought about trying to install a web server on my Tomato-firmware-based router. First I installed lighttpd, and it seemed to work fine from inside my LAN but not from outside, so I thought it was the server's fault (bad package, bad compile, etc.). Then I uninstalled it and installed thttpd-php. The same problem occurred.

    The problem I am talking about is that the page is visible from inside my LAN using my router's IP:80 or my free DynDNS domain:80, but not from the outside (the internet): a blank page is displayed.

    My configuration is as follows:
    I have a D-Link DSL-320B ADSL modem configured in bridge mode (ADSL cable). Then I have a Linksys E3000 with Shibby's latest firmware, revision 93 (the Mega-VPN mod, the biggest of them all), connected to the modem; it does the PPPoE connection and manages all my network devices.

    I configured thttpd-php to use port 80 and I changed my router's web management interface to 8080. Everything seems to work OK from inside my LAN.

    Now the problem is from the internet. Digging around, I understood that having port 80 open is a must so that the web page can be accessed from outside. In the original lighttpd thread on the TomatoUSB forums it was recommended to add this to the firewall script in Administration:

    iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    I did it, restarted the firewall service, rebooted the router, nothing happened. Then I tried port forwarding to my router's IP from the Tomato GUI:


    Again no change. Then I thought about using a port scanner to see if the port is actually open. I used ShieldsUP from GRC. Before doing this I activated FTP from the GUI, to see if port 21 is open as well. This is the result:


    Now, why is port 21 open and port 80 or 40 (which I forwarded additionally, to see if there is any problem specific to port 80) not? I found this command to list the ports that are being listened on:
    netstat -a
    This is what I see:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 Cerebro-lan1:5280* LISTEN
    tcp 0 0 localhost:40* LISTEN
    tcp 0 0 Cerebro:netbios-ssn* LISTEN
    tcp 0 0 Cerebro-lan1:webcache* LISTEN
    tcp 0 0 Cerebro:webcache* LISTEN
    tcp 0 0* LISTEN
    tcp 0 0* LISTEN
    tcp 0 0* LISTEN
    tcp 0 0* LISTEN
    tcp 0 0* LISTEN
    tcp 0 0 Cerebro:445* LISTEN
    tcp 0 0 :::zebra :::* LISTEN
    tcp 0 0 :::ripd :::* LISTEN
    tcp 0 0 :::domain :::* LISTEN
    tcp 0 0 :::ssh :::* LISTEN
    tcp 0 0 :::telnet :::* LISTEN
    tcp 0 0 ::ffff: ::ffff: ESTABLISHED
    udp 0 0 Cerebro-lan1:6017*
    udp 0 0*
    udp 0 0 Cerebro:netbios-ns*
    udp 0 0*
    udp 0 0 Cerebro:netbios-dgm*
    udp 0 0*
    udp 0 0*
    udp 0 0 localhost:38032*
    udp 0 0 Cerebro:18599*
    udp 0 0 localhost:40*
    udp 0 0*
    udp 0 0*
    udp 0 0 Cerebro-lan1:5351*
    udp 0 0 Cerebro:5351*
    udp 0 0*
    udp 0 0*
    udp 0 0 localhost:38000*
    udp 0 0 Cerebro:31231*
    udp 0 0 :::domain :::*
    raw 0 0* 255
    raw 0 0 :::58 :::* 58

    I see no port 80 anywhere, meanwhile port 40 (which I was forwarding just for testing) is there. Why do the two bold/red expressions differ? (I don't know; I was supposing that port 80 should be listed or forwarded the same way FTP is.)

    I even put my router's ip in the DMZ and nothing.

    Any help appreciated. Thanks. :(
  2. BikeHelmet

    BikeHelmet Addicted to LI Member

    Does your ISP block port 80? It's extremely common that they do. That's the first thing that I'd look into...

    I'm afraid I don't know enough about netstat to tell you why it isn't in there.

    Edit: You don't need to set the internal ports in the port forwarding section, and TCP should catch all HTTP traffic.
  3. ulyan

    ulyan Networkin' Nut Member

    Yeah, the thing is I even put my router's IP in the DMZ and nothing. Does this mean some strange ISP-related blocking is happening, or some strange NAT behaviour?! Thanks.
  4. mstombs

    mstombs Network Guru Member

    Use "netstat -an" to keep all IPs/ports numeric.

    There's something on port 5280?


    iptables -nvL -t nat
    iptables -nvL
    to see how Tomato has configured the iptables/netfilter 'firewall'.

    Also check the state of "WAN IP local NAT loopback"; the default is "forwarded only".

    If you haven't already done this a thorough nvram erase and re-type in config may be needed!
  5. ulyan

    ulyan Networkin' Nut Member

    I am sorry if I am spamming too much.

    [Attached screenshots: Page-01.jpeg, Page-02.jpeg, Page-03.jpeg, Page-04.jpeg]

    This is what the three commands show me. I'm not an expert; I don't actually know how to interpret all this.

    Not that I know of.

    If you are referring to the NAT loopback in Advanced -> Firewall, I had it configured as ALL, not FORWARD ONLY.

    You mean reconfigure it from scratch ? :D I tried to avoid that. I'll do it eventually.

  6. ulyan

    ulyan Networkin' Nut Member

    Problem solved, although it cost me a reinstallation :confused:. On a lot of websites on the internet there is one syntax that is recommended but doesn't work, but there is another one that works.

    iptables -A INPUT -p tcp --dport 80 -j ACCEPT <- this one does not work

    iptables -t filter -I INPUT 1 -p tcp --dport 80 -j ACCEPT <- this one does

    You have to add this last line to the Administration -> Scripts -> Firewall tab and save. Then the easy way is to reboot, but if you can access the router via telnet, connect and execute the following so that you don't have to restart:

    service iptables restart
    service firewall restart


    If some experienced user can explain why this change is necessary and whether it is safe, then I think we can close the thread. Thanks everyone.
  7. shibby20

    shibby20 Network Guru Member

    I have in firewall

    iptables -I INPUT -p tcp --dport 80 -j ACCEPT

    and it works :)
  8. ulyan

    ulyan Networkin' Nut Member

    Ok, thanks shibby. :cool:
  9. mstombs

    mstombs Network Guru Member

    "-I" inserts the accept rule above a rule that blocks external access to the router; "-A" adds it below, so it doesn't get acted on. 5280 is probably upnpd.
  10. ulyan

    ulyan Networkin' Nut Member

    Thanks. ;)
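The rule-order point made in posts 6 and 9 (an appended "-A INPUT" ACCEPT sits below the blocking rule and is never reached, while "-I INPUT 1" puts it first) can be checked on the running chain rather than by reinstalling. The script below is an added example, not code from the thread, from Shibby's firmware or from Tomato: it reads the output of `iptables -nvL INPUT --line-numbers` and reports whether the port 80 ACCEPT precedes the first unconditional DROP/REJECT. The two chain listings embedded in it are constructed to mirror the two placements from the thread; their rule set, counters and interface names are illustrative and do not reproduce Tomato's real chain.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato: decide whether an
# ACCEPT rule for TCP port 80 in the INPUT chain sits above or below the first
# unconditional DROP/REJECT, i.e. whether "-A" left it shadowed or "-I INPUT 1"
# put it where it is evaluated. Input is the output of
#     iptables -nvL INPUT --line-numbers
# The two listings below are constructed to mirror the thread's two placements;
# they are illustrative and not a real router's chain.

# Reads a chain listing on stdin and prints one word: ok / shadowed / missing
check_port80_rule() {
    awk '
        # Rule lines start with a rule number; the columns are
        #   num pkts bytes target prot opt in out source destination [matches...]
        /^[0-9]+ / {
            num = $1; target = $4; prot = $5; in_if = $7
            # An unconditional terminal rule: DROP/REJECT on any protocol, any
            # input interface, with no extra match text (exactly 10 columns).
            # A DROP with matches such as "state INVALID" is not counted.
            uncond = (target == "DROP" || target == "REJECT") && prot == "all" && in_if == "*" && NF == 10
            if (drop == 0 && uncond) drop = num
            # First ACCEPT whose match text names destination port 80 exactly;
            # the trailing space/end-of-line keeps "dpt:8080" from matching.
            if (accept == 0 && target == "ACCEPT" && $0 ~ /dpt:80( |$)/) accept = num
        }
        END {
            if (accept == 0)                             print "missing"
            else if (drop != 0 && drop + 0 < accept + 0) print "shadowed"
            else                                         print "ok"
        }'
}

# Constructed chain after "iptables -A INPUT -p tcp --dport 80 -j ACCEPT":
# the ACCEPT lands as the last rule, below the unconditional DROP (rule 6).
appended_chain='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
2      512 40960 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4      120  9600 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
6       37  2220 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# Constructed chain after "iptables -t filter -I INPUT 1 -p tcp --dport 80 -j ACCEPT":
# the ACCEPT is evaluated first, before anything can drop the packet.
inserted_chain='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
3      512 40960 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
5      120  9600 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
7       37  2220 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Stand-alone run over the two constructed listings.
printf 'appended with -A:        %s\n' "$(printf '%s\n' "$appended_chain" | check_port80_rule)"
printf 'inserted with -I INPUT 1: %s\n' "$(printf '%s\n' "$inserted_chain" | check_port80_rule)"
```

On the router itself, `iptables -nvL INPUT --line-numbers | check_port80_rule` runs the same check against the live chain, and the pkts column of the ACCEPT rule shows whether external connections are actually hitting it. The heuristic only counts a DROP/REJECT with no match text as shadowing; a DROP restricted to an interface or a source can also block the traffic, so read the listing when the result is "ok" but the page is still blank. Note also that inserting at position 1 accepts port 80 on every interface ahead of everything Tomato placed in the chain; if the web server should only be reachable on the WAN side, add `-i` with the WAN interface name shown in that listing to the rule.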