[lug] DSL FRII/Qwest Actiontec modem
Elyse M. Grasso
emgrasso at data-raptors.com
Sun Nov 13 08:44:41 MST 2005
On Saturday 12 November 2005 03:20 pm, Lee Woodworth wrote:
> Elyse M. Grasso wrote:
> > I know we've been through this before, but following the recommendations in
> > the previous threads doesn't seem to be helping me.
> >
> > I have a fixed IP address.
> > Wireless is off
> > Lan IP address for the modem is 192.168.0.1
> > DHCP is off
> > No services blocked
> > No websites blocked
> > Remote management and telnet are off
> > Ports 22 and 80 are forwarded to 192.168.0.2
> > DMZ hosting is on, directed to 192.168.0.2
> > Firewall Basic (documented as NAT only, no ports blocked)
> > Dynamic Routing off
> > NAT on
> > Static routing 192.168.1.0/255.255.255.0,192.168.0.2
> > Telnet timeout setting 30 minutes
> >
> > Right after I make these settings, if I hit the external IP address with a
> > browser, I get a response that suggests I'm getting through to the server. If
> > I try ssh-ing, I get
> > [emgrasso at bast ~]$ ssh local.data-raptors.com
> > ssh: connect to host local.data-raptors.com port 22: Connection refused
> >
> > and then retrying the external web address gives me the Actiontec login
> > screen.
> >
> > 192.168.0.2 is the static IP address of a Linksys Wireless-G Broadband router
> > whose lan address is 192.168.1.1.
> > DDNS is disabled
> > MAC address cloning is on
> > Advanced routing is Gateway, no static routing settings
> > Wireless is on,
> > Firewall is enabled, with Block Anonymous, Filter Multicast, and Filter IDENT
> > checked, Filter NAT is not checked
> > Access restrictions disabled
> > Ports including 80 and 22 are redirected to 192.168.1.2
> > No port triggering set
> > DMZ is disabled
> > QOS is disabled
> > UPnP is enabled
> >
> > The server has a static Lan IP of 192.168.1.2 with a wired connection, not
> > wireless. It can be reached by ssh using its LAN IP.
> >
> > I would appreciate any suggestions for Actiontec and Linksys settings changes
> > that will let me actually hit the server from outside: I'm on the road a lot
> > these days.
> I'm interpreting this to mean you want to host a web-server on the LAN that is
> visible externally and not that you want to get to the admin page from outside.
>
> Telnet into the router from the LAN side and check the IP-tables. If it's the
> same kind of actiontec I was fiddling with a while ago, you will see some
> rules with QUEUE targets redirecting certain ports to user space. If you know
> the interaction of forwarding, DNAT and user-space queueing better than I do,
> you may be able to fix the ipt rules so the WAN packets don't get swallowed.
>
> If Sean is so inclined, I expect he would make it work in routing or bridged
> mode.
> >
> > Should I try updating the modem software?
> Actiontec's paid support told me turning off the packet swallowing wasn't
> possible (they hijack ports 53 and 80).
> >
> > Should I buy a different modem? Will Qwest let me use one I didn't buy from
> > them?
> Qwest won't officially support anything but the modems they supply. Others can
> still work. On a recommendation from the list, we switched to a ZOOM ADSL X5.
> They are around $90 mail-order from PC-connection, $100 at Microcenter in
> south Denver.
>
> The Zoom has a much better admin interface and it doesn't interfere with the
> routing. Works for the DSL with a static ip that qwest provides in
> Eldorado Springs.
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>
I think the modem is actually defective. Ignoring the "feature" of eating
port 80, both the basic and low firewall levels should be passing port 22
through to the DMZ box, and they don't.
These are the settings for basic:
# iptables -n -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
QUEUE udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
QUEUE udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
QUEUE udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW,RELATED,UNTRACKED tcp dpt:23 flags:!0x02/0x02 reject-with tcp-reset
ACCEPT all -- 0.0.0.0/0 192.168.0.2
sLog all -- 0.0.0.0/0 0.0.0.0/0 sLog max_num 50 timeout 300
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
QUEUE udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:520
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 state INVALID
# iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:22 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.0.2
DNAT all -- 0.0.0.0/0 0.0.0.0/0 to:192.168.0.2
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Interestingly, those first 2 DROP settings in the filters must be hardcoded
somehow: they aren't specified in any of the files in /etc.
I think I'll be ordering the zoom modem the next time I get back into town.
--
Elyse Grasso
http://www.data-raptors.com Computers and Technology
http://www.astraltrading.com Divination and Science Fiction
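Added check, not part of the thread: this Python script re-reads the `iptables -n -L` listing posted above (INPUT, FORWARD and PREROUTING chains as posted, wrapped lines joined, column headers and the OUTPUT/POSTROUTING chains left out) and statically traces where a new connection arriving from the WAN ends up, nat PREROUTING first and then INPUT or FORWARD, the way the kernel orders them. The modem's external address is a constructed placeholder, and qualifiers the model does not evaluate (state, flags, spt, icmp type) are treated as non-matching, which is correct for a fresh SYN against this listing but is a simplification.

```python
MODEM = "203.0.113.5"  # constructed placeholder for the modem's fixed WAN address
LISTING = """\
Chain INPUT (policy ACCEPT)
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
QUEUE udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
QUEUE udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
QUEUE udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW,RELATED,UNTRACKED tcp dpt:23 flags:!0x02/0x02 reject-with tcp-reset
ACCEPT all -- 0.0.0.0/0 192.168.0.2
Chain PREROUTING (policy ACCEPT)
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:22 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.0.2
DNAT all -- 0.0.0.0/0 0.0.0.0/0 to:192.168.0.2
"""

def parse(listing):  # -> {chain: (policy, [(target, proto, dst, qualifiers)])}
    chains = {}
    for block in listing.split("Chain ")[1:]:   # "INPUT (policy ACCEPT)\n<rule lines>..."
        header, *lines = block.splitlines()
        name, _, policy = header.split()
        rules = [line.split() for line in lines]  # target prot opt source destination [quals]
        chains[name] = (policy.rstrip(")"), [(r[0], r[1], r[4], r[5:]) for r in rules])
    return chains

def matches(rule, proto, dport, dst):
    # Qualifiers not modelled (state, flags, spt, icmp type) make a rule count as not matched.
    _, rproto, rdst, quals = rule
    ok = rproto in ("all", proto) and rdst in ("0.0.0.0/0", dst)
    for q in quals:
        ok &= (int(q[4:]) == dport if q.startswith("dpt:")
               else q in ("tcp", "udp", "icmp") or q.startswith("to:"))
    return ok

def trace(proto, dport, dst=MODEM):  # -> (chain, verdict, final destination)
    chains = parse(LISTING)
    for rule in chains["PREROUTING"][1]:  # nat PREROUTING runs before the routing decision
        if matches(rule, proto, dport, dst):
            dst = next(q[3:] for q in rule[3] if q.startswith("to:"))
            break
    chain = "INPUT" if dst == MODEM else "FORWARD"  # local delivery vs. forwarding
    policy, rules = chains[chain]
    return chain, next((r[0] for r in rules if matches(r, proto, dport, dst)), policy), dst
```

By these rules tcp/22 is DNATed to 192.168.0.2 and accepted by FORWARD, while udp/53 lands on the QUEUE target, so the listing itself says port 22 should reach the DMZ host; whatever eats it is not visible in these tables.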