# Web server behind cable modem router

## paul_chany

Hi,

At home I have a small web server on a Raspberry Pi Model 2. It is connected to a cable modem router. A firewall is running on this router (Filter Proxy, Filter Cookies, Filter Java Applets, Filter ActiveX, Filter Popup Windows, Block Fragmented IP Packets, Port Scan Detection, IP Flood Detection are all enabled) and the Firewall Protection is HIGH; moreover, port forwarding is set up:

```
192.168.0.14   80   80   217.17.98.71   80   80   TCP   HTTP Server   Yes.
192.168.0.14   443   443   217.17.98.71   443   443   TCP   HTTPS Server   Yes
```

The Raspberry Pi has gotten its IP address dynamically so far, and I used a DDNS service. But now I am using a static IP address given by my Internet Provider, and this is a different situation. This static IP address is for the Internet, but the eth0 NIC on the RasPi still gets its IP dynamically.

On RasPi:

```
ifconfig
```

```
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.14  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::ba27:ebff:feac:cbf1  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:ac:cb:f1  txqueuelen 1000  (Ethernet)
        RX packets 2078  bytes 180482 (176.2 KiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 815  bytes 254578 (248.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 14445  bytes 5376842 (5.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14445  bytes 5376842 (5.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

My domain is cspl.hu:

```
nslookup cspl.hu
```

```
Server:         91.102.231.242
Address:        91.102.231.242#53

Non-authoritative answer:
Name:   cspl.hu
Address: 217.17.98.71
```

```
nslookup www.cspl.hu
```

```
Server:         91.102.231.242
Address:        91.102.231.242#53

Non-authoritative answer:
Name:   www.cspl.hu
Address: 217.17.98.71
```

So 24 hours have passed since I deleted the dynamic DNS service.

I have two A records and one SOA record too.

I have shorewall firewall on RasPi.

There is a rule in shorewall's rules file:

```
Web(ACCEPT)     net     $FW
```

and the interfaces file is:

```
net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
```

I can't open my webserver's home page from my LAN (this LAN is provided by the cable modem), and it can't be opened from the Internet either. Why?

[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]

----------

## szatox

You're firewalled with policy DROP.

So, the first thing to check is firewall rules on your router.

Second thing is the forwarding direction. Router must redirect packets arriving at its own IP to your internal IP, not the other way around. It's hard to determine its set behaviour from the lines you included.

Third one, firewall on Pi itself, though this thing should _not_ actually require any changes when moving from dynamic IP to static.

Finally, you say it's not available from within your LAN. How do you try to connect? Using domain name? Can you connect using its local IP instead?

----------

## paul_chany

 *szatox wrote:*   

> You're firewalled with policy DROP.
> 
> So, the first thing to check is firewall rules on your router.
> 
> Second thing is the forwarding direction. Router must redirect packets arriving at its own IP to your internal IP, not the other way around. It's hard to determine its set behaviour from the lines you included.
> ...

 

The router's (cable modem) firewall rules

The cable modem / router has a web interface which I can open at http://192.168.0.1 .

So I cannot get the firewall rules any other way than by looking at its web pages.

There I can see these:

 *Quote:*   

> Allowed Services
> 
> DNS TCP	53 	53 	TCP
> 
>  DNS UDP	53 	53 	UDP
> ...

 

 *Quote:*   

> Trusted Computers
> 
> 1. MAC address of my RasPi
> 
> 2. MAC address of my laptop

 

Forwarding

 *Quote:*   

> Port Forwarding
> 
> Internal 	External 	 
> 
> IP Address	Start Port	End Port 	IP Address	Start Port	End Port 	Prot	Description	Enabled 		
> ...

 

where 192.168.0.14 is the internal IP address of my RasPi and its static IP address given by my Internet Provider is 217.17.98.71. This IP 217.17.98.71 is associated with the MAC address of the RasPi's NIC (Ethernet card).

Shorewall firewall on RasPi

 *Quote:*   

> /etc/shorewall/interfaces
> 
> ```
> #ZONE   INTERFACE       OPTIONS
> ```
> ...

 

 *Quote:*   

> /etc/shorewall/policy
> 
> ```
> #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
> ```
> ...

 

 *Quote:*   

> /etc/shorewall/rules
> 
> ```
> # Drop packets in the INVALID state
> ```
> ...

 

 *Quote:*   

> /etc/shorewall/shorewall.conf
> 
> ```
> IP_FORWARDING=Yes
> ```
> ...

 

 *Quote:*   

> /etc/shorewall/zones
> 
> ```
> #ZONE   TYPE    OPTIONS                 IN                      OUT
> ```
> ...

 

Within the router's LAN I am trying to open my web site by using its FQDN (cspl.hu or www.cspl.hu), its external IP 217.17.98.71, or its internal IP 192.168.0.14, without any success. What am I missing here?

----------

## szatox

 *Quote:*   

>  or internal IP 192.168.0.14 address without any success.

 So.... Firewall on your Pi?

I'd launch a sniffer to check whether or not you can see any traffic at all on your pi.

Also, can you ping it within your LAN?

And I'm pretty sure you are behind a firewall:

```
Nmap scan report for 71-98-17-217.cpe.stcable.net (217.17.98.71)
Host is up (0.027s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
25/tcp   open   smtp
113/tcp  closed ident
1720/tcp open   h323q931
```

----------

## paul_chany

 *szatox wrote:*   

>  *Quote:*    or internal IP 192.168.0.14 address without any success. So.... Firewall on your Pi?
> 
> I'd launch a sniffer to check whether or not you can see any traffic at all on your pi.
> 
> Also, can you ping it within your LAN?
> ...

 

I can run tcpdump on RasPi.

I run it with these options on RasPi:

```
tcpdump -i eth0 -c 6
```

but first start ping on my laptop:

```
ping 192.168.0.14
```

 *Quote:*   

> PING 192.168.0.14 (192.168.0.14) 56(84) bytes of data.

 

and there is no other output from ping command

and try to open my web site on RasPi from my laptop,

and then on RasPi get output:

 *Quote:*   

> dropped privs to tcpdump
> 
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> 
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> ...

 

and I run it again, and get this output:

 *Quote:*   

> dropped privs to tcpdump
> 
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> 
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> ...

 

No, I can't ping RasPi from LAN, that is from my laptop that is also connected to cable modem / router.

However, on RasPi in /etc/shorewall/rules I have:

```
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP)      net             $FW
# Allow Ping from the LAN
Ping(ACCEPT)    net:192.168.0.10        $FW
```

and on my laptop in /etc/shorewall/rules I have:

```
Ping(ACCEPT)    $FW             net
```

Still can't ping RasPi from laptop, but only when I clear the shorewall firewall rules out there with command:

```
shorewall clear
```

----------
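
Shorewall applies the first rule in the rules file that matches a connection, so the order of the two Ping lines in the post above decides whether the laptop's echo requests are accepted. The following is an added example, not part of the original posts and not Shorewall code: a simplified Python model of first-match evaluation that handles only `MACRO(ACTION) SOURCE DEST` lines with a single address or CIDR after the zone. It assumes the laptop is the 192.168.0.10 host named in the rule; `FIXED` is a constructed reordering for comparison.

```python
import ipaddress

# The two Ping rules from the post, in the posted order (comments shortened).
POSTED = """\
Ping(DROP)      net             $FW
# allow ping from one LAN host
Ping(ACCEPT)    net:192.168.0.10        $FW
"""

# Constructed alternative: the specific ACCEPT placed before the general DROP.
FIXED = """\
Ping(ACCEPT)    net:192.168.0.10        $FW
Ping(DROP)      net             $FW
"""

def parse(text):
    """Return [(macro, action, zone, network_or_None, dest)] for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        target, source, dest = line.split()[:3]
        macro, _, action = target.rstrip(")").partition("(")
        zone, _, host = source.partition(":")
        net = ipaddress.ip_network(host, strict=False) if host else None
        rules.append((macro, action, zone, net, dest))
    return rules

def verdict(rules, macro, zone, src_ip, dest="$FW"):
    """Action and index of the first matching rule; (None, None) means zone policy."""
    ip = ipaddress.ip_address(src_ip)
    for i, (m, action, z, net, d) in enumerate(rules):
        if (m, z, d) == (macro, zone, dest) and (net is None or ip in net):
            return action, i
    return None, None

def shadowed(rules):
    """Indices of rules that can never match because an earlier rule covers them."""
    hits = []
    for j, (m, _, z, net, d) in enumerate(rules):
        for m2, _, z2, net2, d2 in rules[:j]:
            same = (m2, z2, d2) == (m, z, d)
            if same and (net2 is None or (net is not None and net.subnet_of(net2))):
                hits.append(j)
                break
    return hits

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("fixed", FIXED)):
        r = parse(text)
        print(name, verdict(r, "Ping", "net", "192.168.0.10"), "shadowed:", shadowed(r))
```
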

## paul_chany

Finally something works!

I asked my ISP to give me instructions on how to set up the Thomson modem:

at the web page of the modem (192.168.0.1) choose

Network / Portbase PassThrough

Here one must add the MAC address of the RasPi's NIC, the eth0.

After this is set, the RasPi gets its static IP and not an internal (192.168.0.x) IP address.

I removed every other setting for this, like port forwarding.

So at last I can see my homepage out there: http://cspl.hu.

I can ssh into the RasPi after that too.

I just can't ping it from my laptop. But this is not interesting and not important at all.

So my problem is solved.

----------

## chiefbag

 *Quote:*   

> Finally something works!
>
> I asked my ISP to give me instructions on how to set up the Thomson modem:
>
> at the web page of the modem (192.168.0.1) choose
> ...

 

Are you sure that this is what you want? Passthrough in this instance on this router means that your Pi is now directly connected to the internet.

Ensure your Pi firewall is up to scratch.

Port forwarding might be a safer solution for you.

----------

