cannot access modem's config interface from LAN

Hello,

I have an adsl modem connected to a linux box which acts as a router.
The router machine has three interfaces:
eth1: 192.168.1.2, connected to the modem
eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)

The modem's LAN ip address is 198.168.2.1. The modem is working in
bridge mode and when a connection is established, ppp0 is formed on the
router machine.

The iptables script that I have on the router machine does the
forwarding and nat. All works okay between the wired and wireless LAN
and the internet and also within the wired and wireless LAN.

The problem is that I can access the modem's web interface (on
192.168.2.1) only from the router machine and not from any other LAN
machine. Could somebody tell me what are the iptables rules needed to
make this happen?

Thanks,
->HS
PS: It doesn't really matter much I guess, but this is on Debian
Testing, running 2.6.18.

> I have an adsl modem connected to a linux box which acts as a router.
> The router machine has three interfaces:
> eth1: 192.168.1.2, connected to the modem
> eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
> ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)

> The modem's LAN ip address is 198.168.2.1. The modem is working in
> bridge mode and when a connection is established, ppp0 is formed on the
> router machine.

> The iptables script that I have on the router machine does the
> forwarding and nat. All works okay between the wired and wireless LAN
> and the internet and also within the wired and wireless LAN.

> The problem is that I can access the modem's web interface (on
> 192.168.2.1) only from the router machine and not from any other LAN
> machine. Could somebody tell me what are the iptables rules needed to
> make this happen?

I recently encountered the same situation.
See http://forum.openwrt.org/viewtopic.php?id=13307 for the
corresponding thread (my router is Linksys box running OpenWRT but
that shouldn't make much difference).

Basically, the problem is most likely that with a LAN machine wants to send
a packets to the modem, it correctly sends it to the router, which
correctly sends it to the modem but the modem then doesn't know how to
send it back because it doesn't know that it can reach 192.168.[05].NN
via your router. So you need to add a route on your modem.
If you can't or don't want to do that, you can instead use NAT
translation so your modem is triked into thinking that all connections
come from your router.

A rule like

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.2

on your router may do the trick. In my case it wasn't sufficient
because OpenWRT's default iptable config disallows patckets going from
(the equivalent of) eth0->eth1 (it only allows them to go from
eth0->ppp0), so I needed to add

iptables -A FORWARD -i eth0 -j ACCEPT

to get things to work.


Stefan

Hello,

H.S. a écrit :
>
> I have an adsl modem connected to a linux box which acts as a router.
> The router machine has three interfaces:
> eth1: 192.168.1.2, connected to the modem
> eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
> ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)
>
> The modem's LAN ip address is 198.168.2.1.
> [...]
> The problem is that I can access the modem's web interface (on
> 192.168.2.1) only from the router machine

This should not work, because the modem address 192.168.2.1 and the
router's eth1 address 192.168.1.2 are not in the same IP subnet. The
subnet mask would need to be at most /22 (192.168.0.0 to 192.168.3.255)
but then it would overlap with the wired LAN 192.168.0.0/24 subnet on
eth0 (192.168.0.0 to 192.168.0.255), which is bad.

Pascal Hambourg wrote:
> Hello,
>
> H.S. a écrit :
>>
>> I have an adsl modem connected to a linux box which acts as a router.
>> The router machine has three interfaces:
>> eth1: 192.168.1.2, connected to the modem
>> eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
>> ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)
>>
>> The modem's LAN ip address is 198.168.2.1.
>> [...]
>> The problem is that I can access the modem's web interface (on
>> 192.168.2.1) only from the router machine
>
> This should not work, because the modem address 192.168.2.1 and the
> router's eth1 address 192.168.1.2 are not in the same IP subnet. The
> subnet mask would need to be at most /22 (192.168.0.0 to 192.168.3.255)
> but then it would overlap with the wired LAN 192.168.0.0/24 subnet on
> eth0 (192.168.0.0 to 192.168.0.255), which is bad.

Sorry, that was a typo. The modem's LAN address is 192.168.1.1. That is
why my eth1 is given 192.168.1.x IP address.


->HS

H.S. <(E-Mail Removed)> wrote:

> Hello,

> I have an adsl modem connected to a linux box which acts as a router.
> The router machine has three interfaces:
> eth1: 192.168.1.2, connected to the modem
> eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
> ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)

> The modem's LAN ip address is 198.168.2.1. The modem is working in
> bridge mode and when a connection is established, ppp0 is formed on the
> router machine.

> The iptables script that I have on the router machine does the
> forwarding and nat. All works okay between the wired and wireless LAN
> and the internet and also within the wired and wireless LAN.

> The problem is that I can access the modem's web interface (on
> 192.168.2.1) only from the router machine and not from any other LAN
> machine. Could somebody tell me what are the iptables rules needed to
> make this happen?

That probably would depend on the firewall and the port for web
access used by the firewall. Here to allow packets from any source
to the usual web port it is basically

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
....
$IPTABLES -N allowed
....
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
....
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed

but you might want to restrict the packets' source to the LAN networks
by using two rules with "-s 192.168.0.0/24" and "-s 192.168.5.0/24
in place of the last rule.

--
Clifford Kite
/* Domain names are for water/carbon units that don't think in binary.
--Allen Kistler */

Stefan Monnier wrote:
>> I have an adsl modem connected to a linux box which acts as a router.
>> The router machine has three interfaces:
>> eth1: 192.168.1.2, connected to the modem
>> eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
>> ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)
>
>> The modem's LAN ip address is 198.168.2.1. The modem is working in
>> bridge mode and when a connection is established, ppp0 is formed on the
>> router machine.
>
>> The iptables script that I have on the router machine does the
>> forwarding and nat. All works okay between the wired and wireless LAN
>> and the internet and also within the wired and wireless LAN.
>
>> The problem is that I can access the modem's web interface (on
>> 192.168.2.1) only from the router machine and not from any other LAN
>> machine. Could somebody tell me what are the iptables rules needed to
>> make this happen?
>
> I recently encountered the same situation.
> See http://forum.openwrt.org/viewtopic.php?id=13307 for the
> corresponding thread (my router is Linksys box running OpenWRT but
> that shouldn't make much difference).
>
> Basically, the problem is most likely that with a LAN machine wants to send
> a packets to the modem, it correctly sends it to the router, which
> correctly sends it to the modem but the modem then doesn't know how to
> send it back because it doesn't know that it can reach 192.168.[05].NN
> via your router. So you need to add a route on your modem.

I just tried this and it worked. In that modem, there are two networks,
192.168.1.0 and 192.168.2.0, for the wired and for the USB networks
respectively. I added the route:
Dest. Netmask NextHop IF Name RouteType RouteOrigin
192.168.0.0 255.255.255.0 192.168.1.2 eth-0 Indirect Local

And now it works.

> If you can't or don't want to do that, you can instead use NAT
> translation so your modem is triked into thinking that all connections
> come from your router.
>
> A rule like
>
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.2

I tried this first actually but it didn't work. I probably will look
into this further, since this is appears to be my preferred method.

thanks a ton,
->HS



> on your router may do the trick. In my case it wasn't sufficient
> because OpenWRT's default iptable config disallows patckets going from
> (the equivalent of) eth0->eth1 (it only allows them to go from
> eth0->ppp0), so I needed to add
>
> iptables -A FORWARD -i eth0 -j ACCEPT
>
> to get things to work.
>
>
> Stefan

Stefan Monnier wrote:
>> I have an adsl modem connected to a linux box which acts as a router.
>> The router machine has three interfaces:
>> eth1: 192.168.1.2, connected to the modem
>> eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
>> ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)
>
>> The modem's LAN ip address is 198.168.2.1. The modem is working in
>> bridge mode and when a connection is established, ppp0 is formed on the
>> router machine.
>
>> The iptables script that I have on the router machine does the
>> forwarding and nat. All works okay between the wired and wireless LAN
>> and the internet and also within the wired and wireless LAN.
>
>> The problem is that I can access the modem's web interface (on
>> 192.168.2.1) only from the router machine and not from any other LAN
>> machine. Could somebody tell me what are the iptables rules needed to
>> make this happen?
>
> I recently encountered the same situation.
> See http://forum.openwrt.org/viewtopic.php?id=13307 for the
> corresponding thread (my router is Linksys box running OpenWRT but
> that shouldn't make much difference).
>
> Basically, the problem is most likely that with a LAN machine wants to send
> a packets to the modem, it correctly sends it to the router, which
> correctly sends it to the modem but the modem then doesn't know how to
> send it back because it doesn't know that it can reach 192.168.[05].NN
> via your router. So you need to add a route on your modem.

I replied earlier that the approach you gave below worked. But I was
playing around with telnet on the modem and realized that the packets
originating on the modem and destined for 192.168.[05].n will not be
sent by the modem since it doesn't know what to do with that traffic (it
knows only about 192.168.1.0 and 192.168.2.0 networks which are its LAN
and USB networks). Am I correct? For this to work, the above method will
have to used, right?

thanks,
->HS


> If you can't or don't want to do that, you can instead use NAT
> translation so your modem is triked into thinking that all connections
> come from your router.
>
> A rule like
>
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.2
>
> on your router may do the trick. In my case it wasn't sufficient
> because OpenWRT's default iptable config disallows patckets going from
> (the equivalent of) eth0->eth1 (it only allows them to go from
> eth0->ppp0), so I needed to add
>
> iptables -A FORWARD -i eth0 -j ACCEPT
>
> to get things to work.
>
> Stefan