Linksys Router DMZ / web server question

I have setup a Linux PC I want to use as a web server. I installed Apache
and everything seems to be working inside my network; E.G. all systems
are in 192.168.1.X segment.

But to really get it on the internet I need to get it outside my router so
in can see incoming requests. I went to my router and set 192.168.1.102
in the DMZ zone. As I understand it this should put it outside the firewall
the router has.
But since it still has the same IP address, 192..., I don't think it's
working.
Will DMZ allow me to put a PC on the internet or do I have to physically
move it off the router. And if I do this won't my ISP try to charge me more
it I need two IP addresses since it looks like a NAT address will not work
for what I want to do.

thanks, Ed

Ed in Calif wrote:
> I have setup a Linux PC I want to use as a web server. I installed Apache
> and everything seems to be working inside my network; E.G. all systems
> are in 192.168.1.X segment.
>
> But to really get it on the internet I need to get it outside my router so
> in can see incoming requests. I went to my router and set 192.168.1.102
> in the DMZ zone. As I understand it this should put it outside the firewall
> the router has.

You should be using the "port forwarding" feature (not DMZ) and limiting
your linux server's exposure to "only" http access.

Setup correctly, only inbound requests to the ports you specify (e.g.:
tcp port 80) would be forwarded to your linux server.

An additional IP address would not be required in such an
implementation. However, you will likely be violating your ISP's service
agreement as "most" specify you are not allowed to run servers from a
residential service.

I believe the DMZ feature exposes your server to to many more ports and
would not be desirable.

Admittedly, I have not read up on the DMZ feature of most of the
low-dollar routers. Refer to the manual.

> But since it still has the same IP address, 192..., I don't think it's
> working.
> Will DMZ allow me to put a PC on the internet or do I have to physically
> move it off the router. And if I do this won't my ISP try to charge me more
> it I need two IP addresses since it looks like a NAT address will not work
> for what I want to do.
>
> thanks, Ed
>

Best Regards,
News Reader

It looks like from the manual these ports are always open
to all connections to the router - the internet needs them to work.

7 (Echo), 21 (FTP), 23 (TELNET), 25 (SMTP), 53 (DNS), 79 (finger), 80
(HTTP), 110 (POP3)
119 (NNTP), 161 (SNMP), 162 (SNMP Trap)

I guess I could port forward all ports to the Linux server but I think it
having a NAT address
is still a problem.

thanks, Ed


"News Reader" <(E-Mail Removed)> wrote in message
news:UEPRj.56358$(E-Mail Removed)...
> Ed in Calif wrote:
>> I have setup a Linux PC I want to use as a web server. I installed Apache
>> and everything seems to be working inside my network; E.G. all systems
>> are in 192.168.1.X segment.
>>
>> But to really get it on the internet I need to get it outside my router
>> so
>> in can see incoming requests. I went to my router and set 192.168.1.102
>> in the DMZ zone. As I understand it this should put it outside the
>> firewall
>> the router has.
>
> You should be using the "port forwarding" feature (not DMZ) and limiting
> your linux server's exposure to "only" http access.
>
> Setup correctly, only inbound requests to the ports you specify (e.g.: tcp
> port 80) would be forwarded to your linux server.
>
> An additional IP address would not be required in such an implementation.
> However, you will likely be violating your ISP's service agreement as
> "most" specify you are not allowed to run servers from a residential
> service.
>
> I believe the DMZ feature exposes your server to to many more ports and
> would not be desirable.
>
> Admittedly, I have not read up on the DMZ feature of most of the
> low-dollar routers. Refer to the manual.
>
>> But since it still has the same IP address, 192..., I don't think it's
>> working.
>> Will DMZ allow me to put a PC on the internet or do I have to physically
>> move it off the router. And if I do this won't my ISP try to charge me
>> more
>> it I need two IP addresses since it looks like a NAT address will not
>> work
>> for what I want to do.
>>
>> thanks, Ed
>
> Best Regards,
> News Reader

Ed in Calif wrote:
> It looks like from the manual these ports are always open
> to all connections to the router - the internet needs them to work.

Not entirely true.

>
> 7 (Echo), 21 (FTP), 23 (TELNET), 25 (SMTP), 53 (DNS), 79 (finger), 80
> (HTTP), 110 (POP3)
> 119 (NNTP), 161 (SNMP), 162 (SNMP Trap)

I have not seen your manual, but I believe you are mis-interpreting it.

It is more likely that those are the "destination" ports that are open
on the LAN side of the router.

In other words, internal hosts can access Internet based resources using
FTP, SMTP, DNS, HTTP, POP3, and NNTP without additional configuration.

The other ports (Echo, TELNET, finger, SNMP, and SNMP Trap) may relate
to management of the router and/or Internet based systems.

>
> I guess I could port forward all ports to the Linux server but I think it

The point of port forwarding is to selectively minimize the ports that
are forwarded to the internal server.

> having a NAT address
> is still a problem.

No, this is not a problem (as long as your router supports port
forwarding), this is done every day.

The port forwarding establishes a rule that says, e.g.: a packet
received on the WAN interface (sent to the ISP assigned address) with a
destination TCP port of 80, is to be forwarded to a specific internal
system (e.g.: 192.168.1.102) at port 80. Your Linux server will then
respond to the connection request, and serve up its web page.

Best Regards,
News Reader

OK. So Tomorrow then I'm going to open the full range of ports, 0 to 65536
for 192.169.1.102.

But what do I tell my users to use as an http:// address to get to me? They
can't use the NAT address
can they, every Linksys Router uses those addresses.

Ed


"News Reader" <(E-Mail Removed)> wrote in message
news:8gQRj.56378$(E-Mail Removed)...
> Ed in Calif wrote:
>> It looks like from the manual these ports are always open
>> to all connections to the router - the internet needs them to work.
>
> Not entirely true.
>
>>
>> 7 (Echo), 21 (FTP), 23 (TELNET), 25 (SMTP), 53 (DNS), 79 (finger), 80
>> (HTTP), 110 (POP3)
>> 119 (NNTP), 161 (SNMP), 162 (SNMP Trap)
>
> I have not seen your manual, but I believe you are mis-interpreting it.
>
> It is more likely that those are the "destination" ports that are open on
> the LAN side of the router.
>
> In other words, internal hosts can access Internet based resources using
> FTP, SMTP, DNS, HTTP, POP3, and NNTP without additional configuration.
>
> The other ports (Echo, TELNET, finger, SNMP, and SNMP Trap) may relate to
> management of the router and/or Internet based systems.
>
>>
>> I guess I could port forward all ports to the Linux server but I think
>> it
>
> The point of port forwarding is to selectively minimize the ports that are
> forwarded to the internal server.
>
>> having a NAT address
>> is still a problem.
>
> No, this is not a problem (as long as your router supports port
> forwarding), this is done every day.
>
> The port forwarding establishes a rule that says, e.g.: a packet received
> on the WAN interface (sent to the ISP assigned address) with a destination
> TCP port of 80, is to be forwarded to a specific internal system (e.g.:
> 192.168.1.102) at port 80. Your Linux server will then respond to the
> connection request, and serve up its web page.
>
> Best Regards,
> News Reader

On Tue, 29 Apr 2008 21:25:42 -0700, "Ed in Calif"
<(E-Mail Removed)> wrote:

>OK. So Tomorrow then I'm going to open the full range of ports, 0 to 65536
>for 192.169.1.102.

NO! Open only those ports necessary, such as port 80 (HTTP) and 443
(HTTPS). DO NOT OPEN ALL PORTS!

>
>But what do I tell my users to use as an http:// address to get to me? They
>can't use the NAT address
>can they, every Linksys Router uses those addresses.

You need to either have yuor users connect using your Internet IP
address, or get a domain name registered, and in the DNS system. If
you are on a typical residential dynamic system, without fixed IPs
then you need to find a DNS provider that will work with your IP
configuration (a dynamic IP DNS provider, there are many).

>
>Ed
>

On 2008-04-30 01:25:42, Ed in Calif wrote:

> OK. So Tomorrow then I'm going to open the full range of ports, 0 to 65536
> for 192.169.1.102.

Your web server only responds on one port (typically but not necessarily
port 80), and that's the only one you need to (should) forward (or "open").
Opening more than needed is for the ones who really know what they are
doing (and they probably don't either .

> But what do I tell my users to use as an http:// address to get to me?
> They can't use the NAT address can they, every Linksys Router uses those
> addresses.

The local addresses (e.g. 192.168.x.x) are just that, local addresses. You
have to use the IP address you get from your ISP (it's probably shown in
one of the admin pages of your router). If this address is reasonably
stable, you may be able to use it as-is, that is, connect to
http://123.45.67.89 (if that's it .

Or you can sign up with one of the dynamic IP services (search for "dynamic
IP") and get a domain name that "follows" your changing IP address. You
need a piece of software that runs on your server that updates that service
every time your IP address changes.

Gerhard

Ed in Calif wrote:
> OK. So Tomorrow then I'm going to open the full range of ports, 0 to 65536
> for 192.169.1.102.

That is not even remotely what I indicated. My post stated:

"The point of port forwarding is to selectively minimize the ports that
are forwarded to the internal server." Then I gave an example where you
"only" forwarded port 80.

>
> But what do I tell my users to use as an http:// address to get to me? They

Then my post stated: "a packet received on the WAN interface (sent to
the ISP assigned address)"

i.e.: http://ISP-Assigned-Address

> can't use the NAT address
> can they, every Linksys Router uses those addresses.
>
> Ed
>
>
> "News Reader" <(E-Mail Removed)> wrote in message
> news:8gQRj.56378$(E-Mail Removed)...
>> Ed in Calif wrote:
>>> It looks like from the manual these ports are always open
>>> to all connections to the router - the internet needs them to work.
>> Not entirely true.
>>
>>> 7 (Echo), 21 (FTP), 23 (TELNET), 25 (SMTP), 53 (DNS), 79 (finger), 80
>>> (HTTP), 110 (POP3)
>>> 119 (NNTP), 161 (SNMP), 162 (SNMP Trap)
>> I have not seen your manual, but I believe you are mis-interpreting it.
>>
>> It is more likely that those are the "destination" ports that are open on
>> the LAN side of the router.
>>
>> In other words, internal hosts can access Internet based resources using
>> FTP, SMTP, DNS, HTTP, POP3, and NNTP without additional configuration.
>>
>> The other ports (Echo, TELNET, finger, SNMP, and SNMP Trap) may relate to
>> management of the router and/or Internet based systems.
>>
>>> I guess I could port forward all ports to the Linux server but I think
>>> it
>> The point of port forwarding is to selectively minimize the ports that are
>> forwarded to the internal server.
>>
>>> having a NAT address
>>> is still a problem.
>> No, this is not a problem (as long as your router supports port
>> forwarding), this is done every day.
>>
>> The port forwarding establishes a rule that says, e.g.: a packet received
>> on the WAN interface (sent to the ISP assigned address) with a destination
>> TCP port of 80, is to be forwarded to a specific internal system (e.g.:
>> 192.168.1.102) at port 80. Your Linux server will then respond to the
>> connection request, and serve up its web page.
>>
>> Best Regards,
>> News Reader
>

Best Regards,
News Reader

Got it working now. Thanks for the education.

Ed

"News Reader" <(E-Mail Removed)> wrote in message
news:9Z_Rj.57116$(E-Mail Removed)...
> Ed in Calif wrote:
>> OK. So Tomorrow then I'm going to open the full range of ports, 0 to
>> 65536 for 192.169.1.102.
>
> That is not even remotely what I indicated. My post stated:
>
> "The point of port forwarding is to selectively minimize the ports that
> are forwarded to the internal server." Then I gave an example where you
> "only" forwarded port 80.
>
>>
>> But what do I tell my users to use as an http:// address to get to me?
>> They
>
> Then my post stated: "a packet received on the WAN interface (sent to the
> ISP assigned address)"
>
> i.e.: http://ISP-Assigned-Address
>
>> can't use the NAT address
>> can they, every Linksys Router uses those addresses.
>>
>> Ed
>>
>>
>> "News Reader" <(E-Mail Removed)> wrote in message
>> news:8gQRj.56378$(E-Mail Removed)...
>>> Ed in Calif wrote:
>>>> It looks like from the manual these ports are always open
>>>> to all connections to the router - the internet needs them to work.
>>> Not entirely true.
>>>
>>>> 7 (Echo), 21 (FTP), 23 (TELNET), 25 (SMTP), 53 (DNS), 79 (finger), 80
>>>> (HTTP), 110 (POP3)
>>>> 119 (NNTP), 161 (SNMP), 162 (SNMP Trap)
>>> I have not seen your manual, but I believe you are mis-interpreting it.
>>>
>>> It is more likely that those are the "destination" ports that are open
>>> on the LAN side of the router.
>>>
>>> In other words, internal hosts can access Internet based resources using
>>> FTP, SMTP, DNS, HTTP, POP3, and NNTP without additional configuration.
>>>
>>> The other ports (Echo, TELNET, finger, SNMP, and SNMP Trap) may relate
>>> to management of the router and/or Internet based systems.
>>>
>>>> I guess I could port forward all ports to the Linux server but I think
>>>> it
>>> The point of port forwarding is to selectively minimize the ports that
>>> are forwarded to the internal server.
>>>
>>>> having a NAT address
>>>> is still a problem.
>>> No, this is not a problem (as long as your router supports port
>>> forwarding), this is done every day.
>>>
>>> The port forwarding establishes a rule that says, e.g.: a packet
>>> received on the WAN interface (sent to the ISP assigned address) with a
>>> destination TCP port of 80, is to be forwarded to a specific internal
>>> system (e.g.: 192.168.1.102) at port 80. Your Linux server will then
>>> respond to the connection request, and serve up its web page.
>>>
>>> Best Regards,
>>> News Reader
>>
>
> Best Regards,
> News Reader