Port Forwarding and Web GUI Issue
August 23, 2010 at 4:20 am #42599
taylormade201
Member
Hey,
Has anyone noticed a problem trying to restrict access to the Zeroshell web interface? I am running Zeroshell beta 11, and when I try to restrict access to the web interface to my local subnet only or a VPN interface, it seems to ignore it and allow access from the external IP. I have also noticed the same strangeness when trying to configure virtual servers, where requests seem to just end up at the gateway and not forwarded to the servers. Has anyone noticed this or have a fix besides manually editing the iptable rules?
Thanks,
Jon

August 23, 2010 at 6:23 am #50973
ppalias
Member
I haven’t seen this ever. ZSbeta11 was working fine as far as I recall. Show us the rules you have applied on the web interface and the output of
iptables -L -v
iptables -t nat -L -v

August 23, 2010 at 9:25 pm #50974
taylormade201
Member

iptables -L -v
Chain INPUT (policy ACCEPT 39046 packets, 4401K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 6017K packets, 5604M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 35789 packets, 3900K bytes)
pkts bytes target prot opt in out source destination

iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 195K packets, 15M bytes)
pkts bytes target prot opt in out source destination
3 160 DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:http to:192.168.1.190:80
1 40 DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:http-alt to:192.168.1.190:8080
0 0 DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:domain to:192.168.1.190:53
0 0 DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:tacacs-ds to:192.168.1.190:8500

Chain POSTROUTING (policy ACCEPT 2642 packets, 109K bytes)
pkts bytes target prot opt in out source destination
181K 14M SNATVS all -- any any anywhere anywhere
178K 14M MASQUERADE all -- any ppp0 anywhere anywhere
2633 109K OpenVPN all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 92598 packets, 7052K bytes)
pkts bytes target prot opt in out source destination

Chain OpenVPN (1 references)
pkts bytes target prot opt in out source destination
2 332 MASQUERADE all -- any any anywhere anywhere source IP range 192.168.250.1-192.168.250.253

Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination

Any requests for port 80 on the external IP go to the Zeroshell web interface, requests on the other ports are just dropped.
Under the HTTPS settings in ZS, I have access restricted to my subnet (192.168.1.0/24)

August 24, 2010 at 6:40 am #50975
ppalias
Member
This is weird, there are some chains missing. Are you sure that the configuration changes have been saved correctly?

August 26, 2010 at 8:44 pm #50976
taylormade201
Member
As far as I can tell they are, although they do not seem to be updated in the iptable rules.
Not sure what is going on. Any ideas?

August 27, 2010 at 7:49 am #50977
ppalias
Member
I would suggest upgrading to beta12 if not beta13. Don’t forget to back up first! Maybe you’ve hit an old bug, as I haven’t seen that before.

August 29, 2010 at 4:58 pm #50978
taylormade201
Member
I am using a special MLPPP version of Zeroshell that requires beta11. At first I thought that may be the problem, but it doesn’t seem like other users have that issue.
I am not an iptables expert, but would it be possible to manually add the correct iptables rules through the shell, or would that interfere with Zeroshell?

August 30, 2010 at 7:27 am #50979
ppalias
Member
Yeah, it is possible. You can add it at System -> Setup -> Startup/Cron and select NAT from the drop-down list. There you can add your custom rules.
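
Added example, not part of the thread and not Zeroshell code: the "chains missing" observation above can be checked mechanically. The script reads `iptables -L -v` output and marks every built-in chain that has policy ACCEPT and no rules. The function names and the second sample are constructed for illustration; the first sample is the filter table posted in the thread.

```shell
# Added example (not from the thread). Reads `iptables -L -v` text on stdin and
# prints one line per chain: <chain> <policy> <rule-count> <OPEN|ok>.
# OPEN = built-in chain with policy ACCEPT and no rules, so it filters nothing.
audit_chains() {
    awk '
        function report() {
            if (chain == "") return
            status = (policy == "ACCEPT" && rules == 0) ? "OPEN" : "ok"
            print chain, policy, rules, status
        }
        $1 == "Chain" {
            report()
            chain = $2; rules = 0
            # Built-in chains show "(policy X ..."; user chains "(N references)".
            policy = ($3 == "(policy") ? $4 : "-"
            next
        }
        $1 == "pkts" || NF == 0 { next }   # column header or blank line
        chain != "" { rules++ }
        END { report() }
    '
}

# Exit status 0 when the INPUT chain is wide open.
input_is_open() {
    audit_chains | grep -q '^INPUT ACCEPT 0 OPEN$'
}

# Filter table as posted in the thread, with its line breaks restored.
posted_filter() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 39046 packets, 4401K bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 6017K packets, 5604M bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 35789 packets, 3900K bytes)
 pkts bytes target prot opt in out source destination
EOF
}

# Constructed sample: an INPUT chain that does carry one rule.
filtered_sample() {
    printf '%s\n' 'Chain INPUT (policy ACCEPT 10 packets, 800 bytes)' \
        ' pkts bytes target prot opt in out source destination' \
        '    0     0 DROP tcp -- ppp0 any anywhere anywhere tcp dpt:https'
}

posted_filter | audit_chains
```

On the router, `iptables -L -v | audit_chains` can be run after saving the web-interface restriction; an INPUT line still marked OPEN means no filter-table rule is enforcing it.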