aparcar / openwrt

Staging tree of Paul Spooren

FS#482 - Web server listens on all interfaces (Archer MR200) #552

Closed aparcar closed 7 years ago

aparcar commented 7 years ago

zero:

In LEDE 17.01.0-rc1 with TP-LINK Archer MR200, the web interface of the 4G modem is activated in file:

/etc/init.d/enablemodem

with:

adb shell httpd -h /WEBSERVER/www/ &

It might be better to listen only on the internal interface, like:

adb shell httpd -h /WEBSERVER/www/ -p 192.168.225.1:80 &

aparcar commented 7 years ago

Heinz:

Hi. I think this option is not necessary because the modem forwards all incoming traffic to the DMZ IP (192.168.225.100) and the web interface is not "visible" from the external IP.

aparcar commented 7 years ago

zero:

Hi. At least I tested it and the httpd works on that address. About being necessary... The 4G modem (Android) has three interfaces:

bridge0 - 192.168.225.1 - which is the link to the LEDE router (corresponding to usb0 in the LEDE router, which in my case has address 192.168.225.143).

rmnet0 - which is the external interface.

rndis0 - which I do not know what it is.

In my case rmnet0 has an address like 10.x.y.z because I have Carrier Grade NAT, but if it were otherwise, it would have a public IP. If the httpd listens on 0.0.0.0 it would listen also on rmnet0 and I thought it would be visible from outside. So I thought it was better to restrict the listening interface to enhance security and avoid external access.

But I may be wrong as I do not know the exact behaviour in case of DMZ. I could not test if it was really accessible from outside or not. So I do not know.

aparcar commented 7 years ago

zero:

Could it be an issue if IPv6 were enabled on the uplink?

aparcar commented 7 years ago

Heinz:

I think you are right about IPv6. This traffic is not forwarded to WAN and it is possible to get to the modem web interface.

I will try starting the web interface with the "-p 192.168.225.1:80" parameter.

aparcar commented 7 years ago

Heinz:

I checked this and the web server runs OK.

But I checked iptables and I see:

/ # iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i rmnet0 -p tcp -m tcp --dport 443 -j DROP
-A INPUT -i rmnet0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT ! -i bridge0 -p icmp -j DROP
-A INPUT -i bridge0 -p icmp -j DROP
-A FORWARD -i bridge0 -p tcp -m state --state INVALID -j DROP

It looks like TCP traffic from interface rmnet0 to port http(80) and https(443) is dropped.

In my opinion adding -p 192.168.225.1:80 is not necessary.

aparcar commented 7 years ago

zero:

In my case, iptables -S shows:

/ # iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i rmnet0 -p tcp -m tcp --dport 443 -j DROP
-A INPUT -i rmnet0 -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -i bridge0 -p tcp -m state --state INVALID -j DROP

It might not be strictly necessary, but it would protect us from any changes in iptables from modem updates or anything.

The only downside I see would be if the IP address of bridge0 changed, then it would not work, but in that case, anyway, we would need to know the new address to access it.

And if the IP changes, maybe the iptables also changes, so who knows.

I would like to have that option added. If it is not, I will consider patching my system as I have it patched now to listen on that interface only.
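The thread turns on two separate controls: where httpd binds (the `-p ADDR:PORT` argument) and what the modem's `iptables` INPUT chain drops on the uplink, with the observation that an IPv4-only filter does nothing for IPv6. The following shell audit is an added example and is not code from the bug report or from the OpenWrt/LEDE tree. The function names (`bind_scope`, `uplink_port_dropped`, `input_policy`, `exposure`) are assumptions chosen for this example, and the rule dump is constructed from the `iptables -S` output Heinz posted above; the empty IPv6 rule set stands in for a modem with no `ip6tables` rules.

```shell
#!/bin/sh
# Added example (not part of the bug report): audit how reachable an httpd
# bound on the modem is, from its bind address plus the INPUT chain dumps.

# Constructed from the `iptables -S` output quoted in the thread.
SAMPLE_RULES4='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i rmnet0 -p tcp -m tcp --dport 443 -j DROP
-A INPUT -i rmnet0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT ! -i bridge0 -p icmp -j DROP
-A INPUT -i bridge0 -p icmp -j DROP
-A FORWARD -i bridge0 -p tcp -m state --state INVALID -j DROP'

# Assumption for the example: the modem has no ip6tables rules at all.
SAMPLE_RULES6=''

# bind_scope BINDSPEC -> "all" or "specific"
# Classifies a BusyBox-httpd style `-p` argument. A bare port or a wildcard
# address (0.0.0.0, [::], :::PORT) means the socket accepts on every interface.
bind_scope() {
    case $1 in
        0.0.0.0:*|\[::\]:*|:::*) echo all ;;      # explicit wildcard address
        *:*)                     echo specific ;; # ADDR:PORT with a concrete address
        *)                       echo all ;;      # bare PORT, no address given
    esac
}

# input_policy RULES -> default policy of the INPUT chain (ACCEPT/DROP)
input_policy() {
    printf '%s\n' "$1" | sed -n 's/^-P INPUT //p'
}

# uplink_port_dropped RULES IFACE PORT -> "dropped" or "open"
# "open" means no matching DROP rule exists and the packet falls through to
# the chain policy, which in the quoted dump is ACCEPT.
uplink_port_dropped() {
    rules=$1; iface=$2; port=$3
    pattern="^-A INPUT -i $iface -p tcp -m tcp --dport $port -j DROP\$"
    if printf '%s\n' "$rules" | grep -q -e "$pattern"; then
        echo dropped
    else
        echo open
    fi
}

# exposure BINDSPEC RULES4 RULES6 IFACE PORT -> "bound" | "filtered" | "exposed"
#   bound    : httpd listens on one concrete address, so the filter is not
#              what keeps it off the uplink (only that address answers)
#   filtered : wildcard bind, but both IPv4 and IPv6 INPUT chains drop PORT
#              arriving on IFACE
#   exposed  : wildcard bind and at least one address family lets PORT through
exposure() {
    bind=$1; r4=$2; r6=$3; iface=$4; port=$5
    if [ "$(bind_scope "$bind")" = specific ]; then
        echo bound
        return
    fi
    if [ "$(uplink_port_dropped "$r4" "$iface" "$port")" = dropped ] &&
       [ "$(uplink_port_dropped "$r6" "$iface" "$port")" = dropped ]; then
        echo filtered
    else
        echo exposed
    fi
}

# Stand-alone run: the two configurations discussed in the thread.
for spec in "0.0.0.0:80" "192.168.225.1:80"; do
    printf '%-18s -> %s\n' "$spec" \
        "$(exposure "$spec" "$SAMPLE_RULES4" "$SAMPLE_RULES6" rmnet0 80)"
done
```

Run against the quoted dump, a wildcard bind on port 80 comes out "exposed" because only the IPv4 chain drops it, which is exactly the IPv6 gap zero raised; the same bind with an equivalent `ip6tables` rule set would be "filtered", and binding to 192.168.225.1 is "bound" regardless of what the filter does, which is why the bind option survives a modem update that rewrites the rules.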