How to correctly port forward 80 for a local webserver


L81

New Around Here
Hi there,
I am running Merlin 384.19 firmware on my RT-AC68U router.
The configuration is very close to the one found in the step-by-step tutorial here at SNBForums, and I have just one script running (Diversion).

Furthermore, I have a Raspberry Pi on my LAN running an Apache web server at 192.168.<<raspberry local ip >>

I would like to access the web server on the Pi from the Internet via: http://<my dynamic dns account>

How should I set up Port Forwarding in the Merlin GUI to achieve this?
Is setting a port 80 rule to the Raspberry's local IP enough?


I am concerned about this GUI warning: "When your network's firewall is disabled and you set 80 as the HTTP server's port range for your WAN setup, then your http server/web server would be in conflict with RT-AC68U's web user interface"

Does that mean that setting up a port 80 forward may leave me unable to access my Merlin GUI from my LAN again, or is it related to Merlin GUI WAN access?

Thank you very much
 

ColinTaylor

Part of the Furniture
Yes you can simply forward port 80 to your Pi. However exposing a common port like 80 or 433 to the internet is asking for trouble. You can expect your Pi's web server to be under constant attack and if successful the attacker would have complete access to your internal network. It would be much better to use an obscure external port (e.g. something between 5001 and 32767) and map that to your web server's real port.

The warning is saying that there would be a conflict if you were also trying to expose the router's web interface (using the same port number) to the WAN (not LAN). That is something you never want to do.
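As an added example (not part of ColinTaylor's post, and not a script from Asuswrt-Merlin), here is the mapping he describes written as a firewall-start style shell script: an obscure external port on the WAN side is DNATed to the Pi's real port 80, and the script refuses to install the rule if the chosen external port falls outside the 5001-32767 range he suggests. The WAN interface eth0, the Pi address 192.168.1.50 and the external port 23481 are constructed demo values; VSERVER is the firmware's port-forward chain in the nat table.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin: a firewall-start
# style script that maps an obscure external port to the Pi's real port 80.
# Assumptions for the demo: WAN interface eth0, Pi at 192.168.1.50, external
# port 23481 (all constructed values); VSERVER is the firmware's port-forward chain.

WAN_IF="${WAN_IF:-eth0}"
PI_IP="${PI_IP:-192.168.1.50}"
PI_PORT="${PI_PORT:-80}"        # the web server's real port, unchanged on the Pi
EXT_PORT="${EXT_PORT:-23481}"   # what the outside world connects to

# Returns 0 if PORT is a number inside the 5001-32767 range suggested in the thread, else 1.
is_obscure_port() {
  p="$1"
  case "$p" in
    ''|*[!0-9]*) return 1 ;;    # empty or not a number
  esac
  [ "$p" -ge 5001 ] && [ "$p" -le 32767 ] || return 1
  return 0
}

# Print the two iptables commands for the mapping, one per line.
# The FORWARD accept is belt and braces: if the firmware already accepts
# DNAT'd connections in FORWARD (assumption), the extra rule is harmless.
nat_rules() {
  ext="$1"; ip="$2"; port="$3"; wan="$4"
  printf '%s\n' "iptables -t nat -I VSERVER -i $wan -p tcp --dport $ext -j DNAT --to-destination $ip:$port"
  printf '%s\n' "iptables -I FORWARD -i $wan -p tcp -d $ip --dport $port -m state --state NEW -j ACCEPT"
}

# Validate the external port, then print (DRY_RUN=1) or execute the rules.
apply_rules() {
  if ! is_obscure_port "$EXT_PORT"; then
    echo "refusing external port $EXT_PORT: choose one between 5001 and 32767" >&2
    return 1
  fi
  nat_rules "$EXT_PORT" "$PI_IP" "$PI_PORT" "$WAN_IF" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
  done
}

# Usage:  sh portfwd.sh print   -> show the rules without touching the firewall
#         sh portfwd.sh apply   -> install them (run as root on the router)
case "${1:-}" in
  print) DRY_RUN=1 apply_rules ;;
  apply) apply_rules ;;
esac
```

Run it once with `print` to check the generated rules; the DNAT target carries the Pi's real port, so nothing on the Pi itself changes and only the external port number is unusual. Pick the external port once, at random, and keep it; the point is to stay out of the set of ports that cheap scans cover, not to hide the service from a determined attacker.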
 

dosborne

Very Senior Member
Personally, I find that changing the port makes no difference. Most hack attempts scan the full port range, although some are limited to common ports. But, depending on what you want to do with your web server, changing from 80 may be more problematic than it is worth. The Raspberry Pi platform is very robust, and if you keep it updated then it can be very secure and safe. Opening port 80 on an up-to-date Apache is minimal risk.

Following basic steps such as keeping up to date, only allowing services that you need and trust, and perhaps running some anti-hacking tools (like fail2ban) will provide reasonable security for most people.

However, there are often some basic, cheap and easy ways to make your setup even more secure. Things like running the Pi between your ISP router and your internal network, or multi-homing the Pi (separating internal and external access), or both, are some examples.

Connecting anything to the internet is obviously not without risk. What you are proposing is at the very low end of the risk scale.
 

ColinTaylor

Part of the Furniture
@dosborne makes a valid point about Apache being a very secure web server, provided it is kept up to date with patches.

I would respectfully disagree with his assertion that "most hack attempts scan the full port range". I have never seen general port scanners doing full range (65000+ ports) scans on a residential IP address. The only time I've seen such scans is when I've been administering the firewall of a large public facing company. That is a different scenario because they were directed attacks against a specific target.

There was a similar discussion, albeit about SSH, where I demonstrated changing the SSH port to a random one reduced the number of hack attempts to zero. RMerlin said in the same thread that his experience was the same. I've just reviewed my firewall's history again and there are no full range scans. To put it another way, unless you need to use port 80 why not use something else?
 

dosborne

Very Senior Member
I have never seen general port scanners doing full range (65000+ ports) scans on a residential IP address.
You've been lucky then. Since 1999, when I put my first server online on the internet, through 4 moves and a half dozen ISP changes, my logs indicate at least weekly full port range sweeps hitting at least one of my residential internet services. Maybe I'm just lucky :)
 

Maverickcdn

Regular Contributor
I am concerned about this GUI warning: When your network's firewall is disabled and you set 80 as the HTTP server's port range for your WAN setup, then your http server/web server would be in conflict with RT-AC68U's web user interface
You won't be disabling your firewall, right? So this can be ignored. Just a port forward is fine and you can access both. Albeit, to access the router user interface it will need to be from a device connected to your LAN, and you browse to the router's internal LAN address.

If you must have it on 80, I highly recommend installing fail2ban on the Pi and learning about configuring jails. I've run a web server from home for years and my f2b is blocking someone every 10 mins.
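Both dosborne's and Maverickcdn's posts recommend fail2ban without showing what a jail actually does. The following is an added example, not code from the thread or from fail2ban itself: a minimal fail2ban-style detector in sh/awk that reads Apache access-log lines and reports a client once it reaches maxretry failed requests (401/403) within any findtime-second sliding window. It assumes a custom Apache LogFormat of `%h %{sec}t %>s "%r"` (client IP, epoch seconds, status, request line) so the timestamp is trivial to parse; the sample log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from fail2ban: a minimal jail-style
# detector over Apache access-log lines. Assumes the (hypothetical) LogFormat
#   LogFormat "%h %{sec}t %>s \"%r\"" f2bdemo
# i.e. client IP, epoch seconds, response status, request line.

# Constructed sample log: one client hammers /admin, one client browses normally.
SAMPLE_LOG='203.0.113.7 1604221000 401 "GET /admin HTTP/1.1"
203.0.113.7 1604221004 401 "GET /admin HTTP/1.1"
198.51.100.2 1604221005 200 "GET /index.html HTTP/1.1"
203.0.113.7 1604221009 403 "GET /admin HTTP/1.1"
203.0.113.7 1604221013 401 "GET /admin HTTP/1.1"
198.51.100.2 1604221020 404 "GET /favicon.ico HTTP/1.1"
203.0.113.7 1604221900 401 "GET /admin HTTP/1.1"
203.0.113.7 1604221905 401 "GET /admin HTTP/1.1"'

# detect_bans MAXRETRY FINDTIME < log
# Prints "BAN <ip> at <epoch>" once per client that reaches MAXRETRY failures
# (401 or 403 responses) inside any FINDTIME-second window, mirroring the
# maxretry/findtime semantics of a fail2ban jail.
detect_bans() {
  awk -v maxretry="$1" -v findtime="$2" '
    $3 == 401 || $3 == 403 {
      ip = $1; t = $2 + 0
      # remember this failure time for the client
      n[ip]++; hits[ip, n[ip]] = t
      # count failures whose time lies inside the window ending now
      c = 0
      for (i = n[ip]; i >= 1 && hits[ip, i] > t - findtime; i--) c++
      if (c >= maxretry && !(ip in banned)) {
        banned[ip] = t
        print "BAN " ip " at " t
      }
    }'
}

# Usage:  detect_bans 3 600 < /var/log/apache2/f2bdemo.log
#         sh f2bdemo.sh demo     -> run against the constructed sample
if [ "${1:-}" = demo ]; then
  printf '%s\n' "$SAMPLE_LOG" | detect_bans 3 600
fi
```

With maxretry 3 and findtime 600 the sample produces one ban for 203.0.113.7 at its third failure; with maxretry 5 it produces none, because the two late failures fall outside the 600-second window of the earlier four. That gap is exactly what the findtime knob in a jail controls, and bantime (how long the resulting firewall block lasts) is the other half that a real jail adds on top of this detection step.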
 

waeking

Regular Contributor
This is something that I found somewhere online and made some changes to. It will open a port and forward it to an IP, and it also has brute force detection that you can play with.
Code:
#!/bin/sh

##EXAMPLE
#bfs_portforward QBELT up eth0 192.168.1.241 3443 udp 60 5

NAME=$1      # label used for the chain ($NAMEVSBFP) and the recent list ($NAMEVS)
UPDOWN=$2    # "up" to install the rules, anything else to remove them
IFACE=$3     # WAN (public) interface
SERVER=$4    # internal host to forward to
PORT=$5      # external port, forwarded unchanged to $SERVER
PROTO=$6     # tcp or udp
WINDOW=$7    # seconds; renamed from SECONDS, which is a reserved variable in bash
HITCOUNT=$8  # max 20 unless the xt_recent ip_pkt_list_tot module parameter is raised

CHAIN="${NAME}VSBFP"
LIST="${NAME}VS"

if [ "$UPDOWN" = up ]
  then
    logger -t firewall "Applying $NAME Brute Force rules"
    # create a new chain $NAMEVSBFP
    iptables --new "$CHAIN" --table nat
    # add rule: add the source IP to the $NAMEVS match list table using the 'recent' match extension
    iptables --append "$CHAIN" --table nat --match recent --set --name "$LIST" --rsource
    # add rule: deny (skip the DNAT below) if the address has been seen in the $NAMEVS match list
    # $HITCOUNT or more times in the last $WINDOW seconds
    iptables --append "$CHAIN" --table nat --match recent --update --name "$LIST" --seconds "$WINDOW" --hitcount "$HITCOUNT" --rsource --jump RETURN
    # add rule: forward packets on port $PORT to $SERVER using the DNAT target extension
    iptables --append "$CHAIN" --table nat --proto "$PROTO" --dport "$PORT" --match state --state NEW --jump DNAT --to-destination "$SERVER"
    # add the chain created above to the VSERVER chain and apply to interface $IFACE (public interface)
    iptables --insert VSERVER --table nat --in-interface "$IFACE" --proto "$PROTO" --dport "$PORT" --match state --state NEW --jump "$CHAIN"
  else
    logger -t firewall "Deleting $NAME Brute Force rules"
    # remove the jump from VSERVER first, then empty and delete the chain:
    # a chain cannot be deleted while it is still referenced or non-empty
    iptables --delete VSERVER --table nat --in-interface "$IFACE" --proto "$PROTO" --dport "$PORT" --match state --state NEW --jump "$CHAIN"
    iptables --flush "$CHAIN" --table nat
    iptables --delete-chain "$CHAIN" --table nat
fi
 
