What's new

Asuswrt-Merlin Port 80 DNAT's

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

garycnew

Senior Member
All:

I've run into an issue where I'm trying to run a web service on the Asuswrt-Merlin br0 Dynamic IP Address, but it appears that there are Port 80 DNAT's that already exist.
Code:
# iptables -t nat -S | grep 80
-A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:62299
-A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:46326
Does anyone else have similar Port 80 DNAT's? If so, do you know the purpose of them?

Presently, I don't see any services running on the referenced high-ports, but it could be related to an on-demand service such as acme.sh's standalone method, etc. The Asuswrt-Merlin Web UI listens on 127.0.01:80 and 192.168.0.1:80.
Code:
# netstat -anp|grep :80                                                      
tcp        0      0 xxx.xxx.xxx.xxx:80         0.0.0.0:* 
           LISTEN      8130/nginx: master             
tcp        0      0 192.168.0.3:80          0.0.0.0:* 
           LISTEN      8130/nginx: master             
tcp        0      0 192.168.0.2:80          0.0.0.0:* 
           LISTEN      8130/nginx: master             
tcp        0      0 127.0.0.1:80            0.0.0.0:* 
           LISTEN      24007/httpd                    
tcp        0      0 192.168.0.1:80          0.0.0.0:* 
           LISTEN      24007/httpd                    
tcp        0      0 0.0.0.0:8082            0.0.0.0:* 
           LISTEN      24197/lighttpd
Any clue as to the purpose of these Port 80 DNAT's and their importance is greatly appreciated.

Respectfully,


Gary
 
Last edited:
Try using the following command to see what process/service is listening on those ports.

Code:
netstat -tulpn | egrep ':62299|:46326'

UPDATE: Ok, I see you've now done that. Those are pretty obscure ports, so I agree it's probably coming from some on-demand service. But I don't recognize them specifically. It's definitely not found in my own firewall script.
 
Last edited:
BTW, does it have to be port 80? Many ISPs don't allow port 80/443 w/ consumer accounts. And even if they do, port 80/443 will typically get hammered by hackers/bots looking for vulnerabilities. It's why we don't ever recommend exposing the GUI to the internet. Or any other well-known ports (22, 1194, etc.). Just too risky.
 
Last edited:
Try using the following command to see what process/service is listening on those ports.

Code:
netstat -tulpn | egrep ':62299|:46326'

UPDATE: Ok, I see you've now done that. Those are pretty obscure ports, so I agree it's probably coming from some on-demand service. But I don't recognize them specifically. It's definitely not found in my own firewall script.
It's a bit confusing because of the re-edited post. But as of this moment in time he appears not to have issued the correct netstat statement. His netstat is grepping port 80 whereas, as you say, it should be ports 46326 and 62299.
 
Last edited:
Pretty sure that's for letsencrypt certificate issuing renewal as it works exactly like that.. it uses nginx on port 80 to do the verification cause that's how letsencrypt works with the web authentication option.
I know it for sure because I've tested it to see the implementation as I'm not interested in opening the router to the public and I want to script dns authentication instead.

PS I'm also debating having one of my servers acquire the certificate via DNS method and just upload it to the router with a certbot posthook script. That's probably lighter.
 
It's definitely not found in my own firewall script.
@eibgrad

Port 80 DNAT not found on your Asuswrt-Merlin Firewall is a good baseline. I had searched for those high-ports in my original post, but didn't provide the output (just stated the the result).

Thank you for the reply.

Respectfully,


Gary
 
BTW, does it have to be port 80? Many ISPs don't allow port 80/443 w/ consumer accounts. And even if they do, port 80/443 will typically get hammered by hackers/bots looking for vulnerabilities. It's why we don't ever recommend exposing the GUI to the internet. Or any other well-known ports (22, 1194, etc.). Just too risky.
@eibgrad

Risky or not... If I want to use my router as a Nginx loadbalancer, I'll simply have to make sure nginx is up to date.

Thanks, again.

Respectfully,


Gary
 
It's a bit confusing because of the re-edited post. But as of this moment in time he appears not to have issued the correct netstat statement. His netstat is grepping port 80 whereas, as you say, it should be ports 46326 and 62299.
@ColinTaylor

Please refer to my reply to @eibgrad

As always, I appreciate your reply.

Respectfully,


Gary

P.S. Thanks, again, for your assistance troubleshooting nginx Tor loadbalancing. It seems to be working well, but it's taking months to burn in and validate. I'll put together a tutorial, once validation is complete. On the upside, I've leaned a ton about Tor in the process.
 
Last edited:
Pretty sure that's for letsencrypt certificate issuing renewal as it works exactly like that.. it uses nginx on port 80 to do the verification cause that's how letsencrypt works with the web authentication option.
I know it for sure because I've tested it to see the implementation as I'm not interested in opening the router to the public and I want to script dns authentication instead.

PS I'm also debating having one of my servers acquire the certificate via DNS method and just upload it to the router with a certbot posthook script. That's probably lighter.
@Nodens

I agree... My gut tells me it's related to the Asuswrt-Merlin acme.sh standalone implementation, which I've been developing an asus-wrapper-acme.sh script to manipulate to use the --dns method.

Perhaps, the Asuswrt-Merlin acme.sh process didn't remove the --standalone method Port 80 DNAT'S from it being terminated mid-process and not cleaning up.

I've removed the Port 80 DNAT's and have successfully PERMITed nginx port 80 access. I'll watch to see if I run into any issues, but we're live in Port 80, now.

Thank you for your reply.

Respectfully,


Gary
 
Last edited:
@ColinTaylor

Please refer to my reply too @eibgrad
Sorry, I don't understand this reference.

In your OP you found DNAT rules that appear to be directed at ports 62299 and 46326 (although both can't be true at the same time). So to see if there is in fact something listening on either of those ports you need to netstat/grep those ports. My confusion comes because although you said "I don't see any services running on the referenced high-ports" the netstat output you show is for port 80 and not ports 62299 and 46326.

I've never seen the router put ports like that in the VSERVER chain. So my guess is that it must come from a user script of some sort.
 
@eibgrad

Port 80 DNAT not found on your Asuswrt-Merlin Firewall is a good baseline. I had searched for those high-ports in my original post, but didn't provide the output (just stated the the result).

Thank you for the reply.

Respectfully,


Gary
@ColinTaylor

The above response to @eibgrad was what I was referencing you to. Please see my other responses in this post, as well.

I have to agree with your assessment.

Respectfully,


Gary
 
Thanks for the clarification. It looks like it probably does come from the letsencrypt prebuilt blob:
Code:
# strings /usr/lib/libletsencrypt.so | grep VSERVER
iptables -t nat -I VSERVER -p tcp --dport %d -j DNAT --to-destination %s:%u
 
Last edited:
Thanks for the clarification. It looks like it probably does come from the letsencrypt prebuilt blob:
Code:
# strings /usr/lib/libletsencrypt.so | grep VSERVER
iptables -t nat -I VSERVER -p tcp --dport %d -j DNAT --to-destination %s:%u
@ColinTaylor

Wow... It's actually in the libletsencrypt.so. I hope you didn't spend too much time hunting down that strings output. I was thinking it would more likely be in the Asuswrt-Merlin kernel as that's how the related acme.sh output is referenced in the System Logs.

Now, I can rest at ease knowing that by removing the Port 80 DNAT rules I won't break anything.

Thanks, again, for your second-set-of-eyes.

With Much Respect,


Gary
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top