==update==
Turns out the problem was in the Ubuntu box. The previous gateway was a .1, the Tomato router is a .2. Changed the Ubuntu network/interfaces gateway to .2.
Previous setup
ZTE W300S running in bridge/router mode -> (DMZ) Ubuntu 12.04 box
I could access HTTP and SSH from the outside with this setup.
Current setup
Tomato Firmware 1.28.0280 MIPSR2 K26 USB Mega-VPN with "Shibby" and "Victek"
Tomato router is a local brand, made-in-China router with a 500 MHz Broadcom BCM5357 chip rev 2 pkg 8, 8MB Flash RAM. I've set it up to use a 2GB swap partition.
ZTE W300S bridge mode -> Tomato router -> (DMZ) Ubuntu 12.04 box
I cannot now access HTTP or SSH from the outside with the Tomato router. I did not change anything in the Ubuntu box. I did not even change the LAN IP addresses.
I can access the Ubuntu box through SSH using its local IP and HTTP using both local and public IPs. I configured the Firewall LAN loopback to "All".
Online open port checkers say that my port 80 and 22 are not accessible. But, if I open those same ports using my OS X machine, and point the DMZ to the OS X machine, the ports are accessible from the outside.
I tried to use port forwarding but it also doesn't work.
$ iptables -t filter -L -nv
and
$ iptables -t nat -L -nv
give the following for the DMZ setup
root@aramaki:/tmp/home/root# iptables -t filter -L -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
129 16428 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
39655 12M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 64 shlimit tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
62 4403 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
685 64556 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
1 28 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:33434:33534 limit: avg 5/sec burst 5
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:51515
80 2240 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
1 52 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
3985 233K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
40457 14M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2515 170K wanin all -- vlan1 * 0.0.0.0/0 0.0.0.0/0
2290 150K wanout all -- * vlan1 0.0.0.0/0 0.0.0.0/0
0 0 wanin all -- vlan2 * 0.0.0.0/0 0.0.0.0/0
0 0 wanout all -- * vlan2 0.0.0.0/0 0.0.0.0/0
2290 150K ACCEPT all -- br0 vlan1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 vlan2 0.0.0.0/0 0.0.0.0/0
2515 170K upnp all -- vlan1 * 0.0.0.0/0 0.0.0.0/0
0 0 upnp all -- vlan2 * 0.0.0.0/0 0.0.0.0/0
2515 170K ACCEPT all -- * br0 0.0.0.0/0 192.168.17.9
Chain OUTPUT (policy ACCEPT 3310 packets, 2794K bytes)
pkts bytes target prot opt in out source destination
Chain logdrop (2 references)
pkts bytes target prot opt in out source destination
80 2240 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 1/sec burst 5 LOG flags 39 level 4 prefix `DROP '
80 2240 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 39 level 4 prefix `REJECT '
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain shlimit (1 references)
pkts bytes target prot opt in out source destination
1 64 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: shlimit side: source
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
Chain upnp (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.17.30 tcp dpt:11300
Chain wanin (2 references)
pkts bytes target prot opt in out source destination
Chain wanout (2 references)
pkts bytes target prot opt in out source destination
root@aramaki:/tmp/home/root#
===============
Chain PREROUTING (policy ACCEPT 39 packets, 3121 bytes)
pkts bytes target prot opt in out source destination
1301 94122 WANPREROUTING all -- * * 0.0.0.0/0 110.55.65.25
0 0 DROP all -- vlan1 * 0.0.0.0/0 192.168.17.0/24
0 0 WANPREROUTING all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.17.0/24
0 0 upnp all -- * * 0.0.0.0/0 110.55.65.25
0 0 upnp all -- * * 0.0.0.0/0 0.0.0.0
Chain POSTROUTING (policy ACCEPT 97 packets, 7445 bytes)
pkts bytes target prot opt in out source destination
3443 216K MASQUERADE all -- * vlan1 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * vlan2 0.0.0.0/0 0.0.0.0/0
28 6784 SNAT all -- * br0 192.168.17.0/24 192.168.17.0/24 to:192.168.17.2
Chain OUTPUT (policy ACCEPT 43 packets, 2943 bytes)
pkts bytes target prot opt in out source destination
Chain WANPREROUTING (2 references)
pkts bytes target prot opt in out source destination
1 28 DNAT icmp -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.17.2
1300 94094 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.17.9
Chain upnp (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:11300 to:192.168.17.30:11300
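The fix in the update, expressed as a check (an added example, not part of the original post): LAN clients hitting the public IP are source-NATed to the router by the br0 SNAT rule, so the replies stay on-link, while WAN clients keep their public source address and the DMZ host answers them through its default gateway. The script compares that gateway with the router's LAN address taken from the NAT dump. The interfaces stanzas, including the old gateway written out as 192.168.17.1, are constructed from the values in the post, and the function names are hypothetical.

```sh
# Added example. NAT rules are copied from the dump above; the rest is constructed.

NAT_RULES='Chain POSTROUTING (policy ACCEPT 97 packets, 7445 bytes)
28 6784 SNAT all -- * br0 192.168.17.0/24 192.168.17.0/24 to:192.168.17.2
Chain WANPREROUTING (2 references)
1 28 DNAT icmp -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.17.2
1300 94094 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.17.9'

# Constructed /etc/network/interfaces stanzas for the DMZ host, before and after the fix.
IFACES_OLD='auto eth0
iface eth0 inet static
    address 192.168.17.9
    netmask 255.255.255.0
    gateway 192.168.17.1'
IFACES_NEW=$(printf '%s\n' "$IFACES_OLD" | sed 's/gateway 192.168.17.1/gateway 192.168.17.2/')

# nat_target CHAIN TARGET PROTO: print the "to:" address of the first matching rule on stdin.
nat_target() {
    awk -v chain="$1" -v tgt="$2" -v proto="$3" '
        $1 == "Chain" { cur = $2; next }
        cur == chain && $3 == tgt && $4 == proto {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^to:/) { print substr($i, 4); exit }
        }'
}

# iface_gateway: print the first "gateway" value from an interfaces file on stdin.
iface_gateway() { awk '$1 == "gateway" { print $2; exit }'; }

# check_return_path NAT_DUMP INTERFACES: succeed only if the DMZ host's default
# gateway is the router's LAN address, so replies to DNATed WAN clients return
# through the box that holds the connection-tracking entry.
check_return_path() {
    router=$(printf '%s\n' "$1" | nat_target POSTROUTING SNAT all)
    dmz=$(printf '%s\n' "$1" | nat_target WANPREROUTING DNAT all)
    gw=$(printf '%s\n' "$2" | iface_gateway)
    if [ "$gw" = "$router" ]; then
        echo "OK: DMZ host $dmz replies via router $router"
    else
        echo "MISMATCH: DMZ host $dmz sends replies to $gw, router is $router"
        return 1
    fi
}

check_return_path "$NAT_RULES" "$IFACES_OLD" || true
check_return_path "$NAT_RULES" "$IFACES_NEW"
```

On a live setup, feed it the output of `iptables -t nat -L -nv` from the router and the contents of `/etc/network/interfaces` from the DMZ host.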