SpeedTouch modem firewall

The misery of firewalls. Rarely has a subject been so poorly explained.
For the SpeedTouch:
Use FirewallManager (a Visual Basic program that makes it easier to communicate with the modem).

The VPN connection must also be allowed through
(excerpt from Guide to Pinholing the Alcatel SpeedTouch Pro)

Version 0.11
21-August-2001 Nik Kitson
found at

note written on 11/01/2006 23:06

nat create protocol=47 inside_addr= outside_addr=0
nat create protocol=tcp inside_addr= inside_port=1723 outside_addr=0 outside_port=1723

11/01/2006 23:06

To let several people browse at the same time, you need to reconfigure the DHCP server and the firewall.
The DHCP server can easily be reconfigured through the web interface.
The firewall, however, has no web interface. It has to be reconfigured from the command line.

Telnet to your router: telnet
Enter the following commands:
To delete the existing rules:
firewall rule delete chain=forward index=2
firewall rule delete chain=forward index=4

Now create new rules for incoming and outgoing traffic:
firewall rule create chain=forward index=2 src= srcmsk= action=accept
firewall rule create chain=forward index=4 dst= dstmsk= action=accept

Now review all of the rules once more with
firewall rule list
and, if everything looks right, save the changes with
Everything should now work properly.

Guide to Pinholing the Alcatel SpeedTouch Pro

Version 0.11

21-August-2001 Nik Kitson

This information has been summarised from the Alcatel SpeedTouch CLI guide. This can be downloaded from

1. Telnet to the Alcatel ST Pro by using a standard Telnet client. The default IP address of the ST Pro is There is no password by default. However, if a password has been added via the HTTP interface, this must be entered before you can access the CLI configuration.

2. NAT entries are of the format below. It does not appear that multiple port ranges are supported by the Alcatel, so each port will require a nat entry. Port numbers are only supported for TCP and UDP. By default, the router will not respond to ICMP ping requests.

nat create protocol=[type] inside_addr=[ip.address] inside_port=[port#] outside_addr=[ip.address] outside_port=[port#]

Some examples below are included for a range of different IP services.
All of the examples below use an internal host address of and are configured for a dynamic external IP address (outside_addr=0), as shown in Figure 1 below.
Vary the internal host and external address as required for your specific network.

Figure 1: Example network with Alcatel SpeedTouch Pro router

HTTP pinhole
nat create protocol=tcp inside_addr= inside_port=80 outside_addr=0 outside_port=80

SMTP pinhole
nat create protocol=tcp inside_addr= inside_port=25 outside_addr=0 outside_port=25

POP3 pinhole
nat create protocol=tcp inside_addr= inside_port=110 outside_addr=0 outside_port=110

SSH pinhole
nat create protocol=tcp inside_addr= inside_port=22 outside_addr=0 outside_port=22

FTP pinholes
nat create protocol=tcp inside_addr= inside_port=20 outside_addr=0 outside_port=20
nat create protocol=tcp inside_addr= inside_port=21 outside_addr=0 outside_port=21

DNS/BIND pinholes
nat create protocol=udp inside_addr= inside_port=53 outside_addr=0 outside_port=53
nat create protocol=tcp inside_addr= inside_port=53 outside_addr=0 outside_port=53

IPSec-ESP VPN pinholes
nat create protocol=50 inside_addr= outside_addr=0
nat create protocol=udp inside_addr= inside_port=500 outside_addr=0 outside_port=500

PPTP VPN pinholes
nat create protocol=47 inside_addr= outside_addr=0
nat create protocol=tcp inside_addr= inside_port=1723 outside_addr=0 outside_port=1723

H.323 pinholes (incoming calls to a single host)
nat create protocol=tcp inside_addr= inside_port=1503 outside_addr=0 outside_port=1503
nat create protocol=tcp inside_addr= inside_port=522 outside_addr=0 outside_port=522
nat create protocol=tcp inside_addr= inside_port=389 outside_addr=0 outside_port=389
nat create protocol=tcp inside_addr= inside_port=1720 outside_addr=0 outside_port=1720
nat create protocol=tcp inside_addr= inside_port=1731 outside_addr=0 outside_port=1731
(NOTE: There is no NAT H.323 support in the router firmware as at August 2001. However, the ST Pro manual does have config info for H.323, FTP, IRC and Real Audio. Presumably, H.323 support will be built into the router at a later stage. In the meantime, you will need to configure inbound call support manually as above)

3. Once you have added all of your required pinholes, type "nat save" to make the changes permanent. Resetting the router before entering the "nat save" command will erase all of your changes. To review your current NAT entries, type "nat list".

4. To remove entries, use the "nat delete" command

eg Remove SMTP pinhole to host

nat delete protocol=tcp inside_addr= inside_port=25 outside_addr=0 outside_port=25

5. The Alcatel has a feature to forward all unknown inbound packets to a specific internal host. This is quite useful if you would like to log traffic on a firewall, or if you want all requests to come to a single server without the need to configure pinholes/NAPT. The command for this is

nat defserver addr

This will forward all unknown packets to the internal host on IP address
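
An added example, not part of the original guide: a Python check to run over a pinhole script before pasting it into the router CLI. It validates each line against the "nat create" format from step 2 and derives the matching "nat delete" command from step 4. The sample lines and the host 10.0.0.50 are constructed, and using the same delete form for protocol-number entries is an assumption.

```python
import re

# Parameter names from the "nat create" format in step 2 of the guide.
ALLOWED = ("protocol", "inside_addr", "inside_port", "outside_addr", "outside_port")

def lint_pinhole(line):
    """Return the problems found in one 'nat create' line (empty list = clean)."""
    words = line.split()
    if words[:2] != ["nat", "create"]:
        return ["not a 'nat create' command"]
    problems, params = [], {}
    for word in words[2:]:
        key, sep, value = word.partition("=")
        if not sep or key not in ALLOWED:
            problems.append(f"unknown parameter '{key}'")
        elif key in params:
            problems.append(f"duplicate parameter '{key}'")
        else:
            params[key] = value
    for key in ("protocol", "inside_addr", "outside_addr"):
        if not params.get(key):
            problems.append(f"missing or empty '{key}'")
    proto = params.get("protocol", "").lower()
    for key in ("inside_port", "outside_port"):
        value = params.get(key)
        if proto in ("tcp", "udp"):
            # One entry per port: the guide says ranges are not supported.
            if value is None or not re.fullmatch(r"[0-9]{1,5}", value) \
                    or not 1 <= int(value) <= 65535:
                problems.append(f"'{key}' must be a single port 1-65535")
        elif value is not None:
            problems.append(f"'{key}' is only valid with tcp or udp")
    return problems

def rollback(line):
    """Build the 'nat delete' command that undoes a clean 'nat create' line."""
    if lint_pinhole(line):
        raise ValueError("refusing to build a rollback for an invalid entry")
    return "nat delete " + " ".join(line.split()[2:])

# Constructed sample script; 10.0.0.50 is a made-up internal host.
SAMPLE = """\
nat create protocol=47 inside_addr=10.0.0.50 outside_addr=0
nat create protocol=tcp inside_addr=10.0.0.50 inside_port=1723 oustide_addr=0 outside_port=1723
nat create protocol=tcp inside_addr=10.0.0.50 inside_port=6000-6010 outside_addr=0 outside_port=6000
nat create protocol=50 inside_addr=10.0.0.50 inside_port=500 outside_addr=0
"""

if __name__ == "__main__":
    for entry in SAMPLE.splitlines():
        print(entry, "->", lint_pinhole(entry) or rollback(entry))
```

Keeping the generated "nat delete" lines next to the script gives a record of every pinhole that was opened and the exact command that closes it.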