
Re: Port forwarding



Fitsch wrote:
> 
> Michael Meskes wrote:
> >
> > Could anyone send me a working example of port forwarding? I just tried to
> > get it going to no avail.
> >
> > My test setup has a firewall connecting 172.26.14.0/24 and 172.26.2.0/24
> > doing nothing but routing. Now I want it to redirect some ports (I tried
> > 23,25,80) from its own 172.26.2.1 address to 172.26.14.7. I tried
> > accomplishing that by adding
> >
> > ipmasqadm portfw -a -P tcp -L 172.26.2.1 80 -R 172.26.14.7 80
> >
> > With this setup I get a log entry that someone tried to initiate a session
> > on 172.26.14.7 but that session never is fully established since no data
> > arrive on the outside. Also there is no error log on any of the machines.
> >
> > Then I told my firewall to masquerade the internal network. With that I got
> > www going. However, with a respective rule added, smtp and telnet did not
> > work either. They do get a 'connection denied' icmp package back. But my
> > inside test machine does accept both protocols as I can see when directly
> > addressing it.
> >
> > I also tried using the ip command to redirect another address (in my case
> > 172.26.2.2) completely to my internal machine. Using this setup I have the
> > same problem. I get the log that unknown@external-machine tries to
> > establish a connection and nothing more. Strangely enough about every 2nd
> > or 3rd try this log shows the correct user instead of unknown.
> >
> > Finally I tried marking packages to port 80 and add a special ip rule for these
> > packages but the result was the same.
> >
> > I think I missed something essential but right now I have no idea what that
> > could be. And yes CONFIG_IP_MASQUERADE_IPPORTFW is defined in the kernel.
> >
> > Thanks in advance for any help.
> >
> > Michael
> >
> > P.S.: Please CC me on replies.
> > --
> > Michael Meskes                         | Go SF 49ers!
> > Th.-Heuss-Str. 61, D-41812 Erkelenz    | Go Rhein Fire!
> > Tel.: (+49) 2431/72651                 | Use Debian GNU/Linux!
> > Email: Michael@Fam-Meskes.De           | Use PostgreSQL!
> >
> 
> I got ipmasqadm portfw working.
> 
> Perhaps you try something wrong, or I don't understand your setup. In
> general, Port Forwarding is used to redirect traffic from the outside to
> an internal host behind your firewall (e.g. a webserver). This internal
> host may have an address from the private space.
> When you specify the IP addresses, Source and Destination must be
> addresses on different machines, not of different NICs in one machine.
> If you have a strict policy on your firewall you have to allow this
> traffic; better, you create a separate chain for portforwarded traffic
> from the outside to the inside.
> 
> For traffic from the inside to the outside you don't need Port
> Forwarding, as this is handled by Masquerading or normal routing.
> 
> If this doesn't match your setup and you want to try anything else,
> append a -j REJECT -l to every chain to see exactly which packages are
> denied in /var/log/messages.
> 
> I'm not an expert in firewalling, but this worked for me.
> 
> HTH, Fitsch
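An added example, not part of either poster's message, that puts Fitsch's three suggestions into one rule script for the addresses Michael describes (firewall external address 172.26.2.1, internal web server 172.26.14.7, internal network 172.26.14.0/24): masquerade the inside, keep port-forwarded traffic in its own ipchains chain so only the forwarded port is opened, and finish the chains with a logging REJECT so denied packets show up in /var/log/messages. The external interface name (eth0), the `IPCHAINS`/`IPMASQADM` variables (set to `echo` for a dry run) and the chain traversal comments are assumptions of this example; ipchains 2.2 passes a port-forwarded packet through the input chain with the firewall's address and, after the rewrite, through the output chain with the server's address. No catch-all REJECT is appended to the input chain here, because replies to masqueraded connections also arrive through input before they are demasqueraded and would be rejected along with everything else.

```shell
#!/bin/sh
# Added example (not from the thread): ipchains/ipmasqadm rule set for a
# firewall that forwards TCP/80 on its external address to an inside server.

EXT_IF=${EXT_IF:-eth0}            # assumed interface facing 172.26.2.0/24
EXT_IP=172.26.2.1                 # firewall's external address (from the thread)
INT_NET=172.26.14.0/24            # internal network (from the thread)
WEB_SRV=172.26.14.7               # internal web server (from the thread)
IPCHAINS=${IPCHAINS:-ipchains}    # set IPCHAINS=echo for a dry run
IPMASQADM=${IPMASQADM:-ipmasqadm} # set IPMASQADM=echo for a dry run

# ip_forward is assumed to be enabled already (the box is routing).
portfw_rules() {
    # 1. Inside -> outside is plain masquerading, no port forwarding needed.
    #    Policy DENY, and a logging REJECT at the end so denials are visible.
    $IPCHAINS -P forward DENY
    $IPCHAINS -A forward -s "$INT_NET" -j MASQ
    $IPCHAINS -A forward -j REJECT -l

    # 2. Separate chain for port-forwarded traffic: only the forwarded port
    #    is accepted, everything else that lands here is logged and rejected.
    $IPCHAINS -N portfw 2>/dev/null
    $IPCHAINS -F portfw
    $IPCHAINS -A portfw -p tcp -d "$WEB_SRV" 80 -j ACCEPT
    $IPCHAINS -A portfw -j REJECT -l

    #    The packet first hits the input chain addressed to the firewall...
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 80 -j ACCEPT
    #    ...and after the kernel rewrites the destination it leaves through
    #    the output chain addressed to the server, where we hand it to portfw.
    $IPCHAINS -A output -p tcp -d "$WEB_SRV" 80 -j portfw

    # 3. The forwarding entry itself (the command from the thread), after
    #    flushing any stale entries so a retyped rule does not pile up.
    $IPMASQADM portfw -f
    $IPMASQADM portfw -a -P tcp -L "$EXT_IP" 80 -R "$WEB_SRV" 80
}

case "${1:-}" in
    apply)   portfw_rules ;;
    dry-run) IPCHAINS=echo IPMASQADM=echo portfw_rules ;;
esac
```

Run it as `sh portfw.sh dry-run` to print the rules it would load, and `sh portfw.sh apply` as root to load them. Extending it to the other ports Michael tried (23, 25) means one more `-A portfw ... -j ACCEPT`, one more `-A input`/`-A output` pair and one more `ipmasqadm portfw -a` line per port; keeping them in the portfw chain is what makes the open ports easy to audit with `ipchains -L portfw -n`.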