Re: port redirection
On Fri, Jul 02, 1999 at 03:24:50PM -0400, Jonathan Lupa wrote:
> On Thursday, July 01, 1999 10:37 AM, Dan Everton
> [SMTP:email@example.com] wrote:
> > On Thu, 1 Jul 1999, Ralf G. R. Bergs wrote:
> > There is a patch available. You can find it here
> > http://www.ox.compsoc.org.uk/~steve/portforwarding.html
> > I think it's packaged somewhere in the Debian distribution... *checks
> > package listing* yes it is. You can find it here:
> > http://www.debian.org/Packages/stable/net/ipportfw.html
> Wow. This opened some doors for me! But now, I get to flood with newbie
> questions. =)
> First of all, I have a 486-33dx4 acting as my masq-firewall. Its at Kernel
> 2.0.36, has a ppp0 properly set up and masquerades to a small network of
> 192.168.2.* addressed computers. The firewall rules are below.
> ipfwadm -F -p deny
> ipfwadm -F -a m -S192.168.2.0/24 -D 0.0.0.0/0
> ipfwadm -I -p accept
> # the following line blocks incoming telnets since I use ssh to
> ipfwadm -I -a r -DXXX.XXX.XXX.XXX/32 23 # address removed to protect
> the ignorant (me).
> I compiled in port forwarding support and added the following lines to my
> setup which allowed quicktime streaming to work for my Wife's machine:
> ipportfw -A -tXXX.XXX.XXX.XXX/554 -R 192.168.2.2/554
> # and a WHOLE BUNCH of udp routing lines.
> Now, what I want to do, but haven't been able to get working is a forwarding
> scheme for CVS. I want to have my gateway XXX.XXX.XXX.XXX box redirect its
> port 6060 to my workstations (192.168.2.1) cvspserver port (2401).
> To this affect I entered the following lines:
> ipportfw -A -tXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401
> ipportfw -A -uXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401
> Before I was doing portforwarding on 6060 when I telnet to that port on my
> box I get the message "telnet: Unable to connect to remote host: Connection
> refused". AFTER I add port forwarding on 6060 I get "telnet: Unable to
> connect to remote host: Connection timed out".
> The transactions are starting, they just aren't finishing. My pet theory is
> that this port forwarding thing isn't dealing with masquerading of the
> returned packets, but like I said, I'm pretty clueless with this.
> Any help appreciated!
> Jonathan Lupa
Near as I can tell, that should work. I've only used the port forwarding
patches in a very limited fashion, but similar lines have worked for all
services I've tried.
One thing I can think of is (and this is based on a very hazy grasp of
what ipmasq and ipportfw are actually doing) is that that the cvspserver is
trying to create another connection channel back to the originating server and
that isn't working for some reason. Anybody know if cvspserver does that (like
the control and data ports in ftp)?
Another possibility is that ipportfw doesn't like rewriting ports (although
I'm almost certain that does work). Have you tried just passing port 2401
one along as opposed to rewriting 6060 down to 2401?
Wish I could help you better.
Dan Everton <firstname.lastname@example.org> | "Have you tried thinking like a shower?"
www.psynet.net/fada | KBHR's Chris in the Morning