
Problems with Port Forwarding Through Internal Firewall



I don't know if this is a firewall problem, a DNS problem, or some other kind 
of configuration problem, but I need to get this resolved, so any help is 
greatly appreciated.

I've described my setup before in another post, but I'll go over it again.

I have my 1st firewall connected to the Internet, with the old LAN hooked up 
to that.  Then I have a 2nd firewall, connected to the LAN (i.e. not directly 
to the Internet), with a new LAN behind that.  The idea is that when 
everything in the new LAN is working the way it needs to, I'll remove the old 
LAN (which is ready to qualify for the hand-me-down-to-the-parents thing), 
and use just the new LAN.  The 2nd firewall was running IPCop.  At this 
moment it is running Smoothwall (which works about the same) as a test.  The 
problem is under both IPCop and Smoothwall.   (I changed to Smoothwall as a 
control test.  I don't want to change back until I figure out what is wrong, 
then I'll have IPCop up again.)

In the meantime, I need to have a few things working, and I also want to know 
how to do this so I can deal with similar problems in the future.

I want to be able to use 2 services, each to 2 systems, through the firewall.  
I want to be able to use SSH and RSYNC from the old LAN, through the 2nd 
firewall (as described above), to the new LAN's server and my production 
system.  I set up IPCop/Smoothwall to forward port 50022 to port 22 (ssh) on 
the server, 50023 to port 22 on the production system, 50837 to port 873 
(rsync) on the new server, and 50874 to port 873 on the production box.  It 
sounds good, and seemed to work a few days ago, before I took the server down 
and upgraded it to Mepis (newer kernel, and some other nice things over the 
older Libranet -- both are Debian based distros).  Now I can ssh through port 
50022 to the server, but not through 50023 to the production system.  When I 
try rsync through 50873, I connect to the server.  When I try it through port 
50874 (which should go to the production system), it goes to the server.

I had a lot of trouble setting up the new DNS (I used Bind 9, which was a 
disaster, and when I downgraded to Bind, version 8, it worked almost 
immediately).  I can't recall whether I had a DNS server working on the older 
system (I think I just used /etc/hosts since it was a small LAN).  I don't 
know if this has any effect on what is happening.

Basically, it seems I can't connect to the production system, only to the 
server and when I use rsync to reach the production system, I get the server.  
I've checked the logs in IPCop and Smoothwall.  When I first started looking 
at the IPCop logs, it looked like every time I tried to connect (through 
either ssh or rsync), it showed up on the logs in IPCop, showing the correct 
destination IP address in the new LAN.  When I started working with it this 
morning, many ssh and rsync attempts started showing the destination address 
as the firewalls external address (in other words, on the old LAN side, not 
the side I'm trying to reach).  It also no longer shows the correct 
destination port.

Any help is appreciated.  At this point I don't know if it's a firewall 
problem, or something else (I suspect it's got something to do with the DNS, 
since that was what I messed with, but I don't see how that would affect the 
firewall and result in screwy logs).

Thanks.

Hal
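An added example, not the poster's configuration and not IPCop or Smoothwall code: it captures the four-entry port-forward table described in the post, checks it for the two rule mistakes that would make two different external ports land on the same box (an external port forwarded twice, or two external ports resolving to the same internal host:port), emits the raw iptables rules the GUI is generating for you, and classifies netfilter-style log lines by whether the DNAT took place. The addresses, interface names and log lines are constructed placeholders.

```python
"""Port-forward table sanity check and log classifier (added example).

All IP addresses, interface names and log lines are constructed; the
port mapping is the one described in the post."""

import re
from dataclasses import dataclass

# Constructed addresses (assumptions, not from the post).
FW_EXTERNAL = "192.168.1.254"   # 2nd firewall's address on the old LAN
SERVER = "10.0.0.10"            # new LAN server
PRODUCTION = "10.0.0.20"        # new LAN production system


@dataclass(frozen=True)
class Forward:
    ext_port: int
    host: str
    int_port: int
    proto: str = "tcp"


# The mapping the post describes.
FORWARDS = [
    Forward(50022, SERVER, 22),
    Forward(50023, PRODUCTION, 22),
    Forward(50873, SERVER, 873),
    Forward(50874, PRODUCTION, 873),
]


def validate(forwards):
    """Return human-readable problems: an external port forwarded twice
    (only the first matching PREROUTING rule ever fires), or two external
    ports that both resolve to the same internal host:port."""
    problems = []
    by_ext, by_target = {}, {}
    for f in forwards:
        ext = (f.proto, f.ext_port)
        if ext in by_ext:
            first = by_ext[ext]
            problems.append(f"{f.ext_port}/{f.proto} forwarded twice; only the "
                            f"first rule ({first.host}:{first.int_port}) matches")
        else:
            by_ext[ext] = f
        target = (f.proto, f.host, f.int_port)
        if target in by_target:
            problems.append(f"{by_target[target].ext_port} and {f.ext_port} "
                            f"both go to {f.host}:{f.int_port}")
        else:
            by_target[target] = f
    return problems


def iptables_rules(forwards, ext_iface="eth0"):
    """Equivalent hand-written netfilter rules: a DNAT in nat/PREROUTING
    plus a FORWARD accept for the already-translated packet."""
    rules = []
    for f in forwards:
        rules.append(f"iptables -t nat -A PREROUTING -i {ext_iface} -p {f.proto} "
                     f"--dport {f.ext_port} -j DNAT --to-destination {f.host}:{f.int_port}")
        rules.append(f"iptables -A FORWARD -i {ext_iface} -p {f.proto} -d {f.host} "
                     f"--dport {f.int_port} -j ACCEPT")
    return rules


_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def classify(log_line, forwards, fw_external=FW_EXTERNAL):
    """Classify a kernel LOG-target line. DNAT happens in PREROUTING before
    the filter chains log anything, so a logged DST that is still the
    firewall's own address with the *external* port means no DNAT rule
    matched that packet (it went to INPUT, not FORWARD)."""
    fields = dict(_FIELD.findall(log_line))
    dst = fields.get("DST")
    dport = int(fields.get("DPT", 0))
    proto = fields.get("PROTO", "TCP").lower()
    for f in forwards:
        if f.proto == proto and (dst, dport) == (f.host, f.int_port):
            return f"forwarded to {f.host}:{f.int_port}"
    for f in forwards:
        if f.proto == proto and (dst, dport) == (fw_external, f.ext_port):
            return f"NOT translated: {f.ext_port} hit the firewall itself"
    return "unrelated"


# Constructed log lines in the netfilter LOG format these firewalls display.
SAMPLE_LOGS = [
    "IN=eth0 OUT=eth1 SRC=192.168.1.5 DST=10.0.0.10 PROTO=TCP SPT=40001 DPT=22",
    "IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.254 PROTO=TCP SPT=40002 DPT=50874",
]

if __name__ == "__main__":
    print("problems:", validate(FORWARDS) or "none")
    for rule in iptables_rules(FORWARDS):
        print(rule)
    for line in SAMPLE_LOGS:
        print(classify(line, FORWARDS), "<-", line)
```

The second constructed log line is the shape the post describes (destination shown as the firewall's old-LAN address with the untranslated port); that pattern says the packet never hit a matching DNAT rule, which is a firewall-rule question rather than a DNS one. On the firewall itself, `tcpdump -ni <new-LAN interface> port 873` while running the rsync shows directly whether rewritten packets leave towards the intended host.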


