Topic: Port Forwarding / Mapping

[Jules]

How can I setup e-smith to forwrad incoming request on the external IP to an internal IP on a windoze machine?
ie ...ftp requests on ip 24.x.x.x port 666 forwarded to a windows ftpserver (servu) running on the windows machine ip 10.0.0.135 port 666

I have a HUGE drive on the windows machine and minimal on the e-smith, I woudl liek NOT to have to swap the drives over


info - external ip 24.x.x.x internal ip 10.0.0.1 (DHCP giving out 10.0.0.100 - 200)

Thanks

Jules

[Franck ZOCCOLO]

You should try something like that :

ipmasqadm portfw -A -P tcp -L 24.x.x.x 666 -R 10.0.0.1 666

[Jules]

Works Great !!
Thanks

(Except it appears to be -a not -A )  

Now I have to setup the dran ftp servu with MultiHomed IP address as it won't return the reply back the right way ..DOH !!

Jules

[Jules]

Or --

Does this have anything to do with the return daat coming back on a port above 1024 ? Is the return path blocked by esmith or are ports above 1024 'open' ?

[Charlie Brady]

Jules wrote:

> Now I have to setup the dran ftp servu with MultiHomed IP
> address as it won't return the reply back the right way ..DOH
> !!

You might find this very difficult to get working, since ftp is a two connection protocol - and the second connection can be incoming or outgoing depending on the client configuration, and the port numbers are not fixed.

Charlie

[Jules]

Charlie Brady wrote:

>
> You might find this very difficult to get working, since ftp
> is a two connection protocol - and the second connection can
> be incoming or outgoing depending on the client
> configuration, and the port numbers are not fixed.
>
> Charlie

It is indeed proving to be problem ...PLEASE any help/suggestions woudl be appreciated.

I can log in but the reurn of the connection/data is messing me up <:-(>
and then dropping the connection (refused on return).

Has ANYONE done this already ??

Jules™

[Jules]

PS..

I have setup the windows servu with multihomed Ips so that is not the problem (err I think not anyway)

J™

[Jules]

one more Q. (well Maybe more)

I am forced at work to use PASV mode..Am I also forced to use Passive mode on incoming connectiosn on the e-smith server ? I think PASV is only on outgoing but I would liek to be sure.

tahnks
 oops
Thanks

J™

[aniston]

hello Jules,

try to see this page at http://ipmasq.cjb.net/  and look for the applications section, now towards the end of this section you will find a module which might help you I didn't go into looking it up but it seems very relevant to what you may want.

By the way I'myself am looking for some modules to be able to host a good bit (about 20 or so) of web servers from my inside network to the outside and havent as yet got it going ....any clues?

regards,
aniston.

[aniston]

hello Jules,

try to see this page at http://ipmasq.cjb.net/  and look for the applications section, now towards the end of this section you will find this module (New IP_MASQ_FTP Module) which might help you I didn't go into looking it up but it seems very relevant to what you may want.

By the way I'myself am looking for some modules to be able to host a good bit (about 20 or so) of web servers from my inside network to the outside and havent as yet got it going ....any clues?

regards,
aniston.

[Graeme Robinson]

Just thought I'd add that I've used this pmasqadm portfw command to successfully permit remote access (using a pcanywhere type program that uses full encryption) to an internal winbox on a specific port, something that's been on my todo list for a couple of weeks - thanks Franck!

[Chrisis]

A bit off topic, but along similar lines: how can I check the ports that my SME server is listening on for FTP?  Can I just assume that it will be ports 20-21?  I have configured my DSL router to forward ports 20-21 to my SME server, and I get "connection refused" whenever I try to connect.
My DSL router successfully forwards http requests via port 80 to my SME server.
TIA

[aniston]

To check the ports (including ftp) open on your e-smith server, Darrel May's website has a nice utility called 'portscan' http://myezserver.com/downloads/mitel/contrib/portscan/ that will show you the open ports on the server via nmap.

Also check basic settings in the admin panel under 'Remote Access' if ftp is disabled by mistake ? is ftp accessiable from the inside only ?

what specific dsl router are you using ?

a nice free ftp client for windows is smartftp from http://www.smartftp.com

regards
.aniston

[Chris]

aniston wrote:
>
> To check the ports (including ftp) open on your e-smith
> server, Darrel May's website has a nice utility called
> 'portscan'
> http://myezserver.com/downloads/mitel/contrib/portscan/ that
> will show you the open ports on the server via nmap.

Thanks for the reminder about nmap!  nmap tells me that my SME Server has tcp on the default port 21, but that my dsl router (an Asus 6000ev) does not have port 21 open.  My DSL config says I /do/ have a pinhole open for port 21 so I have to figure what I've done wrong there that the pinhole isn't being spotted by nmap (nmap correctly reports that port 80 on my router is open)

>
> Also check basic settings in the admin panel under 'Remote
> Access' if ftp is disabled by mistake ? is ftp accessiable
> from the inside only ?

I have enabled ftp access on my SME server -- both "public" and "normal" settings have been set -- it's just my router that needs a kick.  I'll report back my solution to that as soon as I've got one.

> regards
> .aniston

Thanks for your help
Chris

[Charlie Brady]

Chris wrote:

>  nmap tells me that my
> SME Server has tcp on the default port 21, but that my dsl
> router (an Asus 6000ev) does not have port 21 open.  My DSL
> config says I /do/ have a pinhole open for port 21 so I have
> to figure what I've done wrong there

My advice remains - do not use s DSL router. Just use a DSL modem. The extra level of firewalling/routing/port-forwarding/NAT just causes many problems and doesn't add much, if anything.

Charlie

[Greg Zartman]

> My advice remains - do not use s DSL router. Just use a DSL
> modem. The extra level of

Charlie,

I know you've stated this many times in the past, but I can't see what the problem is with DSL routers?  I've been using one (the Cisco 678) for nearly five years now with absolutely no trouble.   The issue isn't the router, but how the router is configured.    My Cisco router is not offering any firewalling functionality at all, for example.

> problems and doesn't add much, if anything.

The major bonus I get with my router is the ability to  access connection information and parameters.  I can hook a laptop up to my WAN hub and access the router directly if I'm having a problem with my connection.  I can also access my router via SSH from home, if needed.  This has been very useful on more than one occasion.

Regards,
Greg Zartman


>
> Charlie

[aniston]

Greg, you are a proud owner of a nice Cisco 678 which is good, but consider a Zyxel 642r which is really easy and quick to setup (for clients) and does no firewalling but the downfall of it is it does not route certain types of VoIP packets and effectively has problems with voice related programs that require packets to reach the destination with a public ip address.

On the topic of NAT a roundabout solutition was to setup an additional lunix based router with  VPN setup to give the one and only client the same address that was  the Zyxel's public ip in order for the VoIP to work.

Noteably the Cisco and Netgear DSL routers are actually VoIP certified and if someone does have a solutition to the Zyxel 642r DSL router do let me know else I have stuck to the Alcatel Speedtouch USB modem which aorks under RH 7.xx and kernel 2.4.18

Now the big task is to get it to work with the e-smith server gateway kernel 2.2.19-7.0.8 any starting point suggestions rather than recompiling this kernel ?

regards
.aniston

[Charlie Brady]

Greg Zartman wrote:

> I know you've stated this many times in the past, but I can't
> see what the problem is with DSL routers?  I've been using
> one (the Cisco 678) for nearly five years now with absolutely
> no trouble.   The issue isn't the router, but how the router
> is configured.    My Cisco router is not offering any
> firewalling functionality at all, for example.

Quite possibly then it isn't acting as a router at all, but is configured in bridged mode.

My beef is with the many newbies who naively use an inexpensive DSL/cable firewall/router, then immediately get into difficulties trying to reconfigure firewalls and port forward protocols that they do not understand, and without any of the troubleshooting skills that would help them get the job done smoothly. These people would all be better off to connect their SME server directly to their cable modem or DSL router, and have the system "just work", out of the box.

> The major bonus I get with my router is the ability to access
> connection information and parameters. I can hook a laptop
> up to my WAN hub and access the router directly if I'm having
> a problem with my connection. I can also access my router
> via SSH from home, if needed.

Pretty much all of this is also true of the SME server itself, when it is managing the connection, rather than an independent box.

Charlie

[Charlie Brady]

aniston wrote:

> I have stuck to the
> Alcatel Speedtouch USB modem which aorks under RH 7.xx and
> kernel 2.4.18
>
> Now the big task is to get it to work with the e-smith server
> gateway kernel 2.2.19-7.0.8 any starting point suggestions
> rather than recompiling this kernel ?

The fundamental sticking point with the Alcatel Speedtouch USB modem is that a proprietary module must be downloaded into the modem before it will work, and Alcatel do not permit the redistribution of the module, so it can't be bundled with the SME server software.

If you're interested in trying to use it, have a look at the latest 5.6beta, and start with that. The kernel used is 2.4.18. Be sure to write up a howto when you are done.

Charlie

[aniston]

thankx charlie,
as of now i have a connection going with the alcatel speet touch USB adsl modem, on an e-smith 5.1.2 with update 3 and no kernel level modifications. Since i copied the procedure from the web site of soundforge http://speedtouch.sourceforge.net/ and first checked it to work with a standard RH 8 distro. Then I moven onto the stock e-smith 5.1.2 and set up the server gateway as if it was using a standard com port modem  (dial up access) giving in fake values durning the e-smith setup (su admin) after that i got thru the installation of the usb driver and the  set up the scripts in /etc/e-smith/templates-custom and did the modprobe for n_hdlc and usbcore and usb-uhci finally i loaded alcatel's firmware driver and did a pppd call adsl, deleted the default route manually and added the new default route with route add default ppp0.

I know all this is hap-hazzardly written but it was the quick and easy way to get onlinewith an e-smith 5.1.2 server and alcatel speedtouch adsl USB modem, there is a lot of ground to be covered like starting an dstopping the connection and alsi figuring out if we are connected or not , also i did a lot of manual entries too and need to clarify first before i can post further. further as indicated the new 2.4.18 kernel is a good candidate to this as the stock RH 8 is built on it so there should not be much problems, ofcourse i do understand that alcatel does not allow redistribution of the firmware but downloading it too is not that difficult for the tiny odd bit of us who own this modem.

Anyone who has a 3ware 7400 card acn has tried to install it on a dev version of 5.6 can you tell me how to include the kernel level driver durning installation time (the 5.1.2 and earlier versions allowed that by saying accept dd)

best...
.aniston

[Charlie Brady]

aniston wrote:

> Anyone who has a 3ware 7400 card acn has tried to install it
> on a dev version of 5.6 can you tell me how to include the
> kernel level driver durning installation time (the 5.1.2 and
> earlier versions allowed that by saying accept dd)

As far as I know 3ware 7400 will work just out of the box.

Charlie

[aniston]

charlie,

    ... I will be able to confirm the 3ware 7400 IDE RAID card tomorrow morning with 5.6beta7 as we have a test card in the office.

w.r.t. Alcatel speed touch USB DSL modem I have a tiny script that starts-up the pppd connection with the USB modem (after the driver and templates have been installed and tested manually) ... the problem is later monitoring the line if/when it goes down and I cant seem to get the pppd to stop/drop the line if need be (except via a kill pid).

here is the scriplet ...
---------------------------------------------------------------------------
modprobe n_hdlc
modprobe usbcore
modprobe usb-uhci
/usr/local/sbin/modem_run -f /usr/local/bin/mgmt.o -m
pppd call adsl
route del default
route add default ppp0
route add gw berzek.ath.cx
--------------------------------------------------------------------------
i still need a few basics on the script ...
1)   a wait procedure and try again if the ADSL loop line is not up
2)   some way where i can the direct ppp0 ip address rather than the servers name.

does adding the default gateway route manually degrade the e-smith server's security in anyway ?

regards,
.aniston