Koozali.org: home of the SME Server

Port forwarding to other subnet

Brian High

Port forwarding to other subnet
« on: January 14, 2002, 10:02:35 PM »
> dmc-mitel-portforwarding-0.0.1-4.noarch.rpm
> http://myEZserver.com/downloads/mitel

The panel installation and usage seems to work,
but when I try to access the port, I am
not successful (times out).

I am port forwarding POP3 (110) from
the e-smith gateway (64.65.164.122) to
an internal mail server (192.168.0.214).

The internal IP of the e-smith gateway is 192.168.1.1
and there is a VPN connecting it to another internal
LAN at 192.168.0.x.  All VPN traffic
works fine, but is it possible that the firewall
settings are somehow blocking this port forwarding
(because it is not on the internal subnet)?

I tried the test logging mentioned on your web page:
http://myezserver.com/docs/mitel/ipportfw-howto.html

But I see nothing in the messages log.  (The last entry
matching 'Packet log' is quite old.)

Here are my other tests:

C:\>telnet 192.168.0.214 110
+OK POP3 server arilabs.dnsalias.com ready
<00225.342446328@arilabs.dnsalias.com>

C:\>telnet 64.65.164.122 110
Connecting To 64.65.164.122...Could not open a connection to host on port
110 :
Connect failed

I even tried from a server across town (a different ISP):

$ telnet 64.65.164.122 110
Trying 64.65.164.122 ...
telnet: connect: Connection timed out

(Without using port forwarding I am able to telnet to
my e-smith's port 110 and see the POP3 welcome text message.)

/sbin/ipchains -n -L input | grep "110"
ACCEPT  tcp  ------  0.0.0.0/0   64.65.164.122 * -> 110
ACCEPT  tcp  ------  0.0.0.0/0   64.65.164.122 * -> 110

/usr/sbin/ipmasqadm portfw -n -l | grep "110"
TCP  64.65.164.122  192.168.0.214   110 110 10 10

Any help will be greatly appreciated!  :-)

--Brian

Dan G.

Re: Port forwarding to other subnet
« Reply #1 on: January 14, 2002, 10:14:57 PM »
Make sure you have 192.168.0.0 network specified, under Security/Local Networks/Click Here to Add...

Brian High

Re: Port forwarding to other subnet
« Reply #2 on: January 14, 2002, 10:25:24 PM »
Yes, it is ... here is my routing table:

[root@linux /root]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH        0 0          0 eth0
192.168.1.189   0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
64.65.164.120   0.0.0.0         255.255.255.252 U         0 0          0 eth1
192.81.96.0     192.168.1.249   255.255.255.0   UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 ppp0
192.168.0.0     192.168.1.189   255.255.255.0   UG        0 0          0 eth0
192.81.95.0     192.168.1.189   255.255.255.0   UG        0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         64.65.164.121   0.0.0.0         UG        0 0          0 eth1
Here is what is listed in the e-smith-manager:

Network       Subnet mask     Number of hosts   Router
192.168.0.0   255.255.255.0   256               192.168.1.189
192.81.95.0   255.255.255.0   256               192.168.1.189
192.81.96.0   255.255.255.0   256               192.168.1.249

Any other thoughts?

--Brian
Dan G. wrote:
>
> Make sure you have 192.168.0.0 network specified, under
> Security/Local Networks/Click Here to Add...

Dan G.

Re: Port forwarding to other subnet
« Reply #3 on: January 14, 2002, 11:13:00 PM »
Hmmm....if I recall correctly, doesn't the route to the remote subnet need to go out via ipsec0, or something like that?  ppp0 would send it to your default gateway at your ISP, which is not where you want it to go.  It doesn't look like the manager panel lets you specify a dev as a route --- you might try playing with your routes from the command line.

What does ifconfig give you?

Brian High

Re: Port forwarding to other subnet
« Reply #4 on: January 14, 2002, 11:26:24 PM »
Dan,

Here is the ifconfig on the ppp interface:

ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.1.1  P-t-P:192.168.1.189  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

This is not the link to the ISP, but the PPTP link to
the other subnet (VPN).  We are not using an IPSEC
vpn but instead are using a PPTP vpn to another
(e-smith) machine in another town.

So, this all works fine.  The only thing that
is not working is that the port forwarding
is being blocked or otherwise not getting through ..
could this be a firewall issue?

Here are some ipchains listings:

[root@linux /root]# ipchains -L | grep "110"
[root@linux /root]# ipchains -L | grep "192.168.0."
ACCEPT     all  ------  192.168.0.0/24       anywhere              n/a
ACCEPT     all  ------  192.168.0.0/24       192.168.0.0/24        n/a
MASQ       all  ------  192.168.0.0/24       anywhere              n/a
ACCEPT     icmp ------  192.168.0.0/24       anywhere              any ->   any
ACCEPT     all  ------  anywhere             192.168.0.0/24        n/a
[root@linux /root]# ipchains -L | grep "pop"
ACCEPT     tcp  ------  anywhere             64.65.164.122         any ->   pop3
ACCEPT     tcp  ------  anywhere             64.65.164.122         any ->   pop3
-          tcp  ------  anywhere             anywhere              any ->   pop3
ACCEPT     tcp  !y----  64.65.164.122        anywhere              pop3 ->   any
Thanks for your help!

--Brian

Dan G.

Re: Port forwarding to other subnet
« Reply #5 on: January 15, 2002, 12:36:57 AM »
Sorry, this really isn't my strongest area :)

The only thing I am wondering:

192.168.0.0 192.168.1.189 255.255.255.0 UG 0 0 0 eth0

Isn't .189 at the far end of ppp0?  

That's all I can think of...sorry I can't be more help.

Dan
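A small diagnostic, added here and not part of the thread, that parses the `netstat -nr` and `ipmasqadm portfw -n -l` listings quoted above and reports every route tied for the longest prefix to the port-forward target, so the doubled 192.168.0.0/24 entry Dan points at shows up as an ambiguity rather than being silently resolved. The routing-table excerpt and the portfw row are constructed copies of the ones Brian posted.

```python
import ipaddress

# Constructed excerpt of the `netstat -nr` table posted earlier in this
# thread; note the two entries for 192.168.0.0/24 (ppp0 and eth0 via .189).
NETSTAT_NR = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.189   0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 ppp0
192.168.0.0     192.168.1.189   255.255.255.0   UG        0 0          0 eth0
0.0.0.0         64.65.164.121   0.0.0.0         UG        0 0          0 eth1
"""

# Constructed copy of the `ipmasqadm portfw -n -l` row from the first post.
PORTFW = "TCP  64.65.164.122  192.168.0.214   110 110 10 10"

def parse_routes(text):
    """Turn netstat -nr output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or not cols[0][0].isdigit():
            continue  # skip the two header lines
        net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}", strict=False)
        routes.append((net, cols[1], cols[7]))
    return routes

def parse_portfw(line):
    """Return (proto, ext_ip, int_ip, ext_port, int_port) from one portfw row."""
    proto, ext, internal, ext_port, int_port = line.split()[:5]
    return proto, ext, internal, int(ext_port), int(int_port)

def matching_routes(routes, target):
    """Longest-prefix match that keeps every route tied at the best length,
    so a duplicate or conflicting route shows up as more than one hit."""
    addr = ipaddress.ip_address(target)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return []
    best = max(r[0].prefixlen for r in hits)
    return [r for r in hits if r[0].prefixlen == best]

def check_forward_target(netstat_text, portfw_line):
    """Report which interface(s) would carry packets to the forward target."""
    internal = parse_portfw(portfw_line)[2]
    hits = matching_routes(parse_routes(netstat_text), internal)
    return {"target": internal, "ifaces": sorted(r[2] for r in hits),
            "ambiguous": len(hits) > 1}
```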

Brian High

Re: Port forwarding to other subnet
« Reply #6 on: January 15, 2002, 12:46:56 AM »
Dan,

Well, yes it is at the other end of the PPTP (ppp) link.

Here is a traceroute to the POP3 server I am trying to
port-forward to ... from the machine that
is doing the port-forwarding (192.168.1.1):

[root@linux log]# traceroute 192.168.0.214
traceroute to 192.168.0.214 (192.168.0.214), 30 hops max, 38 byte packets
 1  pc-00189 (192.168.1.189)  177.676 ms  178.122 ms  158.861 ms
 2  192.168.0.214 (192.168.0.214)  163.115 ms  144.701 ms  166.030 ms

So, the first hop is to the other end of the PPTP link
(192.168.1.189) which also has an IP on the other
subnet (192.168.0.235).  The next hop is to the
internal POP3 server.

So, the VPN is working fine and routing is working fine, so
I am totally stumped ... and it looks like only internal users will
be able to get their mail via POP3.   Oh well.

Thanks for helping me with this, Dan!  I really appreciated it.
Sorry we could not solve it.

--Brian

Lloyd Keen

Re: Port forwarding to other subnet
« Reply #7 on: January 16, 2002, 08:50:43 AM »
Brian,
Another method that you may want to look at is using putty to do the port forwarding. Here's some more info:
http://www.acl.lanl.gov/users/technotes/ssh_portforwarding.html#pop
http://www.tartarus.org/~simon/putty-snapshots/x86/putty.exe

Brian High

Re: Port forwarding to other subnet
« Reply #8 on: January 16, 2002, 11:08:41 PM »
Lloyd,

Yes, thanks for that advice.  I had looked into using stunnel
for this ... I don't know much about putty, but I
assume it is the same thing.  I used stunnel to create
an encrypted port for POP3 access.  It allowed Outlook
Express users to get POP3 through port 995.

I will see if this (stunnel) or putty could be
used to port forward to another machine, not
just qmail on the same machine, as I had
previously done.

Thanks!

--Brian

Lloyd Keen wrote:
>
> Brian,
> Another method that you may want to look at is using putty to
> do the port forwarding. Here's some more info:
> http://www.acl.lanl.gov/users/technotes/ssh_portforwarding.html#pop
> http://www.tartarus.org/~simon/putty-snapshots/x86/putty.exe