Koozali.org: home of the SME Server

Re: Opening ports in firewall

Ashley

Re: Opening ports in firewall
« on: May 20, 2002, 01:01:25 PM »
I know that to open ports 15000 - 15010 I need to edit ipchains. My question is what specific file do I have to edit, where do I find this file, what do I type to edit ipchains and where do I type it. I have read the other posting on this topic, but I am still stuck.

Thanks
Ashley Shaw

Nathan Fowler

Re: Opening ports in firewall
« Reply #1 on: May 21, 2002, 12:21:18 AM »
To help you along, the command you want to use is:

/sbin/ipchains -A input -p tcp --dport 15000:15010 -j ACCEPT

Create this directory, if it does not already exist:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

Pico the custom template you want:
pico /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/45AllowUserTraffic

Add:
/sbin/ipchains --append input -p tcp -s 0/0 -d $OUTERNET 15000:15010 -j ACCEPT

/sbin/ipchains --append output ! -y -p tcp -s 0/0 -d $OUTERNET 15000:15010 -j ACCEPT

Save your changes and run:
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/rc.d/init.d/masq restart

That should take care of your needs, if you have problems let me know.

Nathan

Ashley

Re: Opening ports in firewall
« Reply #2 on: May 22, 2002, 02:47:37 PM »
I did exactly what you said, and I even specified the IP address (10.0.0.33) of the workstation (Windows 95 with IE 5.5) on the network, but it cannot access the internet banking site. The site runs a Java applet which accesses ports 15000 - 15010. A Java application has to be installed on the client machine before it can access the site www.beb.standardbank.co.za (196.8.101.18). I installed the client software on an NT BDC, which sits in my office, and when it initialised it connected to the site and went into it just fine. The Windows NT 4.0 BDC (IE 6.0) sits on the same switch as the SME Server and Gateway (which is the Windows 95 workstation's and NT BDC's default gateway and proxy), but the workstation sits on a hub connected to the switch. I have tried all sorts of combinations of things to get the banking applet to work, but no success for the workstation.
In the light of what I have just said, maybe someone out there can make some sense of all of this. It is a matter of extreme urgency!

Thank You
Ashley

Nathan Fowler

Re: Opening ports in firewall
« Reply #3 on: May 22, 2002, 07:07:53 PM »
After opening the ports on the firewall you must also port forward them to the appropriate client.  Type:

/usr/sbin/ipmasqadm autofw -A -r tcp 15000 15010 -h 10.0.0.33

where 10.0.0.33 is the local host running the Java application. I'm not sure what you mean when you said in the last post that you "even specified 10.0.0.33", but the last post regarding ipchains and opening the firewall should remain UNMODIFIED. Do not modify the ipchains rules, they are correct.

This is a two step process.
1) Open the firewall ports.
2) Forward the ports.

This is now step 2 of 2.

Let me know if you have problems,
NF

Ashley

Re: Opening ports in firewall
« Reply #4 on: May 23, 2002, 01:41:43 PM »
Where do I type this command:

/usr/sbin/ipmasqadm autofw -A -r tcp 15000 15010 -h 10.0.0.33

Do I put it into a custom-template as in the previous step

Thanks

Ashley

Nathan Fowler

Re: Opening ports in firewall
« Reply #5 on: May 23, 2002, 05:20:56 PM »
At the console you would type that. If you wanted it to be permanent, you would put it in the same custom template as above, re-expand the template and restart masq.
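The complete two-step procedure from Nathan's replies #1, #3 and #5 (ipchains ACCEPT rules in a custom template fragment for /etc/rc.d/init.d/masq, then the ipmasqadm autofw forward in the same fragment so it survives a reboot), collected into one script. This is an added example, not code from the thread or from SME Server. Paths, the $OUTERNET variable, the 45AllowUserTraffic fragment name and the expand-template command are the ones the thread uses; the function names, the script name openports.sh, the input validation and the optional source-address restriction are mine. The thread uses -s 0/0 on both rules; passing the bank's address from the thread (196.8.101.18, as a /32) instead keeps the forwarded ports on the LAN host from being reachable from the whole Internet, which is the check I would want before forwarding a port range to a Windows 95 box.

```shell
#!/bin/sh
# Added example (not from the thread): render and install the SME Server
# custom-template fragment that opens TCP LO-HI on the external address and
# forwards those connections to one LAN host.
#
# Usage on the server:  sh openports.sh 15000 15010 10.0.0.33 [196.8.101.18/32]
# Usage anywhere:       render_fragment 15000 15010 10.0.0.33   (prints only)

TEMPLATE_DIR=/etc/e-smith/templates-custom/etc/rc.d/init.d/masq   # from the thread
FRAGMENT=45AllowUserTraffic                                       # from the thread

# valid_port N: true if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D: dotted-quad check (no CIDR), enough to catch typos
valid_ipv4() {
    ip=$1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# render_fragment LO HI LANHOST [SRC]: print the fragment body to stdout.
# SRC defaults to 0/0 exactly as in the thread; give the remote peer's
# address (e.g. 196.8.101.18/32) to limit who can reach the forwarded ports.
render_fragment() {
    lo=$1; hi=$2; host=$3; src=${4:-0/0}
    valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] || {
        echo "bad port range: $lo-$hi" >&2; return 1; }
    valid_ipv4 "$host" || { echo "bad LAN host: $host" >&2; return 1; }
    # Step 1: the two ipchains rules from reply #1, with the port range and
    # source parameterised.  Step 2: the autofw forward from reply #3, kept
    # in the same fragment as reply #5 suggests.
    cat <<EOF
# Allow TCP $lo-$hi (source $src) in to the external address and forward
# the connections to $host
/sbin/ipchains --append input -p tcp -s $src -d \$OUTERNET $lo:$hi -j ACCEPT
/sbin/ipchains --append output ! -y -p tcp -s $src -d \$OUTERNET $lo:$hi -j ACCEPT
/usr/sbin/ipmasqadm autofw -A -r tcp $lo $hi -h $host
EOF
}

# install_fragment LO HI LANHOST [SRC]: write the fragment, expand the masq
# template and restart masq.  Refuses to run on a box without e-smith tools.
install_fragment() {
    [ -x /sbin/e-smith/expand-template ] || {
        echo "not an SME Server (no expand-template); use render_fragment" >&2
        return 2; }
    body=$(render_fragment "$@") || return 1
    mkdir -p "$TEMPLATE_DIR"
    printf '%s\n' "$body" > "$TEMPLATE_DIR/$FRAGMENT"
    /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
    /etc/rc.d/init.d/masq restart
}

# Stand-alone invocation: only acts when a port range and host are given.
if [ $# -ge 3 ]; then
    install_fragment "$@"
fi
```

Run render_fragment first and read the three lines it prints before installing; after the restart, `ipchains -L input -n` should show the new ACCEPT rule and `ipmasqadm autofw -L` the forward, and anything not in a custom template will be overwritten the next time the masq template is expanded.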

Chris

Re: Opening ports in firewall
« Reply #6 on: May 27, 2002, 04:25:40 PM »
Hi All,

I am having the same issues with the same banking company.

I did exactly as you have advised but it is not working for me. I need to give all machines on the LAN access, running DHCP via Windows 2000 server. I specified a specific port and all ports, no luck, the Java test to their server still fails.

What are we missing?


Thanks

Chris

Henry Gómez N.

Re: Opening ports in firewall
« Reply #7 on: June 26, 2002, 08:50:13 PM »
Hi Chris, I had a problem like yours. I solved it with the default gateway: put the IP address of your internal Linux server on your clients.

Good luck.