Koozali.org: home of the SME Server

Port Forwarding : Source address verification

Tony De Keizer

Port Forwarding : Source address verification
« on: July 19, 2002, 04:09:35 AM »
I was wondering if anyone had tried to set up port forwarding but only for packets originating from a specific IP address. The Port Forwarding panel does not support a source address and I noticed that the ipchains command generated in /etc/rc.d/init.d has a -s 0/0 option which will forward all external IP addresses to the specified internal network address on the specified port.

I have tried directly modifying the ipchains command by adding a specific host IP in the source option and then restarting masq as a test, and it doesn't seem to work. The ipchains -L command lists the correct forwarding and chain entry but the port is still forwarded no matter what IP you connect from.

Any ideas?

Regards
Tony De Keizer

Nathan Fowler

Re: Port Forwarding : Source address verification
« Reply #1 on: July 19, 2002, 08:00:25 PM »
From my understanding, ipchains doesn't handle the actual port forwarding. You probably will want to look at:

ipmasqadm autofw
ipmasqadm portfw
ipmasqadm mfw

I believe the Port Forwarding panel is a front end to these programs.

Hope this helped,
Nathan

Tony De Keizer

Re: Port Forwarding : Source address verification
« Reply #2 on: July 20, 2002, 03:41:47 AM »
Nathan,

Thanks for the reply.

I am happy to say that I have worked the problem out.

I had a look at the /etc/rc.d/init.d/masq entries generated by the port forwarding panel and it creates two entries.

One 'ipmasqadm portfw .... ' for the actual port forwarding.
A 'ipchains -append input .... ' to allow access on the specified port on the outer network ip address.

The ipchains command uses -s 0/0, thus allowing any source address to be forwarded. I was trying to limit the source address to a single host IP.

I tried modifying the -s 0/0 to -s w.x.y.z/32 and it didn't work. Hence the forum message.

Further investigation found that I needed to add a second ipchains entry to stop access on this port for all other IPs, i.e.

ipchains -A input -p tcp -s 0/0 -d $OUTERNET -j denylog  (I wanted to log attempts)

I found this interesting as I would have thought the input policy would have been DENY not ACCEPT.

Obviously I will create some custom templates to add the necessary commands to masq, but I believe it would be a good addition to the port forwarding panel to allow specification of a source address and mask. What do you think?

Thanks again for the reply.

Regards

Tony De Keizer
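The behaviour Tony describes follows from ipchains first-match evaluation plus the input chain's default policy of ACCEPT: a narrowed ACCEPT rule alone changes nothing, because packets that miss it fall through to the policy. The following is an added illustration, not code from the thread or from SME Server; it simulates that evaluation with constructed addresses (documentation ranges) and a constructed port, and shows the panel's rule, the first attempt, and the working fix side by side.

```python
import ipaddress

# Constructed values for the simulation (not from the thread).
OUTERNET = "203.0.113.10"   # the server's external address ($OUTERNET)
TRUSTED = "198.51.100.7"    # the single host that should be allowed (w.x.y.z)
PORT = 2222                 # the forwarded port; the thread names none


def make_rule(target, src, dst, dport, proto="tcp"):
    """One ipchains-style rule: -p proto -s src -d dst --dport dport -j target."""
    return {"target": target, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "dport": dport, "proto": proto}


def evaluate(chain, policy, src_ip, dst_ip, dport, proto="tcp"):
    """Walk the chain top to bottom; the first matching rule decides.
    A packet matching no rule gets the chain's default policy."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in chain:
        if (rule["proto"] == proto and src in rule["src"]
                and dst in rule["dst"] and rule["dport"] == dport):
            return rule["target"]
    return policy


# 1. What the panel generates: -s 0/0, so any source reaches the port.
panel = [make_rule("ACCEPT", "0.0.0.0/0", OUTERNET + "/32", PORT)]
# 2. First attempt: only narrow the source to w.x.y.z/32.
attempt = [make_rule("ACCEPT", TRUSTED + "/32", OUTERNET + "/32", PORT)]
# 3. Working fix: accept the trusted host, then deny (and log) everyone else.
fixed = attempt + [make_rule("denylog", "0.0.0.0/0", OUTERNET + "/32", PORT)]


def decide(chain, src_ip):
    """Decision for a TCP packet to $OUTERNET:PORT under an ACCEPT input policy."""
    return evaluate(chain, "ACCEPT", src_ip, OUTERNET, PORT)
```

With the ACCEPT policy, `decide(attempt, "192.0.2.5")` still returns ACCEPT, which is exactly the symptom in the first post; only `fixed` returns denylog for untrusted sources while still accepting TRUSTED.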

Dan

Re: Port Forwarding : Source address verification
« Reply #3 on: August 20, 2002, 08:52:50 AM »
The other thing the Port Forwarding panel needs is the ability to specify a block of ports (e.g. 2300-2400) to be forwarded to a given internal network address. I have yet to find a way to handle this. If anyone can help me please let me know.