Koozali.org: home of the SME Server

IIS inside e-smith port forwarding problem

Darrell Lewis

IIS inside e-smith port forwarding problem
« on: July 21, 2001, 11:53:34 AM »
I am setting up an IIS4 server inside an E-Smith protected network.

The E-Smith connects via ADSL.

The IIS Server works with browsers on the internal network.

I followed the httpd://netsourced.com/servers/docs/ipportfw-howto.html and the /sbin/ipchains -n -L input command shows (xxx's for security):
target     prot opt     source                destination           ports
icmpIn     icmp ------  0.0.0.0/0            0.0.0.0/0             * ->   *
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
denylog    tcp  ------  0.0.0.0/0            0.0.0.0/0             0:19 ->   *
denylog    udp  ------  0.0.0.0/0            0.0.0.0/0             0:19 ->   *
denylog    tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   0:19
denylog    udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   0:19
DENY       all  ------  224.0.0.0/3          0.0.0.0/0             n/a
DENY       all  ------  0.0.0.0/0            224.0.0.0/3           n/a
ACCEPT     tcp  ------  0.0.0.0/0            xxx.xxx.238.34        * ->   80
ACCEPT     udp  ------  0.0.0.0/0            xxx.xxx.238.34        * ->   80
ACCEPT     all  ------  192.168.1.0/24       0.0.0.0/0             n/a
ACCEPT     tcp  !y----  0.0.0.0/0            0.0.0.0/0             * ->   *  
etc.

The /usr/sbin/ipmasqadm portfw -n -l command shows:
prot localaddr            rediraddr               lport    rport  pcnt  pref
UDP  xxx.xxx.238.34       192.168.1.7                80       80    10    10
TCP  xxx.xxx.238.34       192.168.1.7                80       80     9    10  

Where do I look next?
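Added example, not part of the original posts and not e-smith's own code: the Python below reads an input-chain listing in the format shown in the post above and reports, in chain order, every rule a given packet would match. The address 203.0.113.34 and the test packet are constructed; only the SYN option flag is interpreted, and user-defined chains such as denylog are reported but not followed.

```python
import ipaddress

# Constructed sample: the input-chain listing from the post, with the masked
# external address replaced by the documentation address 203.0.113.34.
LISTING = """\
icmpIn     icmp ------  0.0.0.0/0            0.0.0.0/0             * ->   *
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
denylog    tcp  ------  0.0.0.0/0            0.0.0.0/0             0:19 ->   *
denylog    udp  ------  0.0.0.0/0            0.0.0.0/0             0:19 ->   *
denylog    tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   0:19
denylog    udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   0:19
DENY       all  ------  224.0.0.0/3          0.0.0.0/0             n/a
DENY       all  ------  0.0.0.0/0            224.0.0.0/3           n/a
ACCEPT     tcp  ------  0.0.0.0/0            203.0.113.34          * ->   80
ACCEPT     udp  ------  0.0.0.0/0            203.0.113.34          * ->   80
ACCEPT     all  ------  192.168.1.0/24       0.0.0.0/0             n/a
ACCEPT     tcp  !y----  0.0.0.0/0            0.0.0.0/0             * ->   *
"""

def port_ok(spec, port):
    """Match one side of the ports column: '*', 'N' or 'LOW:HIGH'."""
    low, _, high = spec.partition(":")
    return spec == "*" or int(low) <= port <= int(high or low)

def rule_matches(line, proto, src, dst, sport, dport, syn=False):
    target, prot, opt, source, dest, ports = line.split(None, 5)
    if prot not in ("all", proto):
        return False
    # Only the SYN flag is interpreted: 'y' = SYN only, '!y' = anything but SYN.
    if "y" in opt and ("!y" in opt) == syn:
        return False
    for addr, net in ((src, source), (dst, dest)):
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(net, strict=False):
            return False
    if ports.strip() == "n/a":
        return True
    s_spec, d_spec = (p.strip() for p in ports.split("->"))
    return port_ok(s_spec, sport) and port_ok(d_spec, dport)

def matching_rules(listing, **packet):
    """Return (rule number, target) for every rule the packet matches, in chain order."""
    return [(n, line.split()[0])
            for n, line in enumerate(listing.splitlines(), 1)
            if line.strip() and rule_matches(line, **packet)]

if __name__ == "__main__":
    # Constructed packet: first SYN of an outside browser connecting to port 80.
    print(matching_rules(LISTING, proto="tcp", src="198.51.100.7",
                         dst="203.0.113.34", sport=40000, dport=80, syn=True))
```

The non-verbose listing has no interface column, so a catch-all rule such as the second ACCEPT may in fact be bound to a single interface; adding -v to the ipchains -L command shows it.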

Bill Ebben

Re: IIS inside e-smith port forwarding problem
« Reply #1 on: July 24, 2001, 01:39:06 AM »
Dear Darrell,

I've just gone through the same situation. All I wanted to do was forward internet traffic to a web server on the inside of my firewall. Leave port forwarding behind and use mfw (marked forward). This is the newest way to accomplish the same thing.

See man ipchains. I used the following rule to have ipchains mark the lead packet (and all the following packets in the chain) for forwarding.

ipchains -I input -p tcp -y -d yourcompany.com/32 80 -m 1

Then use the following rule to have the IP masquerading redirect the marked packets to my internal web server (192.168.1.65):

ipmasqadm mfw -I -m 1 -r 192.168.1.65 80 -p 10

Instead of yourcompany.com in the first rule I had better luck by substituting the IP address instead of the domain name.

There is one gotcha that I have to resolve this evening after all my users go home. The rules will be forgotten the next time the Linux firewall is rebooted. I need to find the place where e-smith keeps the rules template or add the rules to a start-up script to be executed after each reboot.

Hope this helps.

Bill

Darrell Lewis

Re: IIS inside e-smith port forwarding problem
« Reply #2 on: July 25, 2001, 06:55:21 PM »
Thanks for the idea Bill - however I tried an e-smith box in place of the NT box - and the web server worked.

This means that the problem is something to do with the IIS server.

Is there an NT/IIS forum as good as this?