Koozali.org: home of the SME Server

portforwarding and terminal services...

guest-ish

portforwarding and terminal services...
« on: March 31, 2004, 12:03:40 PM »
I have an e-smith 5.6 server installed as a gateway at a client site. I recently have been requested to allow external access (from a single IP address) to terminal services on an internal server. I installed portforwarding, then modified the iptables rule (adding the restriction of the single IP), but without any luck. I then backed up, allowing access from anywhere to see if the access rule in iptables got any hits (from anywhere to anywhere tcp port 3389).

No luck, I don't see any packets getting as far as the allow 3389 chain. I'm also having problems finding out exactly where it's stopping, as either the iptables counts don't update immediately, or the program is sending uneven amounts of packets (so it's hard to see a pattern).

Anyone have any experience with troubleshooting problems like this?

verhoem

portforwarding and terminal services...
« Reply #1 on: March 31, 2004, 01:44:24 PM »
Hi,

your rule doesn't sound like a forwarding rule. As far as I know SME 5.6 works with iptables, so your rule should be shown by the command iptables-save; in this output there are tables and you should be concentrating on the PREROUTING table. It should be something like:

iptables -A PREROUTING -p tcp -m tcp -sourceip <ipnumber> -destport 3389 -j DNAT ipnumber internal network.

Good luck !

Anonymous

portforwarding and terminal services...
« Reply #2 on: March 31, 2004, 03:24:06 PM »
Quote from: "verhoem"
Hi,

your rule doesn't sound like a forwarding rule. As far as I know SME 5.6 works with iptables, so your rule should be shown by the command iptables-save; in this output there are tables and you should be concentrating on the PREROUTING table. It should be something like:

iptables -A PREROUTING -p tcp -m tcp -sourceip <ipnumber> -destport 3389 -j DNAT ipnumber internal network.

Good luck !


Actually, I installed the portforwarding contrib, I'm assuming the contrib creates rules like that.

You don't know of any way to list the PREROUTING chain do you?

BTW, it'd be iptables -t nat -A PREROUTING... and after DNAT you need --to-destination <internal ip>

Which I've tried.

Still no luck, and no way to easily tell if the rule is duplicated, or if the packets are even arriving there.

guest-ish

portforwarding and terminal services...
« Reply #3 on: March 31, 2004, 04:20:44 PM »
I've found out how to list the PREROUTING chain.

*nat
:PREROUTING ACCEPT [337825:36403427]
:POSTROUTING ACCEPT [18936:2667819]
:OUTPUT ACCEPT [148955:10738822]
:PortForwarding - [0:0]
:PortForwarding_10107 - [0:0]
:TransProxy - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j TransProxy
-A PREROUTING -j PortForwarding
-A POSTROUTING -o eth1 -j MASQUERADE
-A PortForwarding -d 192.168.3.1 -j PortForwarding_10107
-A PortForwarding_10107 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PortForwarding_10107 -p udp -m udp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389

As I suspected, the requests aren't arriving at the PortForwarding chain.

Anonymous

portforwarding and terminal services...
« Reply #4 on: March 31, 2004, 04:49:17 PM »
Hi,

don't you need to specify the source port and/or source IP in the -A PREROUTING -j PortForwarding chain?

Greetings Marcel

verhoem

portforwarding and terminal services...
« Reply #5 on: March 31, 2004, 04:53:06 PM »
Hi,

another thing I find strange in what you said: a specific IP number from the internet should be able to connect to an internal system. So why -A PortForwarding -d 192.168.3.1 -j PortForwarding_10107?
A destination address of 192.168.3.1 coming from the internet isn't possible. Or did I misunderstand?

Greetings Marcel

msoulier

Re: portforwarding and terminal services...
« Reply #6 on: March 31, 2004, 04:54:48 PM »
Quote from: "guest-ish"
I have a e-smith 5.6 server installed as a gateway as a client site.


I suggest you upgrade to 6.0. It's more secure, and there is a portforwarding panel built-in now.

Cheers,
Mike

guest-ish

portforwarding and terminal services...
« Reply #7 on: March 31, 2004, 11:03:13 PM »
Marcel, I don't think the --sport is absolutely necessary, as you normally only have to specify it when it's different, or you're trying to filter on that. As this should be TCP 3389 from start to finish, it shouldn't be required.

The server is behind a NAT router, whose default behavior is to forward all incoming traffic to the external interface. 192.168.3.1 is eth1. All other protocols originating externally (ssh, smtp, http, https, etc.) work; I see them logged in the INBOUND_TCP chain.

I was hoping to resolve this without going to the client, but if 6.01 is where I have to go... I'll make the appointment.
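To check which nat rules a given packet would hit in the listing from Reply #3, and to test Marcel's point in Reply #5 that the PortForwarding chain only hands packets off to PortForwarding_10107 when their destination is 192.168.3.1, here is an added walk-through of the chain traversal in Python. It is written for this thread and is not code from SME Server or the portforwarding contrib; the public address 203.0.113.5 used as a second test destination is a constructed placeholder.

```python
import shlex

# nat table exactly as posted in Reply #3, embedded here as the example's input
NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [337825:36403427]
:POSTROUTING ACCEPT [18936:2667819]
:OUTPUT ACCEPT [148955:10738822]
:PortForwarding - [0:0]
:PortForwarding_10107 - [0:0]
:TransProxy - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j TransProxy
-A PREROUTING -j PortForwarding
-A POSTROUTING -o eth1 -j MASQUERADE
-A PortForwarding -d 192.168.3.1 -j PortForwarding_10107
-A PortForwarding_10107 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PortForwarding_10107 -p udp -m udp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
"""
# match options used in this dump -> packet field (negation and other -m modules are not handled)
MATCHES = {"-p": "proto", "-s": "src", "-d": "dst", "--dport": "dport"}

def parse_rules(dump):
    """Group the '-A <chain> ...' lines by chain as {flag: value} dicts, keeping rule order."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):                      # chain declaration (may stay empty)
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            argv = shlex.split(line)
            chains.setdefault(argv[1], []).append(dict(zip(argv[2::2], argv[3::2])))
    return chains

def nat_verdict(dump, pkt):
    """Walk pkt through the nat PREROUTING hook; return (verdict, chains visited in order)."""
    chains, path = parse_rules(dump), []
    def walk(chain):
        path.append(chain)
        for rule in chains[chain]:
            if not all(str(pkt.get(f)) == rule[o] for o, f in MATCHES.items() if o in rule):
                continue
            target = rule["-j"]
            if target in chains:                      # user chain: falling off its end RETURNs here
                verdict = walk(target)
                if verdict is not None:
                    return verdict
            else:                                     # terminating target, e.g. DNAT --to-destination
                return target + (" " + rule["--to-destination"] if "--to-destination" in rule else "")
        return None
    return walk("PREROUTING") or "policy ACCEPT (no DNAT)", path
```

With destination 192.168.3.1 and tcp/3389 the packet reaches the DNAT rule; with any other destination it leaves PortForwarding after one rule and never visits PortForwarding_10107, which is the symptom reported in Reply #3 and a quick way to see whether the upstream router really delivers packets to the eth1 address.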

verhoem

portforwarding and terminal services...
« Reply #8 on: April 02, 2004, 02:23:55 PM »
Hi,

sorry for the miscommunication.

Good luck !