Topic: Iptables opening ports

[ivan]

Hi all

Hope you can asssit:

I need to open a number of incoming ports on the SME7.4 running in server gateways mode.
That is a site based on the internet needs to communicate into my network.
I can't use port forwarding in this case.
So I created a file 90Allowports in custom templates with the following enties:

/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 500 --destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 1000 --destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 1812:1813 --destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 5000 --destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 10000:10001 --destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT

The template expands but on masq restart errors are returned that --dport is an invalid parameter.

Please indicate what is wrong with the syntax or positon of the file number as this seems to all be correct iptables syntax

Thank you
Ivan

[Stefano]

Hi

please describe your network topology and what you are trying to achieve..

you'd not need any custom template: use port-forwarding panel in server-manager and/or read here

hth

[ivan]

Hi

Thanks for the quick response:

Access to a bank is required that has software to manage connections they say won't work unless they can connect to a number of ports on each station. ( I don't belive them but this is political)
All workstations (40) on the site must use this software
Port forwarding seems to work only for a incoming port to a single give internal ip, is it possible to do this for the full internal range ie 192.168.0.0/24 ?
The server is in server gateway mode behind a DSL router, the DSL device does no filtering, SME manages the connection.

I hope this is enough info.

Thanks
Ivan

[ivan]

Hi

Thanks
I took a look at your link.

The problem is this requiement is not part of any service on the server.
So how would I open e.g port 500 for incoming traffic using the DB variables?
I see I don't quite understand some thing here.

Thanks
Ivan

[janet]

ivan

So how would I open e.g port 500 for incoming traffic using the DB variables?

Also see Firewall FAQ. It should be obvious what to do, eg say for udp or tcp protocols or both if required, if not ask again.
Remember sme does not block any outgoing ports.
http://wiki.contribs.org/SME_Server:Documentation:FAQ#Firewall

[Stefano]

Access to a bank is required that has software to manage connections they say won't work unless they can connect to a number of ports on each station. ( I don't belive them but this is political)
All workstations (40) on the site must use this software

if I understand it right, they say they have to connect form outside to your lan clients?

if so, how do they think you can connect with, let's say, 5 client at the same time?

all your clients are natted.. and one port can't be forwarded to many clients..

just a (maybe stupid) question: did you try to connect to that bank service without opening any port?

[ivan]

Hi Mary

Thanks for the response
I just issued the TCPports command against the masq service as there is no service on SME that the software is commuicating with I just require a pass though. I will see if it works.

Regards
Ivan

[CharlieBrady]

Access to a bank is required that has software to manage connections they say won't work unless they can connect to a number of ports on each station. ( I don't belive them but this is political)

You are quite right not to believe them. What they are asking for is not possible.

Unless you are installing additional software on the SME server, there is no need for you to use iptables to open any additional ports.

[arne]

Isn't it likely to belive that what is really needed, is the automatic opening for return traffic, so that the SME server will do the job unmodified and "as is" ? (As the oter alternative is as mentioned impossible.)

So then the requirement should eventually be red:

"Access to a bank is required that has software to manage connections they say won't work unless they can connect to a number of ports on each station, after the traffic first has been initiated from the client." or more simple "There is a requirement for a Statefull inspection Filewall, like that one of the unmodified SME server/gateway".

[CharlieBrady]

Isn't it likely to belive that what is really needed, is the automatic opening for return traffic, so that the SME server will do the job unmodified and "as is" ?

Probably, but I don't see much value in speculating. The bank should know. Just try it.

[ivan]

Hi All

Thanks for all the input. The problems is resoved 
The banks software is not compatible with vista. 

I did open the port by using TCPports and adding this to the masq service as described in the doc's.
It did not help.

So you were all correct 
But I lrean something any SME is tops

Thanks guys

[janet]

ivan

I did open the port by using TCPports and adding this to the masq service...

You should undo that change, if not already done.