Koozali.org: home of the SME Server

Opening ports on SME

steve288
Opening ports on SME
« on: September 26, 2012, 05:02:56 PM »
I have a couple of questions that I can't seem to find the answer for. I really did look, and it has to be somewhere; I just can't seem to see it.
I have been asked to open the following ports:
443, 1494, 2598.
We have been having problems with specific software connecting to a Citrix site which hosts a DB that we use. There are frequent connects/disconnects indicated in their software. This is the problem we are trying to resolve with the company's support people, and thus they have asked us to open these ports.

I run the command
netstat -nap | egrep [port number]
and see that 443 is already open.
But when I look at the other ports they don't appear to be.

To test IF this is a problem (e.g. closed ports) I have done a port forward to one of the specific machines using this software.
My first question is regarding the Port Forwarding window. I'm confused by what I'm supposed to put into "Destination host" vs "Allow hosts".
I have put the destination machine in both those fields, e.g. 10.1.0.56, but is that right? I don't understand the difference.
If I understand it I will try to go into the wiki and update it. I don't see a lot of info on this topic. Maybe it's obvious?

If I have done this properly and set both to the destination IP, why is it that when I type netstat -nap | egrep [ipaddress] I don't see the allowed IP?

Finally... If I want to permanently open a port, which I'm sure has been discussed before, can someone point me to where that is or tell me how? I can see discussions regarding it but can't seem to find a clear how-to. Perhaps I could add this to the wiki.

Regards



« Last Edit: September 26, 2012, 05:33:19 PM by steve288 »

CharlieBrady
Re: Opening ports on SME
« Reply #1 on: September 26, 2012, 05:49:33 PM »
Quote
I have a couple of questions that I can't seem to find the answer for. I really did look, and it has to be somewhere; I just can't seem to see it.
I have been asked to open the following ports:
443, 1494, 2598.
We have been having problems with specific software connecting to a Citrix site which hosts a DB that we use. There are frequent connects/disconnects indicated in their software. This is the problem we are trying to resolve with the company's support people, and thus they have asked us to open these ports.

Those ports are already open outbound (to the Internet). The inbound port 443 on your server is not relevant to connections from your LAN to their server.

The rest of your questions are irrelevant - there's no need to open inbound ports, and no point in opening ports if no software on your server is waiting for connections on those ports.

Your supplier needs to do a better job at diagnosing the "frequent connect disconnect" problem. Perhaps those connections are idle. Linux NAT will eventually time out and disconnect idle connections.

steve288
Re: Opening ports on SME
« Reply #2 on: September 26, 2012, 07:36:33 PM »
OK, let me quote what they said exactly. After reading it I admit that it isn't exactly what I said, although the effect is the same, I think.
 
Quote -------------
Another thing I would like you to check on your firewall please, would be the timeout on the below ports:
443
1494
2598
if any of these are set to 15 minutes or less, could you please (even as a trial) increase the timeout to 30+ minutes for testing purposes?
---------------
But I think, if I understand you, you're saying that 1494 and 2598 are outbound and that they are already open.
My inquisitive mind wants to know: are ALL outbound ports open, or is there a command to see what is open? It appears the netstat -nap command is not the right one?

Based on the message from the supplier, is there any reason why the existing setup would not work?
Do you think the timeout could be an issue?

Thanks.

CharlieBrady
Re: Opening ports on SME
« Reply #3 on: September 27, 2012, 05:01:25 AM »
Quote
OK, let me quote what they said exactly. After reading it I admit that it isn't exactly what I said, although the effect is the same, I think.

No, it is nothing like what you said. They haven't asked about open ports at all.

Quote
My inquisitive mind wants to know are ALL outbound ports open

SME server doesn't block any outbound traffic - but it does intercept SMTP and HTTP traffic to proxy it.

Quote
Based on the message from the supplier is there any reason why the existing setup would not work.
Do you think the timeout could be an issue?

Yes, I did mention 'idle connections' - i.e. ones which might timeout.

You can see what the current NAT (conntrack) timeout for established TCP connections is via:

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

You'll see that it is much more than 30 minutes.

steve288
Re: Opening ports on SME
« Reply #4 on: September 27, 2012, 11:48:54 AM »

All very helpful information.

Thanks very much.

mmccarn
Re: Opening ports on SME
« Reply #5 on: September 28, 2012, 02:10:03 PM »
You could remove the SME server from the equation by setting up a workstation connected directly to the internet; if you still have issues, the problem would be with your ISP.

If your internet connection uses a username and password (PPPoE), you may have problems with an MTU mismatch between your SME server and your ISP; there is some possibly relevant information here: http://bugs.contribs.org/show_bug.cgi?id=6888

I assume that the citrix connection does not have any secondary requirements (such as a VPN connection to another network).  If I'm wrong and you are using a PPTP VPN for the Citrix connections, you'd get erratic behavior any time you had more than one LAN client connect to the VPN.

steve288
Re: Opening ports on SME
« Reply #6 on: September 28, 2012, 07:40:54 PM »
Thanks for your thoughts.

I don't know if it is a VPN or not, really.

You connect via the DB company's own software (Blackbaud), so everything is set up by them, in their software. We certainly do not use any standard way of connecting, e.g. through some sort of Windows "connect to" etc.

The truth of the matter is that I don't believe it has anything to do with the SME computer, but with something somewhere else; but of course you must try to follow through with the requests that support has for you. We have two gateways. One is SME and the other is another firewall. No matter which firewall we use, the DB disconnects and then reconnects. So it's probably not the SME.

I have learned some things in my request, which CB answered: that all outgoing ports are open. Good to know for the future.

Just for educational purposes, I would like to see if there is a way to see the outgoing ports when they are in operation (if that's possible).
It's my understanding that if there is a time to see it, it is only when they are open(?). Maybe I can do that through various logs or squidGuard. I really don't know. This point is just for my own learning purposes. The area is not one that I'm familiar with. Perhaps the few sentences above will incur comments due to my misunderstanding.


Thank you for the added tip.

Regards

CharlieBrady
Re: Opening ports on SME
« Reply #7 on: September 28, 2012, 09:27:22 PM »
Quote
Just for educational purposes, I would like to see if there is a way to see the outgoing ports when they are in operation (if that's possible).

To see all masqueraded/NAT'd passthrough connections, do:

cat /proc/net/ip_conntrack

To see the same information, in top-like style, updated in real time, run the command:

/usr/sbin/iptstate
« Last Edit: September 28, 2012, 09:30:49 PM by CharlieBrady »
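Added example (not code from the thread or from SME Server): the two replies above cover checking the conntrack timeout and reading the live conntrack table. This script ties both together for the specific question the supplier asked, which ports' connections are at risk of being timed out by the NAT. It parses conntrack lines in both the `/proc/net/ip_conntrack` layout (`tcp 6 431999 ESTABLISHED src=...`) and the newer `/proc/net/nf_conntrack` layout (`ipv4 2 tcp 6 ...`), filters by the original-direction destination port, and reports the seconds left before each entry expires. The sample conntrack lines are constructed for the example (RFC 5737 addresses), not captured from a real server; the sysctl paths tried by `conntrack_established_timeout` are the two names that kernel's conntrack module exposes depending on which module is loaded, and the function reports "unavailable" where neither exists.

```sh
#!/bin/sh
# Added example: summarise NAT conntrack entries for a given destination port
# and show how many seconds remain before each entry expires.

# conntrack_established_timeout -- print the TCP established timeout (seconds)
# from whichever conntrack sysctl this kernel exposes, or "unavailable".
conntrack_established_timeout() {
  for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established \
           /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established; do
    if [ -r "$f" ]; then cat "$f"; return 0; fi
  done
  echo unavailable
}

# conntrack_by_dport PORT -- read conntrack lines on stdin and print
# "proto state src dst seconds_left" for entries whose original dport is PORT.
conntrack_by_dport() {
  awk -v want="$1" '
    {
      proto = ""; state = "-"; timeout = ""; src = ""; dst = ""; dport = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^(tcp|udp|icmp)$/) proto = $i
        if ($i ~ /^src=/ && src == "") {
          src = substr($i, 5)
          # the field before the first src= is a TCP state (then the timeout
          # sits one further left) or, for stateless protocols, the timeout itself
          if ($(i-1) ~ /^[A-Z_]+$/) { state = $(i-1); timeout = $(i-2) }
          else { timeout = $(i-1) }
        }
        if ($i ~ /^dst=/ && dst == "") dst = substr($i, 5)
        if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
      }
      if (dport == want) print proto, state, src, dst, timeout
    }'
}

# count_idle_risk PORT SECONDS -- how many matching entries expire in fewer
# than SECONDS seconds (the supplier asked about a 15-minute, i.e. 900 s, limit).
count_idle_risk() {
  conntrack_by_dport "$1" | awk -v limit="$2" '$5 + 0 < limit + 0 { n++ } END { print n + 0 }'
}

# Constructed sample table: two ICA flows (1494, 2598) from LAN hosts to a
# remote Citrix server, one of them in the nf_conntrack layout, plus a DNS lookup.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.1.0.56 dst=203.0.113.10 sport=49152 dport=1494 packets=120 bytes=9000 src=203.0.113.10 dst=198.51.100.5 sport=1494 dport=49152 packets=118 bytes=80000 [ASSURED] mark=0 use=1
tcp      6 540 ESTABLISHED src=10.1.0.57 dst=203.0.113.10 sport=49153 dport=2598 packets=2 bytes=200 src=203.0.113.10 dst=198.51.100.5 sport=2598 dport=49153 packets=1 bytes=60 mark=0 use=1
ipv4     2 tcp      6 299 ESTABLISHED src=10.1.0.58 dst=203.0.113.10 sport=49154 dport=1494 packets=5 bytes=500 src=203.0.113.10 dst=198.51.100.5 sport=1494 dport=49154 packets=4 bytes=400 [ASSURED] mark=0 use=1
udp      17 29 src=10.1.0.56 dst=10.1.0.1 sport=53012 dport=53 packets=1 bytes=60 src=10.1.0.1 dst=10.1.0.56 sport=53 dport=53012 packets=1 bytes=120 mark=0 use=1'

# On a live SME server you would pipe the real table instead:
#   cat /proc/net/ip_conntrack | conntrack_by_dport 1494
echo "established timeout: $(conntrack_established_timeout)"
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_by_dport 1494
echo "entries on 1494 expiring within 15 min: $(printf '%s\n' "$SAMPLE_CONNTRACK" | count_idle_risk 1494 900)"
```

The 431999-second entry is what a freshly active flow looks like against the default five-day established timeout; an entry that keeps dropping toward a few hundred seconds without traffic is one the NAT will eventually forget, which is the "idle connection" case described in the replies.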

steve288
Re: Opening ports on SME
« Reply #8 on: October 01, 2012, 04:05:28 PM »
Great.
Thanks again.