Topic: Port forward not working

[chuzz]

I have SME 9.1 in servergateway mode. Creating port-forward rules to an internal server with 2 NICs only works to 1 NIC.

sme-01 has IP 10.0.0.138
win2k8 has IP 10.0.0.2 and 10.0.0.3

I create 2 port-forward rules on sme-01:
protocol: TCP srcport: 10002 dsthost: 10.0.0.2 dstport: 3389
protocol: TCP srcport: 10003 dsthost: 10.0.0.3 dstport: 3389

1st rule works, 2nd rule does not work.

I confirmed that sme-01 can ping both IPs and vice-versa. Here is a gist-pastebin:

 <https://gist.github.com/anonymous/49ccc53b0f340cf284f0d877ee11c78e>

Any idea why rule #2 does not work?

[guest22]

Hi and welcome,

iptables -L on SME Server will show you if SME Server is doing its job.

If it is doing its job, what is between the two servers and what is managing any firewall or other settings on the win2k box?

HTH

[chuzz]

Hi and welcome,

Hi and thank you.

iptables -L on SME Server will show you if SME Server is doing its job.

I suspected iptables as well but the rule is there:

[root@sme-01 ~]# iptables -L -n
...
Chain ForwardedTCP_1318 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.2            tcp dpt:3389
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.3            tcp dpt:3389
...

Keep in mind though I do not fully understand how iptables works.

If it is doing its job, what is between the two servers and what is managing any firewall or other settings on the win2k box?

Nothing is in between, everything on the LAN is connected to a single switch.

The firewall on the win2k8 server is disabled.

I am very confused why the port forward does not work seeing as pings are fine.

[chuzz]

I am very confused why the port forward does not work seeing as pings are fine.

I forgot to mention I have confirmed that RDP to both 10.0.0.2 and 10.0.0.3 works from a workstation on the LAN.

[guest22]

please note that 'ping' is using a different port.

the iptables -L output looks good, so there must be something on outside SME Server that is blocking...

[guest22]

correction, iptables output seems not to be what you want. What is missing are the source ports 10002 and 10003. So every request from anybody towards SME Server will always go to 10.0.0.2.

[chuzz]

That's weird, so how does sme know which port to forward?

I have another port-forward rule (TCP port 443 -> 10.0.0.2) that works (I cut the line out before).

So the iptables rules look like this:

Chain ForwardedTCP_1318 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.2            tcp dpt:3389
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.3            tcp dpt:3389
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.2            tcp dpt:433

As I said, I am not iptables savvy. Is the source-port column missing?

Also, this is a standard sme9.1 with no contribs. Brand new install from scratch, no backup/restore involved.

I've been using sme since 6.x and have never seen a problem like this before.

[chuzz]

Probably not relevant because ping works, but:

[root@sme-01 ~]# arp -an
? (10.0.0.2) at a4:ba:db:38:a3:04 [ether] on eth0
? (10.0.0.3) at a4:ba:db:38:a3:06 [ether] on eth0

(I cut non-relevant lines out)

[guest22]

Probably not relevant because ping works, but:

[root@sme-01 ~]# arp -an
? (10.0.0.2) at a4:ba:db:38:a3:04 [ether] on eth0
? (10.0.0.3) at a4:ba:db:38:a3:06 [ether] on eth0

(I cut non-relevant lines out)

removed comment, was a dumb question

[chuzz]

Thanks for being interested in this most perplexing problem.

I think I'll install wireshark on the win2k8 server and see if it actually receives any packets. That will eliminate that side.

[Stefano]

please, post here the output of:

Code: [Select]

db portforward_tcp show

and

Code: [Select]

/sbin/e-smith/audittools/templates

thank you

[chuzz]

[root@sme-01 ~]# db portforward_tcp show
10002=forward
    AllowHosts=
    Comment=
    DenyHosts=
    DestHost=10.0.0.2
    DestPort=3389
10003=forward
    AllowHosts=
    Comment=
    DenyHosts=
    DestHost=10.0.0.3
    DestPort=3389
443=forward
    AllowHosts=
    Comment=HTTPS
    DenyHosts=
    DestHost=10.0.0.2
[root@sme-01 ~]#
[root@sme-01 ~]# /sbin/e-smith/audittools/templates
[root@sme-01 ~]#

[Stefano]

ok

Code: [Select]

iptables -L | grep 1000


[chuzz]

Nothing:

[root@sme-01 ~]# iptables -L | grep 1000
[root@sme-01 ~]#

It seems iptables -L is not showing any src-port columns. See previous posts where I showed "Chain ForwardedTCP_1318".

Again, I am not too familiar with iptables. My background is with FreeBSD's ipfw.

Note: I am not ruling out a problem on the win2k8 side, but I find it unlikely due to all the tests I've done so far.

[Daniel B.]

Multihoming must be managed on your final box, that's not an SME Server issue. My guess (which you can verify using wireshark or tcpdump) is that connections going to 10.0.0.3 are replied by your w2k8 box using 10.0.0.2 IP address. Can you explain why you want to different IP addresses here ?

[Daniel B.]

As for iptables output, use iptables -L -vn if you want more details

[DanB35]

...and it's somewhat orthogonal to the original question, but it looks like you're trying to connect to two different computers via RDP from the WAN.  I have no idea how secure RDP is (though I don't think I'd be optimistic), but a completely different way to address this, that would certainly work, and would almost certainly be more secure, is to set up a VPN connection--I like OpenVPN, but there are a few different contribs for VPNs.  That way, you can simply connect to the desired remote IP address using your client machine.

[CharlieBrady]

Multihoming must be managed on your final box, that's not an SME Server issue. My guess (which you can verify using wireshark or tcpdump) is that connections going to 10.0.0.3 are replied by your w2k8 box using 10.0.0.2 IP address. Can you explain why you want to different IP addresses here ?

I agree that this is likely a win2k problem.

[CharlieBrady]

My guess (which you can verify using wireshark or tcpdump) is that connections going to 10.0.0.3 are replied by your w2k8 box using 10.0.0.2 IP address.

If that is the case, the return traffic would be dropped by iptables, and logged in /var/log/iptables/current.

[chuzz]

To all who have taken time to respond, thank you. The issue has been resolved.

Turns out it was actually my fault - the firewall on the remote workstation I was trying to connect from was blocking it. So I offer my humble apologies to all those who wasted time thinking about what could be wrong.

 

The reason I never thought to check the firewall on the connecting box (my firewall) was because it used to work before I installed sme in the remote site. It seems I had manually added the firewall rules to allow ports 10002 & 10003 out (so it used to work before sme was installed) and then thought I had better add them to the firewall startup script. At some stage I rebooted my firewall. Turns out I had only added port 10002 to the startup script. D'oh.

PS. For those interested, the reason for 2 IPs on the win2k8 box is 1) the box has 2 built-in NICs to start with, and 2) it runs hyper-v so I channel the VM traffic out the 2nd NIC.

[edit] add embarrassment