Topic: Port forward not working

[chuzz]

I have SME 9.1 in servergateway mode. Creating port-forward rules to an internal server with 2 NICs only works to 1 NIC.

sme-01 has IP 10.0.0.138
win2k8 has IP 10.0.0.2 and 10.0.0.3

I create 2 port-forward rules on sme-01:
protocol: TCP srcport: 10002 dsthost: 10.0.0.2 dstport: 3389
protocol: TCP srcport: 10003 dsthost: 10.0.0.3 dstport: 3389

1st rule works, 2nd rule does not work.

I confirmed that sme-01 can ping both IPs and vice-versa. Here is a gist-pastebin:

 <https://gist.github.com/anonymous/49ccc53b0f340cf284f0d877ee11c78e>

Any idea why rule #2 does not work?

[guest22]

Hi and welcome,

iptables -L on SME Server will show you if SME Server is doing its job.

If it is doing its job, what is between the two servers and what is managing any firewall or other settings on the win2k box?

HTH

[chuzz]

Hi and welcome,

Hi and thank you.

iptables -L on SME Server will show you if SME Server is doing its job.

I suspected iptables as well but the rule is there:

[root@sme-01 ~]# iptables -L -n
...
Chain ForwardedTCP_1318 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.2            tcp dpt:3389
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.3            tcp dpt:3389
...

Keep in mind though I do not fully understand how iptables works.

If it is doing its job, what is between the two servers and what is managing any firewall or other settings on the win2k box?

Nothing is in between, everything on the LAN is connected to a single switch.

The firewall on the win2k8 server is disabled.

I am very confused why the port forward does not work seeing as pings are fine.

[chuzz]

I am very confused why the port forward does not work seeing as pings are fine.

I forgot to mention I have confirmed that RDP to both 10.0.0.2 and 10.0.0.3 works from a workstation on the LAN.

[guest22]

please note that 'ping' is using a different port.

the iptables -L output looks good, so there must be something on outside SME Server that is blocking...

[guest22]

correction, iptables output seems not to be what you want. What is missing are the source ports 10002 and 10003. So every request from anybody towards SME Server will always go to 10.0.0.2.

[chuzz]

That's weird, so how does sme know which port to forward?

I have another port-forward rule (TCP port 443 -> 10.0.0.2) that works (I cut the line out before).

So the iptables rules look like this:

Chain ForwardedTCP_1318 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.2            tcp dpt:3389
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.3            tcp dpt:3389
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.2            tcp dpt:433

As I said, I am not iptables savvy. Is the source-port column missing?

Also, this is a standard sme9.1 with no contribs. Brand new install from scratch, no backup/restore involved.

I've been using sme since 6.x and have never seen a problem like this before.

[chuzz]

Probably not relevant because ping works, but:

[root@sme-01 ~]# arp -an
? (10.0.0.2) at a4:ba:db:38:a3:04 [ether] on eth0
? (10.0.0.3) at a4:ba:db:38:a3:06 [ether] on eth0

(I cut non-relevant lines out)

[guest22]

Probably not relevant because ping works, but:

[root@sme-01 ~]# arp -an
? (10.0.0.2) at a4:ba:db:38:a3:04 [ether] on eth0
? (10.0.0.3) at a4:ba:db:38:a3:06 [ether] on eth0

(I cut non-relevant lines out)

removed comment, was a dumb question

[chuzz]

Thanks for being interested in this most perplexing problem.

I think I'll install wireshark on the win2k8 server and see if it actually receives any packets. That will eliminate that side.

[Stefano]

please, post here the output of:

Code: [Select]

db portforward_tcp show

and

Code: [Select]

/sbin/e-smith/audittools/templates

thank you

[chuzz]

[root@sme-01 ~]# db portforward_tcp show
10002=forward
    AllowHosts=
    Comment=
    DenyHosts=
    DestHost=10.0.0.2
    DestPort=3389
10003=forward
    AllowHosts=
    Comment=
    DenyHosts=
    DestHost=10.0.0.3
    DestPort=3389
443=forward
    AllowHosts=
    Comment=HTTPS
    DenyHosts=
    DestHost=10.0.0.2
[root@sme-01 ~]#
[root@sme-01 ~]# /sbin/e-smith/audittools/templates
[root@sme-01 ~]#

[Stefano]

ok

Code: [Select]

iptables -L | grep 1000


[chuzz]

Nothing:

[root@sme-01 ~]# iptables -L | grep 1000
[root@sme-01 ~]#

It seems iptables -L is not showing any src-port columns. See previous posts where I showed "Chain ForwardedTCP_1318".

Again, I am not too familiar with iptables. My background is with FreeBSD's ipfw.

Note: I am not ruling out a problem on the win2k8 side, but I find it unlikely due to all the tests I've done so far.

[Daniel B.]

Multihoming must be managed on your final box, that's not an SME Server issue. My guess (which you can verify using wireshark or tcpdump) is that connections going to 10.0.0.3 are replied by your w2k8 box using 10.0.0.2 IP address. Can you explain why you want to different IP addresses here ?