Topic: Port Forwarding?

[Drifting]

Little bit dazed and confused.
I downloaded a number of rpm's from myez.... one was port forwarding, the other port opening.

Problem now is which file should I install? Port forward has a version ending in 04, and the port open has the file below: -

e-smith-packetfilter-1.13.0-07.noarch.rpm

Reason I ask is that I have as yet not been able to get anything to forward! The whole idea was to put the SME box infront of an Exchange server and port forward port 25. Basically this is only a temporary measure so that we can share an ADSL line for email between two companies. One uses the SME box the other uses all MS.

Have I lost the plot with the forwarding? the menu item appears ok in server manager, I perhpas wrongly chose to install the latest versions of the above file?

Any help with this would be good, as I am rather out of my depth on knowing where to look.

Paul.

[Bill Talcott]

Port forwarding and port opening are two totally separate (though similar) packages. Opening just opens incoming ports, useful if you want to run another server program on your SME. Forwarding passes incoming data to a separate LAN server. I have no personal experience with the new version, but the old version works great on 5.0 and 5.5. FYI, the packetfilter RPM is just an updated version of some files, which are needed for the forwarding/opening stuff. It's not actually a part of it.

If you're forwarding port 25, you may just be able to specify the other server as the delegate mail server. I'm not exactly sure what all that does, but it may be the easiest way if that's all you're trying to do...

[Drifting]

Yes I sussed that part out. The bit that was bothering me was that I cannot seem to forward any ports. I even went so far as to load the portopen rpm so as to allow me then to do a port forward from 1000 (SME) to 25 Exchange box. Still no joy.
Woinder if anyone has ever got this to work on 5.6 ? I have foloowed a couple of other threads, but they don't match my setup.
(adsl router fixed ip) - (SME box fixed IP) - (Exchange box now on 198.162.1.101)

I can telnet to port 25 on the SME box. When I try to do a port forward for external 25 request they just vanish into a void..

I can see me buying a router to do this more expense!!

Regards Paul.

[Jon Blakely]

Paul,

I have discovered there is a problem with e-smith-packetfilter-1.13.0-07 which was installed with the port opening rpm. It does not allow ports to be forwarded.

You will need to revert back to e-smith-packetfilter-1.13.0-04. You can download it at
http://www.khunjarnet.com/downloads/portopening-SME5.6-only/

then

# rpm -Uvh --force e-smith-packetfilter-1.13.0-04.noarch.rpm --nodeps
# /sbin/e-smith/signal-event post-upgrade
# service masq restart

This will allow both port forwarding and port opening to work

Jon

[Anthony de Waal]

> I have discovered there is a problem with
> e-smith-packetfilter-1.13.0-07 which was installed with the
> port opening rpm. It does not allow ports to be forwarded.

Now THAT is the kind of answer I was hoping to hear for the last two weeks!
This is exactly my setup to forward some ports for letting my son play DirectPlay games on a single  computer in the network.
Everybody keeps pointing to the contributed rpm's, without believing when I say I tested it thoroughly but it keeps failing....
I do hope someone with better knowledge of this matter will be able to make a better version, since as I recall it, the previous packetfilter does not allow UDP forwarding.
Thanks,
Thony

[Anthony de Waal]

I just did what was needed to replace the packet filter with the old version.

I was surprised to see that after erasing and then reinstalling the portforwarding rpm the ports I had enter came back again.
Trying to delete them made my server-manager freeze, and I couldn't get ssh access, too.
After a reboot everything was fine.
Now the forwarding could be confirmed with Portdetective.
Alas, that program only checks tcp, not udp.
I need udp forwarding for DirectPlay.

Can anybody confirm that in this setup udp forwarding is not allowed?

Thanks,
Thony

[Henrik]

Hi,

UDP protocol sends a package and do not check for if the packet arrives or not, hence you can not "forward" a UDP packet - only listen for it. So forwarding a UDP packet in fact only just opens the port for the client to listen for it. This is pure "network topoligies" and have nothing specific to do with SME server or linux so you cant really blame anyone...

Im using the portforward rpm from that works with no problem. I run a SOF2 gameserver which uses UDP port 20102.

The files you need is: e-smith-portforwarding-0.1.0-20.noarch.rpm
and: e-smith-packetfilter-1.13.0-04.noarch.rpm

In fact the rpm's just enables newbies like us to configure it from a easy interface.
The command: iptables --help for the "hard" way or iptables --list for seeing the chains currently in use.

/Henrik

[Anthony de Waal]

Henrik wrote:

> UDP protocol sends a package and do not check for if the
> packet arrives or not, hence you can not "forward" a UDP
> packet - only listen for it. So forwarding a UDP packet in
> fact only just opens the port for the client to listen for
> it. This is pure "network topoligies" and have nothing
> specific to do with SME server or linux so you cant really
> blame anyone...

Not quite.
In fact, the portforwarding rpm now inserts the portforwarding chain in /etc/rc.d/init.d/masq :
 /sbin/iptables --table nat --append PortForwarding_$$ --protocol udp \
--destination-port 2301 -j DNAT --to-destination 192.168.0.205:2301
    adjust_udp_in 2301 ACCEPT InboundUDP_$$

In a previous message (http://forums.contribs.org/index.php?topic=16495.msg63815#msg63815) you can read:
Author: Charlie Brady (charlieb_AT_e-smith.com)
Date:   02-11-03 17:40

>Jon Blakely wrote:

>> Sorry, I put you on the wrong track in your previous post. I
>> made an assumption that if there was an 'Allow_tcp_in' sub
>> routine there was a, 'Allow_udp_in' subroutine. Unfortunately
>> that is not the case.

>There is, but only in the updated e-smith-packetfilter RPM in my contrib >directory.

>You'll also need to call the function correctly. You'll need to write a loop and call >the function once for each port you wish to open.

>Charlie

In other words: you can't use the latest packetfilter because of a mistake in the portforwarding, but I can't use the old version as well, because the UDP forwarding is not yet implemented (I tested it, and it indeed did not work).

So now I am back to my original question again: what can I do to make it work?

Charlie, are you planning to work on the packetfilter?

Or, can I just disable the packetfilter of e-smith entirely, and implement one of the numerous ones around on the Internet? In that case: how do I disable it (rather than just flush the rules)?
That would of course break the automatic coupling of ports opened with activation of services, so this is only a last resort when all else fails.

Good luck to those who want to improve the program,
and thanks to all for looking into other peoples' problems on this forum.
Kind greetings,
Thony

[Michael Soulier]

Henrik wrote:
> UDP protocol sends a package and do not check for if the
> packet arrives or not, hence you can not "forward" a UDP
> packet - only listen for it. So forwarding a UDP packet in
> fact only just opens the port for the client to listen for
> it. This is pure "network topoligies" and have nothing
> specific to do with SME server or linux so you cant really
> blame anyone...

Not quite. While it is true that udp protocol is connectionless, and there is nothing built into the protocol itself to ensure that the packet arrives, it's still an IP packet nonetheless. Port-forwarding simply involves changing the destination IP address of the packet, and the destination port, before the routing decision is made for the packet. TCP vs. UDP is irrelevant, both can be forwarded.

Mike

[Michael Soulier]

Anthony de Waal wrote:
>
> >There is, but only in the updated e-smith-packetfilter RPM
> in my contrib >directory.

> In other words: you can't use the latest packetfilter because
> of a mistake in the portforwarding, but I can't use the old
> version as well, because the UDP forwarding is not yet
> implemented (I tested it, and it indeed did not work).

That's not how I read Charlie's response at all. I believe he's suggesting that you take the updated e-smith-packetfilter rpm from his contrib directory. I don't see any mention of a problem with the latest version. Where did you get that impression?

Mike

[Anthony de Waal]

Michael Soulier wrote:
>
> That's not how I read Charlie's response at all. I believe
> he's suggesting that you take the updated
> e-smith-packetfilter rpm from his contrib directory. I don't
> see any mention of a problem with the latest version. Where
> did you get that impression?
>
> Mike

Hi Mike,
it is in this thread: John Blakely mentioned he found a problem.
Unfortunately he didn't mention what he exactly found.
That there is a problem I can confirm from my own observations.
I can forward a port with the old packetfilter, and not with the new one.
The old version does not let me have DirectPlay gaming work, I guess because of the UDP.

Previous questions I asked about this:
http://forums.contribs.org/index.php?topic=6750.msg24264#msg24264
Especially I like to know more about the structure of the templating system, and where the variables are stored. If I knew that I had probably contributed solutions as well as questions.
Kind greetings,
Thony

[Drifting]

I followed you instructions, but I still cannot get this to work? I can only assume that I have made a mistake somewhere?

What I have done is set a portforward for port 1000 to port 25 on another server (MS Exchange) I have also opened port 1000 with portopen.

Any ideas on how I can check what is happening? Tried to telnet to the Esmith server on port 1000 and get nothing? apart from a timeout.

Any suggestions welcome

Regards Paul.

[Anthony de Waal]

Hi Paul,
Jon's instructions above fixed my problem with TCP forwarding.
You need the 04 version of Charly's Packetfilter
I only wait for UDP forwarding, that should not affect your goals.
I think you should remove the opening by the portopening panel. That is supposed to open the ports for processes running on localhost, i.e. your sme box.
To test: telnet your.ip.address.here 1000
This should probably be performed from the outside.
You should see the banner text of your Exchange server.
Send me your IP to my personal mail and I will test it for you.
Kind greetings,
Thony
Drifting wrote:
>
> I followed you instructions, but I still cannot get this to
> work? I can only assume that I have made a mistake somewhere?
>
> What I have done is set a portforward for port 1000 to port
> 25 on another server (MS Exchange) I have also opened port
> 1000 with portopen.
>
> Any ideas on how I can check what is happening? Tried to
> telnet to the Esmith server on port 1000 and get nothing?
> apart from a timeout.
>
> Any suggestions welcome
>
> Regards Paul.

[Drifting]

I have now remove the port open as suggested, still no forwarding. The SME box is sitting in our offices connected to the net, so it's not local to me anyway.

Really wished I knew why, this is the main reason for wanting the SME box.

Regards Paul.

[Anthony de Waal]

Is the Exchange box having a route to the SME server?
Perhaps the forwarding works, but the Exchange can't connect back?