Koozali.org: home of the SME Server

Port Forwarding?

Drifting

Re: Port Forwarding?
« Reply #15 on: March 21, 2003, 12:26:03 AM »
Well I have now set up a test win2k server running terminal services, that has the default gateway set to the SME box. I am running all the right rpms (according to the above).

I have set up port forwarding for 3389 both TCP & UDP.

Not a sausage !!!

Ideas? because I am running out of patience, does this port forwarding work for anyone on 5.6 ? (Lack of patience is due to lack of knowledge on Linux & SME).

Any ideas? as I have run out of hair to pull out?

Paul.

Daniel

Re: Port Forwarding?
« Reply #16 on: March 26, 2003, 03:00:56 AM »
So from the top then, for e-smith 5.6:

This is how I read all this.  To OPEN ports, you need to install

dmc-mitel-portopening-0.0.1-3.noarch.rpm

This includes packet filter

e-smith-packetfilter-1.13.0-07.noarch.rpm

which doesn't work.

So then you need to get

e-smith-packetfilter-1.13.0-04.noarch.rpm

and type

# rpm -Uvh --force e-smith-packetfilter-1.13.0-04.noarch.rpm --nodeps
# /sbin/e-smith/signal-event post-upgrade
# service masq restart

That makes port OPENING work.  For port FORWARDING it seems that you need

e-smith-portforwarding-0.1.0-20.noarch.rpm

which also includes

e-smith-packetfilter-1.13.0-07.noarch.rpm

which doesn't work.

So then you need to get

e-smith-packetfilter-1.13.0-04.noarch.rpm

and type

# rpm -Uvh --force e-smith-packetfilter-1.13.0-04.noarch.rpm --nodeps
# /sbin/e-smith/signal-event post-upgrade
# service masq restart


Is anyone still with me?

So is all this correct? Last time I grabbed a port forwarding RPM on forum advice it was an older version still and it broke masq completely.

Can we hear from someone who got it working?

Anthony is especially stuck with the UDP vs TCP problem, but for everyone else all we're after is standard TCP forwarding -- not exactly cutting edge.  Personally, I need for VNC control of windows desktops to provide effective helpdesk support.

If there's no reply I will sit down and document every step until I get it, then post a howto.  If there is a reply, I'll sum all this up in a brand new thread.

Last of all, wouldn't it be nice if TCP and UDP port forwarding was a standard feature?

Drifting

Re: Port Forwarding?
« Reply #17 on: March 26, 2003, 02:44:00 PM »
By George he's got it !!

Well I am glad I am not the only one, I thought perhaps I had not sacrificed enough virgins, check to see if the wind blew from the east, or muttered other special Linux chants!

Seriously though, I have come to the same conclusion, whichever way I go it breaks. I would love to know the answer to this one, as we were hoping to become a reseller and use this product for quite a number of customers. Port forwarding for us is an essential, as we require it for mail servers & support (Terminal services).

If you do manage to get it going I will turn myself toward the Great Land of Oz and click my heels three times

Regards Paul.

darren

Re: Port Forwarding?
« Reply #18 on: March 28, 2003, 10:28:47 AM »
how about just installing dmc-mitel-portopening-0.0.1-4.noarch.rpm it uses e-smith-packetfilter-1.10.0-08 and seems to work ok.

Drifting

Re: Port Forwarding?
« Reply #19 on: March 28, 2003, 02:23:23 PM »
Opening is not a problem, well not tried it yet. In fact I have not even installed it on this current test machine.

All I want is port forwarding to work, this will be the 5th rebuild and not one of them will port forward. I have followed every instruction from multiple posts, all to no avail. Does anyone have a definitive installation instruction that they honestly can say works?

Paul

Lee Fakes

Re: Port Forwarding?
« Reply #20 on: March 30, 2003, 05:51:59 PM »
I tried everything I could and it almost worked. I keep getting refused permission errors. I gave up and went back to 5.5 which works fine. As soon as I get some more time I'll have another crack at it though.

Good luck

Drifting

Re: Port Forwarding?
« Reply #21 on: March 30, 2003, 07:09:36 PM »
I shall assume then, seeing as very few have responded to my request on who actually got it to work, that it is broke. Wished I knew a bit more about Linux, as I was really keen on this product as had an immediate need.

Thanks Paul.

Daniel

Re: Port Forwarding?
« Reply #22 on: March 31, 2003, 05:21:13 AM »
Drifting, e-smith is not the only linux choice, many others are easy(ish) also.

E-smith is an unusual distro in many ways, partly because it is intended primarily for use in a rack mount server sold by Mitel.

This means they write it to be what they want it to be.  It's not intended as a general sale distribution, so features that Mitel don't want or need are neglected.

The way things should work is one of the people on the forum should write a working port fwding rpm, it's probably more time than difficulty that stops most people here from doing that.

Linux overall is not as scary as it seems.  A large proportion of the executables are scripts (like .bat files) and it's usually not TOO hard to figure them out.

Someone mentioned that you can do the port forwarding from the shell, I'll investigate and let everyone know.

If that doesn't work, the other way around it is to grab a 486 or pentium and use freesco 0.27 or freesco 0.27 pppoe edition (for adsl /cable) from a floppy disk to handle the firewall / internet connection.

Freesco is far, far better than e-smith if you just need the router/firewall/gateway services.  It even has a http daemon.

Dan Brown

Re: Port Forwarding?
« Reply #23 on: March 31, 2003, 05:56:13 AM »
Daniel wrote:

> This means they write it to be what they want it to be.  It's
> not intended as a general sale distribution, so features that
> Mitel don't want or need are neglected.

This is _very_ incorrect.  First, e-smith long pre-dates Mitel involvement in the product.  Second, Mitel continues to sell e-smith (now SME) for general usage, so they apparently intend it as a general sale distro.

The issue (and most of the limitations) come in with the purpose of the system.  It's intended to be very simple to install, configure, and administer.  As a result of that, it isn't as flexible as, say, a full Redhat installation, but it's also more secure.  Also, some of the individual server functions (like Samba) impose limits on the rest of the server--this accounts for the oft-mentioned issue of a single user namespace (i.e., even with virtual domains, each user exists on all domains).

Now, I think it'd be nice to have a good port forwarding panel included in the server manager.  I don't have any real need for it myself (everything I need can be handled through SSH tunnelling, and more securely too), but it's obviously something that a lot of people want.

Drifting

Re: Port Forwarding?
« Reply #24 on: March 31, 2003, 03:16:26 PM »
Thank you both for your input. Perhaps with any luck Mitel will take a look at the port forward issue. I expect we are not the only ones who have to support win2k boxes? the mitel seemed to fit in rather nicely for the average sme who requires email etc without the cost or hardware requirements of Exchange, ISA, etc. Many have win2k servers running SQL, so a terminal session into them would be handy.

I did recently download a copy of clark connect, which is very similar to SME server, have not confirmed yet if portforward version works on clark, but it is a hell of a lot cheaper than the commercial version of Mitel.

Will take a look at freesco, thanks for the hint.

Paul.

Daniel Rose

Re: Port Forwarding -- Fixed?!
« Reply #25 on: May 21, 2003, 07:31:47 AM »
Okay....

Now I make NO representations that this is safe, or that it's a good idea.  

So here's a code snippet, both lines are required for one port opening.

# Copied from http://board.protecus.de/showtopic.php?threadid=3361

# With minor modifications by Daniel Rose 12/4/03

        /sbin/iptables -A FORWARD -i $OUTERIF -o $INTERNALIF -p tcp --dport 5900 -j ACCEPT

        /sbin/iptables -t nat -A PREROUTING -p tcp --dport 4661:4662 -j DNAT --to-destination 192.168.0.10:5900

It's double-spaced so you can see where the line breaks are.

You might want to change "tcp" to "udp" and you'll probably want to change 192.168.0.10 to the address of your choice.

You need that code in a file at

/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/

My filenames for this start with 82, eg

82-VNC-Forward-to-192-168-0-10

of course once it's there you'll need a

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

then a

/etc/rc.d/init.d/masq restart


All this brings me on to another point; On the client, I've given it a fixed IP address, because using DHCP if it changes the forwarding will go to the wrong PC.

Suppose you have a windows dhcp client called fred.  I want to put "fred" instead of the IP address in the forwarding commands above. From e-smith server, fred doesn't resolve -- "ping fred" gives "unknown  host."

This annoys me.  Does anyone know how to make e-smith "see" the hostnames of the PCs it gives IP addresses to or do the clients need to be configured to tell e-smith?
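A tighter variant of the two rules in the post above, as an added example that is not part of the original thread: the PREROUTING rule there is not bound to an interface, and the FORWARD rule accepts port 5900 to any internal host from any source. The generator below emits the same pair with `-i $OUTERIF` on the DNAT rule, `-d` on the FORWARD rule and an optional source restriction; `gen_forward` and its helpers are hypothetical names, and 203.0.113.0/24 is a constructed sample network.

```shell
#!/bin/sh
# Added example, not from the original post. $OUTERIF and $INTERNALIF are the
# variable names used in the post's rules; they are emitted literally so the
# masq script expands them. gen_forward and its helpers are hypothetical names.

is_port() {    # integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {    # dotted quad, each octet 0..255
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_forward PROTO EXT_PORT DEST_IP DEST_PORT [SRC_CIDR]
gen_forward() {
    proto=$1 ext_port=$2 dest_ip=$3 dest_port=$4 src=${5:-}
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    is_port "$ext_port"  || { echo "bad external port: $ext_port" >&2; return 1; }
    is_port "$dest_port" || { echo "bad internal port: $dest_port" >&2; return 1; }
    is_ipv4 "$dest_ip"   || { echo "bad internal address: $dest_ip" >&2; return 1; }
    src_opt=
    if [ -n "$src" ]; then    # only the address part is checked here, not the mask
        is_ipv4 "${src%/*}" || { echo "bad source: $src" >&2; return 1; }
        src_opt=" -s $src"
    fi
    # PREROUTING matches the port the outside client dials, on the outer
    # interface only, so LAN traffic is never rewritten.
    printf '/sbin/iptables -t nat -A PREROUTING -i $OUTERIF%s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$src_opt" "$proto" "$ext_port" "$dest_ip" "$dest_port"
    # FORWARD runs after DNAT, so it must match the internal host and port.
    printf '/sbin/iptables -A FORWARD -i $OUTERIF -o $INTERNALIF%s -p %s -d %s --dport %s -j ACCEPT\n' \
        "$src_opt" "$proto" "$dest_ip" "$dest_port"
}

# Constructed sample: VNC to 192.168.0.10 from one documentation-range network.
gen_forward tcp 5900 192.168.0.10 5900 203.0.113.0/24
```

The two printed lines go into a fragment file in the templates-custom directory named in the post, followed by the same expand-template and masq restart steps.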
