Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Brian High on January 14, 2002, 10:02:35 PM
-
> dmc-mitel-portforwarding-0.0.1-4.noarch.rpm
> http://myEZserver.com/downloads/mitel
The panel installation and usage seems to work,
but when I try to access the port, I am
not successful (times out).
I am port forwarding POP3 (110) from
the e-smith gateway (64.65.164.122) to
an internal mail server (192.168.0.214).
The internal IP of the e-smith gateway is 192.168.1.1
and there is a VPN connecting it to another internal
LAN at 192.168.0.x. All VPN traffic
works fine, but is it possible that the firewall
settings are somehow blocking this port forwarding
(because it is not on the internal subnet)?
I tried the test logging mentioned on your web page:
http://myezserver.com/docs/mitel/ipportfw-howto.html
But I see nothing in the messages log. (The last entry
matching 'Packet log' is quite old.)
Here are my other tests:
C:\>telnet 192.168.0.214 110
+OK POP3 server arilabs.dnsalias.com ready
<00225.342446328@arilabs.dnsalias.com
>
C:\>telnet 64.65.164.122 110
Connecting To 64.65.164.122...Could not open a connection to host on port 110 :
Connect failed
I even tried from a server across town (a different ISP):
$ telnet 64.65.164.122 110
Trying 64.65.164.122 ...
telnet: connect: Connection timed out
(Without using port forwarding I am able to telnet to
my e-smith's port 110 and see the POP3 welcome text message.)
/sbin/ipchains -n -L input | grep "110"
ACCEPT tcp ------ 0.0.0.0/0 64.65.164.122 * -> 110
ACCEPT tcp ------ 0.0.0.0/0 64.65.164.122 * -> 110
/usr/sbin/ipmasqadm portfw -n -l | grep "110"
TCP 64.65.164.122 192.168.0.214 110 110 10 10
Any help will be greatly appreciated! :-)
--Brian
-
Make sure you have 192.168.0.0 network specified, under Security/Local Networks/Click Here to Add...
-
Yes, it is ... here is my routing table:
[root@linux /root]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
255.255.255.255 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.1.189 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
64.65.164.120 0.0.0.0 255.255.255.252 U 0 0 0 eth1
192.81.96.0 192.168.1.249 255.255.255.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ppp0
192.168.0.0 192.168.1.189 255.255.255.0 UG 0 0 0 eth0
192.81.95.0 192.168.1.189 255.255.255.0 UG 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 64.65.164.121 0.0.0.0 UG 0 0 0 eth1
Here is what is listed in the e-smith-manager:
Network Subnet mask Number of hosts Router
192.168.0.0 255.255.255.0 256 192.168.1.189 Remove...
192.81.95.0 255.255.255.0 256 192.168.1.189 Remove...
192.81.96.0 255.255.255.0 256 192.168.1.249 Remove...
Any other thoughts?
--Brian
Dan G. wrote:
>
> Make sure you have 192.168.0.0 network specified, under
> Security/Local Networks/Click Here to Add...
-
Hmmm....if I recall correctly, doesn't the route to the remote subnet need to go out via ipsec0, or something like that? ppp0 would send it to your default gateway at your ISP, which is not where you want it to go. It doesn't look like the manager panel lets you specify a dev as a route --- you might try playing with your routes from the command line.
What does ifconfig give you?
-
Dan,
Here is the ifconfig on the ppp interface:
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.1.1 P-t-P:192.168.1.189 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
This is not the link to the ISP, but the PPTP link to
the other subnet (VPN). We are not using an IPSEC
vpn but instead are using a PPTP vpn to another
(e-smith) machine in another town.
So, this all works fine. The only thing that
is not working is that the port forwarding
is being blocked or otherwise not getting through ..
could this be a firewall issue?
Here are some ipchains listings:
[root@linux /root]# ipchains -L | grep "110"
[root@linux /root]# ipchains -L | grep "192.168.0."
ACCEPT all ------ 192.168.0.0/24 anywhere n/a
ACCEPT all ------ 192.168.0.0/24 192.168.0.0/24 n/a
MASQ all ------ 192.168.0.0/24 anywhere n/a
ACCEPT icmp ------ 192.168.0.0/24 anywhere any -> any
ACCEPT all ------ anywhere 192.168.0.0/24 n/a
[root@linux /root]# ipchains -L | grep "pop"
ACCEPT tcp ------ anywhere 64.65.164.122 any -> pop3
ACCEPT tcp ------ anywhere 64.65.164.122 any -> pop3
- tcp ------ anywhere anywhere any -> pop3
ACCEPT tcp !y---- 64.65.164.122 anywhere pop3 -> any
Thanks for your help!
--Brian
-
Sorry, this really isn't my strongest area :)
The only thing I am wondering:
192.168.0.0 192.168.1.189 255.255.255.0 UG 0 0 0 eth0
Isn't .189 at the far end of ppp0?
That's all I can think of...sorry I can't be more help.
Dan
-
Dan,
Well, yes it is at the other end of the PPTP (ppp) link.
Here is a traceroute to the POP3 server I am trying to
port-forward to ... from the machine that
is doing the port-forwarding (192.168.1.1):
[root@linux log]# traceroute 192.168.0.214
traceroute to 192.168.0.214 (192.168.0.214), 30 hops max, 38 byte packets
1 pc-00189 (192.168.1.189) 177.676 ms 178.122 ms 158.861 ms
2 192.168.0.214 (192.168.0.214) 163.115 ms 144.701 ms 166.030 ms
So, the first hop is to the other end of the PPTP link
(192.168.1.189) which also has an IP on the other
subnet (192.168.0.235). The next hop is to the
internal POP3 server.
So, the VPN is working fine and routing is working fine, so
I am totally stumped ... and it looks like only internal users will
be able to get their mail via POP3. Oh well.
Thanks for helping me with this, Dan! I really appreciated it.
Sorry we could not solve it.
--Brian
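An added diagnostic, not part of the thread and not Brian's or Dan's code. `ipmasqadm portfw` is a destination rewrite done in the masquerading kernel: a packet for 64.65.164.122:110 is rewritten to 192.168.0.214:110 and routed onward, and the rewrite can only be undone if the server's reply comes back through the same box. On a directly attached LAN where the e-smith is every host's default gateway that is guaranteed; for a target behind a PPTP peer that has its own Internet link, the reply to an outside client may leave by that peer's default route with source 192.168.0.214 and never return through the tunnel, which looks exactly like a client timeout while the VPN itself works. The script below replays the posted `netstat -nr` and `ipmasqadm portfw -n -l` output (copied here as constructed input), does the kernel's longest-prefix route lookup for the forward target, and classifies how the masquerading box reaches it. Function names (`parse_routes`, `lookup`, `classify_target`, `check_forwards`) are mine. A side note on the earlier listing: `ipchains -L | grep "110"` matched nothing because without `-n` ipchains prints service names, which is why `grep "pop"` found the rules.

```python
import ipaddress

# Constructed copies of the `netstat -nr` table and the `ipmasqadm portfw -n -l`
# line posted in the thread (header lines kept so the parser must skip them).
NETSTAT_NR = """\
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
255.255.255.255 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.1.189 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
64.65.164.120 0.0.0.0 255.255.255.252 U 0 0 0 eth1
192.81.96.0 192.168.1.249 255.255.255.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ppp0
192.168.0.0 192.168.1.189 255.255.255.0 UG 0 0 0 eth0
192.81.95.0 192.168.1.189 255.255.255.0 UG 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 64.65.164.121 0.0.0.0 UG 0 0 0 eth1
"""

PORTFW_L = "TCP 64.65.164.122 192.168.0.214 110 110 10 10\n"


def parse_routes(text):
    """Turn `netstat -nr` output into a list of route dicts, in table order."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue  # header lines
        dest, gw, mask, flags, iface = f[0], f[1], f[2], f[3], f[7]
        routes.append({
            "net": ipaddress.IPv4Network((dest, mask), strict=False),
            "gateway": None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw),
            "flags": flags,
            "iface": iface,
        })
    return routes


def lookup(routes, addr):
    """Longest-prefix match; among equal prefixes the first-listed route wins
    (the two 192.168.0.0/24 entries above therefore resolve to ppp0)."""
    addr = ipaddress.IPv4Address(addr)
    best = None
    for r in routes:
        if addr in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best


def parse_portfw(text):
    """Parse `ipmasqadm portfw -n -l`: proto ext_addr int_addr ext_port int_port pref ..."""
    fwds = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] in ("TCP", "UDP"):
            fwds.append({"proto": f[0], "ext_addr": f[1], "int_addr": f[2],
                         "ext_port": int(f[3]), "int_port": int(f[4])})
    return fwds


def classify_target(routes, int_addr):
    """How the masquerading box reaches the forward target.
    'lan'     : directly attached Ethernet; the box is normally that LAN's default
                gateway, so the server's replies come back through it.
    'tunnel'  : directly attached point-to-point link (ppp*/ipsec*/tun*); the far
                site has its own gateway, so replies to Internet clients may leave
                that way instead of returning through the tunnel (hypothesis).
    'gateway' : reached via another router; replies may likewise bypass the box.
    """
    r = lookup(routes, int_addr)
    if r is None:
        return "unroutable"
    if r["gateway"] is not None:
        return "gateway"
    if r["iface"].startswith(("ppp", "ipsec", "tun")):
        return "tunnel"
    return "lan"


def check_forwards(netstat_text, portfw_text):
    """One report row per portfw entry: target, port, egress interface, kind."""
    routes = parse_routes(netstat_text)
    report = []
    for fw in parse_portfw(portfw_text):
        r = lookup(routes, fw["int_addr"])
        report.append({
            "target": fw["int_addr"],
            "port": fw["int_port"],
            "egress": r["iface"] if r else None,
            "kind": classify_target(routes, fw["int_addr"]),
        })
    return report


if __name__ == "__main__":
    for row in check_forwards(NETSTAT_NR, PORTFW_L):
        print(row)
```

For the posted table the forward target comes out as `egress ppp0, kind tunnel`. A quick confirmation on the real boxes would be a packet capture on the remote e-smith while an outside client connects: if the SYN arrives from the tunnel with destination 192.168.0.214 but the SYN-ACK from .214 leaves by that site's Internet interface rather than back through ppp0, the return path is the problem, not the ipchains rules.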
-
Brian,
Another method that you may want to look at is using putty to do the port forwarding. Here's some more info:
http://www.acl.lanl.gov/users/technotes/ssh_portforwarding.html#pop
http://www.tartarus.org/~simon/putty-snapshots/x86/putty.exe
-
Lloyd,
Yes, thanks for that advice. I had looked into using stunnel
for this ... I don't know much about putty, but I
assume it is the same thing. I used stunnel to create
an encrypted port for POP3 access. It allowed Outlook
Express users to get POP3 through port 995.
I will see if this (stunnel) or putty could be
used to port forward to another machine, not
just qmail on the same machine, as I had
previously done.
Thanks!
--Brian
Lloyd Keen wrote:
>
> Brian,
> Another method that you may want to look at is using putty to
> do the port forwarding. Here's some more info:
> http://www.acl.lanl.gov/users/technotes/ssh_portforwarding.html#pop
> http://www.tartarus.org/~simon/putty-snapshots/x86/putty.exe
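An added example, not from the thread and not putty's or stunnel's code, showing why the user-space route Lloyd suggests sidesteps the kernel-forwarding problem: a relay such as `ssh -L` or an stunnel forward accepts the client's TCP connection on the gateway and opens its own connection to the internal server, so the server sees the gateway as its client and its replies necessarily come back to the gateway, whatever the far site's default route is. The forwarder below does that for any `(host, port)` target, and `demo()` exercises it end to end against a constructed stand-in POP3 server on loopback; the class and function names (`Forwarder`, `relay`, `pipe`, `fake_pop3_server`, `demo`) and the banner text are mine. Unlike ssh or stunnel this relay adds no encryption, so on a real gateway it belongs behind one of those, or is only the forwarding half of an stunnel/ssh setup.

```python
import socket
import threading


def pipe(src, dst):
    """Copy bytes one way until EOF, then close the far side's write half so the
    peer sees a clean end-of-stream rather than a hung connection."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client, target_host, target_port):
    """Open our own connection to the target and shuttle bytes both ways."""
    upstream = socket.create_connection((target_host, target_port), timeout=10)
    upstream.settimeout(None)
    back = threading.Thread(target=pipe, args=(upstream, client), daemon=True)
    back.start()
    pipe(client, upstream)
    back.join()
    upstream.close()
    client.close()


class Forwarder:
    """Listen on (bind_host, bind_port) and relay every connection to the target.
    bind_port 0 picks a free port; the chosen one is in .port."""

    def __init__(self, bind_host, bind_port, target_host, target_port):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_host, bind_port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.target = (target_host, target_port)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return  # listening socket closed
            threading.Thread(target=relay, args=(client, *self.target), daemon=True).start()

    def close(self):
        self.sock.close()


def fake_pop3_server(banner=b"+OK POP3 server ready\r\n"):
    """Constructed stand-in for the internal mail server: greet, answer one
    command, hang up. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_one():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.recv(1024)  # e.g. b"QUIT\r\n"
        conn.sendall(b"+OK bye\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Client -> forwarder -> stand-in POP3 server; returns (banner, reply to QUIT)."""
    pop_port = fake_pop3_server()
    fwd = Forwarder("127.0.0.1", 0, "127.0.0.1", pop_port)
    c = socket.create_connection(("127.0.0.1", fwd.port), timeout=5)
    banner = c.recv(1024)
    c.sendall(b"QUIT\r\n")
    bye = c.recv(1024)
    c.close()
    fwd.close()
    return banner, bye


if __name__ == "__main__":
    print(demo())
```

The ssh equivalent of the same relay, run on a Windows or Unix client, is `ssh -L 1110:192.168.0.214:110 user@64.65.164.122`, after which the mail client reads POP3 from `localhost:1110`; PuTTY exposes the same thing under Connection, SSH, Tunnels. The ssh daemon on the e-smith then opens the connection to 192.168.0.214 from 192.168.1.1 across the PPTP link, which is the path the traceroute above already proved works.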