Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Tony De Keizer on July 19, 2002, 04:09:35 AM
-
I was wondering if anyone had tried to set up port forwarding but only for packets originating from a specific IP address. The Port Forwarding panel does not support a source address, and I noticed that the ipchains command generated in /etc/rc.d/init.d has a -s 0/0 option which will forward all external IP addresses to the specified internal network address on the specified port.
I have tried directly modifying the ipchains command by adding a specific host IP in the source option and then restarting masq as a test, and it doesn't seem to work. The ipchains -L command lists the correct forwarding and chain entry, but the port is still forwarded no matter what IP you connect from.
Any ideas ?
Regards
Tony De Keizer
-
From my understanding, ipchains doesn't handle the actual port forwarding. You probably will want to look at:
ipmasqadm autofw
ipmasqadm portfw
ipmasqadm mfw
I believe the Port Forwarding panel is a front end to these programs.
Hope this helped,
Nathan
-
Nathan,
Thanks for the reply.
I am happy to say that I have worked the problem out.
I had a look at the /etc/rc.d/init.d/masq entries generated by the port forwarding panel and it creates two entries.
One 'ipmasqadm portfw .... ' for the actual port forwarding.
An 'ipchains -A input .... ' to allow access on the specified port on the outer network IP address.
The ipchains command uses -s 0/0, thus allowing any source address to be forwarded. I was trying to limit the source address to a single host IP.
I tried modifying the -s 0/0 to -s w.x.y.z/32 and it didn't work. Hence the forum message.
Further investigation found that I needed to add a second ipchains entry to stop access on this port for all other IPs, i.e.
ipchains -A input -p tcp -s 0/0 -d $OUTERNET <port> -j denylog (I wanted to log attempts)
I found this interesting as I would have thought the input policy would have been DENY not ACCEPT.
Obviously I will create some custom templates to add the necessary commands to masq, but I believe it would be a good addition to the port forwarding panel to allow specification of a source address and mask. What do you think?
Thanks again for the reply.
Regards
Tony De Keizer
-
The other thing the Port Forwarding Panel needs is the ability to specify a block of ports (e.g. 2300-2400) to be forwarded to a given internal network address. I have yet to find a way to handle this. If anyone can help me please let me know.
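Added example, not from any of the posts above and not SME Server's own masq template: a shell script that emits the three-rule fragment the second post arrives at (the ipmasqadm portfw redirection, an ipchains ACCEPT limited to one source host, and a catch-all rule into the denylog chain named in that post) for a single port, and extends it to the port block asked about in the last post by looping ipmasqadm portfw over each port, since portfw takes one port per rule, while the ipchains side uses its low:high port-range syntax. Commands are printed rather than executed so the fragment can be reviewed or pasted into a custom template before it reaches a live firewall. The addresses (external 198.51.100.2, trusted source 203.0.113.7, internal host 192.168.1.10) are constructed documentation-range values, and OUTERNET stands for the variable the post uses for the external address.

```shell
#!/bin/sh
# Added example (not from the forum posts or SME Server's templates).
# ipchains evaluates the input chain top to bottom, so the ACCEPT for the
# trusted source must be appended before the catch-all denylog rule;
# with the input policy at ACCEPT, leaving the last rule out is exactly
# what let every other source through in the original post.

# restricted_portfw OUTERIP PROTO PORT INTERNALIP ALLOWED_SRC
restricted_portfw() {
    outer=$1; proto=$2; port=$3; inner=$4; src=$5
    # the redirection itself (what the Port Forwarding panel generates)
    echo "ipmasqadm portfw -a -P $proto -L $outer $port -R $inner $port"
    # accept the port only from the trusted host ...
    echo "ipchains -A input -p $proto -s $src/32 -d $outer $port -j ACCEPT"
    # ... and send everybody else to the denylog chain (deny + log)
    echo "ipchains -A input -p $proto -s 0/0 -d $outer $port -j denylog"
}

# restricted_portfw_range OUTERIP PROTO FIRST LAST INTERNALIP ALLOWED_SRC
# portfw has no range form, so each port in the block gets its own rule.
restricted_portfw_range() {
    outer=$1; proto=$2; first=$3; last=$4; inner=$5; src=$6
    p=$first
    while [ "$p" -le "$last" ]; do
        echo "ipmasqadm portfw -a -P $proto -L $outer $p -R $inner $p"
        p=$((p + 1))
    done
    # ipchains accepts low:high port ranges, so the filter side stays at
    # two rules no matter how large the block is
    echo "ipchains -A input -p $proto -s $src/32 -d $outer $first:$last -j ACCEPT"
    echo "ipchains -A input -p $proto -s 0/0 -d $outer $first:$last -j denylog"
}

OUTERNET=198.51.100.2   # constructed: the server's external address
# single port: ssh to one internal host, only from 203.0.113.7
restricted_portfw "$OUTERNET" tcp 22 192.168.1.10 203.0.113.7
# port block: 2300-2302 to the same host, same source restriction
restricted_portfw_range "$OUTERNET" tcp 2300 2302 192.168.1.10 203.0.113.7
```

Run it and compare the output against what /etc/rc.d/init.d/masq already contains: the only new lines beyond the panel's own are the source-limited ACCEPT and the denylog rule, and their relative order is what makes the restriction hold. For a 100-port block this produces about a hundred portfw rules, which is fine for ipmasqadm but worth keeping in mind when reading ipchains -L output.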