Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Anthony de Waal on February 05, 2003, 02:15:28 AM
-
Hi there.
I have downloaded the port forwarding rpm of Charlie Brady, which looks easy to use.
Problem is that I can now forward a port to a computer on my network, but without simultaneously opening the port on ppp0 the packets don't get in.
This is to make Microsoft Gamezone gaming possible.
Mind you, ports 2300 up to 2400 need to be forwarded. I hope this is possible in a single command.
I had this running on 5.5 with ipchains; it takes only a few lines, but with iptables I have no clue.
Can anyone give either an updated rpm for a graphical interface, or a clue to what templates to add?
If anyone has an idea for a module to do this zone gaming, that would even be better.
Thanks in advance,
Thony
-
Have you tried Darrell May's contrib? I think it just does the same as Charlie's, although I have not tried Charlie's as Darrell's works great. In Darrell's there is no easy way to add multiple ports though; you have to add them one at a time through the server-manager panel.
http://myezserver.com/downloads/mitel/contrib/portforwarding/
Cyrus Bharda
-
Hi,
That has exactly the same name as the one I downloaded.
I just checked, and I certainly use the packetfilter contributed by Charles Brady:
e-smith-packetfilter-1.13.0-07.noarch.rpm
But now I doubt where I got the portforward from.
Point is: will it open the ports as well? My testing seems to say it doesn't.
I use the e-smith with pptp for ADSL in the Netherlands.
Things may be a bit different in this situation.
Can someone at least point me to some documentation on the current packet filtering setup?
Kind greetings,
Thony
-
Found it:
Author: RequestedDeletion (RequestedDeletion.wang_AT_star-support.com)
Date: 01-31-03 14:34
ftp://ftp.e-smith.org/pub/e-smith/contrib/CharlieBrady/RPMS/noarch/
look for port forwarding
-
Anthony de Waal wrote:
> Point is: will it open the ports as well? My testing seems to
> say it doesn't.
It should. What makes you think it's not? Have you checked the rules to see whether or not it has in fact opened the ports?
Mike
-
Hi Michael,
I forwarded port 2300 to my internal network, 192.168.0.205.
It certainly did something, as it now appears in the iptables -L output
(see below). Actually it looks opened but not forwarded, rather than the other way around.
I use a program called Portdetective from www.tzolkin.com on the destination workstation. It worked fine when I had 5.5 with ipchains and the firewall from www.adsl4linux.nl. Now it says port is blocked.
Two possible complications.
1) my outer interface is not the ethernet card but ppp0.
I used 00Definitions to change that.
2) the packets do not come after a request from the inside. The difficulty with Gamezone is that random ports between 2300 and 2400 are used to reply.
Thanks for looking at my problem.
Kind greetings,
Thony
[root@e-smith root]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
InboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
InboundTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
InboundUDP udp -- anywhere anywhere
denylog udp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc
gre-in gre -- anywhere anywhere
denylog gre -- anywhere anywhere
denylog all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
denylog all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OutboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain InboundICMP (1 references)
target prot opt source destination
InboundICMP_579 all -- anywhere anywhere
denylog icmp -- anywhere anywhere
Chain InboundICMP_579 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere
Chain InboundTCP (1 references)
target prot opt source destination
InboundTCP_579 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
Chain InboundTCP_579 (1 references)
target prot opt source destination
denylog all -- anywhere !cittern.xs4all.nl
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
denylog tcp -- anywhere anywhere tcp dpt:imap2
denylog tcp -- anywhere anywhere tcp dpt:ldap
denylog tcp -- anywhere anywhere tcp dpt:pop3
denylog tcp -- anywhere anywhere tcp dpt:1723
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
denylog tcp -- anywhere anywhere tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere tcp dpt:2300
Chain InboundUDP (1 references)
target prot opt source destination
InboundUDP_579 all -- anywhere anywhere
denylog udp -- anywhere anywhere
Chain InboundUDP_579 (1 references)
target prot opt source destination
denylog all -- anywhere !cittern.xs4all.nl
Chain OutboundICMP (1 references)
target prot opt source destination
OutboundICMP_579 all -- anywhere anywhere
denylog icmp -- anywhere anywhere
Chain OutboundICMP_579 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere
Chain denylog (21 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain gre-in (1 references)
target prot opt source destination
denylog all -- anywhere !cittern.xs4all.nl
ACCEPT all -- anywhere anywhere
Chain local_chk (2 references)
target prot opt source destination
local_chk_1 all -- anywhere anywhere
Chain local_chk_1 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain state_chk (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
[root@e-smith root]#
-
Anthony de Waal wrote:
>
> Hi Michael,
> I forwarded port 2300 to my internal network, 192.168.0.205.
> It certainly did something, as it appears now in the IPTABLES
> -L output
> (see below). Actually it looks opened but not forwarded
> rather than the other way around.
That's because you're looking at the filter table. I highly suggest you read the iptables manpage, which will explain the differences between the filter, nat and mangle tables. If you wish to see the portforwarding rules you must look in the nat table.
iptables -t nat -nvL
> I use a program called Portdetective from www.tzolkin.com on
> the destination workstation. It worked fine when I had 5.5
> with ipchains and the firewall from www.adsl4linux.nl. Now it
> says port is blocked.
I'd say it's wrong. The iptables output confirms that.
> Two possible complications.
> 1) my outer interface is not the ethernet card but ppp0.
> I used 00Definitions to change that.
You shouldn't have to touch a thing. The server will determine its external interface by itself.
Mike
-
OK, here it is:
Chain PortForwarding_579 (1 references)
pkts bytes target prot opt in out source destination
16 736 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2300 to:192.168.0.205:2300
All the same: in /var/log/messages:
Feb 6 06:47:19 e-smith kernel: IN=ppp0 OUT=eth0 SRC=209.213.70.61 DST=192.168.0.205 LEN=44 TOS=0x00 PREC=0x00 TTL=112 ID=11326 DF PROTO=TCP SPT=4107 DPT=2300 WINDOW=8192 RES=0x00 SYN URGP=0
I checked telnet, smtp and 2300 at the same time. Telnet gets the same logging; smtp doesn't appear.
I have a mail server running, so that makes sense. Still, Port Detective shows it as blocked, because the packets do not arrive back at the program.
I didn't read the man pages. I know I should but have not found the time. Basically that is why I looked for a program in the first place :-)
Kind greetings,
Thony
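Reading the kernel LOG line in the last post with Mike's filter-versus-nat distinction in mind: it carries both IN=ppp0 and OUT=eth0 and a DST that is already the LAN host, so the nat table's DNAT had been applied and the drop was logged from the filter table's FORWARD chain, which in the listing above has policy DROP and only state_chk, local_chk and denylog. Below is a small parser for such LOG lines that infers the chain from the IN/OUT fields, added here as an example and not part of the thread; the 192.168.0.0/24 LAN range, the 2300-2400 port window and the second, constructed log line are assumptions.

```python
import ipaddress
import re
from typing import Dict, Tuple

# The kernel LOG line from the thread, joined onto one line.
THREAD_LINE = (
    "Feb 6 06:47:19 e-smith kernel: IN=ppp0 OUT=eth0 SRC=209.213.70.61 "
    "DST=192.168.0.205 LEN=44 TOS=0x00 PREC=0x00 TTL=112 ID=11326 DF "
    "PROTO=TCP SPT=4107 DPT=2300 WINDOW=8192 RES=0x00 SYN URGP=0"
)
# Constructed line (not from the thread): a packet for a port that is not
# forwarded, so DST is still the server's own (placeholder) address and OUT
# is empty, i.e. it was refused in INPUT rather than FORWARD.
CONSTRUCTED_LINE = (
    "Feb 6 06:47:20 e-smith kernel: IN=ppp0 OUT= SRC=209.213.70.61 "
    "DST=203.0.113.10 LEN=44 TOS=0x00 PREC=0x00 TTL=112 ID=11327 DF "
    "PROTO=TCP SPT=4108 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0"
)

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed from the 192.168.0.205 target
GAME_PORTS = range(2300, 2401)                # the 2300-2400 window from the thread
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log(line: str) -> Dict[str, str]:
    """Split a netfilter LOG line into KEY=VALUE fields (bare flags such as SYN are skipped)."""
    return dict(FIELD_RE.findall(line))

def chain_of(fields: Dict[str, str]) -> str:
    """LOG fills IN= and OUT= in FORWARD, only IN= in INPUT, only OUT= in OUTPUT."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else "OUTPUT"

def diagnose(line: str) -> Tuple[str, str]:
    """Return (chain, verdict) explaining where the logged packet was refused."""
    f = parse_log(line)
    chain = chain_of(f)
    dst = ipaddress.ip_address(f["DST"])
    dport = int(f.get("DPT", "0"))
    if chain == "FORWARD" and dst in LAN and dport in GAME_PORTS:
        return chain, ("DNAT already rewrote DST to the LAN host; the filter table's "
                       "FORWARD chain (policy DROP) refused it, so FORWARD needs an "
                       "ACCEPT for this port range, an INPUT rule does not help")
    if chain == "INPUT":
        return chain, "addressed to the server itself and dropped in INPUT"
    return chain, "dropped in " + chain
```

Run it over a few lines grepped from /var/log/messages to separate packets refused before forwarding from those refused after DNAT.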