Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: John Goodwin on July 21, 2001, 10:20:53 PM

Title: port forwarding
Post by: John Goodwin on July 21, 2001, 10:20:53 PM
I installed the port forwarding rpm (ipportfw-0.1.1-1.noarch.rpm) and I've had some problems.  The rpm installed fine, and my e-smith server continued to work fine.  I executed the following commands before setting up any ports to follow:

/sbin/ipchains -n -L input
/usr/sbin/ipmasqadm portfw -n -l

Neither of these commands returned a result, which I was sort of expecting since I had not set up any port forwarding. I then created a file to apply forwarding for 10 ports following the layout specified in the ipportfw howto and executed the file.  I then ran the commands previously stated again.  The first command returned a list of parts that included many ports that I had not previously specified.  The second command listing the forwards showed that only part of the forwards I had specified existed.

Next came the big problem.  The external ethernet now seems to be unable to obtain my external gateway via DHCP.  Because of this, I can no longer access the internet.  I executed the remove forwarding commands (via a file) but this was not successful.  Any help here would be greatly appreciated.  I'm new to Linux and to working with firewalls and really need some help.

Thanks,
John Goodwin
Title: Re: port forwarding
Post by: Bill Ebben on July 24, 2001, 01:36:07 AM
Dear John,

I've just gone through the same situation but not with 10 ports. All I wanted to do was forward internet traffic to a web server on the inside of my firewall. You need to restore the original ipchains rules. If you haven't done a great deal of other customization to your e-smith system, the easiest way would be to re-install e-smith. (A great time to make sure you have the latest release.)

Then leave port forwarding behind and use mfw (marked forward). This is the newest way to accomplish the same thing.

See man ipchains. I used the following rule to have ipchains mark the lead packet (and all the following packets in the chain) for forwarding.

ipchains -I input -p tcp -y -d yourcompany.com/32 80 -m 1

Then use the following rule to have the ip masquerading redirect the marked packets to my internal web server (192.168.1.65):

ipmasqadm mfw -I -m 1 -r 192.168.1.65 80 -p 10

Instead of yourcompany.com in the first rule I had better luck by substituting the IP address instead of the domain name.

There is one gotcha that I have to resolve this evening after all my users go home. The rules will be forgotten the next time the Linux firewall is rebooted. I need to find the place where e-smith keeps the rules template or add the rules to a start-up script to be executed after each reboot.

Hope this helps.

Bill
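
Added example, not part of the original thread or of e-smith: a shell helper that prints (does not execute) the ipchains/ipmasqadm rule pair from the post above for each line of a forward table, refusing hostnames and out-of-range ports. The function names, the table layout, the one-mark-per-forward numbering and the sample address 203.0.113.10 are assumptions of this example; the rule syntax is copied from the post.

```shell
#!/bin/sh
# Added example: emit the mark + mfw rule pair for each forward in a table.

# Succeed only for a dotted-quad IPv4 literal with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeed only for a decimal TCP port in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Read "ext_ip ext_port int_ip int_port" lines on stdin and print the rules.
# Nothing is printed if any entry is invalid, so a bad table is never
# half-applied. Each forward gets its own mark value (assumption).
mfw_rules() {
    mark=0
    out=
    while read -r ext_ip ext_port int_ip int_port extra; do
        case "$ext_ip" in ''|'#'*) continue ;; esac   # blank line or comment
        if [ -n "$extra" ] || ! is_ipv4 "$ext_ip" || ! is_ipv4 "$int_ip" ||
           ! is_port "$ext_port" || ! is_port "$int_port"; then
            echo "rejected entry: $ext_ip $ext_port $int_ip $int_port $extra" >&2
            return 1
        fi
        mark=$((mark + 1))
        out="${out}ipchains -I input -p tcp -y -d $ext_ip/32 $ext_port -m $mark
ipmasqadm mfw -I -m $mark -r $int_ip $int_port -p 10
"
    done
    printf '%s' "$out"
}

# Constructed sample table: external_ip external_port internal_ip internal_port
mfw_rules <<'EOF'
203.0.113.10 80   192.168.1.65 80
203.0.113.10 8080 192.168.1.66 80
EOF
```

Reviewing the printed rules before running them, and keeping the table in a file, also gives a single place to re-apply them from after a reboot.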
Title: Re: port forwarding
Post by: John Goodwin on July 24, 2001, 04:28:57 AM
Hi Bill,

Thanks for the help.  I did a reinstall and luckily I had a recent backup so I didn't lose much.  I'll try your suggestion and see how it turns out (of course, backing up right before I attempt anything like this again)!

Thanks,
John Goodwin
Title: Re: port forwarding
Post by: vanadium2 on August 05, 2001, 04:08:08 AM
Hi all,

The file used by essg to store the ipchain rules is:
/etc/rc.d/init.d/masq

Bye