Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: pwinkler on November 11, 2004, 01:45:03 AM
-
I am trying to forward port 3389 (terminal services) to a server behind SME Server and it is not working.
I have this working on two other servers on the same site but this one does not want to work.
As mentioned above this is a fresh install with updates applied.
What do I look for?
Please help
-
Hi,
Which version, what updates?
RequestedDeletion
-
SME 6.0.1-01 and the updates from the update script
on this thread
http://forums.contribs.org/index.php?topic=24285.0
-
Hi Pwinkler,
Please keep in mind that the update script is not an 'official' contrib. Next to that, I do not see anything within the mentioned script that could harm the default port forwarding functionality.
I personally port forward 3389 on some setups with SME Server 6.0.1-01 with no problems. Did you sniff already to see if the port is indeed forwarded?
RequestedDeletion
-
What updates are "contribs" or what should I install after a basic install?
I have tried to telnet to the ip on port 3389 and get
"could not open a connection to host.. connect failed"
-
Take a look at '/etc/init.d/masq' and look for 3389. If it's in there then SME Server is doing its job ;-)
RequestedDeletion
-
there is no "3389" in /etc/rc.d/init.d/masq
-
Then what you describe is correct ;-)
How did you try to port forward? If it is via the server manager (default) then remove and add again just to see what happens.
Any chance you have a custom template/fragment regarding masq?
btw: joining IRC on freenode # sme-server would get you to 'live' people :-)
guest
-
I have already deleted and re-entered the port forwarding using the panel a couple of times, and again just now. I also checked /etc/init.d/masq again to see if there was any change, but no!
-
Ok, time to get it working first and then find out what's wrong ;-)
Create a custom template by copying /etc/e-smith/templates/etc/rc.d/init.d/91AdjustPortForward
to /etc/e-smith/custom-templates/etc/rc.d/init.d/91AdjustPortForward
/etc
then edit the custom template fragment by adding the below rule:
# Start portforwarding rule port 3389 MS-TS
/sbin/iptables --table nat --append PortForwarding_$$ --protocol tcp \
 --destination-port 3389 -j DNAT --to-destination 192.168.5.3:3389
adjust_tcp_in 3389 ACCEPT ForwardedTCP_$$ 192.168.5.3/32
# End portforwarding rule
so the section looks like:
# Create a new PortForwarding chain
PFC=$(/sbin/iptables --table nat --numeric --list PortForwarding |\
sed -n '3s/ .*//p')
/sbin/iptables --table nat --new-chain PortForwarding_$$
/sbin/iptables --table nat --append PortForwarding_$$ --protocol tcp \
--destination-port 3389 -j DNAT --to-destination 192.168.5.3:3389
adjust_tcp_in 3389 ACCEPT ForwardedTCP_$$ 192.168.5.3/32
/sbin/iptables --table nat --replace PortForwarding 1 --destination $OUTERNET --jump PortForwarding_$$
/sbin/iptables --table nat --flush $PFC
/sbin/iptables --table nat --delete-chain $PFC
where 192.168.5.3 is the IP address of the accepting machine.
Expand the new template fragment and restart masq
Portforwarding 3389 should now work.
RequestedDeletion
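As an added check that is not part of the original thread: rather than grepping the generated /etc/rc.d/init.d/masq, ask the running kernel. A working SME Server 6 forward consists of two rules, the DNAT in the nat-table PortForwarding_<pid> chain and the ACCEPT in the filter-table ForwardedTCP_<pid> (or ForwardedUDP_<pid>) chain that adjust_tcp_in / adjust_udp_in emit; if either one is missing, the telnet test above fails. The script below checks both from `iptables -L -n` output. The chain names are taken from the template quoted in this thread; the two listings embedded in the script are constructed samples for offline use (203.0.113.10 stands in for the external address, 192.168.5.3 is the host from the post), and the `--live` mode is the one to run as root on the server.

```shell
#!/bin/sh
# Added example: confirm that an SME Server 6 port forward is fully wired.
# The 91adjustPortForward template emits two rules per forward: a DNAT in the
# nat table (chain PortForwarding_<pid>) and an ACCEPT in the filter table
# (chain Forwarded<PROTO>_<pid>, via adjust_tcp_in / adjust_udp_in). A forward
# with only one of them fails exactly like the telnet test in this thread.

# Constructed sample of `iptables -t nat -L -n` (203.0.113.10 = external IP).
SAMPLE_NAT='Chain PortForwarding (1 references)
target     prot opt source               destination
PortForwarding_24182  all  --  0.0.0.0/0            203.0.113.10

Chain PortForwarding_24182 (1 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:192.168.5.3:3389
'

# Constructed sample of `iptables -L -n` for the filter table.
SAMPLE_FILTER='Chain ForwardedTCP_24182 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.5.3          tcp dpt:3389
'

# has_dnat NAT_LISTING PROTO PORT IP: true if a DNAT rule matches PROTO dpt:PORT
# and rewrites to IP (with or without a target port).
has_dnat() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" -v ip="$4" '
        $1 == "DNAT" && $2 == proto {
            hit_port = 0; hit_ip = 0
            for (i = 6; i <= NF; i++) {
                split($i, a, ":")
                if (a[1] == "dpt" && a[2] == port) hit_port = 1
                if (a[1] == "to"  && a[2] == ip)   hit_ip = 1
            }
            if (hit_port && hit_ip) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# has_accept FILTER_LISTING PROTO PORT IP: true if an ACCEPT for PROTO dpt:PORT
# with destination IP sits in a Forwarded<PROTO>_<pid> chain.
has_accept() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" -v ip="$4" '
        $1 == "Chain" { chain = $2; next }
        $1 == "ACCEPT" && $2 == proto && $5 == ip &&
        index(chain, "Forwarded" toupper(proto) "_") == 1 {
            for (i = 6; i <= NF; i++) {
                split($i, a, ":")
                if (a[1] == "dpt" && a[2] == port) { found = 1; exit }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# check_forward NAT_LISTING FILTER_LISTING PROTO PORT IP
# returns 0 = both rules present, 1 = DNAT missing, 2 = ACCEPT missing.
check_forward() {
    if ! has_dnat "$1" "$3" "$4" "$5"; then
        echo "MISSING DNAT: $3 dpt:$4 -> $5 never reached the nat table"
        return 1
    fi
    if ! has_accept "$2" "$3" "$4" "$5"; then
        echo "MISSING ACCEPT: $3 dpt:$4 -> $5 is rewritten but the FORWARD chain will drop it"
        return 2
    fi
    echo "OK: $3 dpt:$4 -> $5 has both the DNAT and the ACCEPT rule"
    return 0
}

# Usage on the server (as root): sh check_forward.sh --live tcp 3389 192.168.5.3
# Without arguments the constructed samples above are checked instead.
if [ "${1:-}" = "--live" ]; then
    check_forward "$(/sbin/iptables -t nat -L -n)" "$(/sbin/iptables -L -n)" "$2" "$3" "$4"
else
    check_forward "$SAMPLE_NAT" "$SAMPLE_FILTER" tcp 3389 192.168.5.3
fi
```

If the DNAT is missing, the forward never made it into the masq script at all: look for a stale fragment under /etc/e-smith/custom-templates/etc/rc.d/init.d/masq/ (a restored backup is one way to get one, as a later post in this thread reports), remove it, expand the template and restart masq. If only the ACCEPT is missing, the packet is rewritten but then hits the denylog rule at the end of the ForwardedTCP chain, so the client sees a timeout rather than a refusal.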
-
Thanks for your help thus far RequestedDeletion.
I tried copying
/etc/e-smith/templates/etc/rc.d/init.d/masq/91AdjustPortForward
to
/etc/e-smith/custom-templates/etc/rc.d/init.d/91AdjustPortForward
/etc
Maybe I'm a bit thick but I can't find the second path or anything like it!
Do you want me to create it?
Anyway, I have copied & edited the template as per your instructions.
Thanks again!
-
Yep, you need to create the path: /etc/e-smith/custom-templates/etc/rc.d/init.d/
RequestedDeletion
-
You sure you're forwarding to the right internal IP address? And that the hardware is right? I've never seen port forwarding fail in any release of SME, even when you had to install your own server panel.
-
Same problem here.
Fresh install of 6-01-01. I did not use the install-script, but I did use a lot of the same contribs.
Trying to change the template did not help (or work) up till now.
I have to change a lot more ports (not just 3389).
Is there somewhere else we can look.
-
Hi,
Well I guess it's time to check the contribs used. A fresh install of SME Server 6.0.1-01 works perfectly. Maybe you guys can team up and find out what contributions you have in common?
RequestedDeletion
-
I installed:
scripted:
Antivirus (latest by Knuddi)
SpamAssassin (latest by Knuddi)
Dshield
php4.3.8-upgrade
webshare
dhcpconfig V0.3.3beta(suspect ?)
RPM:
awstats
backup2ws
crontab manager
lazyadmin tools
navmanager
netPBM
Samba 3.0
Sarg
Sysmon
Userpanel
Winupd
updates (all in directory from Knuddi)
Rob
(not trained enough to figure it out by himself)
-
I used the update script (http://forums.contribs.org/index.php?topic=24285.0) so all the contribs in that script and the only other contribs were the services panel & isoqlog
-
Not having any patience, I started a new installation to see if the problem lies with one of the installed contribs.
After a fresh install and restore (originally made on SME 6beta3), port forwarding is already not working.
Same with remote access settings.
No contribs are installed.
-
Yes!
My problem lay in the backup / restore action. After removing all custom templates and practically all files in the /home/e-smith directory (config files) from the backup gz/tar, it works fine, even with all contribs.
I just have to setup all settings again :cry: but at least I can.
-
Replace /etc/e-smith/templates/etc/rc.d/init.d/masq/91adjustPortForward with this:
# ------------------------ cut here ----------------------------------------
#
# Corrected UDP PortForwarding Bug! (by Néstor D. Díaz - nestorddiaz@matelogic.com.ar)
#
{
    my $pf_chain = "PortForwarding_\$\$";
    $OUT .= "# Create a new PortForwarding chain\n";
    $OUT .= "PFC=\$(/sbin/iptables --table nat ";
    $OUT .= "--numeric --list PortForwarding |\\\n";
    $OUT .= " sed -n '3s/ .*//p')\n";
    $OUT .= " /sbin/iptables --table nat --new-chain $pf_chain\n";
    foreach my $protocol (qw(tcp udp))
    {
        my $uproto = uc $protocol;
        my $propname = $uproto . "Forwards";
        my %forwards = split(/,/, $masq{$propname} || '');
        foreach my $port (keys %forwards)
        {
            my ($ip, $dport) = split(/:/, $forwards{$port});
            $port =~ s/-/:/;
            $OUT .= " /sbin/iptables --table nat --append $pf_chain " .
                    "--protocol $protocol \\\n" .
                    # Set up local port to forward
                    " --destination-port ${port} -j DNAT " .
                    # Set up the remote port to forward to
                    "--to-destination $ip";
            # Append the dport if any.
            $OUT .= ":$dport" if $dport;
            $OUT .= "\n";
            # And accept the incoming packets. Use the dport if there is one.
            ($port = $dport) =~ s/-/:/ if $dport;
            # If this rule is forwarding to localhost, ExternalIP or LocalIP,
            # then we must allow it on the INPUT chain instead of the FORWARD
            # chain.
            if (($ip eq '127.0.0.1') ||
                ($ip eq $InternalInterface{IPAddress}))
            {
                # Bad doggie! Bad!
                die "Port-forwarding to localhost or internal interface not permitted.\n";
            }
            elsif ($ip eq $ExternalInterface{IPAddress})
            {
                if ($uproto eq 'tcp')
                {
                    $OUT .= " adjust_tcp_in $port ACCEPT Inbound${uproto}_\$\$\n";
                }
                else
                {
                    $OUT .= " adjust_udp_in $port ACCEPT Inbound${uproto}_\$\$\n";
                }
            }
            else
            {
                if ($uproto eq 'tcp')
                {
                    $OUT .= " adjust_tcp_in $port ACCEPT Forwarded${uproto}_\$\$ $ip/32\n";
                }
                else
                {
                    $OUT .= " adjust_udp_in $port ACCEPT Forwarded${uproto}_\$\$ $ip/32\n";
                }
            }
        }
    }
    # having created a new PortForwarding chain, activate it and destroy
    # the old.
    $OUT .= " /sbin/iptables --table nat --replace PortForwarding 1 " .
            "--destination \$OUTERNET --jump $pf_chain\n";
    $OUT .= " /sbin/iptables --table nat --flush \$PFC\n";
    $OUT .= " /sbin/iptables --table nat --delete-chain \$PFC\n";
}
# ------------------------ cut here ----------------------------------------
Or Download this file from:
http://www.matelogic.com.ar/91adjustPortForward
Cheers!
-
Sorry!!!
Where "if ($uproto eq 'tcp')" must say "if ($protocol eq 'tcp')".
Download from here:
http://www.matelogic.com.ar/91adjustPortForward
-
Example of the Bug:
-----------------------
Some IPTables Rules:
Chain ForwardedTCP (1 references)
target              prot opt source    destination
ForwardedTCP_24182  all  --  anywhere  anywhere
denylog             tcp  --  anywhere  anywhere                   tcp flags:SYN,RST,ACK/SYN
Chain ForwardedTCP_24182 (1 references)
target              prot opt source    destination
ACCEPT              tcp  --  anywhere  pc-00007.matelogic.com.ar  tcp dpt:4890
ACCEPT              tcp  --  anywhere  pc-00069.matelogic.com.ar  tcp dpt:4357
ACCEPT              tcp  --  anywhere  pc-00007.matelogic.com.ar  tcp dpt:4500
ACCEPT              tcp  --  anywhere  pc-00069.matelogic.com.ar  tcp dpt:4889
Chain ForwardedUDP (1 references)
target              prot opt source    destination
ForwardedUDP_24182  all  --  anywhere  anywhere
denylog             udp  --  anywhere  anywhere
Chain ForwardedUDP_24182 (1 references)
target              prot opt source    destination
ACCEPT              tcp  --  anywhere  pc-00007.matelogic.com.ar  udp dpt:6430
ACCEPT              tcp  --  anywhere  pc-00009.matelogic.com.ar  udp dpt:27015
ACCEPT              tcp  --  anywhere  pc-00069.matelogic.com.ar  udp dpt:6474
Comment: The last 3 lines must be "udp" protocol.
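Added example, not from the original post: the listing above can be checked mechanically. In the template every per-protocol chain is named Forwarded<PROTO>_<pid> or Inbound<PROTO>_<pid>, so an ACCEPT rule whose prot column disagrees with its chain's protocol is exactly the symptom shown. The function below scans `iptables -L -n` output and reports each such rule, returning their count as its exit status. The sample embedded in it is a constructed rendering of the listing above with private addresses (192.168.5.x) standing in for the hostnames; the `--live` mode runs against the real firewall as root.

```shell
#!/bin/sh
# Added example: flag ACCEPT rules whose protocol does not match the
# Forwarded<PROTO>_<pid> / Inbound<PROTO>_<pid> chain they live in.
# The exit status of find_mismatches is the number of offending rules (0 = clean).

# Constructed sample of `iptables -L -n` output, modelled on the listing in
# this thread with 192.168.5.x addresses standing in for the hostnames.
SAMPLE_FILTER='Chain ForwardedTCP (1 references)
target     prot opt source               destination
ForwardedTCP_24182  all  --  0.0.0.0/0            0.0.0.0/0
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x16/0x02

Chain ForwardedTCP_24182 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.5.7          tcp dpt:4890
ACCEPT     tcp  --  0.0.0.0/0            192.168.5.69         tcp dpt:4357
ACCEPT     tcp  --  0.0.0.0/0            192.168.5.7          tcp dpt:4500
ACCEPT     tcp  --  0.0.0.0/0            192.168.5.69         tcp dpt:4889

Chain ForwardedUDP (1 references)
target     prot opt source               destination
ForwardedUDP_24182  all  --  0.0.0.0/0            0.0.0.0/0
denylog    udp  --  0.0.0.0/0            0.0.0.0/0

Chain ForwardedUDP_24182 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.5.7          udp dpt:6430
ACCEPT     tcp  --  0.0.0.0/0            192.168.5.9          udp dpt:27015
ACCEPT     tcp  --  0.0.0.0/0            192.168.5.69         udp dpt:6474
'

# find_mismatches LISTING: print one line per ACCEPT rule whose prot column
# disagrees with its chain's protocol; exit status is the count of such rules.
find_mismatches() {
    printf '%s\n' "$1" | awk '
        $1 == "Chain" {
            chain = $2; want = ""
            if (chain ~ /^(Forwarded|Inbound)TCP_/) want = "tcp"
            if (chain ~ /^(Forwarded|Inbound)UDP_/) want = "udp"
            next
        }
        want != "" && $1 == "ACCEPT" && $2 != want {
            printf "%s: ACCEPT %s to %s (%s) but this chain is for %s\n",
                   chain, $2, $5, $NF, want
            bad++
        }
        END { exit bad + 0 }'
}

# Usage on the server (as root): sh find_mismatches.sh --live
# Without arguments the constructed sample above is scanned instead.
if [ "${1:-}" = "--live" ]; then
    find_mismatches "$(/sbin/iptables -L -n)" && echo "no mismatches" || echo "mismatched rules: $?"
else
    find_mismatches "$SAMPLE_FILTER" && echo "no mismatches" || echo "mismatched rules: $?"
fi
```

On the sample this reports the three UDP forwards accepted as tcp and exits 3; after the corrected template is installed and masq restarted, the live run should exit 0.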
-
Ok, time to get it working first and then find out what's wrong ;-)
Quite the wrong thing to do. Find out what's wrong, then fix it.
Here's the ultimate recipe:
Step 1 - apply all updates
Step 2 - if there's still a malfunction, report via the Bug Tracker