Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: Gaetan on October 12, 2016, 05:33:41 PM
-
Hi,
I have set up a few port forwardings.
Some of them do work but others don't, despite the fact that the destination device is set up correctly.
All the Avaya ones do not work.
Please check the attached screenshots.
How can I check the settings via the command line?
Thanks
Regards
-
You can check with
iptables -t nat -L -vn | less
Look for a PortForwarding_XXXX section (XXXX being a random number). You should see your NAT rules here. When you say "do not work", what do you get? A timeout? Are you sure the destination device is correctly configured? One thing that could explain why the destination device works from your LAN but the NATed ports do not respond would be that the device has no gateway defined (or not the correct one).
-
One thing that could explain why the destination device works from your LAN but the NATed ports do not respond would be that the device has no gateway defined (or not the correct one).
That would be my best guess too.
-
The device has a gateway defined (SME Server, 192.168.1.2).
Here are the results:
iptables -t nat -L -vn | less
Chain OUTPUT (policy ACCEPT 3788K packets, 271M bytes)
pkts bytes target prot opt in out source destination
Chain PortForwarding (1 references)
pkts bytes target prot opt in out source destination
17294 1172K PortForwarding_24452 all -- * * 0.0.0.0/0 xx.xxx.xxx.xxx(our public IP)
Chain PortForwarding_24452 (1 references)
pkts bytes target prot opt in out source destination
111 6548 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4660 to:192.168.1.245:81
1 60 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4661 to:192.168.1.246:554
315 16428 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 to:192.168.1.5:443
1 60 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4664 to:192.168.1.36:21
17 1000 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 to:192.168.1.239:5060
2 108 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5061 to:192.168.1.239:5061
55 3316 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 to:192.168.1.234:5222
1 60 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5269 to:192.168.1.234:5269
21 1052 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.168.1.234:8080
15 848 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443 to:192.168.1.234:8443
105 6324 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8444 to:192.168.1.234:8444
3 425 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:39152:43246 to:192.168.1.239:39152-43246
62 27303 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 to:192.168.1.239:5060
Chain PostroutingOutbound (1 references)
pkts bytes target prot opt in out source destination
427K 31M ACCEPT all -- * * xx.xxx.xxx.xxx(our public IP) 0.0.0.0/0
401K 29M MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain SMTPProxy (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 127.0.0.1
5709 293K ACCEPT all -- * * 0.0.0.0/0 192.168.1.2
7252 424K ACCEPT all -- * * 0.0.0.0/0 xx.xxx.xxx.xxx(our public IP)
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain TransProxy (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 127.0.0.1
22 1228 ACCEPT all -- * * 0.0.0.0/0 192.168.1.2
67 3504 ACCEPT all -- * * 0.0.0.0/0 xx.xxx.xxx.xxx(our public IP)
54953 2908K DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.1.2:3128
Funny thing in the results:
The working port forwards are not shown (4660, 4661, 4662, 4663, 4664) ...
Any suggestions?
Thanks and regards
-
We can see that the 13 NAT rules are all there. And all of them have a non-zero counter, which means packets matching the rules have passed through them. Everything seems OK on the SME side.
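The two checks described in this thread (find the PortForwarding_XXXX chain in `iptables -t nat -L -vn`, then read each DNAT rule's packet counter) can be scripted. The parser below is an added example, not code from the thread or from SME Server; the listing it parses is a constructed excerpt in the same format as the output posted above, with 203.0.113.10 standing in for the public IP, and the `live_listing` helper is a hypothetical wrapper around the real command.

```python
import re
import subprocess
from typing import Dict, List

# Constructed excerpt in the format of `iptables -t nat -L -vn` (not real data).
SAMPLE_NAT_LISTING = """\
Chain PortForwarding (1 references)
 pkts bytes target     prot opt in     out     source               destination
17294 1172K PortForwarding_24452  all  --  *      *       0.0.0.0/0            203.0.113.10
Chain PortForwarding_24452 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  111  6548 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4660 to:192.168.1.245:81
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4664 to:192.168.1.36:21
   17  1000 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060 to:192.168.1.239:5060
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5061 to:192.168.1.239:5061
    3   425 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:39152:43246 to:192.168.1.239:39152-43246
Chain PostroutingOutbound (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

# One DNAT rule line: counters, protocol, single port (dpt:) or range (dpts:), target.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+[KMG]?)\s+DNAT\s+(?P<proto>tcp|udp)\s+.*?"
    r"dpts?:(?P<dport>\d+(?::\d+)?)\s+to:(?P<dest>[\d.]+:[\d-]+)"
)


def parse_port_forwards(listing: str) -> List[Dict]:
    """Return the DNAT rules found in every PortForwarding_* chain of the listing."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            # Only the numbered sub-chain holds the per-port DNAT rules.
            in_chain = line.split()[1].startswith("PortForwarding_")
            continue
        m = RULE_RE.match(line) if in_chain else None
        if m:
            rules.append({"pkts": int(m["pkts"]), "proto": m["proto"],
                          "dport": m["dport"], "dest": m["dest"]})
    return rules


def unhit_forwards(listing: str) -> List[str]:
    """Rules whose counter is still 0: no packet from the WAN has matched them yet."""
    return [f"{r['proto']}/{r['dport']} -> {r['dest']}"
            for r in parse_port_forwards(listing) if r["pkts"] == 0]


def live_listing() -> str:
    """Hypothetical helper: run the real command (needs root on the SME box)."""
    return subprocess.check_output(["iptables", "-t", "nat", "-L", "-vn"], text=True)
```

A rule with a non-zero counter but no working service points at the destination host (missing or wrong default gateway, as suggested above) rather than at the SME NAT configuration.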
-
What is it that you're trying to do from outside the network?
When I do some googling for avaya firewall rules, FTP traffic is included in the results (TFTP for phone firmware loading, I presume). FTP is a special case that is probably being intercepted by the SME server itself, and (as I understand it) requires special considerations in iptables.
-
Chain PortForwarding_24452 (1 references)
pkts bytes target prot opt in out source destination
111 6548 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4660 to:192.168.1.245:81
1 60 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4661 to:192.168.1.246:554
315 16428 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 to:192.168.1.5:443
1 60 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4664 to:192.168.1.36:21
....
Funny thing in the results:
The working port forwards are not shown (4660, 4661, 4662, 4663, 4664) ...
I don't understand what you are saying. I can see 4660, 4661, 4662, 4664. Can't you?