Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: Drifting on February 18, 2003, 12:05:19 AM

Title: Port Forwarding?
Post by: Drifting on February 18, 2003, 12:05:19 AM
Little bit dazed and confused.
I downloaded a number of RPMs from myez.... one was port forwarding, the other port opening.

Problem now is which file should I install? Port forward has a version ending in 04, and the port open has the file below:

e-smith-packetfilter-1.13.0-07.noarch.rpm

Reason I ask is that I have as yet not been able to get anything to forward! The whole idea was to put the SME box in front of an Exchange server and port forward port 25. Basically this is only a temporary measure so that we can share an ADSL line for email between two companies. One uses the SME box, the other uses all MS.

Have I lost the plot with the forwarding? The menu item appears OK in server-manager. Did I perhaps wrongly choose to install the latest versions of the above files?

Any help with this would be good, as I am rather out of my depth on knowing where to look.

Paul.
Title: Re: Port Forwarding?
Post by: Bill Talcott on February 18, 2003, 12:16:02 AM
Port forwarding and port opening are two totally separate (though similar) packages. Opening just opens incoming ports, useful if you want to run another server program on your SME. Forwarding passes incoming data to a separate LAN server. I have no personal experience with the new version, but the old version works great on 5.0 and 5.5. FYI, the packetfilter RPM is just an updated version of some files, which are needed for the forwarding/opening stuff. It's not actually a part of it.

If you're forwarding port 25, you may just be able to specify the other server as the delegate mail server. I'm not exactly sure what all that does, but it may be the easiest way if that's all you're trying to do...
Title: Re: Port Forwarding?
Post by: Drifting on February 18, 2003, 12:23:40 AM
Yes, I sussed that part out. The bit that was bothering me was that I cannot seem to forward any ports. I even went so far as to load the portopen rpm so as to allow me then to do a port forward from 1000 (SME) to 25 (Exchange box). Still no joy.
Wonder if anyone has ever got this to work on 5.6? I have followed a couple of other threads, but they don't match my setup.
(adsl router fixed ip) - (SME box fixed IP) - (Exchange box now on 198.162.1.101)

I can telnet to port 25 on the SME box. When I try to do a port forward for external port 25 requests, they just vanish into a void...

I can see me buying a router to do this :-) more expense!!

Regards Paul.
Title: Re: Port Forwarding?
Post by: Jon Blakely on February 18, 2003, 04:23:39 AM
Paul,

I have discovered there is a problem with e-smith-packetfilter-1.13.0-07 which was installed with the port opening rpm. It does not allow ports to be forwarded.

You will need to revert back to e-smith-packetfilter-1.13.0-04. You can download it at
http://www.khunjarnet.com/downloads/portopening-SME5.6-only/

then

# rpm -Uvh --force e-smith-packetfilter-1.13.0-04.noarch.rpm --nodeps
# /sbin/e-smith/signal-event post-upgrade
# service masq restart

This will allow both port forwarding and port opening to work.

Jon
Title: Re: Port Forwarding?
Post by: Anthony de Waal on February 19, 2003, 01:12:55 AM
> I have discovered there is a problem with
> e-smith-packetfilter-1.13.0-07 which was installed with the
> port opening rpm. It does not allow ports to be forwarded.

Now THAT is the kind of answer I was hoping to hear for the last two weeks!
This is exactly my setup to forward some ports for letting my son play DirectPlay games on a single computer in the network.
Everybody keeps pointing to the contributed RPMs, without believing when I say I tested it thoroughly but it keeps failing....
I do hope someone with better knowledge of this matter will be able to make a better version, since as I recall it, the previous packetfilter does not allow UDP forwarding.
Thanks,
Thony
Title: Re: Port Forwarding?
Post by: Anthony de Waal on February 19, 2003, 01:51:50 AM
I just did what was needed to replace the packet filter with the old version.

I was surprised to see that after erasing and then reinstalling the portforwarding rpm the ports I had entered came back again.
Trying to delete them made my server-manager freeze, and I couldn't get ssh access either.
After a reboot everything was fine.
Now the forwarding could be confirmed with Portdetective.
Alas, that program only checks tcp, not udp.
I need udp forwarding for DirectPlay.

Can anybody confirm that in this setup udp forwarding is not allowed?

Thanks,
Thony
Title: Re: Port Forwarding?
Post by: Henrik on February 19, 2003, 05:04:44 PM
Hi,

The UDP protocol sends a packet and does not check whether the packet arrives or not, hence you cannot "forward" a UDP packet - only listen for it. So forwarding a UDP packet in fact only just opens the port for the client to listen for it. This is pure "network topologies" and has nothing specific to do with SME server or Linux, so you can't really blame anyone...

I'm using the portforward rpm from that works with no problem. I run a SOF2 game server which uses UDP port 20102.

The files you need are: e-smith-portforwarding-0.1.0-20.noarch.rpm
and: e-smith-packetfilter-1.13.0-04.noarch.rpm

In fact the RPMs just enable newbies like us to configure it from an easy interface.
The command: iptables --help for the "hard" way, or iptables --list for seeing the chains currently in use.

/Henrik
Title: Re: Port Forwarding?
Post by: Anthony de Waal on February 19, 2003, 10:09:25 PM
Henrik wrote:

> UDP protocol sends a package and do not check for if the
> packet arrives or not, hence you can not "forward" a UDP
> packet - only listen for it. So forwarding a UDP packet in
> fact only just opens the port for the client to listen for
> it. This is pure "network topoligies" and have nothing
> specific to do with SME server or linux so you cant really
> blame anyone...

Not quite.
In fact, the portforwarding rpm now inserts the portforwarding chain in /etc/rc.d/init.d/masq:

    /sbin/iptables --table nat --append PortForwarding_$$ --protocol udp \
        --destination-port 2301 -j DNAT --to-destination 192.168.0.205:2301
    adjust_udp_in 2301 ACCEPT InboundUDP_$$

In a previous message (http://forums.contribs.org/index.php?topic=16495.msg63815#msg63815) you can read:
Author: Charlie Brady (charlieb_AT_e-smith.com)
Date:   02-11-03 17:40

>Jon Blakely wrote:

>> Sorry, I put you on the wrong track in your previous post. I
>> made an assumption that if there was an 'Allow_tcp_in' sub
>> routine there was a, 'Allow_udp_in' subroutine. Unfortunately
>> that is not the case.

> There is, but only in the updated e-smith-packetfilter RPM in my contrib directory.

> You'll also need to call the function correctly. You'll need to write a loop and call the function once for each port you wish to open.

>Charlie

In other words: you can't use the latest packetfilter because of a mistake in the portforwarding, but I can't use the old version as well, because the UDP forwarding is not yet implemented (I tested it, and it indeed did not work).

So now I am back to my original question again: what can I do to make it work?

Charlie, are you planning to work on the packetfilter?

Or, can I just disable the packetfilter of e-smith entirely, and implement one of the numerous ones around on the Internet? In that case: how do I disable it (rather than just flush the rules)?
That would of course break the automatic coupling of ports opened with activation of services, so this is only a last resort when all else fails.

Good luck to those who want to improve the program,
and thanks to all for looking into other peoples' problems on this forum.
Kind greetings,
Thony
Title: Re: Port Forwarding?
Post by: Michael Soulier on February 22, 2003, 07:05:06 AM
Henrik wrote:
> UDP protocol sends a package and do not check for if the
> packet arrives or not, hence you can not "forward" a UDP
> packet - only listen for it. So forwarding a UDP packet in
> fact only just opens the port for the client to listen for
> it. This is pure "network topoligies" and have nothing
> specific to do with SME server or linux so you cant really
> blame anyone...

Not quite. While it is true that udp protocol is connectionless, and there is nothing built into the protocol itself to ensure that the packet arrives, it's still an IP packet nonetheless. Port-forwarding simply involves changing the destination IP address of the packet, and the destination port, before the routing decision is made for the packet. TCP vs. UDP is irrelevant, both can be forwarded.

Mike
Title: Re: Port Forwarding?
Post by: Michael Soulier on February 22, 2003, 07:12:22 AM
Anthony de Waal wrote:
>
> > There is, but only in the updated e-smith-packetfilter RPM
> > in my contrib directory.

> In other words: you can't use the latest packetfilter because
> of a mistake in the portforwarding, but I can't use the old
> version as well, because the UDP forwarding is not yet
> implemented (I tested it, and it indeed did not work).

That's not how I read Charlie's response at all. I believe he's suggesting that you take the updated e-smith-packetfilter rpm from his contrib directory. I don't see any mention of a problem with the latest version. Where did you get that impression?

Mike
Title: Re: Port Forwarding?
Post by: Anthony de Waal on February 22, 2003, 02:52:50 PM
Michael Soulier wrote:
>
> That's not how I read Charlie's response at all. I believe
> he's suggesting that you take the updated
> e-smith-packetfilter rpm from his contrib directory. I don't
> see any mention of a problem with the latest version. Where
> did you get that impression?
>
> Mike

Hi Mike,
it is in this thread: Jon Blakely mentioned he found a problem.
Unfortunately he didn't mention what he exactly found.
That there is a problem I can confirm from my own observations.
I can forward a port with the old packetfilter, and not with the new one.
The old version does not let me have DirectPlay gaming work, I guess because of the UDP.

Previous questions I asked about this:
http://forums.contribs.org/index.php?topic=6750.msg24264#msg24264
I'd especially like to know more about the structure of the templating system, and where the variables are stored. If I knew that, I would probably have contributed solutions as well as questions.
Kind greetings,
Thony
Title: Re: Port Forwarding?
Post by: Drifting on March 08, 2003, 10:04:45 PM
I followed your instructions, but I still cannot get this to work. I can only assume that I have made a mistake somewhere?

What I have done is set a portforward for port 1000 to port 25 on another server (MS Exchange) I have also opened port 1000 with portopen.

Any ideas on how I can check what is happening? Tried to telnet to the Esmith server on port 1000 and get nothing, apart from a timeout.

Any suggestions welcome

Regards Paul.
Title: Re: Port Forwarding?
Post by: Anthony de Waal on March 08, 2003, 10:27:45 PM
Hi Paul,
Jon's instructions above fixed my problem with TCP forwarding.
You need the 04 version of Charlie's packetfilter.
I only wait for UDP forwarding, that should not affect your goals.
I think you should remove the opening by the portopening panel. That is supposed to open the ports for processes running on localhost, i.e. your sme box.
To test: telnet your.ip.address.here 1000
This should probably be performed from the outside.
You should see the banner text of your Exchange server.
Send me your IP to my personal mail and I will test it for you.
Kind greetings,
Thony
Drifting wrote:
>
> I followed you instructions, but I still cannot get this to
> work? I can only assume that I have made a mistake somewhere?
>
> What I have done is set a portforward for port 1000 to port
> 25 on another server (MS Exchange) I have also opened port
> 1000 with portopen.
>
> Any ideas on how I can check what is happening? Tried to
> telnet to the Esmith server on port 1000 and get nothing?
> apart from a timeout.
>
> Any suggestions welcome
>
> Regards Paul.
Title: Re: Port Forwarding?
Post by: Drifting on March 09, 2003, 06:13:52 PM
I have now removed the port open as suggested, still no forwarding. The SME box is sitting in our offices connected to the net, so it's not local to me anyway.

Really wished I knew why, this is the main reason for wanting the SME box.

Regards Paul.
Title: Re: Port Forwarding?
Post by: Anthony de Waal on March 09, 2003, 07:38:17 PM
Does the Exchange box have a route to the SME server?
Perhaps the forwarding works, but Exchange can't connect back?
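Paul asked above how to check what is actually happening, Thony suggested a telnet from the outside, and this post raises the route back from the LAN host. The script below is an added example, not code from the thread or from the SME project: it checks, from the SME box itself, the three things that have to be in place before an outside telnet can succeed. The checks parse the text of `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n` read from files, so they run against live output or a saved copy; the sample listings embedded here are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the SME project): verify that a
# forward of external port EXT_PORT to DEST_IP:DEST_PORT is installed.
# Listings are read from files so the checks work on live iptables output
# ("iptables -t nat -L PREROUTING -n", "iptables -L FORWARD -n") or a copy.

# has_dnat EXT_PORT DEST_IP DEST_PORT PROTO < prerouting-listing
# True if nat PREROUTING holds "DNAT <proto> ... dpt:EXT_PORT to:DEST_IP:DEST_PORT".
has_dnat() {
    awk -v proto="$4" -v port="dpt:$1" -v to="to:$2:$3" '
        $1 == "DNAT" && $2 == proto {
            hit_port = 0; hit_to = 0
            for (i = 6; i <= NF; i++) {
                if ($i == port) hit_port = 1
                if ($i == to)   hit_to = 1
            }
            if (hit_port && hit_to) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# forward_allowed DEST_IP DEST_PORT PROTO < forward-listing
# The translated packet still has to pass FORWARD: an ACCEPT for PROTO
# dpt:DEST_PORT whose destination is DEST_IP or any (0.0.0.0/0), or a
# chain policy of ACCEPT, lets it through.
forward_allowed() {
    awk -v proto="$3" -v ip="$1" -v port="dpt:$2" '
        /^Chain FORWARD \(policy ACCEPT\)/ { found = 1; exit }
        $1 == "ACCEPT" && $2 == proto && ($5 == ip || $5 == "0.0.0.0/0") {
            for (i = 6; i <= NF; i++) if ($i == port) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# ip_forwarding_enabled [FILE]: without kernel forwarding the DNATed packet
# never reaches FORWARD at all. FILE defaults to the live sysctl.
ip_forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# check_forward EXT_PORT DEST_IP DEST_PORT PROTO NAT_FILE FWD_FILE [IPFWD_FILE]
# Prints one verdict per check; returns 0 only when all pass.
check_forward() {
    rc=0
    if ip_forwarding_enabled "${7:-}"; then echo "ok   ip_forward is 1"
    else echo "FAIL ip_forward is not 1"; rc=1; fi
    if has_dnat "$1" "$2" "$3" "$4" < "$5"; then echo "ok   DNAT $4/$1 -> $2:$3 present"
    else echo "FAIL no DNAT $4/$1 -> $2:$3 in nat PREROUTING"; rc=1; fi
    if forward_allowed "$2" "$3" "$4" < "$6"; then echo "ok   FORWARD accepts $4 to $2:$3"
    else echo "FAIL FORWARD does not accept $4 to $2:$3"; rc=1; fi
    return $rc
}

# Constructed sample listings: tcp/1000 -> 192.168.0.10:25 is forwarded,
# udp is not. Field layout follows "iptables -L -n".
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1000 to:192.168.0.10:25'
SAMPLE_FWD='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.10         tcp dpt:25'

# demo_check PROTO: run the checks against the samples. On a real box pass
# /proc/sys/net/ipv4/ip_forward and the two saved iptables listings instead.
demo_check() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_NAT" > "$d/nat"
    printf '%s\n' "$SAMPLE_FWD" > "$d/fwd"
    echo 1 > "$d/ipfwd"
    check_forward 1000 192.168.0.10 25 "$1" "$d/nat" "$d/fwd" "$d/ipfwd"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_check tcp
demo_check udp || echo "udp forward missing, as the sample listings show"
```

What these checks cannot see is the point raised in this post: even with all three passing, the reply from the LAN host only gets un-translated if it leaves through the SME box, so the target's default gateway (or at least its route to the outside) must point at the SME box's internal address.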
Title: Re: Port Forwarding?
Post by: Drifting on March 21, 2003, 12:26:03 AM
Well, I have now set up a test win2k server running terminal services, which has the default gateway set to the SME box. I am running all the right rpms (according to the above).

I have setup portforwarding for 3389 both TCP & UDP.

Not a sausage !!!

Ideas? because I am running out of patience, does this port forwarding work for anyone on 5.6 ? (Lack of patience is due to lack of knowledge on Linux & SME).

Any ideas? as I have run out of hair to pull out?

Paul.
Title: Re: Port Forwarding?
Post by: Daniel on March 26, 2003, 03:00:56 AM
So from the top then, for e-smith 5.6:

This is how I read all this.  To OPEN ports, you need to install

dmc-mitel-portopening-0.0.1-3.noarch.rpm

This includes packet filter

e-smith-packetfilter-1.13.0-07.noarch.rpm

which doesn't work.

So then you need to get

e-smith-packetfilter-1.13.0-04.noarch.rpm

and type

# rpm -Uvh --force e-smith-packetfilter-1.13.0-04.noarch.rpm --nodeps
# /sbin/e-smith/signal-event post-upgrade
# service masq restart

That makes port OPENING work.  For port FORWARDING it seems that you need

e-smith-portforwarding-0.1.0-20.noarch.rpm

which also includes

e-smith-packetfilter-1.13.0-07.noarch.rpm

which doesn't work.

So then you need to get

e-smith-packetfilter-1.13.0-04.noarch.rpm

and type

# rpm -Uvh --force e-smith-packetfilter-1.13.0-04.noarch.rpm --nodeps
# /sbin/e-smith/signal-event post-upgrade
# service masq restart


Is anyone still with me?

So is all this correct? Last time I grabbed a port forwarding RPM on forum advice it was an older version still and it broke masq completely.

Can we hear from someone who got it working?

Anthony is especially stuck with the UDP vs TCP problem, but for everyone else all we're after is standard TCP forwarding -- not exactly cutting edge.  Personally, I need for VNC control of windows desktops to provide effective helpdesk support.

If there's no reply I will sit down and document every step until I get it, then post a howto.  If there is a reply, I'll sum all this up in a brand new thread.

Last of all, wouldn't it be nice if TCP and UDP port forwarding was a standard feature?
Title: Re: Port Forwarding?
Post by: Drifting on March 26, 2003, 02:44:00 PM
By George he's got it !!

Well I am glad I am not the only one, I thought perhaps I had not sacrificed enough virgins, check to see if the wind blew from the east, or muttered other special Linux chants!

Seriously though, I have come to the same conclusion, whichever way go it breaks. I would love to know the answer to this one, as we were hoping to become a reseller and use this product for quite a number of customers. Port forwarding for us is an essential, as we require it for mail servers & support (Terminal services).

If you do manage to get it going I will turn myself toward the Great Land of Oz and click my heels three times

Regards Paul.
Title: Re: Port Forwarding?
Post by: darren on March 28, 2003, 10:28:47 AM
how about just installing dmc-mitel-portopening-0.0.1-4.noarch.rpm it uses e-smith-packetfilter-1.10.0-08 and seems to work ok.
Title: Re: Port Forwarding?
Post by: Drifting on March 28, 2003, 02:23:23 PM
Opening is not a problem, well, not tried it yet. In fact I have not even installed it on this current test machine.

All I want is port forwarding to work. This will be the 5th rebuild and not one of them will port forward. I have followed every instruction from multiple posts, all to no avail. Does anyone have a definitive installation instruction that they honestly can say works?

Paul
Title: Re: Port Forwarding?
Post by: Lee Fakes on March 30, 2003, 05:51:59 PM
I tried everything I could and it almost worked. I keep getting refused permission errors. I gave up and went back to 5.5 which works fine. As soon as I get some more time I'll have another crack at it though.

Good luck
Title: Re: Port Forwarding?
Post by: Drifting on March 30, 2003, 07:09:36 PM
I shall assume then, seeing as very few have responded to my request on who actually got it to work, that it is broke. Wished I knew a bit more about Linux, as I was really keen on this product as had an immediate need.

Thanks, Paul.
Title: Re: Port Forwarding?
Post by: Daniel on March 31, 2003, 05:21:13 AM
Drifting, e-smith is not the only linux choice, many others are easy(ish) also.

E-smith is an unusual distro in many ways, partly because it is intended primarily for use in a rack mount server sold by Mitel.

This means they write it to be what they want it to be.  It's not intended as a general sale distribution, so features that Mitel don't want or need are neglected.

The way things should work is one of the people on the forum should write a working port fwding rpm, it's probably more time than difficulty that stops most people here from doing that.

Linux overall is not as scary as it seems.  A large proportion of the executables are scripts (like .bat files) and it's usually not TOO hard to figure them out.

Someone mentioned that you can do the port forwarding from the shell, I'll investigate and let everyone know.

If that doesn't work, the other way around it is to grab a 486 or pentium and use freesco 0.27 or freesco 0.27 pppoe edition (for adsl /cable) from a floppy disk to handle the firewall / internet connection.

Freesco is far, far better than e-smith if you just need the router/firewall/gateway services.  It even has a http daemon.
Title: Re: Port Forwarding?
Post by: Dan Brown on March 31, 2003, 05:56:13 AM
Daniel wrote:

> This means they write it to be what they want it to be.  It's
> not intended as a general sale distribution, so features that
> Mitel don't want or need are neglected.

This is _very_ incorrect.  First, e-smith long pre-dates Mitel involvement in the product.  Second, Mitel continues to sell e-smith (now SME) for general usage, so they apparently intend it as a general sale distro.

The issue (and most of the limitations) come in with the purpose of the system.  It's intended to be very simple to install, configure, and administer.  As a result of that, it isn't as flexible as, say, a full Redhat installation, but it's also more secure.  Also, some of the individual server functions (like Samba) impose limits on the rest of the server--this accounts for the oft-mentioned issue of a single user namespace (i.e., even with virtual domains, each user exists on all domains).

Now, I think it'd be nice to have a good port forwarding panel included in the server manager.  I don't have any real need for it myself (everything I need can be handled through SSH tunnelling, and more securely too), but it's obviously something that a lot of people want.
Title: Re: Port Forwarding?
Post by: Drifting on March 31, 2003, 03:16:26 PM
Thank you both for your input. Perhaps with any luck Mitel will take a look at the port forward issue. I expect we are not the only ones who have to support win2k boxes. The Mitel seemed to fit in rather nicely for the average SME who requires email etc. without the cost or hardware requirements of Exchange, ISA, etc. Many have win2k servers running SQL, so a terminal session into them would be handy.

I did recently download a copy of clark connect, which is very similar to SME server, have not confirmed yet if portforward version works on clark, but it is a hell of a lot cheaper than the commercial version of Mitel.

Will take a look at freesco, thanks for the hint.

Paul.
Title: Re: Port Forwarding -- Fixed?!
Post by: Daniel Rose on May 21, 2003, 07:31:47 AM
Okay....

Now I make NO representations that this is safe, or that it's a good idea.  

So here's a code snippet, both lines are required for one port opening.

# Copied from http://board.protecus.de/showtopic.php?threadid=3361

# With minor modifications by Daniel Rose 12/4/03

        /sbin/iptables -A FORWARD -i $OUTERIF -o $INTERNALIF -p tcp --dport 5900 -j ACCEPT

        /sbin/iptables -t nat -A PREROUTING -p tcp --dport 4661:4662 -j DNAT --to-destination 192.168.0.10:5900

It's double-spaced so you can see where the line breaks are.

You might want to change "tcp" to "udp" and you'll probably want to change 192.168.0.10 to the address of your choice.

You need that code in a file at

/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/

My filenames for this start with 82, e.g.

82-VNC-Forward-to-192-168-0-10

of course once it's there you'll need a

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

then a

/etc/rc.d/init.d/masq restart


All this brings me on to another point; On the client, I've given it a fixed IP address, because using DHCP if it changes the forwarding will go to the wrong PC.

Suppose you have a Windows DHCP client called fred.  I want to put "fred" instead of the IP address in the forwarding commands above. From the e-smith server, fred doesn't resolve -- "ping fred" gives "unknown host."

This annoys me.  Does anyone know how to make e-smith "see" the hostnames of the PCs it gives IP addresses to or do the clients need to be configured to tell e-smith?
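Mike's explanation earlier in the thread (forwarding is a DNAT of the destination address and port before the routing decision, so it applies to TCP and UDP alike) and Daniel's two-line masq fragment describe the same mechanism. The script below is an added example, not code from the thread or from the SME/e-smith project: it generates a templates-custom fragment of the shape Daniel describes for tcp, udp or both, validates the port and address first, and then runs the expand-template and masq restart steps from his post. `$OUTERIF` and `$INTERNALIF` are the interface variables from the thread's snippet; the fragment directory default, the "82-" naming and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the SME project. Writes a
# templates-custom fragment for /etc/rc.d/init.d/masq that forwards one
# external port to a LAN host, with the FORWARD accept and the PREROUTING
# DNAT rule for tcp, udp or both, then expands the template and restarts masq.

# Fragment directory from the thread; override with FRAGMENT_DIR=... for testing.
FRAGMENT_DIR="${FRAGMENT_DIR:-/etc/e-smith/templates-custom/etc/rc.d/init.d/masq}"

# valid_port N: integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D: four numeric octets, each 0..255
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# forward_rules EXT_PORT DEST_IP DEST_PORT PROTO: print the two iptables lines
# for one protocol. Compared with the thread's snippet the FORWARD accept is
# limited to DEST_IP and the DNAT to packets arriving on $OUTERIF, so LAN
# traffic and other hosts are not caught by the rule. The DNAT matches the
# external port; FORWARD sees the packet after translation, hence DEST_PORT.
forward_rules() {
    printf '/sbin/iptables -A FORWARD -i $OUTERIF -o $INTERNALIF -p %s -d %s --dport %s -j ACCEPT\n' "$4" "$2" "$3"
    printf '/sbin/iptables -t nat -A PREROUTING -i $OUTERIF -p %s --dport %s -j DNAT --to-destination %s:%s\n' "$4" "$1" "$2" "$3"
}

# write_fragment NAME EXT_PORT DEST_IP DEST_PORT PROTO: write the fragment and
# print its path. PROTO is tcp, udp or both (both emits four rules).
write_fragment() {
    name=$1; ext=$2; ip=$3; dport=$4; proto=$5
    valid_port "$ext" && valid_port "$dport" && valid_ipv4 "$ip" || {
        echo "write_fragment: bad port or address" >&2; return 1; }
    case $proto in
        tcp|udp) protos=$proto ;;
        both)    protos="tcp udp" ;;
        *) echo "write_fragment: protocol must be tcp, udp or both" >&2; return 1 ;;
    esac
    mkdir -p "$FRAGMENT_DIR" || return 1
    out="$FRAGMENT_DIR/$name"
    {
        echo "# generated: forward external port $ext ($proto) to $ip:$dport"
        for p in $protos; do forward_rules "$ext" "$ip" "$dport" "$p"; done
    } > "$out" || return 1
    echo "$out"
}

# apply_masq: the two steps from the thread, regenerate masq and restart it.
# Only meaningful as root on an e-smith box; skipped elsewhere.
apply_masq() {
    [ -x /sbin/e-smith/expand-template ] || { echo "expand-template not found; skipping" >&2; return 1; }
    /sbin/e-smith/expand-template /etc/rc.d/init.d/masq && /etc/rc.d/init.d/masq restart
}

# Usage: sh forward.sh NAME EXT_PORT DEST_IP DEST_PORT PROTO
#   e.g. sh forward.sh 82-Exchange-smtp 1000 192.168.0.10 25 tcp
if [ $# -eq 5 ]; then
    write_fragment "$@" && apply_masq
fi
```

Because the fragment is regenerated from the template every time masq is expanded, the rules survive a reboot and a re-expansion in the same way as Daniel's hand-written file; keeping them in one fragment per forward also makes removing a forward a matter of deleting that file and re-running the two commands.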