ipchains rule .. port forward

[smp]

okay ... I have ipchains running .. my firewall works and everything i just want to add a line that will redirect port 3450 (or something) to 81 (80? http) on a box internally .. 192.168.0.x

I have read the ipchains howto and other docs and I'm just confused .. I need examples

 

[LNXman]

Assuming you have port forwarding enabled (i.e. compiled the support and enabled it with echo 1 > /proc/sys/net/ipv4/ip_forward):

You first initialize forwarding (assuming your have flushed everything in the begining, i.e. /usr/sbin/ipchains -F):

#Make sure all port forwarding is denied, then allow incoming requests to be forwarded to your NAT via your external connection interface (i.e. eth0)
/usr/sbin/ipchains -P forward DENY
/usr/sbin/ipchains -A forward -i eth0 -j MASQ

Now, you write your forwarding rules (these are done with the ipmasqadm):

#since you are going to use ipmasqadm, you need to flush it first (like everything else you start in your firewall)
/usr/sbin/ipmasqadm portfw -f

#now you can forward incoming requests through your external IP via port 3450 to your desired internal IP port 81
/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXT_IP 3450 -R $INT_IP 81

Hope this helps.

GL

 

[smp]

Thanks .. that all makes sense to me .. but something is messed up on my end. When I try to run my new firewall script .. it complains;

./rc.firewall: /usr/sbin/ipmasqadm: No such file or directory
./rc.firewall: /sbin/ipmasqadm: No such file or directory
./rc.firewall: /usr/sbin/ipmasqadm: No such file or directory

It doesn't complain about my ipchains rules, which have been running for a long time on this box (like over a year) .. what gives?

Nice sig BTW
Making linux be a desktop is driving me insane for sure

 

[LNXman]

OOOPS! I should have mentioned you had to install the forwarding utilitiy (ipmasqadm) in order to accomplish forwarding.

You should be able to find it for your particular distribution. It is pretty much a standard utility.


GL

 

[smp]

apt-get install ipmasqadm

 

[smp]

Hmm .. using your exact line I get this error;

portfw: illegal local address/port specified



ipmasqadm is installed and appears to be working okay though .. as that is the only error I get. Thanks for all your help by the way, this is really helpful.

 

[LNXman]

If you use the exact line, you will get an error.

Make sure you replace $EXT_IP, and $INT_IP with your target IPs.

GL

 

[LNXman]

Repost!

 

[smp]

doh

uh .. how do I connect to a different port? In address bar type..

www.mydomain.ca:3450

right?

 

[smp]

Okay ... I have fixed the script and it doesn't output any errors .. but it's not working, how do I troubleshoot?

and how do I specify eth0 rather than ip?

/usr/sbin/ipmasqadm portfw -a -P tcp -L eth0 3450 -R 192.168.0.30 81

this doesn't work .. of course, I have the wrong flag no? Instead of -L it should be something else right?

 

[LNXman]

uh .. how do I connect to a different port? In address bar type..

www.mydomain.ca:3450

right?

If you are using a normal browser, then yes.

 

[smp]

bump cause I edited my last post ...

 

[LNXman]

Originally posted by: smp
Okay ... I have fixed the script and it doesn't output any errors .. but it's not working, how do I troubleshoot?

and how do I specify eth0 rather than ip?

/usr/sbin/ipmasqadm portfw -a -P tcp -L eth0 3450 -R 192.168.0.30 81

this doesn't work .. of course, I have the wrong flag no? Instead of -L it should be something else right?

What did you write in the forwarding line?

I believe, that ipmasqadm does not manage network interfaces because ipchains already has the ability to manage them. ipmasqadm is a filter for paquets and can only handle IP addresses AFAIK. Someone may correct me if I am wrong.
Unfortunately, I do not currently use/have ipchains in my machine because I upgraded to iptables. However, I may go back to ipchains because iptables connection tracking does not have some of the features I used to have with ipchains (i.e. Quake connection tracking being one of them ) You may have to do a man to find out more about ipmasqadm. . .

GL

 

[smp]

this;

/usr/sbin/ipmasqadm portfw -a -P tcp -L $currentip 3450 -R 192.168.0.30 81

is my exact line .. I get a "portfw: illegal local address/port specified" error when I try to run it from CLI .. ? hmmm .. why would it be an illigal port? Could it be that my box doesn't recognize any ports other than the ones that are tied to deamons? Is that possible?

 

[LNXman]

what is $currentip?

for me I would assume $currentip would be:

currentip=`ifconfig $ext_int | grep inet | cut -d : -f 2 | cut -d \ -f 1`

where $ext_int would be:

ext_int="eth0" (if I have a static ip), or

ext_int="ppp0" (if I have a dynamic ip using pppoe, or some sort of ppp connection)


BTW, you since the formatting for posting suX here, I just noticed that for the second cut command, you need to have two (2) spaces after the \ and NOT one (1) as it is shown above.

GL

/edit: added BTW

 

[smp]

oh yeah .. no $currentip is specified at the beginning of my rc.firewall script .. like so;

currentip=xxx.xx.xxx.xx

this box is a router .. so eth0 is the above addy .. and eth1 is 192.168.0.1
currentip is the wan address.

 

[LNXman]

Originally posted by: smp
oh yeah .. no $currentip is specified at the beginning of my rc.firewall script .. like so;

currentip=xxx.xx.xxx.xx

this box is a router .. so eth0 is the above addy .. and eth1 is 192.168.0.1
currentip is the wan address.

So, your line would translate to:

/usr/sbin/ipmasqadm portfw -a -P tcp -L xxx.xxx.xxx.xxx 3450 -R 192.168.0.30 81

when you run your script.

That should run with no errors.

BTW, if you just run the exact line /usr/sbin/ipmasqadm portfw -a -P tcp -L $currentip 3450 -R 192.168.0.30 81 in CLI, How is ipmasqadm going to know what $currentip is supposed to be? You should run it as it would be translated by your firewall script like the above. . .

Also, are you letting traffic through port 3450 with ipchains? You will need to write rules for it.

GL

/edit: clarified

 

[manly]

FWIW Linux 2.4 iptables has port forwarding built-in without any separate tools. SuSE's SuSEfirewall2 scripts a fairly capable firewall that's easily customized for various purposes. Since SuSEfirewall2 is really just a fancy shell script, you could likely use it on other Linux systems without much effort.

 

[smp]

Also, are you letting traffic through port 3450 with ipchains? You will need to write rules for it.

ah .. that's what's wrong .. how do I go about opening up that port?

 

[smp]

Originally posted by: manly
FWIW Linux 2.4 iptables has port forwarding built-in without any separate tools. SuSE's SuSEfirewall2 scripts a fairly capable firewall that's easily customized for various purposes. Since SuSEfirewall2 is really just a fancy shell script, you could likely use it on other Linux systems without much effort.

Thanks .. but I'm using a kernel that doesn't have iptables and i'm too lame to screw with my firewall setup right nwo .. cause I'm too lame and too much of a noob .. soon though I hope to rebuild the whole thing from scratch

 

[LNXman]

Originally posted by: smp
ah .. that's what's wrong .. how do I go about opening up that port?

Here is a little snippet for your case that you may need to set up

---------------->8---------------------

EXTERNAL_INTERFACE="eth0"
EXT_IP="your.ip.address"
WEB_SERVER=$EXT_IP #because you are going to forward the request later with ipmasqadm
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"

#Acessing remote websites
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $EXT_IP $UNPRIVPORTS -d $ANYWHERE 80 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 80 -d $EXT_IP $UNPRIVPORTS -j ACCEPT

#Allowing incoming requests to your LAN (for port 3450 in your case)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $WEB_SERVER $UNPRIVPORTS -d $ANYWHERE 3450 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE ! -y -p tcp -s $ANYWHERE 3450 -d $WEB_SERVER $UNPRIVPORTS -j ACCEPT
ipchains -A forward -i $EXTERNAL_INTERFACE -p tcp -s $WEB_SERVER $UNPRIVPORTS -d $ANYWHERE 3450 -j MASQ #we are allowing NAT forwarding of this request with ipchains

---------------->8---------------------

And I believe that should be all you should need for this particular feat. If you need to debug, add a "-l" at the end of each ipchain rule line. The messages it outputs should be posted on /var/log/debug, or /var/log/messages. I am not 100% sure. Thanks for the practice of this stuff, now that I am about to go back to using ipchains. . .

Hope this helps,

GL

/edit: Fixed typo