LinuxMCE Forums

General => Users => Topic started by: simon_b on March 18, 2008, 07:48:16 am

Title: firewall/port forwarding issue (??)
Post by: simon_b on March 18, 2008, 07:48:16 am
Hi!

I have 3 Dreamboxes (satellite receivers) in my house, which since the LinuxMCE installation sit behind the core... They need to be accessible from the internet (don't ask me why, it's a "funny" reason).

Before that, to get to these boxes, I just set port forwarding on my DSL modem/router like the following:
port 5901 in -- port 5900 and ip 192.168.0.5 out
port 5902 in -- port 5900 and ip 192.168.0.6 out
port 5903 in -- port 5900 and ip 192.168.0.7 out
That worked without any problems, as said, till the LMCE install.

First, I tried to access only the core. So I set it up just like: port 5900 in - port 5900 and 192.168.0.31 out (that is my static core IP). No problem!**  ;D

BUT, if I try to set the port forwarding up on the DSL modem/router and the core as follows, it does not work...

DSL MODEM/ROUTER:
port 5901 in -- port 5901 and core ip (192.168.0.31) out
port 5902 in -- port 5902 and core ip out
port 5903 in -- port 5903 and core ip out
...
CORE:
port 5901 in -- port 5900 and 192.168.80.5 out (first box)
port 5902 in -- port 5900 and 192.168.80.6 out (second box)
port 5903 in -- port 5900 and 192.168.80.7 out (third box)

 :-\ :-\ :-\

the boxes can connect to the internet, so there is no problem with their network setup...

So I'm pretty desperate already, 'cause I need these "ports and stuff"....

Oh, and something: I disabled the firewall. With the firewall on I couldn't even manage the (**) thing above...

Is it a firewall/port forwarding issue or my issue??
 >:(
Title: Re: firewall/port forwarding issue (??)
Post by: diesel12 on March 18, 2008, 08:23:06 am
This looks like it would work. Are you on beta 4?

So you have:

ExtIP:5901 -> 192.168.0.31:5901 -> 192.168.80.5:5900
ExtIP:5902 -> 192.168.0.31:5902 -> 192.168.80.6:5900
ExtIP:5903 -> 192.168.0.31:5903 -> 192.168.80.7:5900

I'd expect it to work fine.
Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on March 18, 2008, 08:50:11 am
Hi!

Yes, I'm on beta 4... but it doesn't work....

No matter what I try - ext.IP:1 or ext.IP:5901 etc...

does not work...
Title: Re: firewall/port forwarding issue (??)
Post by: Zaerc on March 18, 2008, 11:57:14 am
Can you show us the output of the following command?:
Code:
iptables -L -v -n
Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on March 18, 2008, 09:52:06 pm
Can you show us the output of the following command?:
Code:
iptables -L -v -n

Hi zaerc...

here is the result:
Quote
linuxmce@dcerouter:~$ sudo iptables -L -v -n
Chain INPUT (policy DROP 49235 packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination
 476K   62M ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
  39M 7567M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x1
   17  6069 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
 120K 7992K ACCEPT     0    --  *      *       192.168.80.0/24      0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4569
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:5060
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:2000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2000

Chain FORWARD (policy ACCEPT 25723 packets, 23M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 39M packets, 14G bytes)
 pkts bytes target     prot opt in     out     source               destination

and the copy of my "firewall settings" page:
Quote
protocol     Source Port     Destination Port     Destination IP     Rule Type     Limit to IP     
udp    4569 to 0    0       core_input       Delete
udp    5060 to 0    0       core_input       Delete
udp    2000 to 0    0       core_input       Delete
tcp    2000 to 0    0       core_input       Delete
udp    3500 to 4500    4000    192.168.80.15    port_forward       Delete
tcp    3500 to 4500    4000    192.168.80.15    port_forward       Delete
udp    5901 to 5901    5900    192.168.80.1    port_forward       Delete
udp    5902 to 5902    5900    192.168.80.2    port_forward       Delete
udp    5903 to 5903    5900    192.168.80.3    port_forward       Delete
udp    5904 to 5904    5900    192.168.80.4    port_forward       Delete
Title: Re: firewall/port forwarding issue (??)
Post by: orionsune on March 18, 2008, 10:17:02 pm
There are 2 different rules involved, one tells the core to accept traffic on that port... the other tells it to forward those ports to said IP.

You can just do a range of 5901-5903 and use "core_input" rule instead of the "port_forward", need both.
Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on March 18, 2008, 10:33:39 pm
There are 2 different rules involved, one tells the core to accept traffic on that port... the other tells it to forward those ports to said IP.

You can just do a range of 5901-5903 and use "core_input" rule instead of the "port_forward", need both.

Hmmm orionsune... these upper rules I think were added through remote assistance, which I enabled... I can remove them...

This range 5901-5903 that you are talking about and core_input... How to send the data forward to the boxes if there is only core_input and a range???
Title: Re: firewall/port forwarding issue (??)
Post by: orionsune on March 18, 2008, 10:53:39 pm
Your "port_forward" rules will send the data to the right box...


the "core_input" rules simply instruct your linuxmce box to ACCEPT traffic on those ports.  By default those ports are closed. Unless you have your firewall disabled already, in that case I don't have any suggestions other than researching how to use iptables on the command line to implement your forwarding rules.

When you're defining a "core_input" rule the only fields you're going to use are the first one for choosing "protocol" and the two boxes for "source port"... the "source port" fields are your range, so in the first box you'd put 5901 and in the second box you'd put 5903, and from your rules you need udp, so you choose udp under "protocol" then click "Add"... that's it.


Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on March 18, 2008, 11:00:53 pm
Oh... I think that would be too much for me right now....

well... hope not...  8)
Title: Re: firewall/port forwarding issue (??)
Post by: orionsune on March 18, 2008, 11:13:41 pm
Ok, here is an example, this is a copy-paste of what a rule would look like if I wanted to accept AND forward port 25 to an internal smtp server.

Code:
tcp  25 to 25  core_input  Delete
tcp 25 to 25 25 192.168.75.11 port_forward Delete

See, how port 25 is specified TWICE, once in "core_input" and once using "port_forward"...

For each port you want to forward, the rules would need to look like my example...

another easy but less secure solution would be to totally disable your firewall, then it would accept traffic on ALL ports.  I would highly advise AGAINST that action.  I only mention it to help you understand the nature of all this.
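To make the two rule types concrete, here is an added example (my own code, not LinuxMCE's firewall script) that turns rows copied from the admin page's firewall table into the iptables commands they imply. The command shapes are inferred from the `iptables -L -v -n` and `-t nat` listings quoted earlier in this thread (an INPUT ACCEPT for core_input, a nat/PREROUTING DNAT for port_forward); the external interface name eth1 and the extra FORWARD ACCEPT are assumptions, and the real generator may differ in detail.

```python
"""Render LinuxMCE-style firewall rows as the iptables commands they imply.

Added example, not LinuxMCE's own firewall script. The command shapes are
inferred from the `iptables -L -v -n` and `-t nat` listings quoted in this
thread (INPUT ... ACCEPT udp dpt:4569; PREROUTING DNAT ... dpt:5902
to:192.168.80.2:5900); the real generator may differ in detail.
"""
from dataclasses import dataclass
from typing import List

EXTERNAL_IF = "eth1"  # the outside NIC in this thread's setup (assumption)


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp" or "udp"
    src_from: int    # first port of the external ("source") range
    src_to: int      # last port of the range; 0 means "single port"
    dst_port: int    # port on the internal host (0 for core_input)
    dst_ip: str      # internal host ("0" for core_input)
    rule_type: str   # "core_input" or "port_forward"


def parse_row(row: str) -> Rule:
    """Parse one row copied from the admin page's firewall table, e.g.
    'tcp 25 to 25 25 192.168.75.11 port_forward Delete'.
    The trailing 'Delete' is the page's button label, not data."""
    f = row.replace("Delete", "").split()
    if len(f) < 5 or f[2] != "to":
        raise ValueError(f"unrecognised row: {row!r}")
    proto, src_from, src_to, rule_type = f[0], int(f[1]), int(f[3]), f[-1]
    if rule_type == "core_input":
        return Rule(proto, src_from, src_to, 0, "0", rule_type)
    if rule_type == "port_forward" and len(f) >= 6:
        return Rule(proto, src_from, src_to, int(f[4]), f[5], rule_type)
    raise ValueError(f"unrecognised rule type in row: {row!r}")


def port_spec(r: Rule) -> str:
    """iptables --dport argument: a single port or a lo:hi range."""
    if r.src_to in (0, r.src_from):
        return str(r.src_from)
    return f"{r.src_from}:{r.src_to}"


def to_iptables(r: Rule) -> List[str]:
    """core_input: accept on the core itself (INPUT chain).
    port_forward: rewrite the destination in nat/PREROUTING, then let the
    rewritten packet through FORWARD (redundant while FORWARD's policy is
    ACCEPT, as in the listing above, but needed once it is DROP)."""
    ports = port_spec(r)
    if r.rule_type == "core_input":
        return [f"iptables -A INPUT -p {r.proto} --dport {ports} -j ACCEPT"]
    return [
        f"iptables -t nat -A PREROUTING -i {EXTERNAL_IF} -p {r.proto} "
        f"--dport {ports} -j DNAT --to-destination {r.dst_ip}:{r.dst_port}",
        f"iptables -A FORWARD -i {EXTERNAL_IF} -p {r.proto} "
        f"-d {r.dst_ip} --dport {r.dst_port} -j ACCEPT",
    ]


def render_table(rows: List[str]) -> List[str]:
    """Commands for a whole pasted table, in order."""
    cmds: List[str] = []
    for row in rows:
        cmds.extend(to_iptables(parse_row(row)))
    return cmds


if __name__ == "__main__":
    # Sample input: the port-25 pair from the post above, plus a ranged
    # row in the style of the thread's own table.
    sample = [
        "tcp  25 to 25  core_input  Delete",
        "tcp 25 to 25 25 192.168.75.11 port_forward Delete",
        "udp    3500 to 4500    4000    192.168.80.15    port_forward       Delete",
    ]
    for cmd in render_table(sample):
        print(cmd)
```

One point worth keeping in mind when reading the output: a packet whose destination is rewritten in PREROUTING is routed on to the inner host and traverses the FORWARD chain, not INPUT. INPUT only sees traffic addressed to the core itself, which is why a rule whose destination is the core's own address belongs in core_input rather than port_forward.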
Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on March 19, 2008, 08:06:31 am
Unless you have your firewall disabled already, in that case I don't have any suggestions other than researching how to use iptables on the command line to implement your forwarding rules.

Thanks orionsune... the problem is, my firewall is already disabled....

Oh, another Q: can I set these forwarding and other rules with another app on my server?? like Firestarter - http://en.wikipedia.org/wiki/Firestarter_%28firewall%29 or etc???

Title: Re: firewall/port forwarding issue (??)
Post by: Zaerc on March 19, 2008, 01:13:01 pm
The first thing I notice is some discrepancy:

...
DSL MODEM/ROUTER;
port 5901 in -- port 5901 and core ip (192.168.0.31) out
port 5902 in -- port 5902 and core ip out
port 5903 in -- port 5903 and core ip out
...
CORE:
port 5901 in -- port 5900 and 192.168.80.5 out (first box)
port 5902 in -- port 5900 and 192.168.80.6 out (second box)
port 5903 in -- port 5900 and 192.168.80.7 out (third box)
...

...
and the copy of my "firewall settings" page:
Quote
protocol     Source Port     Destination Port     Destination IP     Rule Type     Limit to IP     
udp    4569 to 0    0       core_input       Delete
udp    5060 to 0    0       core_input       Delete
udp    2000 to 0    0       core_input       Delete
tcp    2000 to 0    0       core_input       Delete
udp    3500 to 4500    4000    192.168.80.15    port_forward       Delete
tcp    3500 to 4500    4000    192.168.80.15    port_forward       Delete
udp    5901 to 5901    5900    192.168.80.1    port_forward       Delete
udp    5902 to 5902    5900    192.168.80.2    port_forward       Delete
udp    5903 to 5903    5900    192.168.80.3    port_forward       Delete
udp    5904 to 5904    5900    192.168.80.4    port_forward       Delete

I'm not sure if this is intended or not, but the line in bold is definitely incorrect.  If you want to "forward" packages to your core itself (192.168.80.1) you should use a "core_input" rule instead.

Can you also show us the output of the following command?:
Code:
iptables -L -v -n -t nat
I forgot that these rules are added to the "nat" table.
Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on March 20, 2008, 04:18:35 pm
Hi!

So, my last setup is as follows:
on the DSL modem/router I set the IP of the core as the only IP exposed (DMZ) to the internet...

On the core I enabled the firewall and set it as follows:
Quote
udp     5902 to 5902     5900     192.168.80.2     port_forward         Delete
udp    5903 to 5903    5900    192.168.80.3    port_forward       Delete
udp    5904 to 5904    5900    192.168.80.4    port_forward       Delete
tcp    0 to 9000    0    0    core_input       Delete
udp    0 to 9000    0    0    core_input       Delete
udp    4000 to 4000    4000    192.168.80.15    port_forward       Delete
tcp    4001 to 4001    4001    192.168.80.15    port_forward       Delete

Now, I can get to the core, but there is no way to access another computer on the LAN...

The result of: iptables -L -v -n -t nat
Quote
linuxmce@dcerouter:~$ sudo iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 1039 packets, 69033 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5902 to:192.168.80.2:5900
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5903 to:192.168.80.3:5900
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5904 to:192.168.80.4:5900
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:4000 to:192.168.80.15:4000
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4001 to:192.168.80.15:4001

Chain POSTROUTING (policy ACCEPT 5160 packets, 378K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      eth1    192.168.80.0/24     !192.168.80.0/24

Chain OUTPUT (policy ACCEPT 5160 packets, 378K bytes)
 pkts bytes target     prot opt in     out     source               destination



Title: Re: firewall/port forwarding issue (??)
Post by: Zaerc on March 20, 2008, 06:15:12 pm
From what I can see the firewall rules seem to be correct.  The only thing "unusual" I see is eth1, so I'm guessing you have the interfaces "swapped", that shouldn't make any difference though.  Unless they aren't supposed to be, which happened to me once when I mistook the "swap interfaces" button for the "update" button on the network settings screen.
Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on March 20, 2008, 11:57:33 pm
Hmmm, eth1 is "the outside NIC"... is it right???
Title: Re: firewall/port forwarding issue (??)
Post by: Zaerc on March 21, 2008, 12:04:07 am
Not by default, but in your setup it is (from the looks of it).  Can you show me the output of "ifconfig -a" and "route -n" as well?
Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on March 21, 2008, 12:33:52 am
Not by default, but in your setup it is (from the looks of it).  Can you show me the output of "ifconfig -a" and "route -n" as well?
ifconfig -a
Quote
eth0      Link encap:Ethernet  HWaddr 00:17:3F:08:F1:C2
          inet addr:192.168.80.1  Bcast:192.168.80.255  Mask:255.255.255.0
          inet6 addr: fe80::217:3fff:fe08:f1c2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:137706684 errors:0 dropped:0 overruns:0 frame:0
          TX packets:137702986 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28789092929 (26.8 GB)  TX bytes:49099482456 (45.7 GB)
          Interrupt:16

eth1      Link encap:Ethernet  HWaddr 00:1D:7D:24:63:1E
          inet addr:192.168.0.31  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21d:7dff:fe24:631e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1183078 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1017106 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:504100098 (480.7 MB)  TX bytes:99105386 (94.5 MB)
          Interrupt:23 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1662923 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1662923 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:198434028 (189.2 MB)  TX bytes:198434028 (189.2 MB)

and route -n
Quote
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.80.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 eth1
Title: Re: firewall/port forwarding issue (??)
Post by: Zaerc on March 21, 2008, 12:53:02 am
Looks all fine to me; the only thing I can think of when reading back is that you said in your original post that the IP numbers of the Dreamboxes were .5-.7 and now you have forwarded to .2-.4. Have their IP#s been changed in the meantime?
Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on March 21, 2008, 09:34:24 am
Looks all fine to me; the only thing I can think of when reading back is that you said in your original post that the IP numbers of the Dreamboxes were .5-.7 and now you have forwarded to .2-.4. Have their IP#s been changed in the meantime?

Hi!

No, these 5-7 were only given as samples... The real IPs are 192.168.80.2-4, like in these last replies... Could I try with some other firewall?? Like Firestarter???
Title: Re: firewall/port forwarding issue (??)
Post by: Zaerc on March 21, 2008, 12:38:22 pm
I have no idea whether installing another firewall package would be a good idea; you can try, but don't be too surprised if it breaks a few things.  On the other hand it might give you some clues as to what is wrong.

As far as I can tell firewalling (and networking) have been set up correctly.  So I would expect the problem to lie elsewhere.
Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on March 29, 2008, 01:30:52 am
OK, I reinstalled the CORE and switched the network interfaces; the port forwarding still doesn't work...

here is my configuration:
Quote
udp     4569 to 0     0         core_input         Delete
udp    5060 to 0    0       core_input       Delete
udp    2000 to 0    0       core_input       Delete
tcp    2000 to 0    0       core_input       Delete
udp    0 to 8000    0    0    core_input       Delete
tcp    0 to 8000    0    0    core_input       Delete
udp    4000 to 4000    4000    192.168.80.15    port_forward       Delete
tcp    4001 to 4001    4001    192.168.80.15    port_forward       Delete
udp    5901 to 5901    5900    192.168.80.2    port_forward       Delete

Clues maybe?
Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on March 30, 2008, 09:02:54 pm
also, here is my iptables -L -v -n -t nat:

Quote
linuxmce@dcerouter:~$ sudo iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 304K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:4000 to:192.168.80.15:4000
   21  1092 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4001 to:192.168.80.15:4001
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5901 to:192.168.80.2:5900

Chain POSTROUTING (policy ACCEPT 2144K packets, 157M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2834  172K MASQUERADE  0    --  *      eth1    192.168.80.0/24     !192.168.80.0/24

Chain OUTPUT (policy ACCEPT 2144K packets, 157M bytes)
 pkts bytes target     prot opt in     out     source               destination
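The counters in this listing are the most useful diagnostic the thread has: the tcp dpt:4001 DNAT rule has matched 21 packets, while every udp rule has matched 0, so no UDP datagram for those ports has reached eth1 at all and the core has never had anything to forward. Below is an added example (my own code, not LinuxMCE's) that parses an `iptables -L -v -n -t nat` listing and reports three things a defender checks first: DNAT rules with zero hits, DNAT rules whose target is the core's own LAN address (which, as noted earlier in the thread, should be a core_input rule instead), and UDP forwards to ports whose service only speaks TCP. The sample listing is constructed from the output above plus one marked extra line; the service lookup table is a small constructed list (RFB/VNC on 5900 is a TCP service, which is general knowledge rather than something the thread states); CORE_LAN_IP is taken from the ifconfig output earlier in the thread.

```python
"""Audit the DNAT rules in an `iptables -L -v -n -t nat` listing.

Added example, not LinuxMCE code. SAMPLE_LISTING is constructed from the
output quoted in this thread, plus one marked extra line that forwards to
the core's own address (as the earlier firewall-settings table did).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

CORE_LAN_IP = "192.168.80.1"  # eth0 address from the ifconfig output above
# Small constructed lookup of well-known services that only speak TCP.
TCP_ONLY_SERVICES = {22: "SSH", 25: "SMTP", 80: "HTTP", 443: "HTTPS", 5900: "VNC/RFB"}

# Columns of a -v -n rule line: pkts bytes target prot opt in out src dst [extras]
DNAT_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+DNAT\s+(\S+)\s+\S+\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 304K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:4000 to:192.168.80.15:4000
   21  1092 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4001 to:192.168.80.15:4001
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5901 to:192.168.80.2:5900
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5904 to:192.168.80.1:5900

Chain POSTROUTING (policy ACCEPT 2144K packets, 157M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2834  172K MASQUERADE  0    --  *      eth1    192.168.80.0/24     !192.168.80.0/24
"""
# The dpt:5904 line above is constructed: a forward to the core itself.


@dataclass
class Dnat:
    pkts: int
    proto: str
    in_if: str
    dport: Optional[int]
    to_ip: str
    to_port: Optional[int]


def count(s: str) -> int:
    """Counters are printed with K/M/G suffixes once they get large."""
    mult = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if s[-1] in mult:
        return int(float(s[:-1]) * mult[s[-1]])
    return int(s)


def parse_nat_listing(text: str) -> List[Dnat]:
    """Extract every DNAT rule line; other targets and headers are skipped."""
    rules: List[Dnat] = []
    for line in text.splitlines():
        m = DNAT_RE.match(line)
        if not m:
            continue
        pkts, _bytes, proto, in_if, extra = m.groups()
        dport = re.search(r"dpt:(\d+)", extra)
        to = re.search(r"to:([\d.]+)(?::(\d+))?", extra)
        if not to:
            continue
        rules.append(Dnat(count(pkts), proto, in_if,
                          int(dport.group(1)) if dport else None,
                          to.group(1),
                          int(to.group(2)) if to.group(2) else None))
    return rules


def audit(rules: List[Dnat], core_ip: str = CORE_LAN_IP) -> List[str]:
    """Return one human-readable finding per problem spotted."""
    findings: List[str] = []
    for r in rules:
        tag = f"{r.proto} dpt:{r.dport} -> {r.to_ip}:{r.to_port}"
        if r.pkts == 0:
            findings.append(f"{tag}: 0 packets matched, so nothing arriving on "
                            f"{r.in_if} has hit this rule yet (look upstream, "
                            f"or at the protocol)")
        if r.to_ip == core_ip:
            findings.append(f"{tag}: DNAT to the core's own address; an INPUT "
                            f"accept (core_input) is the right rule for that")
        service = TCP_ONLY_SERVICES.get(r.to_port)
        if r.proto == "udp" and service:
            findings.append(f"{tag}: {service} is a TCP service but the rule "
                            f"forwards udp")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nat_listing(SAMPLE_LISTING)):
        print(finding)
```

Run it against a real listing by piping `sudo iptables -L -v -n -t nat` into a file and passing its contents to parse_nat_listing; the zero-hit check is the one to read first, since a rule that nothing has matched cannot be the rule that is misbehaving.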
Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on March 31, 2008, 07:45:56 pm
I ain't letting it go...  ;)

Can I set up this port forwarding with a tool like guidedog or something???

Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on April 02, 2008, 09:10:24 am
Is there anyone who has working port forwarding??? Anyone???
Title: Re: firewall/port forwarding issue (??)
Post by: royw on April 05, 2008, 09:06:02 am
Following this thread, I've been able to get forwarding thru the LMCE working.  Basically my network is like this:

ISP -> linksys router --+--> LMCE --> home LAN
                        +--> wireless router --> guest LAN

So I could confirm the port forwarding from the guest LAN to the home LAN.  I still have a problem with either my linksys router port forwarding or my ISP.

BTW,   I'm still using 0710beta3 x86.

HTH,
Roy
Title: Re: firewall/port forwarding issue (??)
Post by: nswint on April 12, 2008, 10:48:47 pm
I was unable to get it to work after much tweaking.  I would suggest to the developers to check out the webmin linux firewall module page and consider rewriting the firewall portion, adding remote assistance in the mix and denying everything that is not explicitly added.


http://doxfer.com/Webmin/LinuxFirewall
Title: Re: firewall/port forwarding issue (??)
Post by: simon_b on April 14, 2008, 08:45:21 am
I was unable to get it to work after much tweaking.  I would suggest to the developers to check out the webmin linux firewall module page and consider rewriting the firewall portion, adding remote assistance in the mix and denying everything that is not explicitly added.


http://doxfer.com/Webmin/LinuxFirewall


So, @nswint, your port forwarding works with this "Doxfer-Webmin" upgrade...or whatever it is...??