LinuxMCE Forums
General => Users => Topic started by: simon_b on March 18, 2008, 07:48:16 am
-
Hi!
I have 3 Dreamboxes (satellite receivers) in my house, behind the core since the LinuxMCE installation... They need to be accessible from the internet (don't ask me why, it's a "funny" reason).
Before that, to get to these boxes, I just set port forwarding on my DSL modem/router as follows:
port 5901 in -- port 5900 and ip 192.168.0.5 out
port 5902 in -- port 5900 and ip 192.168.0.6 out
port 5903 in -- port 5900 and ip 192.168.0.7 out
That worked without any problems, as I said, until the LMCE install.
First, I tried to access only the core. So I set it up just like: port 5900 in - port 5900 and 192.168.0.31 out (that is my static core IP). No problem!** ;D
BUT, if I try to set the port forwarding up on the DSL modem/router and the core, as follows, it does not work...
DSL MODEM/ROUTER:
port 5901 in -- port 5901 and core ip (192.168.0.31) out
port 5902 in -- port 5902 and core ip out
port 5903 in -- port 5903 and core ip out
...
CORE:
port 5901 in -- port 5900 and 192.168.80.5 out (first box)
port 5902 in -- port 5900 and 192.168.80.6 out (second box)
port 5903 in -- port 5900 and 192.168.80.7 out (third box)
:-\ :-\ :-\
The boxes can connect to the internet, so there is no problem with their network setup...
So I'm pretty desperate already, 'cause I need these "ports and stuff"....
Oh, and something: I disabled the firewall. With the firewall on I couldn't manage even the (**) thing above...
Is it a firewall/port forwarding issue or my issue??
>:(
-
This looks like it would work. Are you on beta 4?
So you have:
ExtIP:5901 -> 192.168.0.31:5901 -> 192.168.80.5:5900
ExtIP:5902 -> 192.168.0.31:5902 -> 192.168.80.6:5900
ExtIP:5903 -> 192.168.0.31:5903 -> 192.168.80.7:5900
I'd expect it to work fine.
-
Hi!
Yes, I'm on beta 4... but it doesn't work....
No matter what I try - ext.IP:1 or ext.IP:5901 etc...
it does not work...
-
can you show us the output of the following command?:
iptables -L -v -n
-
Hi zaerc...
here is the result:
linuxmce@dcerouter:~$ sudo iptables -L -v -n
Chain INPUT (policy DROP 49235 packets, 16M bytes)
pkts bytes target prot opt in out source destination
476K 62M ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
39M 7567M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x1
17 6069 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
120K 7992K ACCEPT 0 -- * * 192.168.80.0/24 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2000
Chain FORWARD (policy ACCEPT 25723 packets, 23M bytes)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * ppp+ 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 39M packets, 14G bytes)
pkts bytes target prot opt in out source destination
and the copy of my "firewall settings" page:
protocol Source Port Destination Port Destination IP Rule Type Limit to IP
udp 4569 to 0 0 core_input Delete
udp 5060 to 0 0 core_input Delete
udp 2000 to 0 0 core_input Delete
tcp 2000 to 0 0 core_input Delete
udp 3500 to 4500 4000 192.168.80.15 port_forward Delete
tcp 3500 to 4500 4000 192.168.80.15 port_forward Delete
udp 5901 to 5901 5900 192.168.80.1 port_forward Delete
udp 5902 to 5902 5900 192.168.80.2 port_forward Delete
udp 5903 to 5903 5900 192.168.80.3 port_forward Delete
udp 5904 to 5904 5900 192.168.80.4 port_forward Delete
-
There are 2 different rules involved: one tells the core to accept traffic on that port... the other tells it to forward those ports to said IP.
You can just do a range of 5901-5903 and use a "core_input" rule as well as the "port_forward" ones; you need both.
-
Hmmm orionsune... I think these upper rules were added through remote assistance, which I enabled... I can remove them...
This range 5901-5903 that you are talking about and core_input... How do I send the data on to the boxes if there is only core_input and a range???
-
Your "port_forward" rules will send the data to the right box...
The "core_input" rules simply instruct your LinuxMCE box to ACCEPT traffic on those ports. By default those ports are closed. Unless you have your firewall disabled already; in that case I don't have any suggestions other than researching how to use iptables on the command line to implement your forwarding rules.
When you're defining a "core_input" rule the only fields you're going to use are the first one for choosing "protocol" and the two boxes for "source port"... the "source port" fields are your range, so in the first box you'd put 5901 and in the second box you'd put 5903, and from your rules you need udp, so you choose udp under "protocol", then click "Add"... that's it.
-
Oh... I think that would be too much for me right now....
Well... hope not... 8)
-
OK, here is an example. This is a copy-paste of what the rules would look like if I wanted to accept AND forward port 25 to an internal SMTP server.
tcp 25 to 25 0 0 core_input Delete
tcp 25 to 25 25 192.168.75.11 port_forward Delete
See how port 25 is specified TWICE, once in "core_input" and once using "port_forward"...
Each port you want to forward would need to look like my example...
another easy but less secure solution would be to totally disable your firewall, then it would accept traffic on ALL ports. I would highly advise AGAINST that action. I only mention it to help you understand the nature of all this.
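For readers who want to see what those web-UI rows become on the command line, here is an added example from the editor; it is not code from this thread or from LinuxMCE. It assumes eth1 is the outside NIC (192.168.0.31) and eth0 the inside NIC (192.168.80.1), as the ifconfig and route output posted later in this thread shows, and takes the final Dreambox mapping (ExtIP:5901-5903 to 192.168.80.2-4, port 5900) from the later posts. The `fw_rules` and `dreambox_rules` names, the `--apply` switch and the `WAN_IF`/`LAN_IF` variables are the example's own.

```shell
#!/bin/sh
# Added example (editor's, not LinuxMCE's firewall code): the iptables
# commands behind one "port_forward" row from the thread.
# Assumptions taken from the posted ifconfig/route output:
#   eth1 = outside NIC (192.168.0.31), eth0 = inside NIC (192.168.80.1).
WAN_IF=${WAN_IF:-eth1}
LAN_IF=${LAN_IF:-eth0}

# fw_rules PROTO EXTPORT INTIP INTPORT [ALLOWED_SRC]
# Prints the two rules one forwarded port needs:
#   1. nat/PREROUTING DNAT   - rewrites ExtIP:EXTPORT to INTIP:INTPORT
#      (this is what a "port_forward" row turns into; compare the posted
#      "iptables -L -v -n -t nat" output further down the thread)
#   2. filter/FORWARD ACCEPT - a DNAT'd packet goes PREROUTING -> routing
#      decision -> FORWARD and never enters INPUT, so this is the filter
#      rule that applies to it. The thread's FORWARD policy is ACCEPT,
#      which makes this rule redundant there, but it keeps the set
#      correct if the policy is ever switched to DROP.
# ALLOWED_SRC corresponds to the UI's "Limit to IP" column: keep the
# default 0.0.0.0/0 only if the service behind the port really has to be
# reachable from the whole internet.
fw_rules() {
    proto=$1; ext=$2; ip=$3; port=$4; src=${5:-0.0.0.0/0}
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$src" "$proto" "$ext" "$ip" "$port"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$src" "$proto" "$ip" "$port"
}

# dreambox_rules: ExtIP:5901-5903 -> 192.168.80.2-4:5900, the mapping the
# thread ends up with. Port 5900 is normally a TCP service, while every
# "port_forward" row posted in the thread is udp; emitting both protocols
# lets the per-rule packet counters in "iptables -L -v -n -t nat" show
# which one the client actually sends.
dreambox_rules() {
    i=1
    while [ "$i" -le 3 ]; do
        for proto in tcp udp; do
            fw_rules "$proto" $((5900 + i)) "192.168.80.$((i + 1))" 5900
        done
        i=$((i + 1))
    done
}

# Default action is to print the commands; "--apply" runs them (needs root).
case "${1:-}" in
    --apply) dreambox_rules | sh -e ;;
    *)       dreambox_rules ;;
esac
```

Run it without arguments to review the rules, then with `--apply` as root. After testing from outside, `iptables -L -v -n -t nat` shows which of the tcp/udp pair has a non-zero packet count; the one that stays at zero can be deleted.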
-
Unless you have your firewall disabled already, in that case I don't have any suggestions other than researching how to use iptables on the command line to implement your forwarding rules.
Thanks orionsune... the problem is, my firewall is already disabled....
Oh, another Q: can I set these forwarding and other rules with another app on my server?? Like Firestarter - http://en.wikipedia.org/wiki/Firestarter_%28firewall%29 or etc???
-
The first thing I notice is some discrepancy:
...
DSL MODEM/ROUTER;
port 5901 in -- port 5901 and core ip (192.168.0.31) out
port 5902 in -- port 5902 and core ip out
port 5903 in -- port 5903 and core ip out
...
CORE:
port 5901 in -- port 5900 and 192.168.80.5 out (first box)
port 5902 in -- port 5900 and 192.168.80.6 out (second box)
port 5903 in -- port 5900 and 192.168.80.7 out (third box)
...
...
and the copy of my "firewall settings" page:
protocol Source Port Destination Port Destination IP Rule Type Limit to IP
udp 4569 to 0 0 core_input Delete
udp 5060 to 0 0 core_input Delete
udp 2000 to 0 0 core_input Delete
tcp 2000 to 0 0 core_input Delete
udp 3500 to 4500 4000 192.168.80.15 port_forward Delete
tcp 3500 to 4500 4000 192.168.80.15 port_forward Delete
udp 5901 to 5901 5900 192.168.80.1 port_forward Delete
udp 5902 to 5902 5900 192.168.80.2 port_forward Delete
udp 5903 to 5903 5900 192.168.80.3 port_forward Delete
udp 5904 to 5904 5900 192.168.80.4 port_forward Delete
I'm not sure if this is intended or not, but the line in bold is definitely incorrect. If you want to "forward" packets to your core itself (192.168.80.1) you should use a "core_input" rule instead.
Can you also show us the output of the following command?:
iptables -L -v -n -t nat
I forgot that these rules are added to the "nat" table.
-
Hi!
So, my last setup is as follows:
On the DSL modem/router I set the IP of the core as the only IP exposed (DMZ) to the internet...
On the core I enabled the firewall and set it up as follows:
udp 5902 to 5902 5900 192.168.80.2 port_forward Delete
udp 5903 to 5903 5900 192.168.80.3 port_forward Delete
udp 5904 to 5904 5900 192.168.80.4 port_forward Delete
tcp 0 to 9000 0 0 core_input Delete
udp 0 to 9000 0 0 core_input Delete
udp 4000 to 4000 4000 192.168.80.15 port_forward Delete
tcp 4001 to 4001 4001 192.168.80.15 port_forward Delete
Now I can get to the core, but there is no way to access another computer on the LAN...
The result of: iptables -L -v -n -t nat
linuxmce@dcerouter:~$ sudo iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 1039 packets, 69033 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5902 to:192.168.80.2:5900
0 0 DNAT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5903 to:192.168.80.3:5900
0 0 DNAT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5904 to:192.168.80.4:5900
0 0 DNAT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4000 to:192.168.80.15:4000
0 0 DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4001 to:192.168.80.15:4001
Chain POSTROUTING (policy ACCEPT 5160 packets, 378K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE 0 -- * eth1 192.168.80.0/24 !192.168.80.0/24
Chain OUTPUT (policy ACCEPT 5160 packets, 378K bytes)
pkts bytes target prot opt in out source destination
-
From what I can see the firewall rules seem to be correct. The only thing "unusual" I see is eth1, so I'm guessing you have the interfaces "swapped", that shouldn't make any difference though. Unless they aren't supposed to be, which happened to me once when I mistook the "swap interfaces" button for the "update" button on the network settings screen.
-
Hmmm, eth1 is "the outside NIC"... is that right???
-
Not by default, but in your setup it is (from the looks of it). Can you show me the output of "ifconfig -a" and "route -n" as well?
-
ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:17:3F:08:F1:C2
inet addr:192.168.80.1 Bcast:192.168.80.255 Mask:255.255.255.0
inet6 addr: fe80::217:3fff:fe08:f1c2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:137706684 errors:0 dropped:0 overruns:0 frame:0
TX packets:137702986 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28789092929 (26.8 GB) TX bytes:49099482456 (45.7 GB)
Interrupt:16
eth1 Link encap:Ethernet HWaddr 00:1D:7D:24:63:1E
inet addr:192.168.0.31 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::21d:7dff:fe24:631e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1183078 errors:0 dropped:0 overruns:0 frame:0
TX packets:1017106 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:504100098 (480.7 MB) TX bytes:99105386 (94.5 MB)
Interrupt:23 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1662923 errors:0 dropped:0 overruns:0 frame:0
TX packets:1662923 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:198434028 (189.2 MB) TX bytes:198434028 (189.2 MB)
and route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.80.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 eth1
-
Looks all fine to me. The only thing I can think of when reading back is that you said in your original post that the IP numbers of the Dreamboxes were .5-.7 and now you have forwarded to .2-.4; have their IPs been changed in the meantime?
-
Hi!
No, these 5-7 were only given as samples... The real IPs are 192.168.80.2-4, as in these last replies... Could I try some other firewall?? Like Firestarter???
-
I have no idea whether installing another firewall package would be a good idea; you can try, but don't be too surprised if it breaks a few things. On the other hand it might give you some clues as to what is wrong.
As far as I can tell firewalling (and networking) have been setup correctly. So I would expect the problem to lie elsewhere.
-
OK, I reinstalled the CORE and switched the network interfaces; the port forwarding still doesn't work...
here is my configuration:
udp 4569 to 0 0 core_input Delete
udp 5060 to 0 0 core_input Delete
udp 2000 to 0 0 core_input Delete
tcp 2000 to 0 0 core_input Delete
udp 0 to 8000 0 0 core_input Delete
tcp 0 to 8000 0 0 core_input Delete
udp 4000 to 4000 4000 192.168.80.15 port_forward Delete
tcp 4001 to 4001 4001 192.168.80.15 port_forward Delete
udp 5901 to 5901 5900 192.168.80.2 port_forward Delete
Clues maybe?
-
also, here is my iptables -L -v -n -t nat:
linuxmce@dcerouter:~$ sudo iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 304K packets, 19M bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4000 to:192.168.80.15:4000
21 1092 DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4001 to:192.168.80.15:4001
0 0 DNAT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5901 to:192.168.80.2:5900
Chain POSTROUTING (policy ACCEPT 2144K packets, 157M bytes)
pkts bytes target prot opt in out source destination
2834 172K MASQUERADE 0 -- * eth1 192.168.80.0/24 !192.168.80.0/24
Chain OUTPUT (policy ACCEPT 2144K packets, 157M bytes)
pkts bytes target prot opt in out source destination
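A counter check for that output, added by the editor (not code from the thread or from LinuxMCE): the pkts column is the first one, and in the chain above the tcp 4001 rule has matched 21 packets while both udp rules, including the 5901 one, are still at 0. A DNAT rule that stays at 0 while you test from outside means no packet with that interface, protocol and port reached PREROUTING at all, so the fault is upstream of the core (the router's forward, the protocol the client uses, or testing from the LAN side where `-i eth1` can never match) rather than further down the core's ruleset. The script parses `iptables -L -v -n -t nat` and separates rules that have matched from rules that never have; the `dnat_counters`/`miss_count`/`sample_report` names and the `--live` switch are its own, and the embedded sample is the PREROUTING chain exactly as posted.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or LinuxMCE): classify every
# DNAT rule in "iptables -L -v -n -t nat" output by whether its packet
# counter (first column) has ever moved. "miss" = no matching packet has
# reached PREROUTING yet; look upstream of the core before touching rules.

# dnat_counters: stdin = iptables -t nat output
# stdout = "<hit|miss> <proto> <in-if> <dport> <to> <pkts>" per DNAT rule
dnat_counters() {
    awk '$3 == "DNAT" {
        dport = "?"; to = "?"
        for (i = 10; i <= NF; i++) {
            if ($i ~ /^dpt:/) dport = substr($i, 5)
            if ($i ~ /^to:/)  to = substr($i, 4)
        }
        status = ($1 == "0") ? "miss" : "hit"
        print status, $4, $6, dport, to, $1
    }'
}

# miss_count: number of DNAT rules on stdin that have never matched
miss_count() { dnat_counters | grep -c '^miss' || true; }

# Constructed sample: the PREROUTING/POSTROUTING chains as posted above.
SAMPLE='Chain PREROUTING (policy ACCEPT 304K packets, 19M bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4000 to:192.168.80.15:4000
   21  1092 DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4001 to:192.168.80.15:4001
    0     0 DNAT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5901 to:192.168.80.2:5900
Chain POSTROUTING (policy ACCEPT 2144K packets, 157M bytes)
 pkts bytes target prot opt in out source destination
 2834  172K MASQUERADE 0 -- * eth1 192.168.80.0/24 !192.168.80.0/24'

# sample_report: run the classifier over the constructed sample
sample_report() { printf '%s\n' "$SAMPLE" | dnat_counters; }

# "--live" reads the running core (needs root); default uses the sample.
case "${1:-}" in
    --live) iptables -L -v -n -t nat | dnat_counters ;;
    *)      sample_report ;;
esac
```

Usage: zero the counters with `iptables -t nat -Z PREROUTING`, connect once from outside for each forwarded port, then run the script with `--live`; every rule still reported as `miss` never saw a packet on eth1 with that protocol and port.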
-
I ain't letting it go... ;)
Can I set up this port forwarding with a tool like guidedog or something???
-
Is there anyone that has working port forwarding??? Anyone???
-
Following this thread, I've been able to get forwarding through LMCE working. Basically my network is like this:
ISP -> linksys router --+--> LMCE --> home LAN
                        +--> wireless router --> guest LAN
So I could confirm the port forwarding from the guest LAN to the home LAN. I still have a problem with either my linksys router port forwarding or my ISP.
BTW, I'm still using 0710beta3 x86.
HTH,
Roy
-
I was unable to get it to work after much tweaking. I would suggest to the developers to check out the webmin linux firewall module page and consider rewriting the firewall portion adding remote assistance in the mix, denying everything that is not explicitly added.
http://doxfer.com/Webmin/LinuxFirewall
-
So, @nswint, your port forwarding works with this "Doxfer-Webmin" upgrade... or whatever it is...??