Topic: firewall/port forwarding issue (??)

simon_b

  • Veteran
  • ***
  • Posts: 69
    • View Profile
firewall/port forwarding issue (??)
« on: March 18, 2008, 07:48:16 am »
Hi!

I have some 3 Dreamboxes (satellite receivers) in my house, since Linuxmce installation behind the core... They need to be accessible from the internet (don't ask me why, it's a "funny" reason)

Before that, to get to these boxes, i just set port forwarding on my dsl modem/router like following:
port 5901 in -- port 5900 and ip 192.168.0.5 out
port 5902 in -- port 5900 and ip 192.168.0.6 out
port 5903 in -- port 5900 and ip 192.168.0.7 out
That worked without any problems, like said, till LMCE install.

First, I tried to access only the core. So I set it up just like: port 5900 in - port 5900 and 192.168.0.31 out (that is my static core ip). No problem!**  ;D

BUT, if I try to set the port forwarding up on the dsl modem/router and the core, like follows, it does not work...

DSL MODEM/ROUTER;
port 5901 in -- port 5901 and core ip (192.168.0.31) out
port 5902 in -- port 5902 and core ip out
port 5903 in -- port 5903 and core ip out
...
CORE:
port 5901 in -- port 5900 and 192.168.80.5 out (first box)
port 5902 in -- port 5900 and 192.168.80.6 out (second box)
port 5903 in -- port 5900 and 192.168.80.7 out (third box)

 :-\ :-\ :-\

the boxes can connect to the internet, so there is no problem with their network setup...

So I'm pretty desperate already, 'cause I need these "ports and stuff"....

Oh, and something: I disabled the firewall. With the firewall on I couldn't manage even the (**) thing above...

Is it a firewall/port forwarding issue or my issue??
 >:(
ex Mythtv fan, the LinuxMCE newbie
----------
hoping for the best

diesel12

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: firewall/port forwarding issue (??)
« Reply #1 on: March 18, 2008, 08:23:06 am »
This looks like it would work. Are you on beta 4?

So you have:

ExtIP:5901 -> 192.168.0.31:5901 -> 192.168.80.5:5900
ExtIP:5902 -> 192.168.0.31:5902 -> 192.168.80.6:5900
ExtIP:5903 -> 192.168.0.31:5903 -> 192.168.80.7:5900

I'd expect it to work fine.

simon_b
Re: firewall/port forwarding issue (??)
« Reply #2 on: March 18, 2008, 08:50:11 am »
Hi!

Yes, I'm on beta 4... but it doesn't work....

No matter what I try - ext.IP:1 or ext.ip:5901 etc...

does not work...

Zaerc

  • Alumni
  • LinuxMCE God
  • *
  • Posts: 2256
  • Department of Redundancy Department.
    • View Profile
Re: firewall/port forwarding issue (??)
« Reply #3 on: March 18, 2008, 11:57:14 am »
can you show us the output of the following command?:
Code:
iptables -L -v -n
"Change is inevitable. Progress is optional."
-- Anonymous


simon_b
Re: firewall/port forwarding issue (??)
« Reply #4 on: March 18, 2008, 09:52:06 pm »
can you show us the output of the following command?:
Code:
iptables -L -v -n

Hi zaerc...

here is the result:
Quote
linuxmce@dcerouter:~$ sudo iptables -L -v -n
Chain INPUT (policy DROP 49235 packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination
 476K   62M ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
  39M 7567M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x1
   17  6069 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
 120K 7992K ACCEPT     0    --  *      *       192.168.80.0/24      0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4569
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:5060
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:2000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2000

Chain FORWARD (policy ACCEPT 25723 packets, 23M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 39M packets, 14G bytes)
 pkts bytes target     prot opt in     out     source               destination

and the copy of my "firewall settings" page:
Quote
protocol     Source Port     Destination Port     Destination IP     Rule Type     Limit to IP     
udp    4569 to 0    0       core_input       Delete
udp    5060 to 0    0       core_input       Delete
udp    2000 to 0    0       core_input       Delete
tcp    2000 to 0    0       core_input       Delete
udp    3500 to 4500    4000    192.168.80.15    port_forward       Delete
tcp    3500 to 4500    4000    192.168.80.15    port_forward       Delete
udp    5901 to 5901    5900    192.168.80.1    port_forward       Delete
udp    5902 to 5902    5900    192.168.80.2    port_forward       Delete
udp    5903 to 5903    5900    192.168.80.3    port_forward       Delete
udp    5904 to 5904    5900    192.168.80.4    port_forward       Delete

orionsune

  • Veteran
  • ***
  • Posts: 133
    • View Profile
Re: firewall/port forwarding issue (??)
« Reply #5 on: March 18, 2008, 10:17:02 pm »
There are 2 different rules involved, one tells the core to accept traffic on that port... the other tells it to forward those ports to said IP.

You can just do a range of 5901-5903 and use "core_input" rule instead of the "port_forward", need both.
entia non sunt multiplicanda praeter necessitatem

simon_b

  • Veteran
  • ***
  • Posts: 69
    • View Profile
Re: firewall/port forwarding issue (??)
« Reply #6 on: March 18, 2008, 10:33:39 pm »
There are 2 different rules involved, one tells the core to accept traffic on that port... the other tells it to forward those ports to said IP.

You can just do a range of 5901-5903 and use "core_input" rule instead of the "port_forward", need both.

Hmmm orionsune... these upper rules i think were added thru remote assistance, that i enabled... I can remove them...

This range 5901-5903 that you are talking about and core_input... How to send the data forward to the boxes if there is only core_input and a range???

orionsune
Re: firewall/port forwarding issue (??)
« Reply #7 on: March 18, 2008, 10:53:39 pm »
Your "port_forward" rules will send the data to the right box...


the "core_input" rules simply instruct your linuxmce box to ACCEPT traffic on those ports.  By default those ports are closed. Unless you have your firewall disabled already, in that case I don't have any suggestions other than researching how to use iptables on the command line to implement your forwarding rules.

When you're defining a "core_input" rule the only field you're going to use is the first one for choosing "protocol" and the two boxes for "source port"... the "source port" fields are your range, so in the first box you'd put 5901 and the second box you'd put 5903, and from your rules you need udp, so you choose udp under "protocol" then click "Add"... that's it.



simon_b
Re: firewall/port forwarding issue (??)
« Reply #8 on: March 18, 2008, 11:00:53 pm »
oh... i think that would be too much for me right now....

well... hope not...  8)

orionsune
Re: firewall/port forwarding issue (??)
« Reply #9 on: March 18, 2008, 11:13:41 pm »
Ok, here is an example, this is a copy-paste of what a rule would look like, if I wanted to accept AND forward port 25 to an internal smtp server.

Code:
tcp  25 to 25  core_input  Delete
tcp 25 to 25 25 192.168.75.11 port_forward Delete

See, how port 25 is specified TWICE, once in "core_input" and once using "port_forward"...

each port you want to forward would need to look like my example...

another easy but less secure solution would be to totally disable your firewall, then it would accept traffic on ALL ports.  I would highly advise AGAINST that action.  I only mention it to help you understand the nature of all this.

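To make the two rule types in the reply above concrete, here is an added example (not LinuxMCE's own code) that turns rows in the layout of the web admin "firewall settings" page into the iptables commands they correspond to. The mapping is reconstructed from the iptables outputs quoted in this thread (an INPUT ACCEPT for core_input, a PREROUTING DNAT on the external interface for port_forward); the interface name eth1, the core address 192.168.80.1 and the REDIRECT/FORWARD lines are my assumptions, covering a DNAT that points at the core itself and a firewall whose FORWARD policy is not ACCEPT.

```python
import re

CORE_LAN_IP = "192.168.80.1"  # assumed: the core's own LAN address
WAN_IF = "eth1"               # assumed: the core's external interface (as in the nat output)

# Constructed rows in the layout of the web admin "firewall settings" page:
# protocol, source port range, destination port, destination IP, rule type.
ROWS = """\
tcp    25 to 25        25      192.168.75.11    port_forward
tcp    25 to 25        0       0                core_input
udp    5901 to 5903    0       0                core_input
udp    5901 to 5901    5900    192.168.80.1     port_forward
"""

ROW_RE = re.compile(r"^(tcp|udp)\s+(\d+) to (\d+)\s+(\d+)\s+(\S+)\s+(core_input|port_forward)")

def to_iptables(rows, core_ip=CORE_LAN_IP, wan_if=WAN_IF):
    """Translate each row into the iptables command(s) it stands for; nothing is executed."""
    cmds = []
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        proto, lo, hi, dport, dip, kind = m.groups()
        ports = lo if lo == hi else f"{lo}:{hi}"
        if kind == "core_input":
            # accept traffic addressed to the core itself (the INPUT chain)
            cmds.append(f"iptables -A INPUT -p {proto} --dport {ports} -j ACCEPT")
        elif dip == core_ip:
            # a port_forward whose target is the core's own address never leaves the
            # core, so treat it as input: translate the port locally if it differs, then accept
            if dport != lo:
                cmds.append(f"iptables -t nat -A PREROUTING -i {wan_if} -p {proto} "
                            f"--dport {ports} -j REDIRECT --to-ports {dport}")
            cmds.append(f"iptables -A INPUT -p {proto} --dport {dport} -j ACCEPT")
        else:
            # real forwarding: rewrite the destination before routing, then allow the
            # rewritten packet through FORWARD (needed when that chain's policy is not ACCEPT)
            cmds.append(f"iptables -t nat -A PREROUTING -i {wan_if} -p {proto} --dport {ports} "
                        f"-j DNAT --to-destination {dip}:{dport}")
            cmds.append(f"iptables -A FORWARD -i {wan_if} -p {proto} -d {dip} --dport {dport} -j ACCEPT")
    return cmds

if __name__ == "__main__":
    print("\n".join(to_iptables(ROWS)))
```
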
simon_b
Re: firewall/port forwarding issue (??)
« Reply #10 on: March 19, 2008, 08:06:31 am »
Unless you have your firewall disabled already, in that case I don't have any suggestions other than researching how to use iptables on the command line to implement your forwarding rules.

Thanks orionsune... the problem is, my firewall is already disabled....

Oh, another Q: can I set these forwarding and other rules with another app on my server?? like Firestarter - http://en.wikipedia.org/wiki/Firestarter_%28firewall%29 or etc???

« Last Edit: March 19, 2008, 08:21:56 am by simon_b »

Zaerc
Re: firewall/port forwarding issue (??)
« Reply #11 on: March 19, 2008, 01:13:01 pm »
The first thing I notice is some discrepancy:

...
DSL MODEM/ROUTER;
port 5901 in -- port 5901 and core ip (192.168.0.31) out
port 5902 in -- port 5902 and core ip out
port 5903 in -- port 5903 and core ip out
...
CORE:
port 5901 in -- port 5900 and 192.168.80.5 out (first box)
port 5902 in -- port 5900 and 192.168.80.6 out (second box)
port 5903 in -- port 5900 and 192.168.80.7 out (third box)
...

...
and the copy of my "firewall settings" page:
Quote
protocol     Source Port     Destination Port     Destination IP     Rule Type     Limit to IP     
udp    4569 to 0    0       core_input       Delete
udp    5060 to 0    0       core_input       Delete
udp    2000 to 0    0       core_input       Delete
tcp    2000 to 0    0       core_input       Delete
udp    3500 to 4500    4000    192.168.80.15    port_forward       Delete
tcp    3500 to 4500    4000    192.168.80.15    port_forward       Delete
udp    5901 to 5901    5900    192.168.80.1    port_forward       Delete
udp    5902 to 5902    5900    192.168.80.2    port_forward       Delete
udp    5903 to 5903    5900    192.168.80.3    port_forward       Delete
udp    5904 to 5904    5900    192.168.80.4    port_forward       Delete

I'm not sure if this is intended or not, but the line in bold is definitely incorrect.  If you want to "forward" packages to your core itself (192.168.80.1) you should use a "core_input" rule instead.

Can you also show us the output of the following command?:
Code:
iptables -L -v -n -t nat

I forgot that these rules are added to the "nat" table.


simon_b
Re: firewall/port forwarding issue (??)
« Reply #12 on: March 20, 2008, 04:18:35 pm »
Hi!

So, my last setup is as follows:
on the dsl modem/router I set the IP of the core as the only IP exposed (DMZ) to the internet...

On the core i enabled firewall and set as follows:
Quote
udp     5902 to 5902     5900     192.168.80.2     port_forward         Delete
udp    5903 to 5903    5900    192.168.80.3    port_forward       Delete
udp    5904 to 5904    5900    192.168.80.4    port_forward       Delete
tcp    0 to 9000    0    0    core_input       Delete
udp    0 to 9000    0    0    core_input       Delete
udp    4000 to 4000    4000    192.168.80.15    port_forward       Delete
tcp    4001 to 4001    4001    192.168.80.15    port_forward       Delete

Now, i can get to the core, but no way to access another computer on lan...

The result of: iptables -L -v -n -t nat
Quote
linuxmce@dcerouter:~$ sudo iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 1039 packets, 69033 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5902 to:192.168.80.2:5900
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5903 to:192.168.80.3:5900
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5904 to:192.168.80.4:5900
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:4000 to:192.168.80.15:4000
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4001 to:192.168.80.15:4001

Chain POSTROUTING (policy ACCEPT 5160 packets, 378K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      eth1    192.168.80.0/24     !192.168.80.0/24

Chain OUTPUT (policy ACCEPT 5160 packets, 378K bytes)
 pkts bytes target     prot opt in     out     source               destination


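As an added example that is not part of the thread, a small Python checker that parses DNAT rules out of `iptables -L -v -n -t nat` output in the layout quoted above and reports the failure modes raised in this discussion: a DNAT whose target is the core's own address, a rule bound to an interface other than the WAN one, a rule whose hit counter is still zero, and a port for which only udp is forwarded. The sample rules are constructed, and the WAN interface eth1 and core address 192.168.80.1 are assumptions.

```python
import re

# Constructed sample in the layout of `iptables -L -v -n -t nat` (PREROUTING rules only);
# the first three rows mirror the thread's output, the last one is the DNAT-to-the-core case.
NAT_PREROUTING = """\
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5902 to:192.168.80.2:5900
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5903 to:192.168.80.3:5900
   12  1040 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4001 to:192.168.80.15:4001
    0     0 DNAT       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5901 to:192.168.80.1:5900
"""
CORE_LAN_IP = "192.168.80.1"   # assumed: the core's address on the internal LAN
WAN_IF = "eth1"                # assumed: the core's external interface

# columns: pkts bytes DNAT proto opt in out source destination  proto dpt:N to:IP:PORT
DNAT_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+DNAT\s+\w+\s+--\s+(\S+)\s+\S+\s+\S+\s+\S+\s+"
    r"(tcp|udp) dpt:(\d+) to:([\d.]+):(\d+)")

def parse_dnat(text):
    """Return one dict per DNAT rule: hit counter, in-interface, proto, ports and target."""
    rules = []
    for line in text.splitlines():
        m = DNAT_RE.match(line)
        if m:
            pkts, _, in_if, proto, dport, ip, tport = m.groups()
            rules.append({"pkts": int(pkts), "in_if": in_if, "proto": proto,
                          "dport": int(dport), "to_ip": ip, "to_port": int(tport)})
    return rules

def audit(rules, core_ip=CORE_LAN_IP, wan_if=WAN_IF):
    """Return (rule, finding) pairs for the failure modes discussed in the thread."""
    protos_on_port = {}
    for r in rules:
        protos_on_port.setdefault(r["dport"], set()).add(r["proto"])
    findings = []
    for r in rules:
        if r["to_ip"] == core_ip:
            findings.append((r, "DNAT to the core itself; use a core_input (INPUT ACCEPT) rule instead"))
        if r["in_if"] != wan_if:
            findings.append((r, f"bound to {r['in_if']}, not the WAN interface {wan_if}"))
        if r["pkts"] == 0:
            findings.append((r, "never matched a packet; check the upstream router forwards this proto/port"))
        if protos_on_port[r["dport"]] == {"udp"}:
            findings.append((r, "only udp is forwarded on this port; a tcp service behind it is unreachable"))
    return findings

if __name__ == "__main__":
    for r, msg in audit(parse_dnat(NAT_PREROUTING)):
        print(f"{r['proto']}/{r['dport']} -> {r['to_ip']}:{r['to_port']}: {msg}")
```
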
Zaerc
Re: firewall/port forwarding issue (??)
« Reply #13 on: March 20, 2008, 06:15:12 pm »
From what I can see the firewall rules seem to be correct.  The only thing "unusual" I see is eth1, so I'm guessing you have the interfaces "swapped", that shouldn't make any difference though.  Unless they aren't supposed to be, which happened to me once when I mistook the "swap interfaces" button for the "update" button on the network settings screen.


simon_b
Re: firewall/port forwarding issue (??)
« Reply #14 on: March 20, 2008, 11:57:33 pm »
Hmmm, eth1 is "the outside NIC"... is it right???