Port forwarding never works
2006-12-16 01:00:45
Bugs item #1616801, was opened at 2006-12-15 18:00
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=725139&aid=1616801&group_id=132104

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.
Category: Firewall
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Remy Services (remyservices)
Assigned to: Nobody/Anonymous (nobody)
Summary: Port forwarding never works

Initial Comment:
When installing Endian 2 respin we can never get port forwarding to work. Using "Shields Up" from grc.com we always get stealthed ports, even when forwarding them to servers in the green network. We have found that adding a port to the External Access rules shows a closed port in "Shields Up", but we can never get port forwarding to work properly.

We have tried this with both static and dynamic ethernet as well as PPPoE. If we use a Windows-based firewall we are able to use the same DSL router with PPPoE and get forwarding to work, so we know that this is not an ISP issue. NAT always works for outbound traffic and we can't find any other issues, but we can never get traffic from red into our network.

The following is our setup with a static ethernet setup that does not allow port 4044 to be forwarded to an internal server at 192.168.40.15.


Interfaces:
br0       Link encap:Ethernet  HWaddr 00:50:BA4:09:01
          inet addr:192.168.40.31  Bcast:192.168.40.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:25527 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40206 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2613580 (2.4 MiB)  TX bytes:40201295 (38.3 MiB)

eth0      Link encap:Ethernet  HWaddr 00:50:BA4:09:01
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:30877 errors:0 dropped:0 overruns:0 frame:0
          TX packets:47264 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3887065 (3.7 MiB)  TX bytes:42705348 (40.7 MiB)
          Interrupt:12 Base address:0xec00

eth1      Link encap:Ethernet  HWaddr 00:04:E2:18:AB:73
          inet addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:40391 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34565 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:49926780 (47.6 MiB)  TX bytes:3958555 (3.7 MiB)
          Interrupt:5 Base address:0xe800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:150623 errors:0 dropped:0 overruns:0 frame:0
          TX packets:150623 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:125626360 (119.8 MiB)  TX bytes:125626360 (119.8 MiB)

IPTable Filters:
Chain ACCEPT_ALL (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 GREEN_GREEN  all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 GREEN_VPN  all  --  ipsec+ br0     0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 GREEN_VPN  all  --  br0    ipsec+  0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     icmp --  *      eth1    0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 icmp type 8

Chain BADTCP (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROPBADTCP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
    0     0 DROPBADTCP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
    0     0 DROPBADTCP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x01
    0     0 DROPBADTCP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
    0     0 DROPBADTCP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
    0     0 NEWNOTSYN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW

Chain BLUEINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain BLUE_BLUE (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain BLUE_VPN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 VPNFW      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain CUSTOMFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CUSTOMINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CUSTOMOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DHCPBLUEINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DMZHOLES (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DROPBADTCP (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG_BADTCP  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain GREEN_GREEN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain GREEN_VPN (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 VPNFW      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy DROP 229 packets, 70914 bytes)
 pkts bytes target     prot opt in     out     source               destination
 198K  163M ipac~o     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 220K  178M PORTSCAN   all  --  *      *       0.0.0.0/0            0.0.0.0/0
 220K  178M BADTCP     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3883  185K            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 limit: avg 10/sec burst 5
 220K  178M CUSTOMINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 210K  178M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    7   196 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 icmp type 8
 6876  306K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0           state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            127.0.0.0/8         state NEW
 2922  193K ACCEPT    !icmp --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
  221 70578 BLUEINPUT !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
  221 70578 ORANGEINPUT !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
  221 70578 OPENVPN    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
  221 70578 OUTGOINGFW  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
  231 70994 DHCPBLUEINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  221 70578 SIPROXD    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
  221 70578 SMTPD      all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
  221 70578 VPNINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
  231 70994 IPSECRED   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  231 70994 IPSECBLUE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  231 70994 REDINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  221 70578 XTACCESS   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
  229 70914 LOG_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   11   440 ipac~fi    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   11   440 ipac~fo    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   51  2040 OPENVPNCLIENTDHCP  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   51  2040 OPENVPNDHCP  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   51  2040 PORTSCAN   all  --  *      *       0.0.0.0/0            0.0.0.0/0
   51  2040 BADTCP     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   51  2040 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
   51  2244 CUSTOMFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0           state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            127.0.0.0/8         state NEW
   51  2244 OPENVPN    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
   51  2244 OPENVPNCLIENT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
   51  2244 OUTGOINGFW  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
   51  2244 ACCEPT_ALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   51  2244 DMZHOLES   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
   51  2244 PORTFWACCESS  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 LOG_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IPSECBLUE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPSECRED (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOG_BADTCP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOG_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOG_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOG_NEWNOTSYN (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain NEWNOTSYN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG_NEWNOTSYN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OPENVPN (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OPENVPNCLIENT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OPENVPNCLIENTDHCP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OPENVPNDHCP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ORANGEINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ORANGE_ORANGE (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ORANGE_VPN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 VPNFW      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTGOINGFW (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br1    eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br2    eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 233K packets, 171M bytes)
 pkts bytes target     prot opt in     out     source               destination
 211K  164M ipac~i     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 233K  171M CUSTOMOUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PORTFWACCESS (1 references)
 pkts bytes target     prot opt in     out     source               destination
   11   484 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.40.15       tcp dpt:4044

Chain PORTSCAN (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain REDINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SIPROXD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SMTPD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VPNFW (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VPNINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 VPN_IN     all  --  ipsec+ *       0.0.0.0/0            0.0.0.0/0

Chain VPN_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113

Chain XTACCESS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            172.16.0.1          tcp dpt:113

Chain ipac~fi (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0            all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain ipac~fo (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      br0     0.0.0.0/0            0.0.0.0/0
    0     0            all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain ipac~i (1 references)
 pkts bytes target     prot opt in     out     source               destination
  622  123K            all  --  *      br0     0.0.0.0/0            0.0.0.0/0
    0     0            all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain ipac~o (1 references)
 pkts bytes target     prot opt in     out     source               destination
  291 18076            all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    8  3333            all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

IPTable NAT:
Chain PREROUTING (policy ACCEPT 3089 packets, 238K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 3095  238K CUSTOMPREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3095  238K OPENVPNCLIENT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3095  238K SIPROXDPORTFW  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3095  238K CONTENTFILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3095  238K SQUID      all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3095  238K PORTFW     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 6748 packets, 297K bytes)
 pkts bytes target     prot opt in     out     source               destination
 7677  339K CUSTOMPOSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 7677  339K REVERSENAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 7677  339K REDNAT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 6748  297K POSTPORTFW  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7671 packets, 339K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain CONTENTFILTER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CUSTOMPOSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CUSTOMPREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SMTPSCAN   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25

Chain OPENVPNCLIENT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PORTFW (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2    80 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.0.1          tcp dpt:4044 to:192.168.40.15:4044

Chain POSTPORTFW (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      *       192.168.40.0/24      192.168.40.15       tcp dpt:4044 to:192.168.40.31

Chain REDNAT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  774 34617 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           to:172.16.0.1

Chain REVERSENAT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      eth1    192.168.40.15        0.0.0.0/0           tcp dpt:4044 to:172.16.0.1

Chain SIPROXDPORTFW (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SMTPSCAN (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SQUID (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  br0    *       0.0.0.0/0           !192.168.40.0/24     tcp dpt:80 redir ports 8080

IPTable Mangle:
Chain PREROUTING (policy ACCEPT 181K packets, 129M bytes)
 pkts bytes target     prot opt in     out     source               destination
 221K  178M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
40005   49M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0
10123  576K OUTGOINGCUSTOMMARK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
10123  576K INCOMINGMARK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW

Chain INPUT (policy ACCEPT 220K packets, 178M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 51 packets, 2040 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 233K packets, 171M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 233K packets, 171M bytes)
 pkts bytes target     prot opt in     out     source               destination
 7933  356K OUTGOINGMARK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
 1057 49188 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW MARK match !0x0 CONNMARK save

Chain INCOMINGMARK (1 references)
 pkts bytes target     prot opt in     out     source               destination
  166 56867 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           MARK set 0xc8

Chain OUTGOINGCUSTOMMARK (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTGOINGMARK (1 references)
 pkts bytes target     prot opt in     out     source               destination
  851 39675 MARK       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           MARK set 0xc8


------------------------------------------------------------
_______________________________________________
Efw-devel mailing list
Efw-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/efw-devel
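The dumps in the report already contain the whole forwarding path for 192.168.40.15:4044 (the PORTFW DNAT reached from nat PREROUTING, the PORTFWACCESS ACCEPT reached from filter FORWARD, the REDNAT/REVERSENAT SNAT in POSTROUTING), and the per-rule packet counters say how far inbound packets got. The script below is an added example of reading such dumps; it is not code from the bug report or from Endian. It parses `iptables -nvL` output, including K/M-abbreviated counters and the target-less accounting rules (ipac~*), then follows one forward from the DNAT rule through the filter ACCEPT to the RELATED,ESTABLISHED rule in FORWARD and reports the first hop whose counter is zero. The two sample strings are constructed, abridged copies of the filter and nat tables above; the finding codes and their wording are mine. It also flags that the DNAT rule matches destination 172.16.0.1, the box's own red address, which is a private address: whatever sits in front of the red interface (the DSL router mentioned in the report) has to forward the port to that address too.

```python
"""Trace a DNAT port forward through `iptables -nvL` output and report which
hop has (not) seen packets. Added diagnostic, not Endian's own tooling."""
import ipaddress
import re
from collections import namedtuple

# Constructed, abridged copies of the filter and nat dumps in the bug report.
FILTER_SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   51  2244 CUSTOMFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   51  2244 PORTFWACCESS  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW

Chain PORTFWACCESS (1 references)
 pkts bytes target     prot opt in     out     source               destination
   11   484 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.40.15       tcp dpt:4044

Chain ipac~fi (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  br0    *       0.0.0.0/0            0.0.0.0/0
"""
NAT_SAMPLE = """\
Chain PORTFW (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2    80 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.0.1          tcp dpt:4044 to:192.168.40.15:4044
"""

# target is "" for accounting rules without -j; extra holds match/target options.
Rule = namedtuple("Rule", "pkts nbytes target prot in_if out_if source dest extra")
_PROTO = re.compile(r"^!?(all|tcp|udp|udplite|icmp|esp|ah|sctp|\d+)$")

def parse_count(tok):
    """iptables -v abbreviates counters as 238K / 49M (1000-based)."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(float(tok[:-1]) * mult[tok[-1]]) if tok[-1] in mult else int(tok)

def parse_chains(text):
    """Return {chain name: [Rule, ...]} from `iptables -nvL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split(None, 9)   # pkts bytes target prot opt in out src dst extra
        if current is None or len(parts) < 8 or parts[0] == "pkts":
            continue
        if _PROTO.match(parts[2]):    # no target column: shift prot and the rest right
            parts.insert(2, "")
        parts += [""] * (10 - len(parts))
        chains[current].append(Rule(parse_count(parts[0]), parse_count(parts[1]),
                                    *parts[2:4], *parts[5:10]))
    return chains

def is_private(cidr):
    """True for RFC 1918 and similar non-routable destinations; False on '!' matches."""
    try:
        return ipaddress.ip_network(cidr, strict=False).is_private
    except ValueError:
        return False

def trace_port_forward(filter_text, nat_text, server_ip, port):
    """Follow SYN -> DNAT -> FORWARD ACCEPT -> established replies and return
    (packet counters, [(code, explanation), ...]) for the first broken hop."""
    flt, nat = parse_chains(filter_text), parse_chains(nat_text)
    dport = re.compile(rf"\bdpt:{port}\b")
    dnat = [r for rs in nat.values() for r in rs
            if r.target == "DNAT" and f"to:{server_ip}:{port}" in r.extra]
    accept = [r for rs in flt.values() for r in rs
              if r.target == "ACCEPT" and r.dest == server_ip and dport.search(r.extra)]
    estab = [r for r in flt.get("FORWARD", [])
             if r.target == "ACCEPT" and "RELATED,ESTABLISHED" in r.extra]
    counters = {"dnat": sum(r.pkts for r in dnat),
                "forward_accept": sum(r.pkts for r in accept),
                "forward_established": sum(r.pkts for r in estab)}
    if not dnat:
        return counters, [("NO_DNAT", f"no DNAT rule rewrites to {server_ip}:{port}")]
    findings = [("PRIVATE_DNAT_DEST", f"DNAT matches destination {r.dest}, a private "
                 f"address, so whatever sits upstream of the red interface must itself "
                 f"forward port {port} to it") for r in dnat
                if r.dest != "0.0.0.0/0" and is_private(r.dest)]
    if counters["dnat"] == 0:
        findings.append(("DNAT_NO_HITS", "DNAT never matched: nothing for this port reaches PREROUTING"))
    elif not accept:
        findings.append(("NO_FORWARD_ACCEPT", f"no ACCEPT for {server_ip} dpt:{port} in the filter table"))
    elif counters["forward_accept"] == 0:
        findings.append(("FORWARD_ACCEPT_NO_HITS", "DNAT matched but the FORWARD ACCEPT never did"))
    elif estab and counters["forward_established"] == 0:
        findings.append(("NO_RETURN_TRAFFIC", "new connections were forwarded but no "
                         "RELATED,ESTABLISHED packet ever crossed FORWARD: replies from the "
                         "server are not coming back through this box; check its default route"))
    return counters, findings

if __name__ == "__main__":
    counters, findings = trace_port_forward(FILTER_SAMPLE, NAT_SAMPLE, "192.168.40.15", 4044)
    print(counters)
    for code, msg in findings:
        print(f"[{code}] {msg}")
```

Feed it the output of `iptables -nvL` and `iptables -t nat -nvL` captured while an external client is connecting. Counters only say where packets stopped, not why, so pair a zero counter with `tcpdump -ni eth1 port 4044` and `tcpdump -ni br0 port 4044` on the same box to see which side of that hop the packets are missing from.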
