EFW Support

Support => General Support => Topic started by: gbarchi on Friday 12 September 2014, 02:24:11 am



Title: Portforwarding with incoming IP - EFW Community 3.0
Post by: gbarchi on Friday 12 September 2014, 02:24:11 am
Hello,

I have been trying to get portforwarding working with an incoming IP and it is not working. If I don't set an incoming IP, portforwarding works well.

I think this might be a bug:

iptables -L shows

Chain PORTFWACCESS (1 references)
target     prot opt source               destination
NFLOG      tcp  --  anywhere             192.168.0.131     tcp dpt:http nflog-prefix "PORTFWACCESS:ALLOW:1"
ALLOW      tcp  --  anywhere             192.168.0.131     tcp dpt:http
NFLOG      tcp  --  anywhere             192.168.0.131     tcp dpt:ms-sql-s nflog-prefix "PORTFWACCESS:ACCEPT:2"
ACCEPT     tcp  --  anywhere             192.168.0.131     tcp dpt:ms-sql-s
NFLOG      tcp  --  anywhere             192.168.0.131     tcp dpt:https nflog-prefix "PORTFWACCESS:ALLOW:3"
ALLOW      tcp  --  anywhere             192.168.0.131     tcp dpt:https

The HTTPS rule is the one that is not working. Iptables shows source being "anywhere", however, Endian has been configured to restrict incoming connections only to IP 200.120.10.3.

This can be seen here, which is a file where Endian saves the portforwarding rules, and it's under:

/etc/firewall/dnat/iptablesdnat

iptables -t nat -F PORTFW
iptables -F PORTFWACCESS
iptables -t nat -F POSTPORTFW
iptables -t nat -A PORTFW -s 0/0 -d 157.100.157.80 -j DNAT -p tcp --dport 80 --to-destination 192.168.0.131:80
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.0.131 -p tcp --dport 80 -j NFLOG --nflog-prefix 'PORTFWACCESS:ALLOW:1'
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.0.131 -p tcp --dport 80 -j ALLOW
iptables -t nat -A PORTFW -s 0/0 -d 157.100.157.80 -j DNAT -p tcp --dport 1433 --to-destination 192.168.0.131:1433
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.0.131 -p tcp --dport 1433 -j NFLOG --nflog-prefix 'PORTFWACCESS:ACCEPT:2'
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.0.131 -p tcp --dport 1433 -j ACCEPT
iptables -t nat -A PORTFW -s 0/0 -d 200.120.10.3 -j DNAT -p tcp --dport 443 --to-destination 192.168.0.131:443
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.0.131 -p tcp --dport 443 -j NFLOG --nflog-prefix 'PORTFWACCESS:ALLOW:3'
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.0.131 -p tcp --dport 443 -j ALLOW

Notice how in this file, the source IP (200.120.10.3) does show.

It seems Endian is not passing on to Iptables the complete rule.

Any ideas?

Thanks!






Title: Re: Portforwarding with incoming IP - EFW Community 3.0
Post by: mmiat on Monday 15 September 2014, 08:18:24 pm
try

iptables -t nat -L

too


Title: Re: Portforwarding with incoming IP - EFW Community 3.0
Post by: gbarchi on Monday 17 November 2014, 01:01:55 pm

Hello mmiat, thanks for your reply. With iptables -t nat -L it shows that the rule is there, but the connection keeps getting dropped.

Chain PORTFW (2 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             43.CMCD-186-55-100.gye.satnet.net tcp dpt:ms-sql-s to:192.168.0.131:1433


Firewall   2014-11-16 20:55:02   INPUT:DROP TCP (eth1) 186.55.100.43:6187 -> 190.12.54.42:1433

Again, if I take out the IP the rule works, it only stops working when I set an IP.

This is driving me crazy. I need this to work.

Any ideas?

Thank you.
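
A small checker for the two symptoms in this thread, added here as an example; it is not code from the thread or from Endian. It parses the DNAT lines of the kind found in /etc/firewall/dnat/iptablesdnat and answers two questions before the product gets blamed: does any PORTFW rule match the packet the firewall log shows being dropped, and which forwards accept connections from any source. Note what the quoted file actually contains: in every DNAT line the source match is -s 0/0, and the 200.120.10.3 address sits in -d (the destination match), so no source restriction reaches iptables at all. The rule for the second post is reconstructed on the assumption that the reverse-DNS name 43.CMCD-186-55-100.gye.satnet.net shown by iptables -t nat -L is 186.55.100.43, and the "restricted" rule is constructed to show what a forward limited to one client address looks like; the packet in LOGGED_PACKET is taken from the quoted log line.

```python
"""Match packets against iptables DNAT (PORTFW) rules and list which forwards
are open to any source. Added example, not code from the thread or from Endian."""
import ipaddress
import shlex


def _net(text):
    # iptables writes the wildcard as 0/0, which ipaddress does not accept
    if text == "0/0":
        text = "0.0.0.0/0"
    return ipaddress.ip_network(text, strict=False)


def parse_rule(line):
    """Reduce one 'iptables -t nat -A PORTFW ...' line to its match fields."""
    argv = shlex.split(line)[1:]          # drop the leading 'iptables'
    rule = {"src": _net("0/0"), "dst": None, "proto": None,
            "dport": None, "target": None, "to": None}
    i = 0
    while i < len(argv):                  # every option on these lines takes one argument
        opt, val = argv[i], argv[i + 1]
        if opt == "-s":
            rule["src"] = _net(val)
        elif opt == "-d":
            rule["dst"] = _net(val)
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "-j":
            rule["target"] = val
        elif opt == "--to-destination":
            rule["to"] = val
        # -t and -A carry no match information and are skipped like any other pair
        i += 2
    return rule


def first_match(rules, pkt):
    """Index of the first rule matching pkt (src, dst, proto, dport), or None."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for n, r in enumerate(rules):
        if src not in r["src"]:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        if r["proto"] is not None and r["proto"] != pkt["proto"]:
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        return n
    return None


def open_to_anyone(rules):
    """(proto, dport, to) for every DNAT rule whose source match is the wildcard 0/0."""
    return [(r["proto"], r["dport"], r["to"]) for r in rules
            if r["target"] == "DNAT" and r["src"].prefixlen == 0]


# DNAT lines quoted verbatim from the thread's iptablesdnat file.
THREAD_RULES = [parse_rule(line) for line in [
    "iptables -t nat -A PORTFW -s 0/0 -d 157.100.157.80 -j DNAT -p tcp --dport 80 --to-destination 192.168.0.131:80",
    "iptables -t nat -A PORTFW -s 0/0 -d 157.100.157.80 -j DNAT -p tcp --dport 1433 --to-destination 192.168.0.131:1433",
    "iptables -t nat -A PORTFW -s 0/0 -d 200.120.10.3 -j DNAT -p tcp --dport 443 --to-destination 192.168.0.131:443",
]]

# Reconstructed (assumption) from the second post's 'iptables -t nat -L' listing,
# taking the reverse-DNS name 43.CMCD-186-55-100.gye.satnet.net to be 186.55.100.43.
SECOND_POST_RULES = [parse_rule(
    "iptables -t nat -A PORTFW -s 0/0 -d 186.55.100.43 -j DNAT -p tcp --dport 1433 --to-destination 192.168.0.131:1433")]

# Constructed: a forward restricted to one client, with the client in -s and
# the firewall's public address in -d.
RESTRICTED_RULES = [parse_rule(
    "iptables -t nat -A PORTFW -s 200.120.10.3/32 -d 157.100.157.80 -j DNAT -p tcp --dport 443 --to-destination 192.168.0.131:443")]

# The packet from the second post's log line: 186.55.100.43:6187 -> 190.12.54.42:1433
LOGGED_PACKET = {"src": "186.55.100.43", "dst": "190.12.54.42", "proto": "tcp", "dport": 1433}

if __name__ == "__main__":
    # None: the remote address is the packet's source, but the rule names it as destination,
    # so no DNAT happens and the packet reaches INPUT, where the log shows it dropped.
    print("logged packet hits DNAT rule:", first_match(SECOND_POST_RULES, LOGGED_PACKET))
    print("forwards open to any source:", open_to_anyone(THREAD_RULES))
    client = {"src": "200.120.10.3", "dst": "157.100.157.80", "proto": "tcp", "dport": 443}
    print("allowed client hits restricted rule:", first_match(RESTRICTED_RULES, client))
```

Run against the real file with `iptables-save -t nat` output or the iptablesdnat lines themselves; a forward you believed was restricted to one address but that shows up in open_to_anyone() is the thing to fix in the GUI, and a logged drop whose packet yields first_match() None never reached the DNAT stage at all.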


Title: Re: Portforwarding with incoming IP - EFW Community 3.0
Post by: mmiat on Saturday 22 November 2014, 01:52:45 am
I think that MSSQL needs UDP 1434 too to work properly


Title: Re: Portforwarding with incoming IP - EFW Community 3.0
Post by: FSP_0918 on Saturday 21 February 2015, 04:55:11 am
Ditto. Same problem here. May need to downgrade, this is a critical feature.