Title: Portforwarding with incoming IP - EFW Community 3.0 Post by: gbarchi on Friday 12 September 2014, 02:24:11 am Hello,
I have been trying to get portforwarding working with an incoming IP and it is not working. If I don´t set an incoming portforwarding works well. I think this might be a bug: iptables -L shows Chain PORTFWACCESS (1 references) target prot opt source destination NFLOG tcp -- anywhere 192.168.0.131 tcp dpt:http nflog-prefix "PORTFWACCESS:ALLOW:1" ALLOW tcp -- anywhere 192.168.0.131 tcp dpt:http NFLOG tcp -- anywhere 192.168.0.131 tcp dpt:ms-sql-s nflog-prefix "PORTFWACCESS:ACCEPT:2" ACCEPT tcp -- anywhere 192.168.0.131 tcp dpt:ms-sql-s NFLOG tcp -- anywhere 192.168.0.131 tcp dpt:https nflog-prefix "PORTFWACCESS:ALLOW:3" ALLOW tcp -- anywhere 192.168.0.131 tcp dpt:https The HTTPS rule is the one that is not working. Iptables shows source being "anywhere", however, Endian has been configured to restrict incoming connections only to IP 200.120.10.3. This can be seen here, which is a file where Endian saves the portforwarding rules, and it´s under: /etc/firewall/dnat/iptablesdnat iptables -t nat -F PORTFW iptables -F PORTFWACCESS iptables -t nat -F POSTPORTFW iptables -t nat -A PORTFW -s 0/0 -d 157.100.157.80 -j DNAT -p tcp --dport 80 --to-destination 192.168.0.131:80 iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.0.131 -p tcp --dport 80 -j NFLOG --nflog-prefix 'PORTFWACCESS:ALLOW:1' iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.0.131 -p tcp --dport 80 -j ALLOW iptables -t nat -A PORTFW -s 0/0 -d 157.100.157.80 -j DNAT -p tcp --dport 1433 --to-destination 192.168.0.131:1433 iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.0.131 -p tcp --dport 1433 -j NFLOG --nflog-prefix 'PORTFWACCESS:ACCEPT:2' iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.0.131 -p tcp --dport 1433 -j ACCEPT iptables -t nat -A PORTFW -s 0/0 -d 200.120.10.3 -j DNAT -p tcp --dport 443 --to-destination 192.168.0.131:443 iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.0.131 -p tcp --dport 443 -j NFLOG --nflog-prefix 'PORTFWACCESS:ALLOW:3' iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.0.131 -p tcp --dport 443 -j ALLOW Notice how in this file, the source IP (200.120.10.3) does show. It seems Endian is not passing on to Iptables the complete rule. Any ideas? Thanks! Title: Re: Portforwarding with incoming IP - EFW Community 3.0 Post by: mmiat on Monday 15 September 2014, 08:18:24 pm try
iptables -t nat -L too Title: Re: Portforwarding with incoming IP - EFW Community 3.0 Post by: gbarchi on Monday 17 November 2014, 01:01:55 pm Hello mmiat, thanks for your reply, with iptables -t nat -L it shows that the rule is there, but the connection keeps getting dropped. Chain PORTFW (2 references) target prot opt source destination DNAT tcp -- anywhere 43.CMCD-186-55-100.gye.satnet.net tcp dpt:ms-sql-s to:192.168.0.131:1433 Firewall 2014-11-16 20:55:02 INPUT:DROP TCP (eth1) 186.55.100.43:6187 -> 190.12.54.42:1433 Again, if I take out the IP the rule works, it only stops working when I set an IP. This is driving me crazy. I need this too work. Any ideas? Thank you. Title: Re: Portforwarding with incoming IP - EFW Community 3.0 Post by: mmiat on Saturday 22 November 2014, 01:52:45 am I think that MSSQL need UDP 1434 too to properly work
Title: Re: Portforwarding with incoming IP - EFW Community 3.0 Post by: FSP_0918 on Saturday 21 February 2015, 04:55:11 am Ditto. Same problem here. May need to downgrade, this is a critical feature.
|