Solved

Firestarter porting forwarding

Posted on 2006-06-13
7
470 Views
Last Modified: 2012-05-05
Hi experts,

I'm using firestarter (on Debian Sarge) to do internet sharing in my network. Now I have a web application running on a Windows machine (in LAN) and I want to allow user to access it via internet.

So I configure port forwarding using firestarter. I created a forward service under "inbound traffic policy" according to firestarter manual but it doesn't seem to be forwarding. When I try to connect from another machine (outside my LAN) using my Debian machine's live IP, it fails. However, I'm able to access the app if I run from a LAN PC using the LAN IP.

This is what I get with "iptables -t nat -L", I'm trying to forward port 9909 to my internal IP.

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:9909 to:192.168.0.140:80
DNAT       udp  --  anywhere             anywhere            udp dpt:9909 to:192.168.0.140:80

With "iptables -L", I also see this...

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.0.140       tcp dpt:www
ACCEPT     udp  --  anywhere             192.168.0.140       udp dpt:www

Is there anything I missed out or anything I should check?

Thanks!
0
Comment
Question by:yeewee64
  • 4
  • 2
7 Comments
 
LVL 14

Expert Comment

by:pablouruguay
ID: 16902800
iptables -A FORWARD -j ACCEPT -p tcp --dport 9909
iptables -t nat -A PREROUTING  -p tcp -d ServerIP --dport 9909 -j DNAT  --to 192.168.0.140:80

only replace the SERVERIP with your swerver ip and its work in my box
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 16902811
orf oyu can use anyware
iptables -t nat -A PREROUTING  -p tcp --dport 9909 -j DNAT  --to 192.168.0.140:80
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 16902821
remeber in your firewall need to accept connections to 9909

iptables -A FORWARD -j ACCEPT -p tcp --dport 9909
0
Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

 

Author Comment

by:yeewee64
ID: 16908924
hi pablouruguay, thanks for your response. I've followed what you've suggested but I'm still getting the same error.

From my observation, traffic to the port is still not being forward because there's nothing in my webserver accesslog and errorlog when I try to connect from my browser.

Is there something else I need to check?
0
 
LVL 16

Accepted Solution

by:
Blaz earned 250 total points
ID: 16909458
> remeber in your firewall need to accept connections to 9909
> iptables -A FORWARD -j ACCEPT -p tcp --dport 9909

Actually this is not true - you only need to accept connections to port 80 - DNAT is done before forward filtering is done.

Are the listed forward rules the only forward rules you have. Are you sure that reverse traffic passes the firewall? If not add:
iptables -A FORWARD -s 192.168.0.140 -p tcp --sport 80 -j ACCEPT

On the windows server what is the setting for gateway? If it is not the firestarter box you should add:
iptables -t nat -A POSTROUTING  -p tcp -d 192.168.0.140 --dport 80 -j SNAT  --to Firewall_internal_IP

If all this does not work, you should add some logging rules:
iptables -A FORWARD -j LOG

Then the messages log file will give you some idea what packets are beeing denied to pass through the FORWARD chain.
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 16910899
ouch sorry Blaz have reason need to accept port 80
0
 

Author Comment

by:yeewee64
ID: 16910991
Thanks Blaz! Finally it's running :D

"On the windows server what is the setting for gateway? If it is not the firestarter box you should add:
iptables -t nat -A POSTROUTING  -p tcp -d 192.168.0.140 --dport 80 -j SNAT  --to Firewall_internal_IP"

I guess this is the key. It works beautifully right after I added that. Again, many thanks!
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Convert Routes to Linux (CENTOS 7.0) 3 107
Samba Security Improvement for Writable Directories 8 75
Linux DNS problems 23 466
iptables limit connection per ip correct way ? 2 199
I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question