Port forwarding issue
I am trying to forward all the port 80 requests from internet to my router to a web server on internal network.
Internet ----> SUSE router ----> Webserver on intranet.
I have followed this guide: http://www.novell.com/coolsolutions/feature/16709.html
Relevant sections in /etc/sysconfig/SuSEfirewall2 are:
FW_DEV_EXT="any eth-id-00:15:f2:52:f8:8a"
FW_DEV_INT="eth-id-00:08:a1:65:d7:c6"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="9000 http"
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,192.168.0.249,tcp,80,80,0/0"
FW_REDIRECT=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_DMZ=""
I have Masquerading enabled, and IP forwarding enabled too.
I can access the server from router, and the web server can connect to the internet too.
However the requests to port 80 are not being forwarded to the web server on internal network (192.168.0.249).
Any suggestions what I need to do to fix this?
Thanks in advance
Jigish
On Wednesday 01 November 2006 02:03, Jigish Gohil wrote:
Hi,
not quite sure what you have cut and pasted into the email here, but I didn't have to do any of that. It's simply done from the config panel of your router. My Linksys address is 192.168.1.1. You just need to configure port forwarding on the router. Forward port 80 to whatever internal IP you want. Should take 30 seconds .......... tops.
-- SuSE Linux 10.1 ~ Kernel 2.6.16.21-0.25-smp #1 ~ Kmail 1.9 ~ Registered Linux user: 412217 http://reillyblog.com 6:39am up 9:45, 1 user, load average: 0.03, 0.09, 0.10
Thanks Steve
I am using SUSE box as router, so all that configuration goes there.
-J
On Wednesday 01 November 2006 06:54, Jigish Gohil wrote:
Ok, got it......... good luck...... I have no experience in that.
-- SuSE Linux 10.1 ~ Kernel 2.6.16.21-0.25-smp #1 ~ Kmail 1.9 ~ Registered Linux user: 412217 http://reillyblog.com 7:07am up 10:13, 1 user, load average: 0.25, 0.17, 0.16
Wed, 01 Nov 2006, by jigish.gohil@gmail.com:
I am trying to forward all the port 80 requests from internet to my router to a web server on internal network.
Internet ----> SUSE router ----> Webserver on intranet.
I have followed this guide: http://www.novell.com/coolsolutions/feature/16709.html
[..]
Any suggestions what I need to do to fix this?
I've given up on trying to grok SuSEFirewall2. In Shorewall it's very simple:
/etc/shorewall/rules:
#ACTION   SOURCE   DEST                PROTO   DEST   SOURCE    ORIGINAL
#                                              PORT   PORT(S)   DEST
DNAT      net      loc:192.168.0.249   tcp     http
/etc/shorewall/masq:
###############################################################################
#INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)   IPSEC
eth0         eth1
That's it, port forwarding and IP masquerading in two simple, readable lines. I can fully recommend Shorewall to anyone who doesn't want to spend (much) time reading a big pdf just to get his firewall going..
Theo
--
Theo v. Werkhoven   Registered Linux user# 99872   http://counter.li.org
ICBM 52 13 26N , 4 29 47E.   + ICQ: 277217131
SUSE 9.2                     + Jabber: muadib@jabber.xs4all.nl
Kernel 2.6.8                 + See headers for PGP/GPG info.
Claimer: any email I receive will become my property. Disclaimers do not apply.
On 2006-11-01 01:03, Jigish Gohil wrote:
I am trying to forward all the port 80 requests from internet to my router to a web server on internal network.
Internet ----> SUSE router ----> Webserver on intranet.
I have followed this guide: http://www.novell.com/coolsolutions/feature/16709.html
Relevant section in /etc/sysconfig/SuSEfirewall2 are :
FW_DEV_EXT="any eth-id-00:15:f2:52:f8:8a"
Though not relevant to your current problem, I've always felt that "any" in this setting is potentially confusing; you have a fixed external link, so don't need to (shouldn't?) use it.
FW_DEV_INT="eth-id-00:08:a1:65:d7:c6"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="9000 http"
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,192.168.0.249,tcp,80,80,0/0"
The way I read this, the last field is not a net/mask, rather a single IP, despite what the CoolSolutions webpage says. AFAIK, the field isn't even necessary. Since you are not doing any port redirection, the second "80" is not needed. Thus:
FW_FORWARD_MASQ="0/0,192.168.0.249,tcp,80"
---------- Forwarded message ----------
From: Jigish Gohil
On 2006-11-01 01:03, Jigish Gohil wrote:
FW_FORWARD_MASQ="0/0,192.168.0.249,tcp,80,80,0/0"
The way I read this, the last field is not a net/mask, rather a single IP, despite what the CoolSolutions webpage says. AFAIK, the field isn't even necessary. Since you are not doing any port redirection, the second "80" is not needed. Thus:
FW_FORWARD_MASQ="0/0,192.168.0.249,tcp,80"
That didn't work either.
Is there anything else I need to activate for forwarding to work?
Does anyone have working /etc/sysconfig/SuSEfirewall2 for SLE 10 or openSUSE 10.2 that can be shared?
prime:~/scripts # cat /proc/sys/net/ipv4/ip_forward
1
I have tried shutting down apparmor, and also the script that works on fedora boxes. http://pastebin.ca/234209
Would it be possible for anyone to test port forwarding and if it doesn't then I'd file a bug.
-J
On 2006-11-02 05:07, Jigish Gohil wrote:
-<snip>
FW_FORWARD_MASQ="0/0,192.168.0.249,tcp,80"
That didn't work either.
Is there anything else I need to activate for forwarding to work?
I cannot see why it isn't working. Are you logging dropped packets? If so, perhaps the firewall logfile will show what is happening. The results of "iptables-save" will show the exact state of your firewall. Could you post that output?
On 11/2/06, Darryl Gregorash
Here is the iptables-save output: http://rafb.net/paste/results/N0Nplw78.html
All this while I was testing this from the router and intranet, access from outside works!!
Now how do we get it to work from intranet too?
Thanks a bunch.
-J
On 2006-11-02 06:14, Jigish Gohil wrote:
<snip>
Here is the iptables-save output: http://rafb.net/paste/results/N0Nplw78.html
All this while I was testing this from the router and intranet, access from outside works!!
It would have been nice to know this from the beginning. I assumed the problem was on the external device.
Now how do we get it to work from intranet too?
I cannot make any sense of the rules for the internal zone as the firewall stands now. Get rid of the word "any" from FW_DEV_EXT, restart the firewall, and repost the results. Maybe this will change things, maybe it won't, but at least there won't be any doubt in my mind.
On 11/3/06, Darryl Gregorash
On 2006-11-02 06:14, Jigish Gohil wrote:
<snip>
It would have been nice to know this from the beginning. I assumed the problem was on the external device.
I thought so too, as I had not tested from outside. Sorry about that. I am happy that it works.
Now how do we get it to work from intranet too?
I cannot make any sense of the rules for the internal zone as the firewall stands now. Get rid of the word "any" from FW_DEV_EXT, restart the firewall, and repost the results.
The setup below for port forwarding works from outside.
FW_DEV_EXT="eth-id-00:15:f2:52:f8:8a"
FW_DEV_INT="eth-id-00:08:a1:65:d7:c6"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,192.168.0.249,tcp,80"
FW_REDIRECT=""
iptables-save result: http://rafb.net/paste/results/Znuyph56.html
On 2006-11-02 23:00, Jigish Gohil wrote:
It should be working. Are you certain you are trying to connect to the web server on IP 192.168.0.249, and not the router? There is no masquerading done within the internal zone, as it is not needed.
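As an added example (my own, not from the thread): a small Python checker that reads iptables-save output, which Darryl asked for above, and reports whether the three rules a port forward needs are present, plus the two extra rules LAN clients need when they reach the server through the router's external address. The rule set below is a constructed sample in the shape of the working setup; eth0 as the external and eth1 as the internal interface are assumptions.

```python
import re
# Constructed sample in iptables-save format, modelled on the working
# DNAT + MASQUERADE setup from the thread (the original pastes are gone).
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.249:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -d 192.168.0.249/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def parse_tables(text):
    """Map each iptables table name to its list of '-A ...' rule lines."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()
            tables[current] = []
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables

def audit_port_forward(save_text, ext_if, int_if, target_ip, port):
    """Return {check: bool} for a TCP port forward to target_ip:port.

    Internet -> server needs DNAT in nat/PREROUTING on ext_if, ACCEPT in
    filter/FORWARD and MASQUERADE/SNAT out of ext_if.  LAN clients using the
    external address ('works from outside, not from intranet') also need DNAT
    on int_if and SNAT/MASQUERADE toward the server on int_if, so replies go
    back through the router instead of straight to the client, which drops them.
    """
    ip = re.escape(target_ip)
    tables = parse_tables(save_text)
    nat, filt = "\n".join(tables.get("nat", [])), "\n".join(tables.get("filter", []))
    checks = {  # name -> (table text to search, rule pattern)
        "dnat_from_ext": (nat, rf"^-A PREROUTING .*-i {ext_if} .*--dport {port} .*-j DNAT --to-destination {ip}:{port}$"),
        "forward_accept": (filt, rf"^-A FORWARD .*-d {ip}(/32)? .*--dport {port} .*-j ACCEPT$"),
        "masq_on_ext": (nat, rf"^-A POSTROUTING .*-o {ext_if} .*-j (MASQUERADE|SNAT)"),
        "dnat_from_int": (nat, rf"^-A PREROUTING .*-i {int_if} .*--dport {port} .*-j DNAT --to-destination {ip}:{port}$"),
        "hairpin_snat": (nat, rf"^-A POSTROUTING .*-o {int_if} .*-d {ip}(/32)? .*-j (MASQUERADE|SNAT)"),
    }
    return {name: bool(re.search(pat, text, re.M)) for name, (text, pat) in checks.items()}

def missing_pieces(save_text, ext_if, int_if, target_ip, port):
    """Names of the failed checks, in audit order."""
    return [n for n, ok in audit_port_forward(save_text, ext_if, int_if, target_ip, port).items() if not ok]
```

A rule set that passes the first three checks but fails the last two matches the thread's end state: reachable from outside, not from the intranet.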