Re: [opensuse] Question about iptables and port forward masquerading
Aw but Jeffrey you may indeed be partially correct! My own additional research has now found that apparently localhost does not use the PREROUTING chain in the iptables and this is where SuSEfirewall2 is putting these FW_FORWARD_MASQ rules. I think what I have to do is coax SuSEfirewall2 to put the localhost port routing rules in the OUTPUT chain instead. So now the question is how do I do that? Back to Google and searching; hopefully someone here knows and/or will beat me to the answer and share it with this poor lost soul!? ;-)

Marc...

P.S. Jeffrey had replied privately to me so I have removed identifying information in order to respect that, but wanted to give him kudos and let him and the group see where he has led me in my search for a solution to this problem.

On 6/10/19 6:32 PM, Jeffrey ***** wrote:
My statement is incorrect.
Sorry, Jeffrey
On Mon, Jun 10, 2019, 8:15 PM Jeffrey (email deleted since Jeffrey replied to me privately) wrote:
I don't think connections to localhost go thru the firewall.
Jeffrey
On Mon, Jun 10, 2019, 7:49 PM Marc Chamberlin <marc@marcchamberlin.com> wrote:
Hi - I dunno if this is a good group to ask this question but I will give it a shot and perhaps get pointed to a better group...
I am running the Apache James email server on an OpenSuSE 15.0 x64 system and because of some other requirements I have to run the James daemon under a system user name and not under root. To accomplish that I had to change all the standard email ports that it listens on to higher ones (I added 10000 to the standard port numbers, so for example instead of having the smtp server listen on port 25 I configured it to listen on port 10025). Then using SuSEfirewall2 I configured it to do forward masquerading to route connections from port 25 to port 10025. So for example, and in particular for localhost which is shown here, I did the following (sorry about the formatting, Thunderbird seems to be making choices that I don't want and I haven't got the time to figure out how to tell Thunderbird to knock it off!):
FW_FORWARD_MASQ=" ... \
  (ext and int interface routing not shown but it is similar to what is shown below for localhost)
  0/0,127.0.0.1,tcp,25,10025,127.0.0.1 \
  0/0,127.0.0.1,tcp,465,10465,127.0.0.1 \
  0/0,127.0.0.1,tcp,587,10587,127.0.0.1 \
  0/0,127.0.0.1,tcp,110,10110,127.0.0.1 \
  0/0,127.0.0.1,tcp,995,10995,127.0.0.1 \
  0/0,127.0.0.1,tcp,143,10143,127.0.0.1 \
  0/0,127.0.0.1,tcp,993,10993,127.0.0.1"
The server is not protected from the internal network (this is a SOHO net) and all the external ports are opened. From either the internal network, or from the external network I can use telnet to connect to either the low number ports or the high numbered ports successfully. But from the localhost I can only connect to the high numbered ports. Connecting to the low number ports, such as 25, gets me a Connection Refused message when I try and do a 'telnet localhost 25'. ('telnet localhost 10025' works!)
Using netstat shows that indeed Apache James (a java application) is listening on, for example, port 10025:

netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:10025           0.0.0.0:*               LISTEN      25012/java
and from a snip of the iptables I see this:

iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 226K packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
(lots of other stuff removed, in particular the external interface as I don't want to show the IP addresses, but here is a bit showing some of the internal interface)
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            192.168.10.100       tcp dpt:25 to:192.168.10.100:10025
    0     0 DNAT       tcp  --  lo     *       0.0.0.0/0            192.168.10.100       tcp dpt:25 to:192.168.10.100:10025
   22  1320 DNAT       tcp  --  p3p1   *       0.0.0.0/0            192.168.10.100       tcp dpt:25 to:192.168.10.100:10025
    0     0 DNAT       tcp  --  p3p2   *       0.0.0.0/0            192.168.10.100       tcp dpt:25 to:192.168.10.100:10025
    0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            192.168.10.100       tcp dpt:25 to:192.168.10.100:10025
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            192.168.10.100       tcp dpt:465 to:192.168.10.100:10465
    0     0 DNAT       tcp  --  lo     *       0.0.0.0/0            192.168.10.100       tcp dpt:465 to:192.168.10.100:10465
    9   468 DNAT       tcp  --  p3p1   *       0.0.0.0/0            192.168.10.100       tcp dpt:465 to:192.168.10.100:10465
    0     0 DNAT       tcp  --  p3p2   *       0.0.0.0/0            192.168.10.100       tcp dpt:465 to:192.168.10.100:10465
(and here is some of the things showing the localhost interface)
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            127.0.0.1            tcp dpt:25 to:127.0.0.1:10025
    0     0 DNAT       tcp  --  lo     *       0.0.0.0/0            127.0.0.1            tcp dpt:25 to:127.0.0.1:10025
    0     0 DNAT       tcp  --  p3p1   *       0.0.0.0/0            127.0.0.1            tcp dpt:25 to:127.0.0.1:10025
    0     0 DNAT       tcp  --  p3p2   *       0.0.0.0/0            127.0.0.1            tcp dpt:25 to:127.0.0.1:10025
    0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            127.0.0.1            tcp dpt:25 to:127.0.0.1:10025
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            127.0.0.1            tcp dpt:465 to:127.0.0.1:10465
    0     0 DNAT       tcp  --  lo     *       0.0.0.0/0            127.0.0.1            tcp dpt:465 to:127.0.0.1:10465
    0     0 DNAT       tcp  --  p3p1   *       0.0.0.0/0            127.0.0.1            tcp dpt:465 to:127.0.0.1:10465
    0     0 DNAT       tcp  --  p3p2   *       0.0.0.0/0            127.0.0.1            tcp dpt:465 to:127.0.0.1:10465
    0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            127.0.0.1            tcp dpt:465 to:127.0.0.1:10465
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            127.0.0.1            tcp dpt:587 to:127.0.0.1:10587
    0     0 DNAT       tcp  --  lo     *       0.0.0.0/0            127.0.0.1            tcp dpt:587 to:127.0.0.1:10587
    0     0 DNAT       tcp  --  p3p1   *       0.0.0.0/0            127.0.0.1            tcp dpt:587 to:127.0.0.1:10587
    0     0 DNAT       tcp  --  p3p2   *       0.0.0.0/0            127.0.0.1            tcp dpt:587 to:127.0.0.1:10587
    0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            127.0.0.1            tcp dpt:587 to:127.0.0.1:10587
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            127.0.0.1            tcp dpt:110 to:127.0.0.1:10110
    0     0 DNAT       tcp  --  lo     *       0.0.0.0/0            127.0.0.1            tcp dpt:110 to:127.0.0.1:10110
    0     0 DNAT       tcp  --  p3p1   *       0.0.0.0/0            127.0.0.1            tcp dpt:110 to:127.0.0.1:10110
yada yada yada...
So what am I missing? It is important that I get localhost to accept connections on the low ports since I am using other tools, such as sendmail (in non-daemon mode), and I want it to use Apache James as its MTA. Yet I cannot get connections to the low ports on localhost to work, but I am doing exactly the same sort of setup for the internal and external interfaces and there everything does work!
Thanks in advance for any thoughts and ideas. I will be happy to provide more information, just ask! Marc..
--
--... ...-- .----. ... -.. . .-- .- --... .--. -..- .-- -- .- .-. -.-.
Computers: the final frontier. These are the voyages of the user Marc.
His mission: to explore strange new hardware. To seek out new software and new applications.
To boldly go where no Marc has gone before!
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
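The diagnosis reached in this thread is correct: a packet the host generates itself (telnet localhost 25, or sendmail handing off to the local MTA) never traverses the nat table's PREROUTING chain, so the lo-interface DNAT rules SuSEfirewall2 built from FW_FORWARD_MASQ are never consulted for it; locally generated packets enter the nat table in the OUTPUT chain instead. The script below is an added example written for this page, not code from the thread or from SuSEfirewall2. It takes the low:high port pairs from Marc's FW_FORWARD_MASQ lines (constructed here as PORT_MAP), emits the equivalent DNAT rules for whichever chain is named, and can apply the OUTPUT-chain set for 127.0.0.1 and then show the chain's packet counters so you can confirm the rule is actually being hit.

```shell
#!/bin/sh
# Added example (not from the thread, not SuSEfirewall2 code): emit and optionally apply the
# nat-table DNAT rules that redirect the low mail ports to Apache James's high ports.
# Key point from the thread: packets this host generates itself never pass through
# nat/PREROUTING; they enter the nat table in the OUTPUT chain, so lo-interface rules placed
# in PREROUTING are never consulted for 'telnet localhost 25'.

# Constructed port map, taken from the FW_FORWARD_MASQ lines in the thread: low:high pairs.
PORT_MAP="25:10025 465:10465 587:10587 110:10110 995:10995 143:10143 993:10993"

# Print one DNAT rule per pair for chain $1 (PREROUTING for packets arriving on an
# interface, OUTPUT for packets this host generates) and destination address $2.
emit_dnat_rules() {
    chain=$1
    dest=$2
    for pair in $PORT_MAP; do
        low=${pair%%:*}
        high=${pair##*:}
        printf 'iptables -t nat -A %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$chain" "$dest" "$low" "$dest" "$high"
    done
}

# Number of rules emit_dnat_rules produces for a chain/destination (one per port pair).
rule_count() {
    emit_dnat_rules "$1" "$2" | wc -l | tr -d ' '
}

# Apply the OUTPUT-chain rules for 127.0.0.1. Needs root and iptables on the box; each
# rule is a plain iptables invocation, so a failure stops the loop.
apply_localhost_rules() {
    emit_dnat_rules OUTPUT 127.0.0.1 | while read -r rule; do
        eval "$rule" || return 1
    done
}

# Show the OUTPUT chain with packet counters. A rule whose pkts column stays at 0 after
# 'telnet 127.0.0.1 25' is not being matched, which is exactly the symptom in the thread
# (all of the lo rows in PREROUTING showed 0 packets).
show_output_counters() {
    iptables -t nat -vnL OUTPUT
}

case "${1:-}" in
    --apply) apply_localhost_rules && show_output_counters ;;
    --show)  show_output_counters ;;
    *)       emit_dnat_rules OUTPUT 127.0.0.1 ;;
esac
```

Run it with no arguments to review the rules it would add, then `--apply` as root and `--show` after a test connection to watch the counters move. Rather than adding the rules by hand, the natural home for them on an openSUSE 15.0 box is SuSEfirewall2's custom-rules hook (FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2 pointing at /etc/sysconfig/scripts/SuSEfirewall2-custom, with the rules placed in fw_custom_after_finished); that file and hook name come from SuSEfirewall2's own documentation, not from the thread, so check them against your installed copy. Two caveats worth checking when the counters still stay at zero: iptables rules only cover IPv4, and "localhost" may resolve to ::1 first, so test with `telnet 127.0.0.1 25` to rule that out; and a DNAT in OUTPUT only affects this host's own connections, so it adds no exposure to the internal or external networks beyond what the existing PREROUTING rules already provide.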