Linux - Networking
I am having trouble with port forwarding and have been fighting it for a week. I am about ready to throw the box out the window...
I have an old 486 running as my firewall with kernel 2.2.16 (RH 6.2) with all appropriate modules (ipmasqadm, etc). I use IPChains for the firewall script. My firewall has two network cards, one external and one internal, pretty standard stuff. I have re-compiled the kernel with everything needed for masquerading/firewalling support.
I am trying to simply telnet to my firewall and have it forward to an internal linux box with RH 7.3 on it. This is just a test as I am trying to set up a game server, which needs certain ports forwarded to it.
Here is my test firewall script:
#!/bin/sh
# /etc/rc.d/rc.firewall
# Invoked from /etc/sysconfig/network-scripts/pump-done, or
# from /etc/dhcpc/dhcpcd-eth0.exe, or
# from /etc/sysconfig/network-scripts/ifdhcpc-done.
echo "Starting firewalling... "
# ----------------------------------------------------------------------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
# These modules are necessary to masquerade their respective services.
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio ports=554,7070,7071,6970,6971
/sbin/modprobe ip_masq_irc
It looks kind of funny because I just pasted it from Notepad, but that is the gist of it. It is also simply a test script I am using to try and figure this out.
When I run the firewall script, I get the correct output from "ipmasqadm portfw -l", and everything looks great. But, when I try to telnet to my external machine, it just times out.
Can anybody tell me what the heck I am doing wrong (besides needing to switch to iptables)? I would very much appreciate any help you can offer....
Distribution: Redhat v8.0 (soon to be Fedora? or maybe I will just go back to Slackware)
Well... I am not a firewall expert, but one suggestion I might make: create a new firewall script that contains only the lines you need for IPMASQ and port forwarding telnet.
Once you get that working, add the port forwarding lines to your regular script. Keep It Simple, Stupid.
Here is what I do to forward port 5121:
#!/bin/sh
# modprobe resolves module dependencies; a bare insmod does not
modprobe ip_tables
echo " Enabling SNAT (MASQUERADE) on eth0 ... "
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This is not my full firewall script, just a test one that I used to get my NWN server online. After I got it working, I put those lines in my full script.
Originally posted by KevinJ: Well... I am not a firewall expert, but one suggestion I might make: create a new firewall script that contains only the lines you need for IPMASQ and port forwarding telnet.
Once you get that working, add the port forwarding lines to your regular script. Keep It Simple, Stupid.
Thanks for the reply. I pretty much have done that with the script shown above... My regular firewall is about 10 times that length
I think I have figured out that it is a problem with my ip_masq_portfw.o module. Even though I re-compiled my kernel, it doesn't seem to want to work. If I do an '/sbin/lsmod', it is not shown as installed. If I go to /lib/modules, the module is there, but when I try and install it 'insmod ip_masq_portfw.o', I get an error "couldn't find the kernel version the module was compiled for"....
I am about ready to re-build this box with a newer version. The problem is that I only have 1300 megs of hard-drive space on this old clunker...
Distribution: Redhat v8.0 (soon to be Fedora? or maybe I will just go back to Slackware)
It may be a typo, but it should be "insmod ip_masq_portfw" without the ".o".
If the modules directory for the kernel version you are booted to has the module present, then it's certainly compiled for that version. Have you checked the config file from your kernel compile to see if you included modular support for this?
Do you still have the default kernel on your system that you can boot to as a test?
Originally posted by KevinJ: It may be a typo, but it should be "insmod ip_masq_portfw" without the ".o".
If the modules directory for the kernel version you are booted to has the module present, then it's certainly compiled for that version. Have you checked the config file from your kernel compile to see if you included modular support for this?
Do you still have the default kernel on your system that you can boot to as a test?
-K.
Well, I have re-compiled my kernel about six times now to no avail. I also realized that if I compile the kernel with "portfw" included in the kernel (not modular), it won't show up as a module. So, I don't think that is the problem either. I am completely stumped. My kernel is now updated to version 2.2.23 (newest for RH 6.2) and I completely re-built my firewall box from scratch.
I guess I am hoping a firewall expert will be able to tell me if my script is even right....
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
Try:
insmod -f ip_masq_portfw.o (with the .o; insmod requires the actual filename, whereas modprobe gets that from depmod). This will attempt to force loading of the module without checking the kernel version, but if there are unresolved symbols, it won't work anyway.
man insmod
Check out your kernel setup: do you have CONFIG_MODVERSIONS set to "Y"? You should.
Originally posted by moses: This looks to me like you're only allowing telnets from outside your local net, is this what you intend?
Actually that script lets me in from the outside, and another section of the scripts allows unlimited traffic within my local network.
I actually got it working. I think I may have been okay all along......
I telnetted from work to home yesterday, and I ended up landing at the computer I forwarded to (not expecting that at all). I think that when I was testing from home, it wouldn't work because it was forwarding outside traffic only. So, I think I might have had it right the very first time I tried it. In my defense, I even VPN'd into work from home and tried a telnet while logged in at work, but that didn't seem to make a difference.
But, my kernel is now completely up to date, I can compile kernels like nobody's business, all the rust is shaken off, I know my firewall like the back of my hand and am now having fun with port forwarding. Now, to get my CounterStrike server up and running (it is running, just need to test and populate)....
Linux can be a very trying experience at times, but I love it when it all comes together...
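KevinJ's reply above shows only the MASQUERADE half of an iptables setup, and the final post explains why the forward seemed broken: it worked from work but not from a machine on the LAN. The script below is an added example, not code from the thread or from any of the posters, that puts both halves together for a 2.4-or-later netfilter kernel: the DNAT for a forwarded port, the matching FORWARD accept (a DROP policy on FORWARD is assumed), and the "hairpin" rules needed when a LAN client connects to the firewall's public address. Interface names, addresses, and the UDP 5121 port (taken as the NWN port from KevinJ's reply) are assumed placeholders. On the 2.2 kernel in the original post the first rule of `portfw` corresponds to `ipmasqadm portfw -a -P tcp -L $EXT_IP 23 -R $SERVER 23`; the asymmetric reply path handled by the hairpin rules is the usual reason an inside test against the outside address times out while an outside test succeeds.

```shell
#!/bin/sh
# Added example, not code from the thread. Forwards one port through an
# iptables (2.4+/netfilter) firewall, including the hairpin case the
# original poster hit: a LAN client connecting to the firewall's public IP.
# All addresses, interface names and ports below are assumed values.

EXT_IF="${EXT_IF:-eth0}"            # assumed external interface
INT_IF="${INT_IF:-eth1}"            # assumed internal interface
EXT_IP="${EXT_IP:-203.0.113.10}"    # assumed public address (TEST-NET-3)
LAN="${LAN:-192.168.1.0/24}"        # assumed internal network
SERVER="${SERVER:-192.168.1.50}"    # assumed internal game/telnet host

# DRY_RUN=1 prints each command instead of executing it, so the rule set
# can be reviewed without root and without iptables installed.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# portfw PROTO PORT: rules for one forwarded port.
portfw() {
    proto="$1"
    port="$2"

    # 1. Outside -> public IP: rewrite the destination to the internal host.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" \
        -d "$EXT_IP" --dport "$port" -j DNAT --to-destination "$SERVER:$port"

    # 2. Let the rewritten packet through FORWARD from any interface
    #    (covers the hairpin case below too). A NAT rule alone does nothing
    #    if the forward chain drops the packet afterwards.
    run iptables -A FORWARD -o "$INT_IF" -p "$proto" \
        -d "$SERVER" --dport "$port" -m state --state NEW -j ACCEPT

    # 3. Hairpin: LAN -> public IP. DNAT again on the internal interface and
    #    masquerade the source so the server answers via the firewall.
    #    Without this the server replies straight to the LAN client with its
    #    own address, the client expected EXT_IP, and the test "times out".
    run iptables -t nat -A PREROUTING -i "$INT_IF" -p "$proto" -s "$LAN" \
        -d "$EXT_IP" --dport "$port" -j DNAT --to-destination "$SERVER:$port"
    run iptables -t nat -A POSTROUTING -o "$INT_IF" -p "$proto" -s "$LAN" \
        -d "$SERVER" --dport "$port" -j MASQUERADE
}

# Base rules every forward depends on.
base() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

main() {
    base
    portfw tcp 23      # the telnet test from the thread
    portfw udp 5121    # assumed: NWN port, as in KevinJ's reply
}

# Usage:  sh portfw.sh dry-run   (print the rules)
#         sh portfw.sh apply     (as root: apply them)
case "${1:-}" in
    apply)   main ;;
    dry-run) DRY_RUN=1; main ;;
esac
```

Run it with `dry-run` first and read the output: the two rules in step 3 are exactly what separates the test from home, which failed, from the test from work, which succeeded.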