Hello,

I am having trouble with port forwarding and have been fighting it for a week. I am about ready to throw the box out the window...

I have an old 486 running as my firewall with kernel 2.2.16 (RH 6.2) with all appropriate modules (ipmasqadm, etc). I use IPChains for the firewall script. My firewall has two network cards, one external and one internal, pretty standard stuff. I have re-compiled the kernel with everything needed for masquerading/firewalling support.

I am trying to simply telnet to my firewall and have it forward to an internal linux box with RH 7.3 on it. This is just a test as I am trying to set up a game server, which needs certain ports forwarded to it.

Here is my test firewall script:

# /etc/rc.d/rc.firewall
# Invoked from /etc/sysconfig/network-scripts/pump-done, or
# from /etc/dhcpc/dhcpcd-eth0.exe, or
# from /etc/sysconfig/network-scripts/ifdhcpc-done.

echo "Starting firewalling... "

# ----------------------------------------------------------------------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1"

IPADDR="my.ip.address"
LOCALNET_1="192.168.2.0/24"

ANYWHERE="any/0"

DHCP_SERVER="any/0"
NAMESERVER_1="any/0"
NAMESERVER_2="any/0"

SMTP_SERVER="mail.example.com"
POP_SERVER="mail.example.com"
NEWS_SERVER="netnews.example.com"

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

# ----------------------------------------------------------------------------

# The IP address, $IPADDR, is defined by dhcpc

if [ -f /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE ]; then
. /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE
elif [ -f /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info ]; then
. /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info
elif [ -f /etc/dhcpc/pump.info ]; then
. /etc/dhcpc/pump.info
else
echo "rc.firewall: dhcp is not configured."
ipchains -F
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A input -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT
exit 1
fi

DHCP_SERVER=$DHCPSIADDR

# ----------------------------------------------------------------------------

NFS_PORT="2049"
NFS SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOW_PORTS="6000:6063"
SSH_LOCAL_PORTS="1022:65535"
SSH_REMOTE_PORTS="513:65535"
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

# Remove all existing rules belonging to this filter
ipchains -F

# Set the default policy of the filter to deny.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

# set masquerade timeout to 10 hours for tcp connections
ipchains -M -S 36000 0 0


# ----------------------------------------------------------------------------

# Enable IP Forwarding, if it isn't already
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# Enable Loose UDP
echo 1 > /proc/sys/net/ipv4/ip_masq_udp_dloose

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done

# These modules are necessary to masquerade their respective services.
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudioports=554,7070,7071,6970,6971
/sbin/modprobe ip_masq_irc

# ----------------------------------------------------------------------------
# LOOPBACK

# Unlimited traffic on the loopback interface.

ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.

# All internal machines have access to the fireall machine.

ipchains -A input -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT

# ----------------------------------------------------------------------------
# Masquerade internal traffic.

# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ

# ----------------------------------------------------------------------------

# TELNET server (23)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 23 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 23 \
--destination-port $UNPRIVPORTS -j ACCEPT


# TELNET client (23)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 23 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 23 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

ipmasqadm portfw -f
ipmasqadm portfw -a -P TCP -L $IPADDR 23 -R 192.168.2.2 23

echo "done"

exit 0

----------------------------------------------------------------------------------

It looks kind of funny because I just pasted it from notepad, but that is the jist of it. It is also simply a test script I am using to try and figure this out.

When I run the firewall script, I get the correct output from "ipmasqadm portfw -l", and everything looks great. But, when I try to telnet to my external machine, it just times out.

Can anybody tell me what the heck I am doing wrong (besides needing to switch to iptables)? I would very much appreciate any help you can offer....

Thanks,

Jim

well.. I am not a firewall expert... but one suggestion I might make... create a new firewall script that contains only the lines you need for IPMASQ and Port Forwarding telnet.

Once you get that working... add the port forwarding lines to you regular script. Keep It Simple, Stupid.

Here is what I do to forward port 5121:

#!/bin/sh

insmod ip_tables
echo " Enabling SNAT (MASQUERADE) on eth0 ... "
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

echo " Enabling IPFORWARDING ... "
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Enabling ports for NWN server ... "
iptables -t nat -A PREROUTING -p udp --dport 5121 -i eth0 -j DNAT --to 192.168.0.26

iptables -I FORWARD -i eth0 -o eth1 -p udp --dport 5121 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


This is not my full firewall script, just a test one that I used to get my NWN server online. After I got it working, I put those lines in my full script.

Good Luck,

K.

Thanks for the reply. I pretty much have done that with the script shown above... My regular firewall is about 10 times that length

I think I have figured out that it is a problem with my ip_masq_portfw.o module. Even though I re-compiled my kernel, it doesn't seem to want to work. If I do an '/sbin/lsmod', it is not shown as installed. If I go to /lib/modules, the module is there, but when I try and install it 'insmod ip_masq_portfw.o', I get an error "couldn't find the kernel version the module was compiled for"....

I am about ready to re-build this box with a newer version. The problem is that I only have 1300 megs of hard-drive space on this old clunker...

Jim

It may be a typo ... but it should be "insmod ip_masq_portfw" without the ".o"

if the modules directory for the kernel version you are booted to has the module present, then its certainly compiled for that version. Have you checked the config file from your kernel compile to see if you included modular support for this?

Do you still have the default kernel on your system that you can boot to as a test?

-K.

Well, I have re-compiled my kernel about six times now to no avail. I also realized that if I compile the kernel with "portfw" included in the kernel (not modular), it won't show up as a module. So, I don't think that is the problem either. I am completely stumped. My kernel is now updated to version 2.2.23 (newest for RH 6.2") and I completely re-built my firewall box from scratch.

I guess I am hoping a firewall expert will be able to tell me if my script is even right....

Thanks again,

Jim

Try:
insmod -f ip_masq_portfw.o (with the .o, insmod requires the actual
filename, whereas modprobe gets that from depmod). This will attempt to
force loading of the module without checking the kernel version, but if there
are unresolved symbols, it won't work anyway.
man insmod
Check out your kernel setup, do you have CONFIG_MODVERSIONS set
to "Y"? You should.

Just a silly question, but have you checked to be sure your telnet service
isn't turned off?
I mean via (x)inetd.conf

This looks to me like you're only allowing telnets from outside your
local net, is this what you intend?

Actually that script lets me in from the outside, and another section of the scripts allows unlimited traffic within my local network.

I actually got it working. I think I may have been okay all along......

I telnetted from work to home yesterday, and I ended up landing at the computer I forwarded to (not expecting that at all)..... I think that when I was testing from home, it wouldn't work because it was forwarding outside traffic only. So, I think I might have had it right the very first time I tried it... In my defense, I even vpn'd into work from home and tried a telnet while logged in at work, but that didn't seem to make a difference.

But, my kernel is now completely up to date, I can compile kernels like nobody's business, all the rust is shaken off, I know my firewall like the back of my hand and am now having fun with port forwarding. Now, to get my CounterStrike server up and running (it is running, just need to test and populate)....

Linux can be a very trying experience at times, but I love it when it all comes together...

Thanks for your replies,

Jim