LinuxQuestions.org
Old 06-13-2002, 07:19 PM   #1
FallenHero
LQ Newbie
 
Registered: Jun 2002
Posts: 4

Rep: Reputation: 0
pardon the silly question: forwarding packets FROM certain ports?


Hi all!

I am running an IPCHAINS firewall which is MASQing outgoing packets for two machines on the internal network.

I need to forward packets from a known external machine and port to a specific internal machine. Specifically, I want all packets from 192.246.40.65:27950 to be routed to my internal machine at 192.168.1.3:27965.

I know I can use portfw to forward packets received at a specified port on the firewall to my internal machine. i.e. portfw -a -P udp -L $myextip 27965 -R 192.168.1.3 27965. However, this will only forward packets that are incoming to port 27965 on the firewall. Unfortunately, my outgoing packets are being MASQed by my firewall and responding packets coming back to "port 27965" are actually being sent back to the MASQ'ed port (ie. 61000 and up).

It seems to me that I need to forward activity FROM certain ports to one of the internal machines. That is, I need to specify a rule in which all packets FROM 192.246.40.65:27950 are automatically forwarded to 192.168.1.3:27965, rather than specify that any packets TO a certain port are forwarded.

Any help is appreciated.

-F.H.
 
Old 06-14-2002, 11:37 AM   #2
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
Normally redirecting a port is not necessary. You just need to forward all the ports that are used.

I do not know of any program that requires you to redirect a port on the router, and can't imagine how it could work that way.

Normally this would only be used to redirect ports for some type of proxy or web server that for some reason or other are on a different port from the one the user is accessing.
 
Old 06-15-2002, 01:36 PM   #3
Griffon26
Member
 
Registered: Sep 2001
Location: The Netherlands
Distribution: Gentoo, Debian, Mandrake, LFS
Posts: 182

Rep: Reputation: 30
Re: pardon the silly question: forwarding packets FROM certain ports?

Quote:
Originally posted by FallenHero
Unfortunately, my outgoing packets are being MASQed by my firewall and responding packets coming back to "port 27965" are actually being sent back to the MASQ'ed port (ie. 61000 and up).
You misunderstood what masquerading is all about. It's not simply rewriting source addresses and then forgetting all about it. The firewall keeps track of connections so it knows where to send returning packets.

Communication between one of the computers on your LAN and a server on the internet could go like this.

A machine on your LAN connects to the server and will send a packet containing:
Quote:
src addr = 192.168.1.3
src port = 27965
dest addr = 192.246.40.65
dest port = 27950
The firewall, after storing connection details, will change this into (for example):
Quote:
src addr = external IP of firewall
src port = 63000
dest addr = 192.246.40.65
dest port = 27950
When the server replies, it sends
Quote:
src addr = 192.246.40.65
src port = 27950
dest addr = external IP of firewall
dest port = 63000
The firewall, remembering the connection details, will rewrite it like this:
Quote:
src addr = 192.246.40.65
src port = 27950
dest addr = 192.168.0.3
dest port = 27965
If you have no forwarding rules at all and all you have is NAT, everything will work like a charm.

But of course if you are asking such a question, something is obviously not working.

It could be that your firewall is specifically blocking packets that are required for this connection to work. This all depends on what your firewall rules are.

I am not too familiar with ipchains, I use iptables myself. Maybe someone else can help you out if the IP Masquerading HOWTO isn't enough.

Last edited by Griffon26; 06-15-2002 at 01:37 PM.
 
Old 06-15-2002, 01:55 PM   #4
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
The port forwards I use are for games, there's also one for instant messengers and other programs that would make your computer some sort of server.

What you will see is that by allowing a connection on the correct port you can play online games or whatever it is. However, you cannot host a game on an IPMASQED machine because the game or program has your ip as 192.168.0.2 or something that does not have a valid internet ip or dns name. Therefore it is required of the router to forward the port that the machine is connecting on for the connection to work.

In some cases, actually almost all cases, there are several ports used. If this is the case then you must find out what ports are used and forward all of them.


Here's one example of how to host a NASCAR 4 game behind a router where IPMASQ is used.


#nascar 4
# $IPTABLES is the script's variable for the iptables binary; $INET_IFACE is
# assumed to be its variable for the internet-facing interface (the original
# line was missing the "$", which would make iptables look for an interface
# literally named INET_IFACE).
$IPTABLES -t nat -A PREROUTING -d 0/0 -p udp --destination-port 32766:32809 -i $INET_IFACE -j DNAT --to 192.168.0.4
#


The game server uses 32766 and 32767, and each racer that connects needs a port to connect on, so you can have 42 people connected. Or something like that.

Last edited by DavidPhillips; 06-15-2002 at 01:58 PM.
 
Old 06-15-2002, 03:42 PM   #5
Griffon26
Member
 
Registered: Sep 2001
Location: The Netherlands
Distribution: Gentoo, Debian, Mandrake, LFS
Posts: 182

Rep: Reputation: 30
Quote:
Originally posted by DavidPhillips
What you will see is that by allowing a connection on the correct port you can play online games or whatever it is.
Sounds like you're saying you need to allow connections on a port to play games on servers on the internet. This is generally not the case. You only need to open up ports to be able to host games.
 
Old 06-15-2002, 03:57 PM   #6
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
This is true if you have no firewall.

With a firewall you set rules for all allowed connections, then you block everything else.

Or maybe use established/related connections.

Last edited by DavidPhillips; 06-15-2002 at 03:58 PM.
 
Old 06-15-2002, 05:21 PM   #7
Griffon26
Member
 
Registered: Sep 2001
Location: The Netherlands
Distribution: Gentoo, Debian, Mandrake, LFS
Posts: 182

Rep: Reputation: 30
Quote:
Originally posted by DavidPhillips
This is true if you have no firewall
You're right of course =]

Was there support for related/established in ipchains + kernel 2.2? I think it's only in iptables + 2.4.

If that is the case, I recommend upgrading to 2.4, since the whole firewall stuff has become much easier.

This site has lots of information about iptables (both firewall scripts and documentation). I took one of those scripts, debugged it, modified it and now I'm happily using it.

P.S.: If you're using IE and you want to follow the link to my script, you'll have to do some url editing + ftp site browsing, coz IE refuses to accept it's a file just as vehemently as I refuse to add an extension

Last edited by Griffon26; 06-15-2002 at 05:24 PM.
 
Old 06-18-2002, 07:46 AM   #8
FallenHero
LQ Newbie
 
Registered: Jun 2002
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks for all the info! :-)

The issue, it turns out, is resolved by enabling the loose UDP patch on the firewall.

The app sends a "heartbeat" packet to the "mother ship" server which then broadcasts the IP of my server to potential users. The problem I was facing (I now know) was that it was publicizing the app on the MASQed port. Potential users were then trying to access my server through the MASQed port and being summarily ignored. Enabling the loose UDP allowed those packets through.

Of course, this is somewhat dangerous. ;-)

My original thought was that I might try to enable incoming packets *from* certain ports. That is, examine the sending port of an incoming packet and pass it on if it matches that of the desired app.

I appreciate the education.

-F.H.
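To make the thread's three mechanisms concrete, here is a small Python model of an ipchains-style masquerading firewall. It is an added example, not code from the thread, from ipchains or from iptables: it walks through the source/reply rewrite that Griffon26 describes in post #3, the DNAT port-range forward from DavidPhillips' post #4, and the "loose UDP" behaviour FallenHero ends up enabling in post #8, where a packet sent to a masqueraded UDP port is accepted even though it comes from a peer other than the one the LAN host talked to. The firewall's public address (203.0.113.10) and the second player's address (198.51.100.7) are constructed placeholders from the RFC 5737 documentation ranges; the LAN host, game-server address and ports are the ones quoted in the thread. Real kernels track far more state than this; the model keeps only what is needed to show why each packet is accepted or dropped.

```python
"""Toy model of ipchains-style masquerading with connection tracking.

Added example, not from the thread or from ipchains/iptables.  It keeps only
the fields needed to show why a packet is rewritten or dropped.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (RFC 5737 documentation ranges).
EXTERNAL_IP = "203.0.113.10"    # the firewall's public address (placeholder)
PLAYER_IP = "198.51.100.7"      # an unrelated internet host (placeholder)
MASQ_PORT_BASE = 61000          # ipchains masquerading uses ports from 61000 up


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class MasqFirewall:
    def __init__(self, external_ip: str = EXTERNAL_IP, loose_udp: bool = False):
        self.external_ip = external_ip
        self.loose_udp = loose_udp
        self.next_port = MASQ_PORT_BASE
        self.table = {}     # masq port -> (proto, lan ip, lan port, peer ip, peer port)
        self.forwards = []  # (proto, low port, high port, lan host): DNAT rules

    def add_port_forward(self, proto: str, lo: int, hi: int, lan_host: str) -> None:
        self.forwards.append((proto, lo, hi, lan_host))

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: remember the 5-tuple, rewrite source to ext_ip:masq_port."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for mport, entry in self.table.items():
            if entry == key:  # existing connection: reuse its masqueraded port
                return Packet(pkt.proto, self.external_ip, mport, pkt.dst, pkt.dport)
        mport, self.next_port = self.next_port, self.next_port + 1
        self.table[mport] = key
        return Packet(pkt.proto, self.external_ip, mport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """internet -> firewall: rewrite to the LAN host, or None if dropped."""
        if pkt.dst != self.external_ip:
            return None
        entry = self.table.get(pkt.dport)
        if entry is not None and entry[0] == pkt.proto:
            _, lan_ip, lan_port, peer_ip, peer_port = entry
            # Strict masquerading only accepts the peer the LAN host talked to;
            # loose UDP accepts any source for an existing UDP masq entry.
            strict_ok = (pkt.src, pkt.sport) == (peer_ip, peer_port)
            if strict_ok or (self.loose_udp and pkt.proto == "udp"):
                return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
            return None
        for proto, lo, hi, lan_host in self.forwards:
            if proto == pkt.proto and lo <= pkt.dport <= hi:
                # DNAT keeps the port; only the destination address changes.
                return Packet(pkt.proto, pkt.src, pkt.sport, lan_host, pkt.dport)
        return None


def reply_walkthrough():
    """Post #3: outbound packet from 192.168.1.3:27965, then the server's reply."""
    fw = MasqFirewall()
    out = fw.outbound(Packet("udp", "192.168.1.3", 27965, "192.246.40.65", 27950))
    reply = Packet("udp", "192.246.40.65", 27950, EXTERNAL_IP, out.sport)
    return out, fw.inbound(reply)


def third_party_to_masq_port(loose_udp: bool):
    """Post #8: another player sends to the masqueraded port the master server advertised."""
    fw = MasqFirewall(loose_udp=loose_udp)
    out = fw.outbound(Packet("udp", "192.168.1.3", 27965, "192.246.40.65", 27950))
    return fw.inbound(Packet("udp", PLAYER_IP, 40000, EXTERNAL_IP, out.sport))


def port_forward_range():
    """Post #4: forward udp 32766:32809 to 192.168.0.4; one port in range, one outside."""
    fw = MasqFirewall()
    fw.add_port_forward("udp", 32766, 32809, "192.168.0.4")
    hit = fw.inbound(Packet("udp", PLAYER_IP, 5000, EXTERNAL_IP, 32767))
    miss = fw.inbound(Packet("udp", PLAYER_IP, 5000, EXTERNAL_IP, 33000))
    return hit, miss


if __name__ == "__main__":
    print(reply_walkthrough())
    print(third_party_to_masq_port(False), third_party_to_masq_port(True))
    print(port_forward_range())
```

Running the three scenarios shows the difference in exposure that FallenHero's "somewhat dangerous" aside points at: with strict masquerading, only 192.246.40.65:27950 can reach the LAN socket through port 61000, and the second player's packet is dropped; with loose UDP, any internet host that learns the masqueraded port can reach 192.168.1.3:27965 for as long as the entry lives. The DNAT range in the last scenario exposes exactly the listed ports to exactly one LAN host and nothing else, which is the narrower choice when the service's ports are known in advance.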
 
All times are GMT -5.