[Firehol-support] Another day in port forward nightmare...

Costa Tsaousis costa at tsaousis.gr
Thu Sep 25 01:08:45 BST 2003


Hi,

> The Xitami logs don't show any access from the gateway
> machine (either public or private address). So I assume
> the packets are simply not getting to the machine, thus
> are not forwarded...

This statement is wrong. Your http server should not show the IPs of the
gateway but the IPs of the sender. You are DNATing not SNATing. DNAT
changes the destination, SNAT changes the source. So, FireHOL changes the
destination of the request packet in order to reach your server, but it
leaves the source as-is so that your http server knows where to send the
reply. For the replies, FireHOL (or better: iptables) changes the source
back to the value the original sender is expecting, so that everyone is
happy.

Please verify your setup by sending requests from the outside.
(Your http server should have the linux box as its default gateway -
otherwise you would need a DNAT and a SNAT too).
-- 
Costa Tsaousis

> Hi, I have tried a zillion things since the last
> two days to do something as simple as port forwarding,
> in theory, I guess :) , without success...
>
> This is the picture. I have a RedHat 9 firewall/gateway.
>
> Its primary purpose is to provide internet access
> to Windows computers on the lan. The computers on
> the lan are allowed to do whatever they want on the net.
>
> There is a machine on the lan (SERVORACLE7) which runs
> an Xitami http server. The server runs fine, I can
> access it from any computer on the lan.
>
> So the secondary purpose of the gateway is to
> redirect HTTP requests received on the gateway, from
> the net, to this SERVORACLE7 machine...
>
> The following script seems to be working fine for
> every purpose intended, except forwarding HTTP
> requests to SERVORACLE7.
>
> The Xitami logs don't show any access from the gateway
> machine (either public or private address). So I assume
> the packets are simply not getting to the machine, thus
> are not forwarded...
>
> I am really in the dark here, and have no more ideas... I
> have tried to put "server all accept" and
> "client all accept" in every interface
> and router statements with no result. It simply won't
> DNAT... Anyone have an idea? :)
>
> Thanks...
>
>
> ------ my script ----------------------------------
>
> version 5
>
> PUB_IP="204.19.34.81"
> LAN_IP="192.168.1.212"
>
> SERVORACLE7="192.168.1.109"
>
> dnat to "$SERVORACLE7" inface eth0 proto tcp dport 80
>
> interface eth0 Internet
>
> 	protection strong
> 	policy drop
> 	server ssh accept
> 	client all accept
>
>
> interface eth1 Lan
>
> 	policy reject
> 	server ssh accept
> 	server samba accept
> 	server icmp accept
> 	client all accept
>
>
> router Lan2Internet inface eth1 outface eth0
>
> 	masquerade
> 	server all accept
>
>
> router Internet2Lan inface eth0 outface eth1
>
> 	# ALSO TRIED WITH: masquerade reverse
> 	server http accept
>
> ---- end of script -------
>
>
>
> =====
> _______________________________________________________
> Alain Bacon - Application Architect
> Mobilair Intégration Inc. 1-800-341-4124
> PGP public key: http://pages.infinit.net/syntek
> Live as if you would die today & dream as if you would never die!
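The following is an added illustration of the DNAT/SNAT round trip Costa describes; it is not code from the thread, from FireHOL or from iptables. It is a toy model of the nat table and of the connection-tracking entry iptables keeps for a DNATed connection. The gateway and server addresses are those from the posted script; the outside client address 203.0.113.7 is constructed. It shows two things: the http server logs the original sender's IP, never the gateway's, and the reply is only un-translated if it passes back through the gateway, which is why the server's default gateway must be the linux box.

```python
"""Toy model of a DNAT port forward and the reply path.

Added example (not part of the original thread). Addresses from the
posted script; the client address is a constructed documentation-range IP.
"""
from dataclasses import dataclass, replace

PUB_IP = "204.19.34.81"          # gateway eth0, from the posted script
GATEWAY_LAN_IP = "192.168.1.212"  # gateway eth1, from the posted script
SERVORACLE7 = "192.168.1.109"     # http server, from the posted script
CLIENT = "203.0.113.7"            # constructed outside host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """Models a PREROUTING DNAT rule plus the conntrack entry that
    iptables uses to rewrite the source of the matching replies."""

    def __init__(self, dnat_to: str, dport: int = 80):
        self.dnat_to = dnat_to
        self.dport = dport
        # (client ip, client port) -> destination the client originally used
        self.conntrack = {}

    def inbound(self, pkt: Packet) -> Packet:
        # DNAT: only the destination is rewritten, the source stays as-is,
        # so the server knows where to send the reply.
        if pkt.dst == PUB_IP and pkt.dport == self.dport:
            self.conntrack[(pkt.src, pkt.sport)] = pkt.dst
            return replace(pkt, dst=self.dnat_to)
        return pkt

    def reply(self, pkt: Packet) -> Packet:
        # Reply of a tracked connection: put the public address back as
        # source so the client sees the address it connected to.
        original_dst = self.conntrack.get((pkt.dst, pkt.dport))
        if original_dst is not None and pkt.src == self.dnat_to:
            return replace(pkt, src=original_dst)
        return pkt


def server_sees(gw: Gateway, request: Packet) -> str:
    """Peer address the http server would log for a forwarded request."""
    return gw.inbound(request).src


def round_trip(server_default_gw: str) -> Packet:
    """Simulate request and reply; return the reply as the client receives it.

    server_default_gw is the router the http server sends replies to.
    """
    gw = Gateway(SERVORACLE7)
    request = Packet(CLIENT, 40000, PUB_IP, 80)
    at_server = gw.inbound(request)
    reply = Packet(at_server.dst, 80, at_server.src, at_server.sport)
    if server_default_gw == GATEWAY_LAN_IP:
        return gw.reply(reply)   # passes the gateway: source restored
    # Routed via some other box: conntrack never sees it, the client gets
    # a reply from 192.168.1.109 for a connection it opened to 204.19.34.81
    # and discards it. This is the case that needs SNAT as well.
    return reply


if __name__ == "__main__":
    gw = Gateway(SERVORACLE7)
    print("server logs:", server_sees(gw, Packet(CLIENT, 40000, PUB_IP, 80)))
    print("reply src, gateway as default gw:", round_trip(GATEWAY_LAN_IP).src)
    print("reply src, other default gw:     ", round_trip("192.168.1.1").src)
```

Running it prints the client address as the logged peer, then 204.19.34.81 for the correct routing case and 192.168.1.109 for the broken one. On the real gateway the equivalent check is to watch eth1 for port 80 traffic while requesting from the outside: if the request leaves eth1 with the outside client's source address and the reply does not come back through the gateway, the server's routing, not the DNAT rule, is the problem.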
