[Firehol-support] Port forwarding
Jean de Largentaye
jlargentaye at gmail.com
Fri Sep 16 19:14:37 BST 2005
Greetings, good sirs and madams (who knows?),
First of all, thank you Costa for Firehol, it has made me happy
(picture of shining sun, blue sky, goats prancing).
I'm having trouble with port forwarding (picture of dark stormy sky;
goats are immobile and wet). It worked at one time, then it broke
(picture of lightning). But I'll be damned if I knew what changed.
(This is on Debian. There was no firehol version change, or kernel
change.)
The config file includes the necessary:
dnat to $ipPC1:21 inface ppp0 proto tcp dport 13337
dnat to $ipPC1:10100-10499 inface ppp0 proto tcp dport 10100:10499
However, all incoming connections are timed out. The dest PC didn't
see anything, and nothing unusual is logged in the firewall. I have no
idea where the packet is dropped.
My config file looks like this:
BEGIN CONFIG FILE
version 5
FIREHOL_LOG_OPTIONS=""
FIREHOL_LOG_LEVEL="error"

# LAN host that receives the forwarded ports
ipPC1=192.168.1.3

# Port forwards from the internet side (ppp0) to PC1
dnat to $ipPC1:21 inface ppp0 proto tcp dport 13337
dnat to $ipPC1:10100-10499 inface ppp0 proto tcp dport 10100:10499
dnat to $ipPC1:22 inface ppp0 proto tcp dport 13338
dnat to $ipPC1:22 inface ppp0 proto udp dport 13338

# Custom service definitions
server_torrentflux_ports="tcp/49160:49300"
client_torrentflux_ports="any"
server_dnsmasq_ports="udp/12345"
client_dnsmasq_ports="any"

interface eth0 network src "192.168.1.0/24" dst 192.168.1.4/32
    policy reject
    server ICMP accept
    server ident accept
    server ssh accept
    server sunrpc accept
    server http accept
    server dns accept
    server mysql accept
    client all accept

interface eth1 to_modem src "192.168.254.0/24" dst 192.168.254.1/32
    policy drop
    server ICMP accept
    server ident accept
    server ssh accept
    server sunrpc accept
    client all accept

interface ppp+ internet
    policy drop
    protection strong
    server ICMP accept
    server ident accept
    server torrentflux accept
    server dnsmasq accept
    client all accept

router Home2Internet inface eth0 outface ppp0 src "192.168.1.0/24" dst not "${UNROUTABLE_IPS}"
    protection reverse strong
    masquerade
    route all accept
END CONFIG FILE
I've been running through the generated tables, but I'm a bit swamped
by the info and haven't been able to see where the packet could be
lost.
I've also noticed (through firehol explain) that "route all accept"
generates some FTP server stuff:
BEGIN FIREHOL EXPLAIN
# Preparing for service 'ftp' of type 'server' under interface 'Home2Internet'
# Creating chain 'in_Home2Internet_ftp_s3' under 'in_Home2Internet' in table 'filter'
/sbin/iptables -t filter -N in_Home2Internet_ftp_s3
/sbin/iptables -t filter -A in_Home2Internet -j in_Home2Internet_ftp_s3
# Creating chain 'out_Home2Internet_ftp_s3' under 'out_Home2Internet' in table 'filter'
/sbin/iptables -t filter -N out_Home2Internet_ftp_s3
/sbin/iptables -t filter -A out_Home2Internet -j out_Home2Internet_ftp_s3
# Running complex rules function rules_ftp() for server 'ftp'
# Setting up rules for initial FTP connection server
/sbin/iptables -t filter -A in_Home2Internet_ftp_s3 -p tcp --sport 1024:65535 --dport ftp -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_Home2Internet_ftp_s3 -p tcp --sport ftp --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# Setting up rules for Active FTP server
/sbin/iptables -t filter -A out_Home2Internet_ftp_s3 -p tcp --sport ftp-data --dport 1024:65535 -m state --state ESTABLISHED\,RELATED -j ACCEPT
/sbin/iptables -t filter -A in_Home2Internet_ftp_s3 -p tcp --sport 1024:65535 --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
# Setting up rules for Passive FTP server
/sbin/iptables -t filter -A in_Home2Internet_ftp_s3 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED\,RELATED -j ACCEPT
/sbin/iptables -t filter -A out_Home2Internet_ftp_s3 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
END FIREHOL EXPLAIN
I'm wondering if this interferes with my ftp port redirection?
I'd be grateful for any help or pointers :)
John
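Added example (not from the post, and not FireHOL's own code): a DNAT'd connection passes nat PREROUTING first and filter FORWARD second, so comparing the packet counters of those two chains shows the stage at which a forwarded flow stops. The script below parses `iptables -t nat -vnL PREROUTING` and `iptables -vnL FORWARD` output for the two dnat ports from the config above; the counter dumps are constructed samples, and the function and variable names are mine.

```python
import ipaddress
import re
# Constructed sample of `iptables -t nat -vnL PREROUTING` (not from the post).
NAT_PREROUTING = """\
Chain PREROUTING (policy ACCEPT 840 packets, 61200 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  2220 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:13337 to:192.168.1.3:21
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:10100:10499 to:192.168.1.3:10100-10499
"""
# Constructed sample of `iptables -vnL FORWARD`: only the LAN->ppp0 jump is present.
FILTER_FORWARD = """\
Chain FORWARD (policy DROP 37 packets, 2220 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5120  812K in_Home2Internet  all  --  eth0   ppp0    192.168.1.0/24       0.0.0.0/0
"""
HEADER_RE = re.compile(r"^Chain (\S+) \(policy (\w+) (\d+) packets")
RULE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
def to_int(s):  # iptables -v abbreviates big counters: 812K, 3M
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)
def parse_chain(text):
    """Return (policy dict, list of rule dicts) for one `iptables -vnL CHAIN` dump."""
    lines = text.strip().splitlines()
    h = HEADER_RE.match(lines[0])
    policy = {"chain": h.group(1), "target": h.group(2), "pkts": int(h.group(3))}
    rules = []
    for line in lines[2:]:  # lines[1] is the column header
        f = RULE_RE.match(line)
        rules.append({"pkts": to_int(f.group(1)), "target": f.group(3), "in": f.group(6),
                      "out": f.group(7), "dst": f.group(9), "extra": f.group(10)})
    return policy, rules
def dst_covers(dst_field, ip):  # destination column may be '!'-negated
    net = ipaddress.ip_network(dst_field.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != dst_field.startswith("!")
def trace_dnat(nat_text, fwd_text, dport):
    """Walk nat PREROUTING, then filter FORWARD, and say where the flow for dport stops."""
    _, nat_rules = parse_chain(nat_text)
    dnat = next((r for r in nat_rules if r["target"] == "DNAT"
                 and re.search(rf"dpts?:{re.escape(dport)}\b", r["extra"])), None)
    if dnat is None:
        return f"no DNAT rule for dport {dport} in nat PREROUTING"
    if dnat["pkts"] == 0:
        return f"PREROUTING: DNAT for dport {dport} on {dnat['in']} never matched; nothing arrives there"
    target_ip = dnat["extra"].split("to:")[1].split(":")[0]
    policy, fwd_rules = parse_chain(fwd_text)
    jumps = [r for r in fwd_rules if r["in"] in (dnat["in"], "*") and dst_covers(r["dst"], target_ip)]
    if not jumps:
        return (f"FORWARD: {dnat['pkts']} packets rewritten to {target_ip} match no FORWARD rule "
                f"from {dnat['in']}; policy {policy['target']} dropped {policy['pkts']}")
    return f"FORWARD: {jumps[0]['target']} saw {jumps[0]['pkts']} packets; inspect that chain next"
```

Run it against live output (`iptables -t nat -vnL PREROUTING` and `iptables -vnL FORWARD` captured before and after a test connection) and the counter that stops increasing is the chain to read rule by rule.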