[Firehol-support] Port forwarding failing, probably configuration error.

Mark rider at ridersoft.net
Sun Feb 7 19:27:32 CET 2016


I've gotten some advice left and right, thank you, but still not working 
as desired.

I've manually managed it now via this, working from an outside IP:

iptables -A PREROUTING -t nat -i eth4 -p tcp --dport 88 -j DNAT --to 192.168.40.55:88
iptables -A FORWARD -p tcp -d 192.168.40.55 --dport 88 -j ACCEPT

But I cannot find the equivalent configuration options in firehol.

The connections are as follows:

Internet/Browser
  |
eth4, internet facing device on public IP on port 88
  |
br0 - Bridged eth0 and tap0 device
  |
192.168.40.55, the camera

Testing is done via Telnet.

So, if I want port 88 to be forwarded all the way to the 192.168.40.55 
on the LAN, I need the appropriate server entry on the router. I tried 
doing that; my router entries are these:

# Allow routing for the lan
router lan2internet inface eth0 outface eth4
         masquerade
         client all      accept
         server all      accept

# Allow routing for the Bridge
router br2internet inface br0 outface eth4
         masquerade
         client all      accept
         server all      accept

# Allow routing for Bridge To Bridge
router br2br inface br0 outface br0
         policy accept
         server all      accept
         client all      accept

I still get the connection refused, from inside the LAN as well as from 
outside.

Mark schreef op 2016-02-03 18:12:
> I am trying to get a simple bit of portforwarding to work, but this is
> a new kind of frustrating, also because this it's the goram baby
> monitor and that fact does kinda put a little stress on me :)
> 
> I want all traffic coming in on port 88 on the firewall to go to an IP
> on the LAN at 192.168.40.55
> I've tried a whole list of things, but currently I keep getting this.
> 
> -------------------------
> root at ruby:/home/rider# telnet 83.84.x.x 88
> Trying 83.84.x.x...
> telnet: Unable to connect to remote host: Connection refused
> root at ruby:/home/rider# telnet 192.168.40.55 88
> Trying 192.168.40.55...
> Connected to 192.168.40.55.
> Escape character is '^]'.
> ^]
> 
> telnet> quit
> Connection closed.
> root at ruby:/home/rider#
> -------------------------
> 
> The forwarding doesn't work, telnet directly does. This is the latest
> version of the configuration line I've used:
> 
> nat4 to-destination 192.168.40.55 proto tcp dport 88 dst 83.84.x.x
> 
> As far as I understand, this should work. But, I get connection
> refused. Can anyone tell me what the flaw in my logic is? After a few
> hours of this, I am beat.
> 
> Many thanks. The Firehol config is below this
> 
> -------------------------
> 
> # FireHOL configuration file
> #
> # See firehol.conf(5) manual page and FireHOL Manual for details.
> #
> # This configuration file will allow all requests originating from the
> # local machine to be send through all network interfaces.
> #
> # No requests are allowed to come from the network. The host will be
> # completely stealthed! It will not respond to anything, and it will
> # not be pingable, although it will be able to originate anything
> # (even pings to other hosts).
> #
> 
> version 6
> 
> FIREHOL_LOG_MODE="NFLOG"
> FIREHOL_LOG_LEVEL=6
> 
> FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=1
> FIREHOL_LOG_DROP_INVALID=0
> 
> # My cool SSH thing
> server_SSHSafe_ports="tcp/6036"
> client_SSHSafe_ports="default"
> 
> # My cool SSH thing
> server_SSH_ports="tcp/22"
> client_SSH_ports="default"
> 
> server_SSH443_ports="tcp/443"
> client_SSH443_ports="default"
> 
> server_vent_ports="tcp/3784 udp/3784"
> client_vent_ports="default"
> 
> # VPN Server
> server_openvpn_ports="tcp/1194"
> client_openvpn_ports="default"
> 
> # IMAP SSL
> server_imapssl_ports="tcp/993"
> client_imapssl_ports="default"
> 
> # MySQL
> server_mysql_ports="tcp/3306"
> client_mysql_ports="default"
> 
> # Teamspeak
> server_teamspeak_ports="udp/8767"
> client_teamspeak_ports="default"
> 
> # rdp
> server_rdp_ports="tcp/3300"
> client_rdp_ports="default"
> 
> # IPCam
> server_ipcam_ports="tcp/88"
> client_ipcam_ports="default"
> 
> # voip
> server_voip_ports="udp/5060 tcp/5060"
> client_voip_ports="default"
> server_ts_ports="udp/9987"
> client_ts_ports="default"
> 
> # block
> server_blocker_ports="  tcp/23          udp/23
>                         tcp/57          udp/67
>                         tcp/68          udp/68
>                         tcp/111         udp/111
>                         tcp/135         udp/135
>                         tcp/137         udp/137
>                         tcp/138         udp/138
>                         tcp/139         udp/139
>                         tcp/445         udp/445
>                         tcp/1433        udp/1433
>                         tcp/1434        udp/1434
>                         tcp/2967        udp/2967
>                         tcp/5900        udp/5900
>                         tcp/6881        udp/6881
>                         tcp/3128        udp/3128
>                         tcp/59001       udp/59001"
> client_blocker_ports="default"
> 
> # My Internet Host Ziggo
> interface eth4 InetZiggo
>         policy drop
>         server ident reject with tcp-reset
> 
>         # I don't know why this doesn't work
>         # client multicast reject with proto-unreach
> 
>         server SSH              accept
>         server SSHSafe          accept
>         server SSH443           accept
>         server http             accept
>         server smtp             accept
>         server dns              accept
>         server openvpn          accept
>         server imapssl          accept
>         server icmp             accept
>         server ipcam            accept
>         server blocker          reject
> 
>         client  all             accept
>         server  all             reject
> 
> nat4 to-destination 192.168.40.55 proto tcp dport 88 dst 83.84.x.x
> 
> # Accept all on the Lan
> interface eth0 LAN
>         client all      accept
>         server all      accept
> 
> # Accept all on the Bridge
> interface br0 Bridge
>         client all      accept
>         server all      accept
> 
> # LXC Bridge
> interface lxcbr0 LXCBridge
>         policy accept
>         server all              accept
>         client all              accept
> 
> # LXC Nic
> interface veth+ LXCNIC
>         policy accept
>         server all              accept
>         client all              accept
> 
> # VPN Tap Device
> interface tap0 TapDecvice
>         policy accept
>         server  all             accept
>         client  all             accept
> 
> # Allow routing for the lan
> router lan2internet inface eth0 outface eth4
>         masquerade
>         client all      accept
>         server all      accept
> 
> # Allow routing for the Bridge
> router br2internet inface br0 outface eth4
>         masquerade
>         client all      accept
>         server all      accept
> 
> # Allow routing for Bridge To Bridge
> router br2br inface br0 outface br0
>         policy accept
> 
> # Allow all routing for inface lxcbr0
> router lx2veth inface lxcbr0 outface veth+
>         masquerade
>         server all      accept
>         client all      accept
> 
> router veth2lx inface veth+ outface lxcbr0
>         masquerade
>         client all      accept
>         server all      accept
> 
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
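The two iptables lines the poster got working by hand, turned into a small shell helper so the same forward can be rendered consistently and tightened a little: the FORWARD rule is bound to the internet-facing interface and admits only the forwarded port to the one destination host, and a second check confirms the kernel is actually routing. This is an added example, not code from the original post or from FireHOL; the function names pf_rules, pf_check_forwarding and pf_rule_count are mine, while eth4, 192.168.40.55 and port 88 are the values from the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or FireHOL): render the
# DNAT + FORWARD pair for a TCP port forward as iptables commands.
# Interface and address values used in the usage line at the bottom are
# the ones from the thread (eth4, 192.168.40.55, port 88).

# pf_rules WAN_IF PUBLIC_PORT DEST_IP DEST_PORT
# Prints the iptables commands; it does not apply them, so it can be
# reviewed (or diffed against iptables-save) before anything changes.
pf_rules() {
    local wan_if=$1 pub_port=$2 dst_ip=$3 dst_port=$4

    # Rewrite the destination of new connections arriving on the WAN
    # interface only; without "-i" the DNAT would also fire for traffic
    # entering on the LAN or bridge interfaces.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan_if" "$pub_port" "$dst_ip" "$dst_port"

    # FORWARD sees the packet after DNAT, so match the rewritten
    # destination. Only the forwarded port reaches the camera, and only
    # when the packet came in on the WAN interface.
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$wan_if" "$dst_ip" "$dst_port"

    # Replies from the camera back out towards the client; conntrack
    # un-NATs them, so only ESTABLISHED is needed here.
    printf 'iptables -A FORWARD -o %s -p tcp -s %s --sport %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' \
        "$wan_if" "$dst_ip" "$dst_port"
}

# pf_check_forwarding
# DNAT is useless if the kernel does not route between interfaces.
# Returns 0 when net.ipv4.ip_forward is enabled, 1 when it is disabled,
# 2 when the sysctl file cannot be read (e.g. not running on Linux).
pf_check_forwarding() {
    local f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = 1 ]
}

# pf_rule_count ARGS...  -> number of rules pf_rules would emit
pf_rule_count() {
    pf_rules "$@" | wc -l | tr -d ' '
}

# Usage with the thread's values: review the output, then apply it with
# "pf_rules eth4 88 192.168.40.55 88 | sh" as root if it looks right.
pf_rules eth4 88 192.168.40.55 88
if ! pf_check_forwarding; then
    echo "warning: net.ipv4.ip_forward is not enabled (or not readable); DNAT will not forward" >&2
fi
```

Rendering the rules instead of applying them keeps the helper safe to run on any box, and the interface match on the FORWARD rule is what the hand-typed version in the post lacked: as written there, the camera port was reachable through FORWARD from every interface, not just from eth4.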
