[Firehol-support] Port forwarding failing, probably configuration error.

Mark rider at ridersoft.net
Wed Feb 3 17:12:40 GMT 2016


I am trying to get a simple bit of port forwarding to work, but this is a 
new kind of frustrating, also because it's the goram baby monitor 
and that fact does kinda put a little stress on me :)

I want all traffic coming in on port 88 on the firewall to go to an IP 
on the LAN at 192.168.40.55
I've tried a whole list of things, but currently I keep getting this.

-------------------------
root at ruby:/home/rider# telnet 83.84.x.x 88
Trying 83.84.x.x...
telnet: Unable to connect to remote host: Connection refused
root at ruby:/home/rider# telnet 192.168.40.55 88
Trying 192.168.40.55...
Connected to 192.168.40.55.
Escape character is '^]'.
^]

telnet> quit
Connection closed.
root at ruby:/home/rider#
-------------------------

The forwarding doesn't work, telnet directly does. This is the latest 
version of the configuration line I've used;

nat4 to-destination 192.168.40.55 proto tcp dport 88 dst 83.84.x.x

As far as I understand, this should work. But, I get connection refused. 
Can anyone tell me what the flaw in my logic is? After a few hours of 
this, I am beat.

Many thanks. The Firehol config is below this

-------------------------

# FireHOL configuration file
#
# See firehol.conf(5) manual page and FireHOL Manual for details.
#
# What this file actually does (the stock template text that used to be
# here described a fully stealthed host and no longer applied):
#
#  - eth4 (InetZiggo) is the internet side: a fixed list of services is
#    accepted for the firewall host itself, a list of "blocker" ports and
#    everything else that is a recognised request is rejected, the rest is
#    dropped by policy. The host can originate anything.
#  - eth0 / br0 / lxcbr0 / veth+ / tap0 are the internal sides and accept
#    everything in both directions.
#  - lan2internet / br2internet masquerade the LAN and bridge behind eth4.
#  - one nat4 rule rewrites public tcp/88 to the IP camera on the LAN.
#

version 6

# Logging backend and level; see the FireHOL manual for the exact
# semantics of these two variables.
FIREHOL_LOG_MODE="NFLOG"
FIREHOL_LOG_LEVEL=6

# Presumably: drop orphan TCP ACK/FIN packets without logging, and do not log
# packets conntrack classifies as INVALID - confirm against the manual.
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=1
FIREHOL_LOG_DROP_INVALID=0

# Service definitions referenced by the interface/router statements below.
# server_<name>_ports lists the proto/port pairs the service listens on;
# client_<name>_ports='default' lets FireHOL choose the client port range.

# Remote access (presumably sshd on a non-standard port, on 22 and on 443).
server_SSHSafe_ports='tcp/6036'
client_SSHSafe_ports='default'
server_SSH_ports='tcp/22'
client_SSH_ports='default'
server_SSH443_ports='tcp/443'
client_SSH443_ports='default'

# VPN server and remote desktop.
server_openvpn_ports='tcp/1194'
client_openvpn_ports='default'
server_rdp_ports='tcp/3300'
client_rdp_ports='default'

# Mail and database.
server_imapssl_ports='tcp/993'
client_imapssl_ports='default'
server_mysql_ports='tcp/3306'
client_mysql_ports='default'

# Voice / chat.
server_vent_ports='tcp/3784 udp/3784'
client_vent_ports='default'
server_teamspeak_ports='udp/8767'
client_teamspeak_ports='default'
server_ts_ports='udp/9987'
client_ts_ports='default'
server_voip_ports='udp/5060 tcp/5060'
client_voip_ports='default'

# IP camera web port; this is also the port the nat4 rule forwards to the
# camera on the LAN.
server_ipcam_ports='tcp/88'
client_ipcam_ports='default'

# Ports explicitly refused on the internet interface ("server blocker reject"
# in the InetZiggo interface): telnet, DHCP, portmap, NetBIOS/SMB, MSSQL,
# VNC, BitTorrent, a proxy port and a few others.
# NOTE(review): the second row is tcp/57 udp/67 while every other row pairs
# the same number for tcp and udp; tcp/67 may have been intended - confirm.
server_blocker_ports="  tcp/23          udp/23
                         tcp/57          udp/67
                         tcp/68          udp/68
                         tcp/111         udp/111
                         tcp/135         udp/135
                         tcp/137         udp/137
                         tcp/138         udp/138
                         tcp/139         udp/139
                         tcp/445         udp/445
                         tcp/1433        udp/1433
                         tcp/1434        udp/1434
                         tcp/2967        udp/2967
                         tcp/5900        udp/5900
                         tcp/6881        udp/6881
                         tcp/3128        udp/3128
                         tcp/59001       udp/59001"
client_blocker_ports='default'

# My Internet Host Ziggo
#
# Internet-facing interface. Everything not matched below is dropped by
# policy; recognised-but-unlisted requests get an explicit refusal from the
# closing "server all reject".
interface eth4 InetZiggo
         policy drop
         server ident reject with tcp-reset

         # I don't know why this doesn't work
         # client multicast reject with proto-unreach

         # Services the firewall host itself answers on the public address.
         # These are INPUT-chain accepts: they do not forward anything.
         server SSH              accept
         server SSHSafe          accept
         server SSH443           accept
         server http             accept
         server smtp             accept
         server dns              accept
         server openvpn          accept
         server imapssl          accept
         server icmp             accept
         # NOTE(review): this accepts tcp/88 *for the firewall itself*. A
         # connection to 83.84.x.x:88 that the nat4 rule below does not
         # rewrite therefore reaches the local host, which has nothing
         # listening on 88 and answers with a TCP reset - exactly the
         # "Connection refused" seen in the post. It is not needed for the
         # forwarding; once the DNAT works it could be dropped so that
         # non-rewritten connections are refused like everything else.
         server ipcam            accept
         server blocker          reject

         client  all             accept
         server  all             reject

# Rewrite the destination of public tcp/88 to the IP camera.
# No "src" or "inface" restriction: every internet source can reach the
# camera, and (if the rule lands in PREROUTING as a destination NAT normally
# does) LAN-originated connections to 83.84.x.x are rewritten as well.
# NOTE(review): the test in the post runs as root@ruby; if ruby is the
# firewall host itself, its own connections to 83.84.x.x never traverse
# PREROUTING, so a destination NAT cannot apply - test from outside.
# Check firehol-nat(5) for where the nat helper must be placed relative to
# interface/router definitions, and confirm with
# "iptables -t nat -L PREROUTING -n -v" that the rule exists and its
# counters increase during an external test. The forwarded packet must also
# be allowed by a router (eth4 -> eth0); see lan2internet below.
nat4 to-destination 192.168.40.55 proto tcp dport 88 dst 83.84.x.x

# Accept all on the Lan
# (no explicit "policy" here or on br0; FireHOL's default interface policy
# applies to whatever the two accept-all rules leave unmatched)
interface eth0 LAN
         client all      accept
         server all      accept

# Accept all on the Bridge
interface br0 Bridge
         client all      accept
         server all      accept

# LXC Bridge
interface lxcbr0 LXCBridge
         policy accept
         server all              accept
         client all              accept

# LXC Nic
# "veth+" is an iptables interface wildcard: it matches every device whose
# name starts with "veth", i.e. the container-side virtual NICs.
interface veth+ LXCNIC
         policy accept
         server all              accept
         client all              accept

# VPN Tap Device
interface tap0 TapDecvice
         policy accept
         server  all             accept
         client  all             accept

# Allow routing for the lan
# NOTE(review): a packet rewritten by the nat4 rule (eth4 -> eth0, to
# 192.168.40.55 tcp/88) has to be allowed by this router. It is covered by
# "client all accept" if, as firehol-router(5) describes, client rules in a
# router match requests entering from the outface - confirm the direction,
# otherwise add an explicit server rule for the forwarded service.
router lan2internet inface eth0 outface eth4
         masquerade
         client all      accept
         server all      accept

# Allow routing for the Bridge
router br2internet inface br0 outface eth4
         masquerade
         client all      accept
         server all      accept

# Allow routing for Bridge To Bridge
# Same interface on both sides; presumably covers bridged traffic that the
# kernel hands to iptables (bridge-nf) - confirm that is the intent.
router br2br inface br0 outface br0
         policy accept

# Allow all routing for inface lxcbr0
# Both directions between the LXC bridge and the container NICs are
# masqueraded and fully open.
router lx2veth inface lxcbr0 outface veth+
         masquerade
         server all      accept
         client all      accept

router veth2lx inface veth+ outface lxcbr0
         masquerade
         client all      accept
         server all      accept



