[Firehol-support] Port forwarding failing, probably configuration error.

Phil Whineray phil at firehol.org
Mon Feb 8 19:33:54 GMT 2016

Hi Mark

On Sun, Feb 07, 2016 at 07:27:32PM +0100, Mark wrote:
> I've gotten some advice left and right, thank you, but still not working as
> desired.
> I've manually managed it now, via this, working from outside ip;
> iptables -A PREROUTING -t nat -i eth4 -p tcp --dport 88 -j DNAT --to
> iptables -A FORWARD -p tcp -d --dport 88 -j ACCEPT

Have you included these statements directly in your firehol.conf?
There should be no problem with doing that. You will probably need
a reverse rule on the FORWARD chain, in addition:

iptables -A FORWARD -p tcp -s --sport 88 -j ACCEPT

Try it, and if it works, replace the PREROUTING command with the
original nat4 one:

> >nat4 to-destination proto tcp dport 88 dst 83.84.x.x

I think it should continue to work. If so, we just have to contend
with the forwarding issue.

Note that if you did not already know this, you can check the output
which will be produced from firehol by running "firehol debug" or see
a loaded firewall with "firehol status | less".

> But cannot find the equivalent configuration options in firehol
> The connections are such
> Internet/Browser
>  |
> eth4, internet facing device on public IP on port 88
>  |
> br0 - Bridged eth0 and tap0 device
>  |
>, the camera
> Testing is done via Telnet.
> So, if I want port 88 to be forwarded all the way to the on
> the LAN, I need the appropriate server entry on the router. I tried doing
> that, my router entries are these;
> # Allow routing for the lan
> router lan2internet inface eth0 outface eth4
>         masquerade
>         client all      accept
>         server all      accept
> # Allow routing for the Bridge
> router br2internet inface br0 outface eth4
>         masquerade
>         client all      accept
>         server all      accept
> # Allow routing for Bridge To Bridge
> router br2br inface br0 outface br0
>         policy accept
>         server all      accept
>         client all      accept
> I still get the connection refused, from inside the LAN as well as from
> outside.

These do seem like they should allow pretty much everything. Your iptables
version of the rules is stateless and does not include any interface
matching which leaves open a couple of possible differences:

If firehol is dropping something it should log it e.g. as PASS-unknown.
If you run a test from outside you should see entries appearing. Does
your system log tell you anything useful? Perhaps packets are not routing
via the input/output interfaces as you expect (which will be evident in
the log)?

The other possibility is that packets routing back from the camera do not
take the same path as packets coming in. Try tcpdump on the camera-side
with the working and non-working firewalls. In both cases you should see
SYN packets both ways to establish the connection.

When it comes to connecting via the firewall on the local network, the
routing will definitely be a problem. You will need to masquerade or
snat connections that come from the local network or the packets will
go back via the LAN direct and the connection tracker will not allow
further packets to flow. You should be able to see this with tcpdump
as the firewall will only see half of the connection.

I recommend fixing the external to internal first, as using snat has
the potential to hide the real problem by making all external connections
look like they are coming from your firewall, which you probably do
not want.

Hope that helps
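The tcpdump check suggested in the reply above, as an added example that is not part of this thread or of FireHOL: feed it the output of `tcpdump -n -i br0 tcp port 88` captured on the camera-side interface and it groups the handshake segments per connection, reporting whether both the client's SYN and the camera's SYN-ACK passed the firewall ("complete"), whether only the SYN was seen (the reply took another path, as in the LAN-side case described above), or whether the camera answered with a reset (the "connection refused" symptom). Port 88 is the one from the thread; the addresses in the embedded sample capture (camera 192.168.10.20, LAN client 192.168.10.30, external clients in 203.0.113.0/24 and 198.51.100.0/24) are constructed for the example.

```python
"""Classify TCP handshakes in tcpdump output as complete or one-sided.

Added illustration of the tcpdump check suggested in the reply above; it is
not part of the original thread or of FireHOL.  Addresses in the sample
capture below are constructed for the example.
"""

import re
from collections import defaultdict

# First line tcpdump -n prints for an IPv4 TCP segment, e.g.
# "19:33:54.100000 IP 203.0.113.5.51234 > 192.168.10.20.88: Flags [S.], ..."
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for non-matching lines."""
    m = TCPDUMP_RE.match(line)
    if m is None:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def classify_flows(lines, service_port):
    """Map (client, cport, server, service_port) -> status for the given service.

    'complete'    : client SYN and server SYN-ACK both passed the capture point
    'syn-only'    : only the SYN was seen; the reply is taking another path
    'synack-only' : only the SYN-ACK was seen; the request took another path
    'refused'     : the server answered the handshake with a reset
    """
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        # tcpdump flag letters: S = SYN, R = RST, "." = ACK.
        if sport == service_port and "R" in flags:
            seen[(dst, dport, src, sport)].add("rst")      # server -> client reset
        elif sport == service_port and "S" in flags and "." in flags:
            seen[(dst, dport, src, sport)].add("synack")   # server -> client SYN-ACK
        elif dport == service_port and "S" in flags and "." not in flags:
            seen[(src, sport, dst, dport)].add("syn")      # client -> server SYN

    result = {}
    for key, kinds in seen.items():
        if "rst" in kinds:
            result[key] = "refused"
        elif kinds == {"syn", "synack"}:
            result[key] = "complete"
        elif kinds == {"syn"}:
            result[key] = "syn-only"
        else:
            result[key] = "synack-only"
    return result


# Constructed capture from the camera-side interface (post-DNAT, so the
# destination is already the camera).  Three connections: an external client
# whose handshake completes through the firewall, a LAN client whose SYN is
# forwarded but whose reply never comes back through the firewall (it goes
# straight across the LAN, so the SYN is retransmitted), and an external
# client that the camera rejects with a reset.
SAMPLE_CAPTURE = """\
19:33:54.100000 IP 203.0.113.5.51234 > 192.168.10.20.88: Flags [S], seq 1, win 64240, length 0
19:33:54.101000 IP 192.168.10.20.88 > 203.0.113.5.51234: Flags [S.], seq 100, ack 2, win 65535, length 0
19:33:54.102000 IP 203.0.113.5.51234 > 192.168.10.20.88: Flags [.], ack 101, win 64240, length 0
19:33:55.200000 IP 192.168.10.30.40000 > 192.168.10.20.88: Flags [S], seq 5, win 64240, length 0
19:33:56.200000 IP 192.168.10.30.40000 > 192.168.10.20.88: Flags [S], seq 5, win 64240, length 0
19:33:57.300000 IP 198.51.100.7.60000 > 192.168.10.20.88: Flags [S], seq 9, win 64240, length 0
19:33:57.301000 IP 192.168.10.20.88 > 198.51.100.7.60000: Flags [R.], seq 0, ack 10, win 0, length 0
"""


if __name__ == "__main__":
    for flow, status in classify_flows(SAMPLE_CAPTURE.splitlines(), 88).items():
        client, cport, server, sport = flow
        print(f"{client}:{cport} -> {server}:{sport}  {status}")
```

A "syn-only" flow from a LAN address is the half connection the reply describes: the firewall forwarded the request but the camera answered the client directly, so conntrack never sees the SYN-ACK and later packets are dropped. A "syn-only" flow from an external address points instead at the FORWARD or return path. If a connection is "refused" on the camera side, the reset came from the camera itself rather than from the firewall's rules.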
