Re: [Firestarter-user] Service Forwarding.
From: Mark L. W. <ma...@al...> - 2011-10-31 19:22:32
It is very possible that the forwarding is working properly, but something is blocking the replies from the web server. Make sure that you have not blocked outbound traffic ORIGINATING on the firestarter server.

You can debug this by running tcpdump -i eth0 on the firestarter machine (assuming eth0 is the public side and eth1 is the private side). Then attempt from the outside to access the web server. You should see TCP traffic coming into the firestarter box AND REPLIES GOING BACK. If you don't see the reply traffic, then I would guess that you have a setting or user-pre/user-post entry that is blocking outbound tcp traffic originating from your firestarter box.

You could add this rule to the /etc/firestarter/user-pre file:

    $IPT -A OUTPUT -s 192.168.10.0/24 -d 0.0.0.0/0 -o eth0 -j ACCEPT
    $IPT -A OUTPUT -s 192.168.10.0/24 -d 0.0.0.0/0 -i eth1 -j ACCEPT

These rules should allow any traffic from the network 192.168.10. on eth1 to go out eth0. (Substitute your internal IP address space for the 192.168.10.0 network.)

I am surprised that there is not an entry in /etc/firestarter/inbound/forward. It should look like this:

    HTTP, 80, 192.168.10.1, 80, Allow access to internal web server

(Again, modify the 192.168.10.1 IP to be your internal web IP.)

I hope this points you in the right direction.

Mark

On 10/28/2011 7:11 PM, ad...@mm... wrote:
> Mark,
>
> Yes I can ping outside machines from my local net and browse the web and
> everything works fine.
> The only thing that refuses to work is forwarding ports to my webserver.
>
> The webserver is a raq550 with Bluequartz and works perfectly.
> I can access it perfectly on the internal lan.
>
> I did an nmap against the webserver, and forwarded all the open ports
> with firewall.
> It is way more than is needed, but still it will not be visible from the
> outside.
> I check from the outside with a laptop at my router before the firewall
> as well as with an iphone through 3G.
>
> I have in my local.rc file the entry
>
>     echo "1" > /proc/sys/net/ipv4/ip_forward
>
> so I make sure it is set at every boot.
>
> If that were the problem then, I wouldn't have been able to browse the
> internet from the internal lan.
> Again, I can do anything with any of the internal lan machines.
>
> I even installed firefox on the raq550 and can browse from it too, so
> there is absolutely no problem there with DNS else browsing would be
> impossible. The gateway entries are also correct and shows to the
> firewall where firestarter resides.
>
> The problem is with Firestarter exporting ports to the raq550 and I
> narrowed the problem down to firestarter.
> Firestarter does everything else right. Doing a portscan with nmap
> against my static IP shows everything stealth when I do not forward
> ports, but shows the ports I forwarded as open once I do port forwarding.
>
> But,
>     $] cat /etc/firestarter/inbound/forward
> is an empty file.
>
> Another problem I noticed is that firestarter cannot show active
> connections.
> The var log messages says:
>     Error reading /proc/net/IP_conntrack No Such File or Directory.
>
> Firestarter is running on
>     ~]# cat /proc/version
>     Linux version 2.6.23.17-88.fc7 (moc...@xe...)
>     (gcc version 4.1.2 20070925 (Red Hat 4.1.2-27)) #1 SMP Thu May 15
>     00:35:10 EDT 2008
> The servers are all rackservers and the firewall is an IBM 336 Dual
> 64-bit CPU Dual core 3.x GHZ.
> It is the slowest machine I have to use as a firewall.
>
> I fell back to FC7 as Firestarter absolutely refuses to work on FC-15 or
> the Latest Debian.
> On both FC-15 and Debian, firestarter shuts down the interfaces after an
> hour.
> ifconfig shows that, and when I remove firestarter the interfaces are
> not shut down after an hour.
>
> I used Firestarter on FC7 for years without problems, so I fell back to it.
> It works really great on FC-7 except for port forwarding, which is
> seemingly dead as a doornail.
> One test I did was to verify that firestarter does forward Port 80 to
> the webserver correctly, but it seemingly refuses the replies which
> doesn't make sense at all.
>
> I would hate to learn IPtables again as I was burnt learning ipchains,
> just to have them change everything to iptables as soon as I understood
> ipchains.
>
> With my minimum knowledge of Iptables, I could write a script that works
> better than firestarter to forward the needed ports and I could at least
> start getting responses from my webserver from the internet, but my
> knowledge is too limited to trust that it is ready to be used.
>
> Mark L. Wise wrote:
>> Would you be able to post the contents of
>> /etc/firestarter/inbound/forward here?
>>
>> Can you ping outside machines from your local net?
>>
>> do more /proc/sys/net/ipv4/ip_forward (Your location may be different,
>> this is Fedora)
>>
>> Does it contain a "1"?
>>
>> Mark

-- 
Mark L. Wise
Alpha II Service, Inc.
1312 Epworth Ave
Reynoldsburg, Ohio 43068-2116 USA
Office: (614) 868-5033
Fax: (614) 868-1060
Email: ma...@al...
WEB: www.alpha2.com
"People do not quit playing because they grow old; they grow old because they quit playing." Oliver Wendell Holmes
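The check Mark describes (capture on the public interface, confirm that both the inbound SYN and the SYN-ACK reply appear, then look at the rules), written out as an added example; this is not code from the thread or from Firestarter. The interface names, addresses (192.168.10.1 for the web server, 198.51.100.2 for the firewall's public side, 203.0.113.5 for the outside client) and the tcpdump lines are constructed placeholders. One iptables detail worth knowing before pasting the user-pre rules above: packets forwarded on behalf of a LAN host traverse PREROUTING (for the DNAT) and FORWARD in both directions, never the firewall's own OUTPUT chain, and iptables refuses -i in OUTPUT anyway, so the reply-path ACCEPT in this script lives in FORWARD.

```shell
#!/bin/sh
# Added example, not code from the thread or from Firestarter.
# Generates the iptables rules one TCP port forward needs and classifies a
# tcpdump capture taken on the public side so you can tell "request never
# arrived" from "request arrived, reply never left".
# Assumed placeholder topology: eth0 public, eth1 private,
# web server 192.168.10.1, firewall public address 198.51.100.2.

# Print the rules for forwarding TCP port $4 arriving on $1 to host $3,
# with $2 as the private interface.  Forwarded traffic uses PREROUTING
# and FORWARD; the OUTPUT chain never sees it.  Pipe into "sudo sh" to apply.
forward_rules() {
    pub=$1; priv=$2; web=$3; port=$4
    cat <<EOF
iptables -t nat -A PREROUTING -i $pub -p tcp --dport $port -j DNAT --to-destination $web:$port
iptables -A FORWARD -i $pub -o $priv -p tcp -d $web --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $priv -o $pub -p tcp -s $web --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# The capture Mark suggests, on the public interface.  -n stops tcpdump
# doing DNS lookups, which would themselves have to leave the box.
capture_cmd() {
    printf 'tcpdump -n -i %s tcp port %s\n' "$1" "$2"
}

# Classify tcpdump -n output ($1) for public address $2, port $3:
#   0  inbound SYN and outbound SYN-ACK both seen: forwarding and replies work
#   1  inbound SYN only: DNAT happens but the reply never leaves the box
#   2  nothing for that address/port: the request never reaches the firewall
# On eth0 the capture shows the public address in both directions, because
# inbound packets are seen before DNAT and replies after the reverse NAT.
reply_path() {
    capture=$1; pub_ip=$2; port=$3
    in_syn=$(printf '%s\n' "$capture" | grep -c " > $pub_ip\.$port: Flags \[S\],") || true
    out_synack=$(printf '%s\n' "$capture" | grep -c " IP $pub_ip\.$port > .*Flags \[S\.\],") || true
    if [ "$in_syn" -gt 0 ] && [ "$out_synack" -gt 0 ]; then
        echo "ok: request and reply both seen on the public interface"
        return 0
    elif [ "$in_syn" -gt 0 ]; then
        echo "SYN seen, no SYN-ACK: reply path blocked; check FORWARD and user-pre/user-post"
        return 1
    else
        echo "no traffic for $pub_ip:$port; check the DNAT rule, the public address and upstream"
        return 2
    fi
}

# Constructed tcpdump -n output for the two cases (not real captures).
GOOD_CAPTURE='12:00:00.000001 IP 203.0.113.5.51234 > 198.51.100.2.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000400 IP 198.51.100.2.80 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.000800 IP 203.0.113.5.51234 > 198.51.100.2.80: Flags [.], ack 3, win 64240, length 0'

BLOCKED_CAPTURE='12:00:00.000001 IP 203.0.113.5.51234 > 198.51.100.2.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000001 IP 203.0.113.5.51234 > 198.51.100.2.80: Flags [S], seq 1, win 64240, length 0'

# Stand-alone demo: print the rules and the capture command, then classify
# both constructed captures.
forward_rules eth0 eth1 192.168.10.1 80
capture_cmd eth0 80
reply_path "$GOOD_CAPTURE" 198.51.100.2 80 || :
reply_path "$BLOCKED_CAPTURE" 198.51.100.2 80 || :
```

Run the capture command on the firewall, hit the public address from outside, and feed the saved output to reply_path; a return of 1 is exactly the "forwards but refuses the replies" symptom described in the thread. The "Error reading /proc/net/ip_conntrack" message is a separate issue from forwarding: on 2.6.2x kernels that path is only present when nf_conntrack is built with its /proc compatibility option (the native file is /proc/net/nf_conntrack), so Firestarter's active-connections view fails without it while the netfilter rules themselves still work.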