From: Herman <Herman@AerospaceSoftware.com>
To: netfilter@lists.netfilter.org
Subject: Re: Help with port forwarding
Date: Fri, 24 Oct 2003 20:52:02 -0600
Message-ID: <200310242052.02101.Herman@AerospaceSoftware.com>
In-Reply-To: <FDAFEC98D318F74CA26B5A26F2B4965227C54D@exchange.jfctechnologies.com>
Hmm, run lsmod and see whether iptable_mangle is loaded. Contrary to popular
belief, that module is absolutely needed to make port forwarding work. I
fought that issue two weeks ago. See my web site for my howto.
Cheers,
Herman
http://www.AerospaceSoftware.com
On Friday 24 October 2003 11:17 am, Kleiner, Peter wrote:
> It's already in the script and I've checked several times.
> Thanks for trying, though.
> -----Original Message-----
> From: Alistair Tonner [mailto:Alistair@nerdnet.ca]
> Sent: Friday, October 24, 2003 1:05 PM
> To: Kleiner, Peter; 'netfilter@lists.netfilter.org'
> Subject: Re: Help with port forwarding
>
>
> On October 24, 2003 09:34 am, Kleiner, Peter wrote:
>
> Just a bizarre thought, since you seem to be looking at forwarded traffic not
> getting out .. .did you check /proc/sys/net/ipv4/ip_forward to ensure it
> exists on PC2 and contains 1? -- not sure why but I have seen an install
> where it did NOT exist. -- rebuilt the kernel to fix it .. .so I suppose the
> kernel that was in place was not properly configured. *shrugs* ... I'm only
> asking since it wasn't said.. and sometimes the simple answer is the fast
> one.
>
> > Thus spake Mark E. Donaldson:
> > > Peter - I don't see anything obvious in the script that could be
> > > problematic. What do you mean by "port forwarding not
> > > working"?
> >
> > When I run the script as shown, I can telnet through any of the filtered
> > ports (110, 143, 443) on the working PC, but not on the not-working PC.
>
> > > Are you
> > > getting any error messages?
> >
> > None whatsoever. I tried logging the traffic, but nothing showed up.
>
> > Interestingly, when I had logging on, it showed various attempts at
> > port 135:
> > Oct 21 16:55:45 gw kernel: IN=eth1 OUT= MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=63.67.218.114 DST=XX.XX.4.7 LEN=64 TOS=0x00 PREC=0x00 TTL=115 ID=44619 DF PROTO=TCP SPT=4168 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
> > Oct 21 16:55:46 gw kernel: IN=eth1 OUT= MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=63.67.218.114 DST=XX.XX.4.7 LEN=64 TOS=0x00 PREC=0x00 TTL=115 ID=44889 DF PROTO=TCP SPT=4168 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
> > Oct 21 16:55:46 gw kernel: IN=eth1 OUT= MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=63.67.218.114 DST=XX.XX.4.7 LEN=64 TOS=0x00 PREC=0x00 TTL=115 ID=45129 DF PROTO=TCP SPT=4168 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
> > Oct 21 16:59:23 gw kernel: IN=eth1 OUT= MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=66.156.169.85 DST=XX.XX.4.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=47221 DF PROTO=TCP SPT=2180 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
> > Oct 21 16:59:24 gw kernel: IN=eth1 OUT= MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=66.156.169.85 DST=XX.XX.4.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=47351 DF PROTO=TCP SPT=2180 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
> > [sorry for the long text lines]
> > But nothing was recorded when I tried to telnet to ports 110, 143 or 443.
>
> > > Is translation being performed
> > > but the packets
> > > are not routed?
> >
> > I'm not sure how to tell that. Possibly. Running nmap of the public
> > address shows:
> > Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> > Interesting ports on (XX.XX.4.7):
> > (The 1596 ports scanned but not shown below are in state: closed)
> > Port State Service
> > 22/tcp open ssh
> > 25/tcp open smtp
> > 110/tcp filtered pop-3
> > 143/tcp filtered imap2
> > 443/tcp filtered https
> >
> > > I might be able to generate some ideas here
> > > if you can be
> > > more specific.
> >
> > Please let me know what else you need. I am completely baffled. Why would
> > the same script work on one machine and not the other? That is why I listed
> > the lsmod in my original post. I wonder if it's something not related to
> > iptables.....?
>
> > > By the way, I believe you are meaning to
> > > block the Auth
> > > protocol (port 113): that being the case, you need to
> > > specify TCP and not
> > > UDP.
> >
> > Fixed. Thanks!
> >
> > Pete
>
> --
>
> Alistair Tonner
> nerdnet.ca
> Senior Systems Analyst - RSS
>
> Any sufficiently advanced technology will have the
> appearance of magic.
> Lets get magical!
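The thread turns on two things the posters kept checking by hand: whether the forwarding prerequisites are in place (ip_forward set to 1, the iptables modules loaded), and what the kernel LOG lines actually say. The script below is an added example, not code from this thread or from the netfilter project. It parses netfilter LOG entries of the kind Peter quoted (the five sample lines are his, rejoined onto one line each; XX.XX.4.7 is the anonymised address from his post) and evaluates a prerequisite checklist from ip_forward contents and lsmod output, so both checks can be run against captured text as well as the live box. The lsmod sample is constructed, and the list of required modules is a parameter: iptable_mangle is in it only because Herman suggests it above, not because it is a documented requirement.

```python
"""Diagnostics for a netfilter port-forwarding setup (added example).

parse_log_line / summarize_syns: split kernel LOG lines into fields so you
can see what was logged and on which path. An entry with OUT= empty was
logged before the routing decision or on the INPUT path, so it is not
evidence that anything traversed FORWARD.
forwarding_prerequisites: ip_forward must read 1 and each required module
must appear in lsmod output.
"""
import os
import re
import subprocess
from collections import Counter

# Constructed sample input: the five LOG lines quoted in the thread.
SAMPLE_LOG = """\
Oct 21 16:55:45 gw kernel: IN=eth1 OUT= MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=63.67.218.114 DST=XX.XX.4.7 LEN=64 TOS=0x00 PREC=0x00 TTL=115 ID=44619 DF PROTO=TCP SPT=4168 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 21 16:55:46 gw kernel: IN=eth1 OUT= MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=63.67.218.114 DST=XX.XX.4.7 LEN=64 TOS=0x00 PREC=0x00 TTL=115 ID=44889 DF PROTO=TCP SPT=4168 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 21 16:55:46 gw kernel: IN=eth1 OUT= MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=63.67.218.114 DST=XX.XX.4.7 LEN=64 TOS=0x00 PREC=0x00 TTL=115 ID=45129 DF PROTO=TCP SPT=4168 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 21 16:59:23 gw kernel: IN=eth1 OUT= MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=66.156.169.85 DST=XX.XX.4.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=47221 DF PROTO=TCP SPT=2180 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 21 16:59:24 gw kernel: IN=eth1 OUT= MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=66.156.169.85 DST=XX.XX.4.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=47351 DF PROTO=TCP SPT=2180 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Constructed sample lsmod output (hypothetical module list, not Peter's):
# iptable_nat is loaded, iptable_mangle is not.
SAMPLE_LSMOD = """\
Module                  Size  Used by
iptable_nat            20000  1
ip_conntrack           30000  1 iptable_nat
iptable_filter          2000  1
ip_tables              15000  3 iptable_nat,iptable_filter
"""

_KERNEL_MARK = re.compile(r"kernel:\s*(.*)$")


def parse_log_line(line):
    """Return {'fields': {...}, 'flags': {...}} for a netfilter LOG line,
    or None for any other syslog line. KEY=VALUE tokens become fields (an
    empty value such as OUT= is kept as ''); bare tokens such as DF or SYN
    become flags."""
    m = _KERNEL_MARK.search(line)
    if not m or "IN=" not in m.group(1):
        return None
    fields, flags = {}, set()
    for tok in m.group(1).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            flags.add(tok)
    return {"fields": fields, "flags": flags}


def was_forwarded(entry):
    """True only when both IN and OUT are set, i.e. logged on the FORWARD path."""
    f = entry["fields"]
    return bool(f.get("IN")) and bool(f.get("OUT"))


def summarize_syns(lines):
    """Count TCP SYN packets per (SRC, DPT) so repeated probes stand out."""
    counts = Counter()
    for line in lines:
        e = parse_log_line(line)
        if e and "SYN" in e["flags"] and e["fields"].get("PROTO") == "TCP":
            counts[(e["fields"]["SRC"], e["fields"]["DPT"])] += 1
    return counts


def loaded_modules(lsmod_text):
    """Module names from lsmod output: first column, header line skipped."""
    return {ln.split()[0] for ln in lsmod_text.splitlines()[1:] if ln.split()}


def forwarding_prerequisites(ip_forward_text, lsmod_text,
                             required=("iptable_nat", "iptable_mangle")):
    """Checklist: ip_forward reads 1 and every required module is loaded."""
    mods = loaded_modules(lsmod_text)
    result = {"ip_forward": ip_forward_text.strip() == "1"}
    for mod in required:
        result[mod] = mod in mods
    return result


if __name__ == "__main__":
    # On a Linux box read the real sysctl and lsmod; elsewhere fall back to
    # the constructed samples so the script still runs.
    ipf_path = "/proc/sys/net/ipv4/ip_forward"
    if os.path.exists(ipf_path):
        with open(ipf_path) as fh:
            ipf = fh.read()
        lsmod = subprocess.run(["lsmod"], capture_output=True, text=True).stdout
    else:
        ipf, lsmod = "0\n", SAMPLE_LSMOD
    for name, ok in forwarding_prerequisites(ipf, lsmod).items():
        print(f"{name:16} {'ok' if ok else 'MISSING'}")
    for (src, dpt), n in summarize_syns(SAMPLE_LOG.splitlines()).items():
        fwd = any(was_forwarded(parse_log_line(l)) for l in SAMPLE_LOG.splitlines())
        print(f"{src:16} -> port {dpt}: {n} SYN(s); seen on FORWARD path: {fwd}")
```

Run on the gateway, the first loop prints the checklist; a MISSING line for ip_forward or a module is the quick answer Alistair and Herman were both after. The second loop shows why Peter's log excerpt does not settle the forwarding question: every quoted line has OUT= empty, so those packets were logged on the local input side, not on the FORWARD path, and a LOG rule in the FORWARD chain (or a rule matching the forwarded ports in PREROUTING) is what would reveal whether translated packets were being routed at all.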