
Smoothwall Port Forwarding


jrwinterburn (IS-IT--Management, GB; joined Jul 26, 2004; 72 messages)
Hi All,

I have a smoothwall port forwarding problem. I recently implemented a smoothwall firewall and set it up with a green+orange+red configuration. I have the red card with my ISP's address and I can get to the outside world fine. My green card is on my lan (99.99.99.x) and my orange card is on my DMZ (10.10.10.x) and these can see each other fine.

However, I cannot access services on either the green or orange interface from the outside world. I can access the smoothwall from the outside world on port 222 but no other ports.

I have forwarded ports 20, 21, 25 & 80 to the relevant IPs on my network (these are accessible from the smoothwall via SSH) but any attempts to access these ports from the outside world (RED interface) fail.

The firewall does not report any failures, so they are not being blocked. I have also added these ports to the "External Access" screen as well as the port forwarding screen, but it STILL won't work! Everything else works great and I love smoothwall, but I can't understand why the PF refuses to work.

Any ideas?

Thanks...

Jon
 
Why don't you post your iptables config, which is what smoothwall uses to implement all this. ssh to the box and do "iptables -L" and "iptables -L -t nat".
 
Taken from "iptables -L -t nat"...

Code:
[root@smoothwall root]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
jmpsquid all -- anywhere anywhere
portfw all -- anywhere anywhere

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
MASQUERADE all -- anywhere anywhere
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain jmpsquid (1 references)
target prot opt source destination
RETURN all -- anywhere 10.0.0.0/8
RETURN all -- anywhere 172.16.0.0/12
RETURN all -- anywhere 192.168.0.0/16
RETURN all -- anywhere 169.254.0.0/16
squid all -- anywhere anywhere

Chain portfw (1 references)
target prot opt source destination
DNAT tcp -- anywhere 217.X.X.X tcp dpt:http to:10.10.10.252:80
DNAT tcp -- anywhere 217.X.X.X tcp dpt:smtp to:99.99.99.107:25
DNAT tcp -- anywhere 217.X.X.X tcp dpts:ftp-data:ftp to:10.10.10.253

Chain squid (1 references)
target prot opt source destination
 
You should have some entries in your standard "FORWARD" chain (of "iptables -L") corresponding to the lines in the portfw chain you show.

Code:
Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.6        tcp spt:20 dpts:1024:65535 state NEW 
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.6        multiport dports 21,80,25,22,4662 state NEW

Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            67.165.199.86      tcp spt:20 dpts:1024:65535 to:192.168.1.6 
DNAT       tcp  --  0.0.0.0/0            67.165.199.86      multiport dports 21,80,25,22,4662 to:192.168.1.6
 
Not sure if I have them right - I used the screens to edit the iptables; I didn't do it by hand, and the screens certainly appear to be right...

Code:
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ipac~o     all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
advnet     all  --  anywhere             anywhere
advnet     all  --  anywhere             anywhere
advnet     all  --  anywhere             anywhere
spoof      all  --  anywhere             anywhere
spoof      all  --  anywhere             anywhere
spoof      all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
secin      all  --  anywhere             anywhere
block      all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           LOG level warning
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
ipac~fi    all  --  anywhere             anywhere
ipac~fo    all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
secout     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
portfwf    all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW,RELATED,ESTABLISHED
dmzholes   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           LOG level warning
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ipac~i     all  --  anywhere             anywhere

Chain advnet (3 references)
target     prot opt source               destination

Chain block (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
xtaccess   all  --  anywhere             anywhere
ipsec      all  --  anywhere             anywhere
ipsec      all  --  anywhere             anywhere
ipsec      all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             217.X.X.X/26

Chain dmzholes (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.10.10.252         99.99.99.154       state NEW tcp dpt:34
ACCEPT     tcp  --  10.10.10.253         99.99.99.154       state NEW tcp dpt:34
ACCEPT     tcp  --  10.10.10.252         99.99.99.155       state NEW tcp dpt:34
ACCEPT     tcp  --  10.10.10.253         99.99.99.155       state NEW tcp dpt:34
ACCEPT     tcp  --  10.10.10.252         99.99.99.131       state NEW tcp dpt:34
ACCEPT     tcp  --  10.10.10.253         99.99.99.131       state NEW tcp dpt:34

Chain ipac~fi (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere

Chain ipac~fo (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere

Chain ipac~i (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere

Chain ipac~o (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere

Chain ipblock (6 references)
target     prot opt source               destination

Chain ipsec (3 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere           udp dpt:isakmp
ACCEPT     gre  --  anywhere             anywhere
ACCEPT     ipv6-crypt--  anywhere             anywhere

Chain portfwf (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             10.10.10.252       state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             99.99.99.107       state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             10.10.10.253       state NEW tcp dpts:ftp-data:ftp

Chain secin (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain secout (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain spoof (3 references)
target     prot opt source               destination
DROP       all  --  99.99.99.0/24        anywhere
DROP       all  --  10.10.10.0/24        anywhere

Chain xtaccess (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:441
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:441
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:441
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:222
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:222
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:222
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
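As an added example (not from the thread and not Smoothwall code), here is a small checker that does the cross-reference the earlier reply describes: it parses `iptables -L -t nat` and `iptables -L` output and confirms that every DNAT reachable from PREROUTING has an ACCEPT reachable from FORWARD that names the DNAT's target host and covers the forwarded port. The sample text is a constructed excerpt modelled on the output posted above, with one extra DNAT (https to 10.10.10.252:443, which is not in the thread) added to show what a missing FORWARD rule looks like. The service-name table and the decision to count only host-specific ACCEPTs that admit NEW connections are assumptions: `iptables -L` without -v hides interface matches, so a bare `ACCEPT all anywhere anywhere` cannot be trusted to apply to traffic arriving on RED.

```python
"""Cross-check iptables port-forwards from plain `iptables -L` output."""
import re
from dataclasses import dataclass

# Service names as `iptables -L` prints them without -n (assumed subset).
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "https": 443}


@dataclass
class Rule:
    target: str
    proto: str
    src: str
    dst: str
    opts: str


def parse_table(text):
    """Return {chain_name: [Rule, ...]} from `iptables -L [-t nat]` output."""
    chains, chain = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line.strip())
        if m:
            chain = m.group(1)
            chains[chain] = []
            continue
        parts = line.split(None, 5)
        # Skip blank lines, the header row, and accounting rows with no target.
        if chain is None or len(parts) < 5 or parts[2] != "--":
            continue
        opts = parts[5] if len(parts) > 5 else ""
        chains[chain].append(Rule(parts[0], parts[1], parts[3], parts[4], opts))
    return chains


def port_range(spec):
    """'http' -> (80, 80); 'ftp-data:ftp' -> (20, 21); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition(":")
    lo = int(SERVICES.get(lo, lo))
    hi = int(SERVICES.get(hi, hi)) if hi else lo
    return lo, hi


def dport_ranges(opts):
    """Destination-port ranges a rule matches; no port match means every port."""
    m = re.search(r"\bdpts?:(\S+)", opts)
    if m:
        return [port_range(m.group(1))]
    m = re.search(r"multiport dports (\S+)", opts)
    if m:
        return [port_range(p) for p in m.group(1).split(",")]
    return [(1, 65535)]


def reachable(chains, root, seen=None):
    """Rules in `root` plus the rules of every user chain it jumps to."""
    seen = seen if seen is not None else set()
    out = []
    for r in chains.get(root, []):
        if r.target in chains and r.target not in seen:
            seen.add(r.target)
            out.extend(reachable(chains, r.target, seen))
        else:
            out.append(r)
    return out


def check_forwards(nat_text, filter_text):
    """Return [(description, covered)] for every DNAT reachable from PREROUTING.

    Only ACCEPTs that name the target host and admit NEW connections count;
    interface-bound catch-all rules are invisible in `iptables -L` output.
    """
    nat, flt = parse_table(nat_text), parse_table(filter_text)
    accepts = [r for r in reachable(flt, "FORWARD")
               if r.target == "ACCEPT" and "NEW" in r.opts]
    results = []
    for d in reachable(nat, "PREROUTING"):
        if d.target != "DNAT":
            continue
        host, _, port = re.search(r"to:(\S+)", d.opts).group(1).partition(":")
        # A 'to:' with a port rewrites the destination port; without one it is kept.
        wanted = [(int(port), int(port))] if port else dport_ranges(d.opts)
        covered = all(
            any(a.dst == host and a.proto in (d.proto, "all")
                and any(alo <= lo and hi <= ahi for alo, ahi in dport_ranges(a.opts))
                for a in accepts)
            for lo, hi in wanted)
        results.append((f"{d.proto} {d.dst} {wanted} -> {host}", covered))
    return results


# Constructed excerpts modelled on the thread's output; the https DNAT is added
# here only to show a forward with no matching FORWARD rule.
NAT_SAMPLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
portfw     all  --  anywhere             anywhere

Chain portfw (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             217.X.X.X          tcp dpt:http to:10.10.10.252:80
DNAT       tcp  --  anywhere             217.X.X.X          tcp dpt:smtp to:99.99.99.107:25
DNAT       tcp  --  anywhere             217.X.X.X          tcp dpts:ftp-data:ftp to:10.10.10.253
DNAT       tcp  --  anywhere             217.X.X.X          tcp dpt:https to:10.10.10.252:443
"""

FILTER_SAMPLE = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
portfwf    all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           LOG level warning

Chain portfwf (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             10.10.10.252       state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             99.99.99.107       state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             10.10.10.253       state NEW tcp dpts:ftp-data:ftp
"""

if __name__ == "__main__":
    for desc, ok in check_forwards(NAT_SAMPLE, FILTER_SAMPLE):
        print("OK     " if ok else "MISSING", desc)
```

Feed it the text of `iptables -L -t nat` and `iptables -L` from the firewall (with `-n` the ports come out numeric, so SERVICES is then unused; with `-v` you also see the interface column, which is the only way to know which of the `anywhere -> anywhere` rules are bound to GREEN, ORANGE or RED). On the three forwards posted in this thread it reports all of them as covered, which agrees with the replies finding nothing wrong in the rule set itself; the constructed https forward is reported as missing its FORWARD ACCEPT.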
 
I don't see any issues with the rules, either. I don't know anything about Smoothwall, per se, so I'll be of no more help.
 
Thanks for your help anyway, it's appreciated.
 
I have since discovered that Smoothwall do in fact have support forums (missed this the first time I checked their site) so have posted it there (should anyone else have this problem and come across this posting). It's at:


Thanks,

Jon
 