Help with ipchains port forwarding rule


Syngin
01-13-2002, 01:42 PM
Hello,

I've been racking my brain trying to figure out how to create a port forwarding rule with ipchains. Currently, I have pmfirewall installed, which seems to be working pretty well, and I have forwarding compiled into the kernel.

Setup:

Debian Potato firewall box with 2 nics, eth0 is dhcp and is my internet link. eth1 is my link to my internal network and is set to 192.168.0.1.

What I want to do is forward anything hitting port 451 to an ftp on my Windows 2k box (ftp thing). Its ip is 192.168.0.10

Could someone maybe help me with the ipchain rule? PMFirewall's setup was great for helping me to open ports but it didn't have a forwarding option.

Also, where should I put this rule? PMFirewall's conf file, or do you think it's ok to put it into its own little script?

Thanks for any help with this. It's been a pain in my side for days now. :(

jumpedintothefire
01-13-2002, 02:32 PM
You need ipmasqadm to pull that off, see if it is installed. For the rules you'll need something like:

------
#!/bin/sh
# External (public) address of the firewall and the internal host to forward to
EXTIP=xx.xx.xx.xx
PORTFWIP1=192.168.0.15


echo " * Enabling Port Forwarding onto internal hosts."
# Flush any existing port-forwarding entries first
/usr/sbin/ipmasqadm portfw -f

echo " * Forwarding SSH traffic on port 26 to $PORTFWIP1"

# TCP connections arriving at $EXTIP port 26 are redirected to $PORTFWIP1 port 22
/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP1 22

----------
You can add it to your present script.

Hope it helps......

Syngin
01-13-2002, 03:01 PM
Thanks, I'll give that a try

Syngin
01-13-2002, 03:08 PM
Originally posted by jumpedintothefire:
EXTIP=xx.xx.xx.xx

How would I set this for any host? I tried using '*' characters but I get the following:

crenfax:/etc/init.d# ./ftpfwd stop
* Enabling FTP Port Forwarding to Boreal.
* Forwarding FTP traffic on port 451 to 192.168.0.10
*.*.*.*: Unknown host
portfw: illegal local address/port specified
crenfax:/etc/init.d#

(Boreal is the name of the machine being connected to. Its name is only in the echo so it shouldn't make a difference)

I did change the port numbers you supplied to 451 in both instances.

Masquerading works fine otherwise. Oh, this is Debian Potato too. Do I need an lmhosts file? Can't currently find one on my system.

[ 13 January 2002: Message edited by: Syngin ]

jumpedintothefire
01-13-2002, 03:17 PM
EXTIP=xx.xx.xx.xx

Needs to be your external ip.....

Syngin
01-13-2002, 03:19 PM
Ok. What if it's dynamic though? Can I just specify $ETH0 ?

jumpedintothefire
01-13-2002, 05:06 PM
no.
instead try:

EXTIF="eth0"
EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF \
| awk '/inet/ { print $2 } ' | sed \
-s /addr://`


Should pick out your external ip.....

Syngin
01-13-2002, 06:14 PM
Hmm, I'm getting an error from the following script:

#!/bin/sh

EXTIF="eth0"
EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF \ | awk '/inet/ { print $2 } ' | sed \ -s /ad$

PORTFWIP1=192.168.0.10

echo " * Enabling FTP Port Forwarding to Boreal."
/usr/sbin/ipmasqadm portfw -f

echo " * Forwarding FTP traffic on port 451 to $PORTFWIP1"

/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 451 -R $PORTFWIP1 451


The error is:
crenfax:/etc/init.d# ./ftpfwd restart
sed: -e expression #1, char 2: Unknown command: ``-''
grep: : No such file or directory
* Enabling FTP Port Forwarding to Boreal.
* Forwarding FTP traffic on port 451 to 192.168.0.10
portfw: illegal local address/port specified


Thanks for your help by the way.

jumpedintothefire
01-13-2002, 08:25 PM
try:

EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -s /addr://`


the \ means continued on next line

was worried about word wrap

Syngin
01-13-2002, 11:41 PM
Hmm, still nothing. I'm getting an error saying that the -s argument isn't valid for sed.

jumpedintothefire
01-14-2002, 07:29 AM
EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://`

the -e was missing

[ 14 January 2002: Message edited by: jumpedintothefire ]

Syngin
01-15-2002, 12:11 AM
Great. That stopped the script from crashing and it loads ok now. Doesn't seem to want to allow the port forwarding though.
With or without the firewall (ipmasq running when the firewall's down though)


This is for ftp forwarding. Any special additional protocols I should look into loading? Gotta admit, I'm completely stumped on this one. Sucks getting stuck on the very last thing I need to have this box fully set up.

Cheers for your patience. Would have replied earlier but I put in a 14 hour day today. :)

jumpedintothefire
01-15-2002, 12:42 AM
It won't do it by itself, needs to have the firewall configured also.

PMFirewall is OK I guess.....
What did it teach you about ipchains?

You need to have a masq rule loaded for ipmasqadm to work. Depending on your policy, you may also need to have input & output rules for both external and internal interfaces for the ports involved.

Some of the best examples for ipchains can be found here:
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c-10.html#ss10.7

hope it helps....
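The two pieces of this thread, the address-extraction pipeline from the 01-14-2002 07:29 AM post and the "you also need a masq rule and input/forward rules" advice above, put together as one script. This is an added example, not code from the thread, from PMFirewall or from TrinityOS. It assumes a 2.2-era Debian box with ipchains at /sbin/ipchains and ipmasqadm at /usr/sbin/ipmasqadm, the thread's addressing (eth0 external with a dynamic address, eth1 internal as 192.168.0.1, the FTP host at 192.168.0.10, port 451), and that the chain policies may be DENY, which is why it adds explicit input and forward rules. The DRY_RUN switch and the sample ifconfig text are constructed for this example so the script can be reviewed without touching a live kernel; the address picker only reads the block belonging to the named interface, which is why it cannot fall into the "*.*.*.*: Unknown host" problem or pick up eth1's address by accident.

```shell
#!/bin/sh
# Added example (not from the thread). Complete ipchains + ipmasqadm setup for
# the scenario discussed: external interface eth0 with a dynamic address,
# internal network 192.168.0.0/24 behind eth1, and TCP port 451 forwarded to
# the FTP host 192.168.0.10. Tool paths and rule layout are assumptions for a
# 2.2-era Debian box; check them against your own system.
#
# With DRY_RUN=1 every rule is printed instead of executed, so the script can
# be reviewed (and tested) on a machine without ipchains.

EXTIF="eth0"
INTIF="eth1"
INTNET="192.168.0.0/24"
PORTFWIP1="192.168.0.10"
FWPORT="451"

# Constructed sample of old-style ifconfig output, used only for self-testing.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:203.0.113.5  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:02
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# Print the IPv4 address of interface $1, reading ifconfig output on stdin.
# Does the job of the thread's grep/awk/sed pipeline, but only looks inside
# the block belonging to that interface, so a "grep -A 4" window can never
# bleed into the next interface's lines and return the wrong address.
extract_extip() {
    awk -v ifc="$1" '
        $1 == ifc               { inblock = 1; next }   # "eth0  Link encap:..." header
        /^[^ \t]/               { inblock = 0 }         # header of some other interface
        inblock && /inet addr:/ { sub(/^addr:/, "", $2); print $2; exit }
    '
}

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Install the rules. ipmasqadm alone does nothing: masquerading must be on,
# and with a DENY policy the input and forward chains must admit the traffic.
setup_forwarding() {
    extip="$1"

    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

    # Masquerade everything leaving eth0 from the internal network.
    run /sbin/ipchains -A forward -i "$EXTIF" -s "$INTNET" -j MASQ

    # Let the connection in on the external side ...
    run /sbin/ipchains -A input -i "$EXTIF" -p tcp -d "$extip" "$FWPORT" -j ACCEPT
    # ... and, once rewritten by portfw, out to the internal host.
    run /sbin/ipchains -A forward -i "$INTIF" -p tcp -d "$PORTFWIP1" "$FWPORT" -j ACCEPT

    # Flush old port-forward entries, then map $extip:451 to 192.168.0.10:451.
    run /usr/sbin/ipmasqadm portfw -f
    run /usr/sbin/ipmasqadm portfw -a -P tcp -L "$extip" "$FWPORT" -R "$PORTFWIP1" "$FWPORT"
}

# Only touch the live system when invoked as "./script start".
case "${1:-}" in
    start)
        EXTIP=$(/sbin/ifconfig | extract_extip "$EXTIF")
        if [ -z "$EXTIP" ]; then
            echo "could not determine the address of $EXTIF" >&2
            exit 1
        fi
        setup_forwarding "$EXTIP"
        ;;
esac
```

Run it once with `DRY_RUN=1 ./script start` and read the printed rules before running it for real; because the external address is resolved at start time, the script has to be re-run whenever the dhcp lease hands eth0 a new address, otherwise the portfw entry still points at the old one and the forward silently stops working.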

Syngin
01-15-2002, 05:10 PM
Actually, that looks like a nice boiled down explanation of IPCHAINS. Just what I could use. :) Thanks for the link. Going to go and do some reading :)