Koozali.org: home of the SME Server

Portforwarding not working after fresh install & updates

rmoria
« Reply #15 on: November 22, 2004, 10:56:49 AM »
I installed:

scripted:
Antivirus (latest by Knuddi)
SpamAssassin (latest by Knuddi)
Dshield
php4.3.8-upgrade
webshare
dhcpconfig V0.3.3beta(suspect ?)

RPM:
awstats
backup2ws
crontab manager
lazyadmin tools
navmanager
netPBM
Samba 3.0
Sarg
Sysmon
Userpanel
Winupd
updates (all in directory from Knuddi)

Rob
(not trained enough to figure it out by himself)
...
Yes, I can ask more questions than you can answer  8-)
...

pwinkler

« Reply #16 on: November 22, 2004, 10:10:37 PM »
I used the update script (http://forums.contribs.org/index.php?topic=24285.0), so all the contribs in that script; the only other contribs were the services panel & isoqlog.

rmoria
« Reply #17 on: November 22, 2004, 11:50:57 PM »
Not having any patience, I started a new installation to see if the problem lies with one of the installed contribs.

After a fresh install and restore (originally made on a SME 6beta3) port forwarding is already not working.
Same with remote access settings.
No contribs are installed.

rmoria
« Reply #18 on: November 23, 2004, 10:02:40 AM »
Yes!
My problem lay in the backup / restore action. After removing all custom templates and practically all files in the /home/e-smith directory (config files) from the backup gz/tar it works fine, even with all contribs.

I just have to setup all settings again  :cry:  but at least I can.

Nicky

Clean Solution for UDP PortForwarding Bug
« Reply #19 on: May 20, 2006, 12:06:01 AM »
Replace /etc/e-smith/templates/etc/rc.d/init.d/masq/91adjustPortForward with this:

# ------------------------ cut here ----------------------------------------
#
# Corrected UDP PortForwarding Bug! (by Néstor D. Díaz - nestorddiaz@matelogic.com.ar)
#

{
    my $pf_chain = "PortForwarding_\$\$";
    $OUT .= "# Create a new PortForwarding chain\n";
    $OUT .= "PFC=\$(/sbin/iptables --table nat ";
    $OUT .= "--numeric --list PortForwarding |\\\n";
    $OUT .= " sed -n '3s/ .*//p')\n";
    $OUT .= " /sbin/iptables --table nat --new-chain $pf_chain\n";

    foreach my $protocol (qw(tcp udp))
    {
        my $uproto = uc $protocol;
        my $propname = $uproto . "Forwards";
        my %forwards = split(/,/, $masq{$propname} || '');
        foreach my $port (keys %forwards)
        {
            my ($ip, $dport) = split(/:/, $forwards{$port});
            $port =~ s/-/:/;
            $OUT .= " /sbin/iptables --table nat --append $pf_chain " .
                "--protocol $protocol \\\n".
                # Set up local port to forward
                " --destination-port ${port} -j DNAT " .
                # Set up the remote port to forward to
                "--to-destination $ip";
            # Append the dport if any.
            $OUT .= ":$dport" if $dport;
            $OUT .= "\n";
            # And accept the incoming packets. Use the dport if there is one.
            ($port = $dport) =~ s/-/:/ if $dport;
            # If this rule is forwarding to localhost, ExternalIP or LocalIP,
            # then we must allow it on the INPUT chain instead of the FORWARD
            # chain.
            if (($ip eq '127.0.0.1') ||
                ($ip eq $InternalInterface{IPAddress}))
            {
                # Bad doggie! Bad!
                die "Port-forwarding to localhost or internal interface not permitted.\n";
            }
            elsif ($ip eq $ExternalInterface{IPAddress})
            {
                if ($uproto eq 'tcp')
                {
                    $OUT .= " adjust_tcp_in $port ACCEPT Inbound${uproto}_\$\$\n";
                }
                else
                {
                    $OUT .= " adjust_udp_in $port ACCEPT Inbound${uproto}_\$\$\n";
                }
            }
            else
            {
                if ($uproto eq 'tcp')
                {
                    $OUT .= " adjust_tcp_in $port ACCEPT Forwarded${uproto}_\$\$ $ip/32\n";
                }
                else
                {
                    $OUT .= " adjust_udp_in $port ACCEPT Forwarded${uproto}_\$\$ $ip/32\n";
                }
            }
        }
    }

    # having created a new PortForwarding chain, activate it and destroy
    # the old.
    $OUT .= " /sbin/iptables --table nat --replace PortForwarding 1 " .
        "--destination \$OUTERNET --jump $pf_chain\n";
    $OUT .= " /sbin/iptables --table nat --flush \$PFC\n";
    $OUT .= " /sbin/iptables --table nat --delete-chain \$PFC\n";
}
# ------------------------ cut here ----------------------------------------

Or download this file from:
http://www.matelogic.com.ar/91adjustPortForward

Cheers!

Nicky

Correction!!!
« Reply #20 on: May 20, 2006, 03:57:43 AM »
Sorry!!!

Where it says "if ($uproto eq 'tcp')" it must say "if ($protocol eq 'tcp')".

Download from here:
http://www.matelogic.com.ar/91adjustPortForward

Nicky

Example of the Bug
« Reply #21 on: May 20, 2006, 04:46:52 PM »
Example of the Bug:
-----------------------

Some IPTables Rules:

Chain ForwardedTCP (1 references)
target prot opt source destination
ForwardedTCP_24182 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN

Chain ForwardedTCP_24182 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere pc-00007.matelogic.com.artcp dpt:4890
ACCEPT tcp -- anywhere pc-00069.matelogic.com.artcp dpt:4357
ACCEPT tcp -- anywhere pc-00007.matelogic.com.artcp dpt:4500
ACCEPT tcp -- anywhere pc-00069.matelogic.com.artcp dpt:4889

Chain ForwardedUDP (1 references)
target prot opt source destination
ForwardedUDP_24182 all -- anywhere anywhere
denylog udp -- anywhere anywhere

Chain ForwardedUDP_24182 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere pc-00007.matelogic.com.arudp dpt:6430
ACCEPT tcp -- anywhere pc-00009.matelogic.com.arudp dpt:27015
ACCEPT tcp -- anywhere pc-00069.matelogic.com.arudp dpt:6474

Comment: The last 3 lines must be "udp" protocol.
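
The symptom in the listing above can be checked mechanically. The following is an added example, not part of the original post or of SME Server: it reads an `iptables --list` dump and reports ACCEPT rules whose protocol column disagrees with their ForwardedTCP_*/ForwardedUDP_* chain. The function names and the embedded sample (copied from the post's listing) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `iptables --list` dump for
# rules whose protocol column disagrees with their ForwardedTCP_*/ForwardedUDP_*
# chain, which is the symptom shown in the listing above.

# Constructed sample input: the per-protocol chains from the post.
sample_listing() {
    cat <<'EOF'
Chain ForwardedTCP_24182 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere pc-00007.matelogic.com.artcp dpt:4890
ACCEPT tcp -- anywhere pc-00069.matelogic.com.artcp dpt:4357

Chain ForwardedUDP (1 references)
target prot opt source destination
ForwardedUDP_24182 all -- anywhere anywhere
denylog udp -- anywhere anywhere

Chain ForwardedUDP_24182 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere pc-00007.matelogic.com.arudp dpt:6430
ACCEPT tcp -- anywhere pc-00009.matelogic.com.arudp dpt:27015
ACCEPT tcp -- anywhere pc-00069.matelogic.com.arudp dpt:6474
EOF
}

# Reads a listing on stdin, prints one line per mismatching rule and
# returns 1 if any were found, 0 otherwise.
check_forward_chains() {
    awk '
        $1 == "Chain" {
            chain = $2
            want = ""
            # Only the generated per-protocol chains carry an expectation.
            if (chain ~ /^Forwarded(TCP|UDP)_[0-9]+$/)
                want = tolower(substr(chain, 10, 3))
            next
        }
        # In rule lines the second column is the protocol.
        want != "" && $1 == "ACCEPT" && $2 != want {
            printf "%s: expected %s, found %s: %s\n", chain, want, $2, $0
            bad++
        }
        END { exit (bad > 0) }
    '
}

sample_listing | check_forward_chains || echo "mismatched rules found"
```

On a live system the same function can be fed from `/sbin/iptables --numeric --list | check_forward_chains`; an empty result with exit status 0 means every forwarded rule sits in the chain matching its protocol.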

CharlieBrady
« Reply #22 on: May 22, 2006, 12:05:46 AM »
Quote from: "guest22"
Ok, time to get it working first and then find out what's wrong ;-)


Quite the wrong thing to do. Find out what's wrong, then fix it.

Here's the ultimate recipe:

Step 1 - apply all updates
Step 2 - if there's still a malfunction, report via the Bug Tracker