Koozali.org: home of the SME Server

Port Forwarding - not all are working

Gaetan
Port Forwarding - not all are working
« on: October 12, 2016, 05:33:41 PM »
Hi,
I have set up a few port forwards.
Some of them do work but others don't, despite the fact that the destination device is set up correctly.
All the Avaya ones do not work.
Please check the attached screenshots.

How can I check the settings via the command line?

Thanks
Regards

Daniel B.
Re: Port Forwarding - not all are working
« Reply #1 on: October 12, 2016, 06:01:54 PM »
You can check with

Code:
iptables -t nat -L -vn | less

Look for a PortForwarding_XXXX section (XXXX being a random number). You should see your NAT rules there. When you say "do not work", what do you get? A timeout? Are you sure the destination device is correctly configured? One thing that could explain why the destination device works from your LAN but the NATed ports do not respond would be that the device has no gateway defined (or not the correct one).
It's the end of the world!!! :lol:

guest22

Re: Port Forwarding - not all are working
« Reply #2 on: October 13, 2016, 01:34:28 AM »
Quote
One thing that could explain why the destination device works from your LAN but the NATed ports do not respond would be that the device has no gateway defined (or not the correct one).

That would be my best guess too.

Gaetan
Re: Port Forwarding - not all are working
« Reply #3 on: October 13, 2016, 10:26:53 AM »
The device has a gateway defined (SME server 192.168.1.2).

Here are the results:
 iptables -t nat -L -vn | less

Chain OUTPUT (policy ACCEPT 3788K packets, 271M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PortForwarding (1 references)
 pkts bytes target     prot opt in     out     source               destination
17294 1172K PortForwarding_24452  all  --  *      *       0.0.0.0/0            xx.xxx.xxx.xxx(our public IP)

Chain PortForwarding_24452 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  111  6548 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4660 to:192.168.1.245:81
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4661 to:192.168.1.246:554
  315 16428 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4662 to:192.168.1.5:443
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4664 to:192.168.1.36:21
   17  1000 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5060 to:192.168.1.239:5060
    2   108 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5061 to:192.168.1.239:5061
   55  3316 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5222 to:192.168.1.234:5222
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5269 to:192.168.1.234:5269
   21  1052 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 to:192.168.1.234:8080
   15   848 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8443 to:192.168.1.234:8443
  105  6324 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8444 to:192.168.1.234:8444
    3   425 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:39152:43246 to:192.168.1.239:39152-43246
   62 27303 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:5060 to:192.168.1.239:5060

Chain PostroutingOutbound (1 references)
 pkts bytes target     prot opt in     out     source               destination
 427K   31M ACCEPT     all  --  *      *       xx.xxx.xxx.xxx(our public IP)       0.0.0.0/0
 401K   29M MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SMTPProxy (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            127.0.0.1
 5709  293K ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.2
 7252  424K ACCEPT     all  --  *      *       0.0.0.0/0            xx.xxx.xxx.xxx(our public IP)
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain TransProxy (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            127.0.0.1
   22  1228 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.2
   67  3504 ACCEPT     all  --  *      *       0.0.0.0/0            xx.xxx.xxx.xxx(our public IP)
54953 2908K DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           to:192.168.1.2:3128



Funny thing in the results:
Working port forwards are not shown (4660, 4661, 4662, 4663, 4664) ...


Any suggestions?

Thanks and regards

Daniel B.
Re: Port Forwarding - not all are working
« Reply #4 on: October 13, 2016, 10:37:03 AM »
We can see the 13 NAT rules are all there. And all of them have a counter, which means packets matching the rules have been passed. Everything seems OK on the SME side.
It's the end of the world!!! :lol:
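Reply #1 says to look for the PortForwarding_XXXX chain in the `iptables -t nat -L -vn` listing, and Reply #4 reads the packet counters on those rules: a non-zero counter proves the DNAT rule matched, so the remaining suspects are on the target device (service not listening, wrong default gateway), while a zero counter means no packet for that public port ever reached the firewall's NAT table. The script below is an added example, not SME Server code or anything posted in the thread: it parses a listing in that format, extracts the DNAT rules from every PortForwarding_* chain, and classifies each forward by its counter. The embedded listing is constructed to look like the one above (the public IP 203.0.113.10, the counters and one zero-hit rule are made up), and the `-x` flag mentioned in the comments is the real iptables option for exact counters.

```python
"""Summarize the PortForwarding_XXXX chain of an `iptables -t nat -L -vn` listing.

Added example (not SME Server code). Run on the server as:
    iptables -t nat -L -vn -x | python3 natcheck.py
or run without input to see the constructed sample listing analysed.
"""
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the thread's output; addresses and counters are made up.
SAMPLE_LISTING = """\
Chain PortForwarding (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1000   60K PortForwarding_24452  all  --  *      *       0.0.0.0/0            203.0.113.10

Chain PortForwarding_24452 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  111  6548 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4660 to:192.168.1.245:81
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4661 to:192.168.1.246:554
   17  1000 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5060 to:192.168.1.239:5060
    3   425 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:39152:43246 to:192.168.1.239:39152-43246

Chain PostroutingOutbound (1 references)
 pkts bytes target     prot opt in     out     source               destination
 401K   29M MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# A DNAT rule: packet/byte counters, target, protocol, then "dpt:N" or "dpts:A:B" and "to:ip:port[-port]".
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+DNAT\s+(?P<proto>\w+)\s+.*?"
    r"\bdpts?:(?P<dport>[\d:]+)\s+to:(?P<dest>[\d.]+):(?P<dest_port>[\d-]+)"
)
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


@dataclass
class ForwardRule:
    chain: str
    proto: str
    public_ports: tuple  # (low, high) inclusive; a single port is (p, p)
    dest: str
    dest_ports: str      # as printed by iptables, e.g. "81" or "39152-43246"
    pkts: int
    bytes: int


def parse_count(text: str) -> int:
    """Turn a counter such as '17', '60K' or '29M' into an integer.
    Without -x, iptables rounds with 1000-based suffixes; pass -x for exact values."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad counter: {text!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def forwarding_rules(listing: str) -> list:
    """Return the DNAT rules found in every PortForwarding_* chain of the listing."""
    rules, chain = [], None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if not (chain and chain.startswith("PortForwarding_")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # column header, blank line, or a rule that is not a DNAT
        lo, _, hi = m.group("dport").partition(":")
        rules.append(ForwardRule(chain, m.group("proto"), (int(lo), int(hi or lo)),
                                 m.group("dest"), m.group("dest_port"),
                                 parse_count(m.group("pkts")), parse_count(m.group("bytes"))))
    return rules


def diagnose(rules: list) -> dict:
    """Classify each forward by its packet counter, following the thread's reasoning."""
    report = {}
    for r in rules:
        lo, hi = r.public_ports
        key = f"{r.proto}/{lo}" if lo == hi else f"{r.proto}/{lo}-{hi}"
        if r.pkts == 0:
            report[key] = "no packets matched: traffic is not arriving on this public port"
        else:
            report[key] = (f"DNAT applied to {r.pkts} packets -> {r.dest}:{r.dest_ports}; "
                           "check that the device listens there and routes replies via the SME server")
    return report


def find_rule(rules: list, proto: str, port: int) -> Optional[ForwardRule]:
    """Which forward (if any) covers this public protocol/port? Handles dpts ranges."""
    for r in rules:
        lo, hi = r.public_ports
        if r.proto == proto and lo <= port <= hi:
            return r
    return None


if __name__ == "__main__":
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for key, status in diagnose(forwarding_rules(listing)).items():
        print(f"{key:18} {status}")
```

Rules with a zero counter point away from the server's NAT table and toward the path before it (upstream filtering, testing from inside the LAN rather than from the Internet, or simply the wrong public port); rules with hits are the case Reply #1 describes, where the device receives the translated packet but its reply never comes back through the SME server.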

mmccarn
Re: Port Forwarding - not all are working
« Reply #5 on: October 13, 2016, 12:24:34 PM »
What is it that you're trying to do from outside the network? 

When I do some googling for avaya firewall rules, FTP traffic is included in the results (TFTP for phone firmware loading, I presume).  FTP is a special case that is probably being intercepted by the SME server itself, and (as I understand it) requires special considerations in iptables.


CharlieBrady
Re: Port Forwarding - not all are working
« Reply #6 on: October 14, 2016, 02:26:55 PM »
Chain PortForwarding_24452 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  111  6548 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4660 to:192.168.1.245:81
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4661 to:192.168.1.246:554
  315 16428 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4662 to:192.168.1.5:443
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4664 to:192.168.1.36:21
....
Quote
Funny thing in the results:
Working Port forwarded are not shown (4660, 4661, 4662, 4663, 4664) ...

I don't understand what you are saying. I can see 4660, 4661, 4662, 4664. Can't you?