Charles ==>

My bad ;>

Charles Steinkuehler wrote:
> 
> > No ideas?
> 
> Sorry...been busy w/XMas stuff.
> 
> > "Michael D. Schleif" wrote:
> > >
> > > I'm not sure where the problem is.  Here are the facts:
> > >
> > > external interface
> > >         wan1
> > >         a.b.C.157
> > >         a.b.C.156/30 -- public
> > >         proxy_arp=yes
> > >
> > > internal interface
> > >         eth0
> > >         192.168.1.254
> > >         192.168.1.0/24 -- private
> > >         proxy_arp=no
> > >
> > > dmz interface
> > >         eth1
> > >         a.b.D.65
> > >         a.b.D.64/26 -- public
> > >         proxy_arp=yes
> > >
> > > How can we port forward this?
> > >         tcp internet:55631 -> 192.168.1.20:5631
> > >         udp internet:55632 -> 192.168.1.20:5632
> > >
> > > We've tried:
> > >         tcp_${EXTERN_IP}_55631_${PAM}_5631
> > >         udp_${EXTERN_IP}_55632_${PAM}_5632
> > >
> > > However, this results in:
> > > # ipchains -nvL | grep 563
> > >    0   0 MASQ   tcp  ------ 0xFF 0x00  *   192.168.1.20   0.0.0.0/0   5631 -> *
> > >    0   0 MASQ   udp  ------ 0xFF 0x00  *   192.168.1.20   0.0.0.0/0   5632 -> *

My normal attempts resulted in failed connections.  Since this box uses
wanpipe for EXTERN_IP, I couldn't troubleshoot with the normal tools
(e.g., iptraf, tcpdump, &c.).  I kept thinking that I should see
5563[1|2] in the output of ipchains -nvL -- I was wrong ;>

I found the problem, which has nothing to do with /etc/network.conf --
indeed, the normal INTERN_SERVERS stuff works perfectly with this
network!

However, why is it that EXTERN_IP *and* port do not show up in ipchains
-nvL ?  Is it because 5563[1|2] are already open?

> With what variable?  I use the following to forward tftp and ssh (on port
> 221) to an internal system:
> 
> INTERN_SERVERS="udp_${EXTERN_IP}_tftp_10.28.18.33_tftp
>                 tcp_${EXTERN_IP}_221_10.28.18.33_22"
> 
> In your case, you need (assuming PAM=<internal IP>):
> INTERN_SERVERS="tcp_${EXTERN_IP}_55631_${PAM}_5631
>     udp_${EXTERN_IP}_55632_${PAM}_5632"
> 
> You shouldn't need to open the ports...being "high" ports, they should
> already be open for inbound connections.

Yes.

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
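The INTERN_SERVERS entry format discussed in the thread (proto_extip_extport_intip_intport) expanded into "ipmasqadm portfw" commands, as an added example that is not part of the thread or of the LEAF scripts. EXTERN_IP is assumed to be 198.51.100.157 (a documentation address standing in for a.b.C.157), PAM is 192.168.1.20 as in the thread, and the commands are only printed unless DRY_RUN=0. On 2.2-series kernels the port-forward table lives in ipmasqadm and is listed with "ipmasqadm portfw -l"; "ipchains -nvL" shows only the MASQ rules, which is why the external address and port never appear in its output.

```shell
#!/bin/sh
# Added example, not from the thread or the LEAF scripts.
# Expands INTERN_SERVERS entries of the form
#     proto_extip_extport_intip_intport
# into "ipmasqadm portfw" commands.  Commands are printed rather than
# executed unless DRY_RUN=0.

EXTERN_IP="${EXTERN_IP:-198.51.100.157}"   # assumed placeholder for a.b.C.157
PAM="${PAM:-192.168.1.20}"                 # internal server, as in the thread
DRY_RUN="${DRY_RUN:-1}"

# Same entries as in the thread, built from the variables above.
INTERN_SERVERS="tcp_${EXTERN_IP}_55631_${PAM}_5631
                udp_${EXTERN_IP}_55632_${PAM}_5632"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Resolve a service name (e.g. tftp) to a port number via /etc/services.
# Numeric ports pass through; unknown names are returned unchanged.
svc_port() {
    case "$1" in
        *[!0-9]*)
            p=$(awk -v s="$1" -v pr="$2" \
                '$1 == s && $2 ~ ("/" pr "$") { split($2, a, "/"); print a[1]; exit }' \
                /etc/services 2>/dev/null)
            echo "${p:-$1}" ;;
        *)  echo "$1" ;;
    esac
}

# Split one entry on "_" into the globals proto, extip, extport, intip and
# intport.  Returns 1 (with a message on stderr) for a malformed entry.
split_entry() {
    entry="$1"
    old_ifs="$IFS"; IFS=_
    set -- $entry
    IFS="$old_ifs"
    if [ $# -ne 5 ]; then
        echo "bad INTERN_SERVERS entry: $entry" >&2; return 1
    fi
    proto=$1; extip=$2; extport=$3; intip=$4; intport=$5
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol in $entry" >&2; return 1 ;;
    esac
}

# Turn one entry into the ipmasqadm portfw argument list, e.g.
#   "-a -P tcp -L 198.51.100.157 55631 -R 192.168.1.20 5631"
portfw_args() {
    split_entry "$1" || return 1
    echo "-a -P $proto -L $extip $(svc_port "$extport" "$proto")" \
         "-R $intip $(svc_port "$intport" "$proto")"
}

# Apply every entry; stops at the first malformed one.
apply_intern_servers() {
    for e in $INTERN_SERVERS; do
        args=$(portfw_args "$e") || return 1
        run ipmasqadm portfw $args
    done
}

apply_intern_servers
```

After running it for real (DRY_RUN=0 as root on the firewall), "ipmasqadm portfw -l" is the place to confirm the two forwards; grepping "ipchains -nvL" for the external port will keep coming up empty.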
