/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */

Hello all

I've set up ipmasq for a LAN that includes a web server and an MSMQ server that must be visible to the internet. I'm using ipmasqadm portfw to make them visible. Port forwarding to the web server works fine, but I can't get the MSMQ server to work (although I'm following Microsoft's recommendations on which ports to open, or forward in this case).

Has anyone got this working before?

Thanks
Henty

My setup is:

Internal interface: eth0, External IF: eth1
Internal IP: 192.168.2.31, External: 196.36.0.0
MSMQ server: 192.168.2.16

My (shortened) firewall/masq script is:

#!/bin/sh
IPCHAINS=/sbin/ipchains
IPMASQADM=/usr/sbin/ipmasqadm
MODPROBE=/sbin/modprobe

LOCALNET="192.168.2.0/24"      # the private network
ETHINSIDE="192.168.2.31"
ETHOUTSIDE="196.36.x.x"        # Don't want to give a client's IP address away
LOOPBACK="127.0.0.1/8"
ANYWHERE="0/0"
OUTSIDEIF=eth1                 # fred.example.com's external (internet-facing) interface
WEBSERVER="192.168.2.16"       # Web site for the outside world -> www.cargosuite.co.za
MSMQSERVER="192.168.2.16"      # MSMQ server for Neptume system replication

FORWARD_PROCENTRY=/proc/sys/net/ipv4/ip_forward
DEFRAG_PROCENTRY=/proc/sys/net/ipv4/ip_always_defrag

# Disable forwarding while the rules are being (re)built
echo "0" > ${FORWARD_PROCENTRY}

$IPCHAINS -N outside
$IPCHAINS -N portmap

$MODPROBE ip_masq_ftp
$MODPROBE ip_masq_irc

$IPCHAINS -A forward -s $LOCALNET -d $LOCALNET -j ACCEPT > /dev/null 2>&1
$IPCHAINS -A forward -s $ETHOUTSIDE -d $ANYWHERE -j ACCEPT > /dev/null 2>&1
$IPCHAINS -A forward -s $LOCALNET -d $ANYWHERE -j MASQ > /dev/null 2>&1

# Everything arriving on the external interface goes through the "outside" chain
$IPCHAINS -A input -i ${OUTSIDEIF} -j outside
# Anti-spoofing: private, loopback and internal-destination packets never arrive from the internet
$IPCHAINS -A outside -s $LOCALNET -j DENY
$IPCHAINS -A outside -s $LOOPBACK -j DENY
$IPCHAINS -A outside -d $LOCALNET -j DENY

# Web server - open and portforward
$IPCHAINS -A outside -p TCP -s $ANYWHERE -d $ANYWHERE 80 -j ACCEPT
$IPMASQADM portfw -a -P tcp -L $ETHOUTSIDE 80 -R $WEBSERVER 80

# MSMQ server - open loads of ports and forward them (might not all be necessary)
# The chain name here must match the "outside" chain created with -N above;
# ipchains rejects a rule appended to a chain that does not exist.
for tcpport in 1801 135 2101 2103 2105
do
    $IPCHAINS -A outside -p TCP -s $ANYWHERE -d $ANYWHERE $tcpport -j ACCEPT
    $IPMASQADM portfw -a -P tcp -L $ETHOUTSIDE $tcpport -R $MSMQSERVER $tcpport
done
$IPCHAINS -A outside -p UDP -s $ANYWHERE -d $ANYWHERE 3527 -j ACCEPT
$IPMASQADM portfw -a -P udp -L $ETHOUTSIDE 3527 -R $MSMQSERVER 3527

# Turn off and log all other packets incoming, TCP or UDP, on privileged ports
$IPCHAINS -l -A outside -p TCP -s $ANYWHERE -d $ANYWHERE :1023 -y -j DENY
$IPCHAINS -l -A outside -p UDP -s $ANYWHERE -d $ANYWHERE :1023 -j DENY

# Re-enable forwarding now that the rules are in place
echo "1" > ${FORWARD_PROCENTRY}
echo "1" > ${DEFRAG_PROCENTRY}

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
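A static check for ipchains scripts of the kind posted above: it reports every `-A` that appends to a user chain the script never creates with `-N`. ipchains refuses such a rule, so the ACCEPTs in a port-forwarding loop silently never land and the forwarded traffic falls through to the catch-all DENY on privileged ports; a one-letter slip in a chain name is enough. This is an added example, not code from the original post or from the masq list; the sample script it lints is constructed here and reproduces such a typo ("ouside") on purpose. The check says nothing about whether exposing TCP 135 and the MSMQ ports to `0/0` is wise; in practice the `-s` on those rules and the portfw entries would be restricted to the replication peer's address.

```shell
#!/bin/sh
# Lint for ipchains-style firewall scripts: find "-A <chain>" references to
# chains that are neither built in nor created by "-N <chain>" in the same
# file.  Added example; not from the original post.
set -u

# Chains that exist on a 2.2 kernel without being created by -N.
BUILTIN_CHAINS="input output forward"

# Print, one per line and sorted, every chain name appended to with -A that
# the script does not create.  Pure text analysis: nothing is executed.
undefined_chains() {
    file=$1
    # Names created with -N, joined by spaces so the case pattern below works.
    created=$(sed -n 's/.*-N[[:space:]][[:space:]]*\([A-Za-z0-9_][A-Za-z0-9_]*\).*/\1/p' "$file" | tr '\n' ' ')
    sed -n 's/.*-A[[:space:]][[:space:]]*\([A-Za-z0-9_][A-Za-z0-9_]*\).*/\1/p' "$file" | sort -u |
    while read -r chain; do
        case " $BUILTIN_CHAINS $created " in
            *" $chain "*) ;;                     # built in or created: fine
            *) printf '%s\n' "$chain" ;;         # referenced but never created
        esac
    done
}

# Exit 0 when every referenced chain exists, 1 otherwise (names go to stderr).
check_script() {
    bad=$(undefined_chains "$1")
    if [ -n "$bad" ]; then
        printf 'undefined chain(s): %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample in the shape of the posted script, with a chain-name typo
# ("ouside") in the MSMQ loop.  Written to the path given as $1.
write_sample() {
    cat > "$1" <<'EOF'
IPCHAINS=/sbin/ipchains
ANYWHERE="0/0"
$IPCHAINS -N outside
$IPCHAINS -N portmap
$IPCHAINS -A forward -s 192.168.2.0/24 -d $ANYWHERE -j MASQ
$IPCHAINS -A input -i eth1 -j outside
$IPCHAINS -A outside -p TCP -s $ANYWHERE -d $ANYWHERE 80 -j ACCEPT
for tcpport in 1801 135 2101 2103 2105
do
    $IPCHAINS -A ouside -p TCP -s $ANYWHERE -d $ANYWHERE $tcpport -j ACCEPT
done
$IPCHAINS -l -A outside -p TCP -s $ANYWHERE -d $ANYWHERE :1023 -y -j DENY
EOF
}

# Run stand-alone: lint the firewall script named on the command line.
if [ "$#" -gt 0 ]; then
    check_script "$1"
fi
```

Usage: `sh lint-chains.sh /etc/rc.d/rc.firewall` prints `undefined chain(s): ouside` and exits 1 for a script with the typo above, and exits 0 silently for one whose every `-A` target is `input`, `output`, `forward`, or a chain it created with `-N`.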
