Steve Shrader <[EMAIL PROTECTED]> wrote:
>
> On the firewall I have set up testing rules of
>       ipchains -F forward
>       ipchains -P forward ACCEPT
Fuzzy Fox <[EMAIL PROTECTED]> wrote:
#There is no masquerading specified here at all.

I have tried it now with
        ipchains -F forward
        ipchains -P forward DENY
        ipchains -A forward -s 192.168.1.0/24 -d 172.16.0.0/12
        ipchains -A forward -s 192.168.1.0/24 -d 161.254.0.0/12
        ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ
        ipmasqadm portfw -f
        ipmasqadm portfw -a -P tcp -L 216.37.28.196 80 -R 192.168.1.202 80
and from the juanjox FAQ
          ipchains -F forward
          ipchains -A forward -p tcp -s 192.168.1.202/32 80 -j MASQ
          ipmasqadm portfw -a -P tcp -L 216.37.28.196 80 -R 192.168.1.202 80
still no luck.  I get the same telnet timeout when I try to telnet
216.37.28.196 80 from a machine outside of the network (my school account).

> With the above entries, from the outside network I can pull up the web
> server on the firewall.  However when I add the portfw command
> "ipmasqadm portfw -a -P tcp -L 216.37.28.196 80 -R 192.168.1.202 80"
> and telnet 216.37.28.196 80 the session hangs at "Trying
> 216.37.28.196..." and after several minutes "telnet:  Unable to
> connect to remote host:  Connection timed out"
Fuzzy Fox <[EMAIL PROTECTED]> wrote:
#Two things:
#
#1.  Are you testing from inside your local LAN?  This will always fail,
#    because the kernel will notice that the packets come in one
#    interface, and then attempt to leave via the *same* interface.
#    That is not a valid forwarding method, so the kernel drops it.
#
#2.  Port-forwarding requires a masquerade entry to be found in the
#    forward ruleset, so that it can determine what sort of masq tunnel
#    needs to be set up.  Since you have no masq rules in your forward
#    rules, the kernel cannot determine what masquerading it must perform
#    on the connection.  Thus it fails.
I am testing from outside the LAN and I tried it with the MASQ above, but it
still has the telnet timeout.  Without the ipmasqadm portfw line I can pull
up the webpage on the firewall from the firewall, but when I add the
ipmasqadm portfw line the telnet to port 80 from the Internet times out.
All other traffic still works, I can read mail and browse the web from the
LAN and telnet 23 to the machine from the Internet so MASQ is working, just
port 80 is dead.  So it looks like something is going on, just not what I
want.

-----
Steve Shrader
Allegiant Technology Group
(317)803-7446
[EMAIL PROTECTED]



_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]
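Point 2 of the quoted reply (a portfw entry needs a matching MASQ rule in the forward chain) can be checked offline against a ruleset; the sketch below is an added example, not part of the thread and not kernel code. It assumes that the reply from the real server is the packet that must reach a `-j MASQ` rule, that the first matching rule with a target decides, that rules without `-j` only count packets, and that the chain policy defaults to ACCEPT; the function names and the outside client address 198.51.100.7 are constructed for illustration.

```python
import ipaddress
import shlex

def net(spec):  # ipchains writes "anywhere" as 0/0; ipaddress needs 0.0.0.0/0
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

def load(commands):
    """Return (forward policy, forward rules, portfw real servers)."""
    policy, rules, servers = "ACCEPT", [], []    # assumed default policy
    for t in map(shlex.split, commands):
        if t[:2] == ["ipmasqadm", "portfw"] and "-R" in t:
            i = t.index("-R")
            servers.append((t[i + 1], int(t[i + 2])))
        elif t[:3] == ["ipchains", "-F", "forward"]:
            rules = []                           # a flush keeps the policy
        elif t[:3] == ["ipchains", "-P", "forward"]:
            policy = t[3]
        elif t[:3] == ["ipchains", "-A", "forward"]:
            r = {"-s": net("0/0"), "-d": net("0/0"), "-p": None, "-j": None, "sport": None}
            for i, opt in enumerate(t[:-1]):
                if opt in ("-s", "-d"):
                    r[opt] = net(t[i + 1])
                    if opt == "-s" and t[i + 2:i + 3] and t[i + 2].isdigit():
                        r["sport"] = int(t[i + 2])   # "-s addr port" form
                elif opt in ("-p", "-j"):
                    r[opt] = t[i + 1]
            rules.append(r)
    return policy, rules, servers

def reply_verdicts(commands, client="198.51.100.7", proto="tcp"):
    """Forward-chain fate of each real server's reply to a constructed client."""
    policy, rules, servers = load(commands)
    dst, out = ipaddress.ip_address(client), {}
    for ip, port in servers:
        hits = [r["-j"] for r in rules           # rules without -j only count
                if ipaddress.ip_address(ip) in r["-s"] and dst in r["-d"]
                and r["sport"] in (None, port) and r["-p"] in (None, proto) and r["-j"]]
        out[(ip, port)] = hits[0] if hits else policy
    return out

SECOND = [  # the second ruleset from the message above
    "ipchains -F forward",
    "ipchains -P forward DENY",
    "ipchains -A forward -s 192.168.1.0/24 -d 172.16.0.0/12",
    "ipchains -A forward -s 192.168.1.0/24 -d 161.254.0.0/12",
    "ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ",
    "ipmasqadm portfw -f",
    "ipmasqadm portfw -a -P tcp -L 216.37.28.196 80 -R 192.168.1.202 80",
]
print(reply_verdicts(SECOND))
```

Under this model the original testing rules (flush plus `-P forward ACCEPT`) yield ACCEPT rather than MASQ for the real server, while the second ruleset and the FAQ ruleset both yield MASQ.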
