
0004129: PortForward from Red IP to computer in the Green Interface does not work - MantisBT
MantisBT - Endian Firewall
View Issue Details
ID: 0004129
Project: Endian Firewall
Category: Firewall (iptables)
View Status: public
Date Submitted: 2011-08-24 17:55
Last Update: 2011-11-04 16:43
Reporter: rodrigodc01
Priority: normal
Severity: major
Reproducibility: always
Status: feedback
Resolution: open
Product Version: 2.4.1
0004129: PortForward from Red IP to computer in the Green Interface does not work
Creating port forward rules on any port to any IP in the network simply does not work at all.

Situation

# Incoming IP Service Policy Translate to Remark Actions
1 189.90.55.66 (Uplink main) TCP/80 ALLOW with IPS 172.16.1.81 : 80 SERVIDOR WEB

The outgoing firewall is working fine; it is just the port forward with NAT that is not working.



No tags attached.
Attached Files: Snap1.jpg (129,111 bytes) 2011-08-24 17:55
https://bugs.endian.com/file_download.php?file_id=877&type=bug
Issue History
2011-08-24 17:55  rodrigodc01  New Issue
2011-08-24 17:55  rodrigodc01  File Added: Snap1.jpg
2011-08-24 17:59  baldy        Note Added: 0007336
2011-08-24 18:17  rodrigodc01  Note Added: 0007337
2011-08-24 18:17  rodrigodc01  Status: new => feedback
2011-08-24 18:22  rodrigodc01  Note Added: 0007338
2011-08-24 18:27  rodrigodc01  Note Edited: 0007338
2011-08-24 18:33  baldy        Note Added: 0007339
2011-08-24 18:36  rodrigodc01  Note Added: 0007340
2011-08-24 18:52  baldy        Note Added: 0007341
2011-08-24 18:55  rodrigodc01  Note Added: 0007342
2011-08-24 18:59  baldy        Note Added: 0007343
2011-08-24 19:01  rodrigodc01  Note Added: 0007344
2011-08-24 19:05  baldy        Note Added: 0007345
2011-08-24 19:15  rodrigodc01  Note Added: 0007346
2011-08-24 19:23  baldy        Note Added: 0007347
2011-08-24 19:28  rodrigodc01  Note Added: 0007348
2011-08-24 19:34  baldy        Note Added: 0007349
2011-08-24 19:38  rodrigodc01  Note Added: 0007350
2011-08-24 19:59  baldy        Note Added: 0007351
2011-08-24 23:23  rodrigodc01  Note Added: 0007352
2011-09-05 11:49  baldy        Note Added: 0007383
2011-11-04 16:43  rodrigodc01  Note Added: 0007528

Notes
(0007336)
baldy   
2011-08-24 17:59   
Hi rodrigo,

Just tested with the IP you have on the external site and I get an HTML page with "It works!"

If you are trying to access the webserver from green through red and back to green again, this does not work.

Regards,

Klaas-Jan
(0007337)
rodrigodc01   
2011-08-24 18:17   
Ahhh, got it!! Just a little something: is there any way to erase the IP from my post? I don't want to leave it there because of security concerns.
(0007338)
rodrigodc01   
2011-08-24 18:22   
(edited on: 2011-08-24 18:27)
Well, since you got the IP already, I've got to say it's quite strange: I tried to access it from 3G on my cell and it does not work, then I tried a VPN and still no luck....

I'm losing my mind over this...

(0007339)
baldy   
2011-08-24 18:33   
Just checked again from the system it worked from and now I can't connect to the webserver.
Same from my phone.

Can you set up the firewall without IPS?

Regards,

Klaas-Jan
(0007340)
rodrigodc01   
2011-08-24 18:36   
Well, I tried again using an external VPN with no luck. I just disabled the IPS on the rule; let's see if it works now for you at least.
(0007341)
baldy   
2011-08-24 18:52   
Still no go.

Can you recreate the rule with <ANY Uplink>?

Can you also create a rule for TCP port 81 to your internal IP port 80?

This may help determine the source of the problem.

I am supporting around 15 EFWs and have no problems whatsoever with forwarding port 80, also no issues on the bug forum.

Regards,

Klaas-Jan
(0007342)
rodrigodc01   
2011-08-24 18:55   
Hey, thanks for the help! So here are the new rules:

# Incoming IP Service Policy Translate to Remark Actions
1 Uplink ANY TCP/80 ALLOW 172.16.1.81 : 80 SERVIDOR WEB
      ALLOW from: <ANY>
2 Uplink ANY TCP+UDP/81 ALLOW 172.16.1.81 : 81 WEB2
      ALLOW from: <ANY>
(0007343)
baldy   
2011-08-24 18:59   
Can you modify the second rule so the internal port is 80?
(0007344)
rodrigodc01   
2011-08-24 19:01   
Done,

# Incoming IP Service Policy Translate to Remark Actions
1 Uplink ANY TCP/80 ALLOW 172.16.1.81 : 80 SERVIDOR WEB
      ALLOW from: <ANY>
2 Uplink ANY TCP+UDP/81 ALLOW 172.16.1.81 : 80 WEB2
      ALLOW from: <ANY>

Still no luck here
(0007345)
baldy   
2011-08-24 19:05   
Can you temporarily disable the outgoing firewall?
(0007346)
rodrigodc01   
2011-08-24 19:15   
Yes, I just did that, but it seems to have no effect.
(0007347)
baldy   
2011-08-24 19:23   
Can you internally access the server?

Also please enable logging on the firewall rule and check for traffic from 77.251.247.241 and what happens to the packets.

If you see activity from my IP copy and paste the firewall log entries.

Logs can be viewed using the logs option on the right.
Do not use the Live log viewer, just use the normal one.

Regards,

Klaas-Jan
(0007348)
rodrigodc01   
2011-08-24 19:28   
Yes, the server is available from the internal network; here's the log:

Aug 24 16:20:36 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5724  e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:35 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5721  e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:35 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5722  e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:29 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5724  e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:29 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5721  e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:29 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5722  e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:27 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5724  e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:27 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5722  e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:27 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5721  e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:17:23 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 54295 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:17:23 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 54294 e4:1f:13:93:44:94 172.16.1.81 80
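Note 0007347 asks for exactly two things from the firewall log: whether packets from a given source arrived on red at all, and what the PORTFWACCESS chain did with them. The script below is an added example, not code from the bug report or from Endian; it parses log entries written one per line in the column order shown in note 0007348 (time, chain:verdict:rule, interface, protocol, source IP, source port, MAC, destination IP, destination port; the real EFW log viewer layout may differ, so the format is an assumption) and reduces them to a next troubleshooting step. The sample lines are constructed: five mirror the entries above, and one DROP line for 203.0.113.9 (a documentation address) is made up so the verdict field is exercised. One inference is my own reading of the log rather than anything stated in the thread: the same source port (5724) being accepted at 16:20:27, 16:20:29 and 16:20:36 is what a client's SYN retransmissions look like when the forwarded packet is delivered but no reply comes back, which is what sends the investigation towards the server's default gateway.

```python
"""Summarise Endian Firewall PORTFWACCESS log lines (added example)."""
import re
from collections import Counter

# Constructed sample, modelled on the log columns posted in note 0007348,
# plus one made-up DROP line so that the verdict field is exercised.
SAMPLE_LOG = """\
Aug 24 16:20:36 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5724 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:29 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5724 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:20:27 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 5724 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:17:23 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 54295 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:17:23 PORTFWACCESS:ACCEPT:1 eth1 TCP 77.251.247.241 54294 e4:1f:13:93:44:94 172.16.1.81 80
Aug 24 16:18:02 PORTFWACCESS:DROP:0 eth1 TCP 203.0.113.9 41000 e4:1f:13:93:44:94 172.16.1.81 80
"""

# One entry per line, whitespace separated, in the column order assumed above.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +"
    r"(?P<chain>[A-Z]+):(?P<verdict>[A-Z]+):(?P<rule>\d+) +"
    r"(?P<iface>\S+) +(?P<proto>\S+) +"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) +(?P<sport>\d+) +"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) +"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) +(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse PORTFWACCESS entries; lines that do not match the layout are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        for key in ("rule", "sport", "dport"):
            e[key] = int(e[key])
        entries.append(e)
    return entries


def summarise(entries, src_ip):
    """Describe what the firewall did with every logged packet from src_ip."""
    mine = [e for e in entries if e["src"] == src_ip]
    accepted_sports = Counter(e["sport"] for e in mine if e["verdict"] == "ACCEPT")
    return {
        "packets": len(mine),
        "verdicts": Counter(e["verdict"] for e in mine),
        "rules": sorted({e["rule"] for e in mine}),
        "targets": sorted({f"{e['dst']}:{e['dport']}" for e in mine}),
        # The same source port being accepted more than once means the client
        # kept resending the same connection attempt: a retransmission pattern.
        "repeated_source_ports": {p: n for p, n in accepted_sports.items() if n > 1},
    }


def diagnose(summary):
    """Map a summary to the next troubleshooting step."""
    if summary["packets"] == 0:
        return "not_seen"           # traffic never reached the red interface
    if summary["verdicts"].get("ACCEPT", 0) == 0:
        return "dropped"            # the firewall policy itself rejects it
    if summary["repeated_source_ports"]:
        return "accepted_no_reply"  # forwarded, but the client saw no answer
    return "accepted"


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ip in ("77.251.247.241", "203.0.113.9", "198.51.100.1"):
        s = summarise(log, ip)
        print(ip, diagnose(s), dict(s["verdicts"]), s["repeated_source_ports"])
```

"accepted_no_reply" is the state this thread is in after note 0007348: the firewall shows ACCEPT for every packet, so the remaining suspects are on the return path (the target's default gateway, or anything else that makes the reply leave by a different route than the request came in on).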
(0007349)
baldy   
2011-08-24 19:34   
Hi Rodrigo,

The logs show that the packets are accepted and forwarded.

Any IP restrictions on the webserver?
Also, are there logs on the webserver you can check?

Is the webserver itself also using the EFW box as gateway?

Regards,

Klaas-Jan
(0007350)
rodrigodc01   
2011-08-24 19:38   
Hello, so there are no restrictions on the webserver, but the port forward also does not work with RDP (port 3389 to a Server 2008 in the network).

Gonna check the webserver logs.

And the webserver is using the EFW box as a gateway indeed.
(0007351)
baldy   
2011-08-24 19:59   
Have you changed anything?

I can connect from two different IPs and my Android phone.

Regards,

Klaas-Jan
(0007352)
rodrigodc01   
2011-08-24 23:23   
Hey Klaas-Jan, sorry, I had to go for some time. Well, I deleted all the port forward rules and created a new one:

# Incoming IP Service Policy Translate to Remark Actions
1 Uplink ANY TCP+UDP/80 ALLOW with IPS 172.16.1.81 : 80 WEB
      ALLOW with IPS from: <ANY>

It's the same thing as the ones we had before, but now it seems to work; I made no changes to the outgoing firewall or anything else.

Gonna try other rules to see if it still works. Thanks a lot for all your help!!!

* On a note, this port forward problem seems to happen only when you turn on the proxy, because on another Endian box I got port forwarding working without a problem.
(0007383)
baldy   
2011-09-05 11:49   
Hi rodrigo,

Are you using the transparent proxy?

Regards,

Klaas-Jan
(0007528)
rodrigodc01   
2011-11-04 16:43   
Hello, I had to redo everything and then I forgot to check back here. Anyway, out of nowhere the port forward started working again.

But I'm still trying to find a relation to the activation of the proxy.

Thanks for everything.