On Thu, May 20, 2004 at 01:38:38PM -0500, Carl Karsten wrote:
> I have a port 5500 forwarded to internal IP: 192.168.1.30.
> 
> If an external box hits my external IP:5500 the forwarding works.
> 
> I would like an internal box to be able to hit the external IP and
> have the forwarding forward.
> 
> example: 192.168.1.5 sends to 24.13.45.54:5500. It should be forwarded
> to 192.168.1.30:5500

Logic for this is already in the firewall script.  In the 0.9 version
the logic is in port_forwards():

# logic here for internal clients attempting to connect
# to external IP and port that have been forwarded internally.
      for INT_NETWORK in $INT_NETWORKS; do
         $IPTABLES -t nat -I POSTROUTING -p tcp -d $I_IP \
            -s $INT_NETWORK --dport $I_PORT \
            -j SNAT --to $INT_IP && \
         $IPTABLES -t nat -I POSTROUTING -p udp -d $I_IP \
            -s $INT_NETWORK --dport $I_PORT \
            -j SNAT --to $INT_IP 
      done

I believe the problem lies in your configuration.  You appear to have
removed the INT_IP definition which is required for the above logic.
INT_IP should be the internal IP address of your firewall.

> # Get the IP of the external interface
> BASE_EXT_IP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print
> $2}' | sed -e 's/.*://'`"
> 
> # IP address for internal network(s)
> INT_NETWORKS="192.168.1.0/24"
> BASE_INT_IP="192.168.1.1"

Why the BASE_ prefix on EXT_IP and INT_IP?

> # Ports for both TCP and UDP protocols
> ALLOWED_PORTS="1433 8000 8001 8002"
> 
> # Ports for UDP only
> # 53 is used for DNS queries into the firewall machine
> ALLOWED_PORTS_UDP="53"
> 
> # Ports for TCP
> # 22 is used for SSH connections into the firewall machine
> # 80 is used for HTTP connection into the firewall machine
> ALLOWED_PORTS_TCP="21 22 25 80 113 433 443 901 2222 3128 3306 3389
> 5504 5800 5900 5901 8000 8001 8002"

No need to list the same ports in both ALLOWED_PORTS and ALLOWED_PORTS_TCP.

-- 
Jamin W. Collins

Facts do not cease to exist because they are ignored. --Aldous Huxley,
"Proper Studies", 1927
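
Added example (not part of the original message or of the firewall script itself): a dry-run version of the hairpin SNAT logic quoted above that refuses to emit rules when INT_IP is unset, the misconfiguration identified in the reply. The function name hairpin_rules, the dry-run IPTABLES default, and the reading of I_IP as the internal forward target are assumptions; the addresses are the ones from the thread.

```shell
#!/bin/sh
# Dry run by default: print the iptables commands instead of applying them.
# Set IPTABLES=/sbin/iptables to apply for real (assumed path).
IPTABLES="${IPTABLES:-echo iptables}"

# hairpin_rules I_IP I_PORT   (hypothetical helper, not in the 0.9 script)
# Without SNAT, the internal server answers the internal client directly and
# the client drops the reply, because it was sent to the external address.
# Rewriting the source to the firewall's internal IP forces replies back
# through the firewall, where the NAT mapping can be reversed.
hairpin_rules() {
    I_IP=$1
    I_PORT=$2
    # Failure mode from the thread: with INT_IP empty, "--to" has no
    # argument, iptables rejects the rule and no hairpin NAT is installed.
    if [ -z "${INT_IP:-}" ]; then
        echo "hairpin_rules: INT_IP (firewall internal address) not set" >&2
        return 1
    fi
    if [ -z "${INT_NETWORKS:-}" ]; then
        echo "hairpin_rules: INT_NETWORKS not set" >&2
        return 1
    fi
    for INT_NETWORK in $INT_NETWORKS; do
        for PROTO in tcp udp; do
            $IPTABLES -t nat -I POSTROUTING -p "$PROTO" -d "$I_IP" \
                -s "$INT_NETWORK" --dport "$I_PORT" \
                -j SNAT --to "$INT_IP" || return 1
        done
    done
}

# Values taken from the thread's example.
INT_NETWORKS="192.168.1.0/24"
INT_IP="192.168.1.1"
hairpin_rules 192.168.1.30 5500
```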
