Port forwarding not working for me

NethServer Version: 7.9.2009
Module: firewall, port forward

Hi,
I’m new to Nethserver and I’m having an issue with port forwarding.
I have a green and a red lan port configured, both working fine.
I have set 3 port forwarding rules but none of them are working (I need to set a couple more).

grep -i DNAT /etc/shorewall/rules
DNAT:none	net	loc:192.168.100.202:51322	tcp	51322	-	&em1
DNAT:info	net	loc:192.168.100.202:2354	tcp	2354	-	&em1
DNAT:info	net	loc:192.168.100.60:22	tcp	24	-	&em1

Port checkers report that the ports are not open, and I can’t access the machine on the corresponding port either.

tcpdump -i em1 port 2354
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:43:28.973382 IP mail1.gyar.hu.52029 > ad.gyar.hu.psprserver: Flags [S], seq 13030700, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3221620384 ecr 0,sackOK,eol], length 0
12:43:29.981460 IP mail1.gyar.hu.52029 > ad.gyar.hu.psprserver: Flags [S], seq 13030700, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3221621384 ecr 0,sackOK,eol], length 0
12:43:30.997118 IP mail1.gyar.hu.52029 > ad.gyar.hu.psprserver: Flags [S], seq 13030700, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3221622384 ecr 0,sackOK,eol], length 0
12:43:32.007882 IP mail1.gyar.hu.52029 > ad.gyar.hu.psprserver: Flags [S], seq 13030700, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3221623385 ecr 0,sackOK,eol], length 0
12:43:33.015513 IP mail1.gyar.hu.52029 > ad.gyar.hu.psprserver: Flags [S], seq 13030700, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3221624385 ecr 0,sackOK,eol], length 0
12:43:34.025885 IP mail1.gyar.hu.52029 > ad.gyar.hu.psprserver: Flags [S], seq 13030700, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3221625386 ecr 0,sackOK,eol], length 0

Aug  2 12:53:34 ad kernel: Shorewall:net_dnat:DNAT:IN=em1 OUT= MAC=44:a8:42:06:8f:67:98:da:c4:aa:1d:14:08:00 SRC=94.21.1.96 DST=94.21.1.97 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=52211 DPT=2354 WINDOW=65535 RES=0x00 SYN URGP=0 
Aug  2 12:53:37 ad kernel: Shorewall:net_dnat:DNAT:IN=em1 OUT= MAC=44:a8:42:06:8f:67:98:da:c4:aa:1d:14:08:00 SRC=94.21.1.96 DST=94.21.1.97 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=52213 DPT=2354 WINDOW=65535 RES=0x00 SYN URGP=0 
Aug  2 12:53:39 ad kernel: Shorewall:net_dnat:DNAT:IN=em1 OUT= MAC=44:a8:42:06:8f:67:98:da:c4:aa:1d:14:08:00 SRC=94.21.1.96 DST=94.21.1.97 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=52214 DPT=2354 WINDOW=65535 RES=0x00 SYN URGP=0 

Please help
Thx

Forward for 443 works.
Then: do the firewalls on 100.60 and 100.202 allow connections from WAN?

Also make sure they have configured the firewall as gateway (this is a common error).

red (WAN) is 94.21.1.97
green is 192.168.100.56
443 isn’t forwarded from this WAN port.
100.60 and 100.202 have open ports; they can accept connections on these ports.

What fw rule would that be? (gateway)

No rule at all, the gateway must be configured inside the target machines (100.60 and 100.202).

The target machines work fine on these ports; for the .60 it’s the SSH that was set from WAN port 24 to LAN port 22. These machines have only 1 LAN port active; I can connect to them on the internal network and from the other WAN that goes through a TP-Link router.

As mentioned before, if I scan for open ports on the WAN IP address I get only open ports 22, 80 and 443, both go to the NethServer webadmin; the rest of the ports that are port forwarded are closed (or not forwarded as they should be).

Are you using two routers, Neth and TP-Link? There may be DHCP issues…

As @giacomo already mentioned, you need to set the right gateway on the target machines. I assume it’s now set to the TP Link router and you need to change it to point to the NethServer.

Which OS is running on the target machines?

2 Likes
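The symptom pattern in this thread (the DNAT chain logs a hit, tcpdump on the red interface shows the same SYN retransmitted with the same sequence number, and no SYN-ACK ever comes back) is the signature of a broken return path: the DNAT works, but the target host sends its reply to a different default gateway. The script below is an added example, not code from the original post or from the NethServer project. It classifies a port forward from constructed tcpdump and Shorewall kernel-log lines shaped like the ones above, and checks a target host’s `ip route show` output for the gateway fix the replies describe. The hostnames, IPs and route lines are constructed sample data, and the verdict strings are my own wording.

```python
"""Classify a NethServer/Shorewall port forward from tcpdump and kernel-log output.

Added example (not from the NethServer project). All sample data below is
constructed to mirror the shape of the thread's output.
"""
import re
from collections import Counter

# Constructed sample: SYNs arriving on the red interface, same seq retransmitted, nothing back.
TCPDUMP_BROKEN = """\
12:43:28.973382 IP mail1.gyar.hu.52029 > ad.gyar.hu.psprserver: Flags [S], seq 13030700, win 65535, length 0
12:43:29.981460 IP mail1.gyar.hu.52029 > ad.gyar.hu.psprserver: Flags [S], seq 13030700, win 65535, length 0
12:43:30.997118 IP mail1.gyar.hu.52029 > ad.gyar.hu.psprserver: Flags [S], seq 13030700, win 65535, length 0
"""

# Constructed sample: what the same capture looks like once the handshake completes (tcpdump -nn form).
TCPDUMP_OK = """\
12:50:01.000000 IP 94.21.1.96.52300 > 94.21.1.97.2354: Flags [S], seq 1, win 65535, length 0
12:50:01.000500 IP 94.21.1.97.2354 > 94.21.1.96.52300: Flags [S.], seq 2, ack 2, win 65535, length 0
12:50:01.001000 IP 94.21.1.96.52300 > 94.21.1.97.2354: Flags [.], ack 3, win 65535, length 0
"""

# Constructed sample: the SYNs as logged by the Shorewall net_dnat chain (fields trimmed).
KLOG = """\
Aug  2 12:53:34 ad kernel: Shorewall:net_dnat:DNAT:IN=em1 OUT= SRC=94.21.1.96 DST=94.21.1.97 PROTO=TCP SPT=52211 DPT=2354 SYN
Aug  2 12:53:37 ad kernel: Shorewall:net_dnat:DNAT:IN=em1 OUT= SRC=94.21.1.96 DST=94.21.1.97 PROTO=TCP SPT=52213 DPT=2354 SYN
"""

# Constructed samples of `ip route show` on a target host, before and after the gateway fix.
ROUTE_BEFORE = """\
default via 192.168.100.33 dev eth0 proto static
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.202
"""
ROUTE_AFTER = """\
default via 192.168.100.56 dev eth0 proto static
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.202
"""

TCPDUMP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]")
SEQ_RE = re.compile(r"seq (\d+)")
KLOG_RE = re.compile(r"Shorewall:(?P<chain>\S+?):(?P<action>[A-Z]+):.*?DPT=(?P<dpt>\d+)")
ROUTE_RE = re.compile(r"^default via (?P<gw>\d+\.\d+\.\d+\.\d+)")


def _host(endpoint):
    """tcpdump prints the port (number or service name) as the last dotted component."""
    return endpoint.rpartition(".")[0]


def parse_tcpdump(text):
    """Yield (flags, src_host, dst_host, seq or None) for each TCP line tcpdump printed."""
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        seq = SEQ_RE.search(line)
        yield m["flags"], _host(m["src"]), _host(m["dst"]), int(seq.group(1)) if seq else None


def dnat_hits(klog_text, port):
    """Count Shorewall DNAT log lines whose destination port is the forwarded port."""
    return sum(1 for line in klog_text.splitlines()
               for m in [KLOG_RE.search(line)]
               if m and m["action"] == "DNAT" and int(m["dpt"]) == port)


def diagnose(tcpdump_text, klog_text, port):
    """Combine the red-interface capture and the DNAT log into one verdict."""
    syn = Counter()   # (src_host, seq) -> copies seen; same seq repeated = retransmission
    synack = 0
    for flags, src, _dst, seq in parse_tcpdump(tcpdump_text):
        if flags == "S":
            syn[(src, seq)] += 1
        elif flags == "S.":
            synack += 1
    hits = dnat_hits(klog_text, port)
    if not syn and hits == 0:
        verdict = "no SYN reached the red interface: check upstream filtering or the public IP"
    elif hits == 0:
        verdict = "SYNs arrive but no DNAT log hit: the port-forward rule is not matching"
    elif synack == 0:
        verdict = ("DNAT matched and SYNs were retransmitted without a SYN-ACK: the reply path "
                   "is broken; point the target's default gateway at the firewall and check its host firewall")
    else:
        verdict = "handshake completed through the forward"
    return {"dnat_hits": hits, "syn": sum(syn.values()),
            "retransmissions": max(syn.values(), default=0), "synack": synack, "verdict": verdict}


def gateway_is_firewall(ip_route_text, firewall_green_ip):
    """True when the host's default route (from `ip route show`) points at the firewall's green IP."""
    for line in ip_route_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            return m["gw"] == firewall_green_ip
    return False


if __name__ == "__main__":
    print(diagnose(TCPDUMP_BROKEN, KLOG, 2354))
    print(diagnose(TCPDUMP_OK, KLOG, 2354))
    print(gateway_is_firewall(ROUTE_BEFORE, "192.168.100.56"), gateway_is_firewall(ROUTE_AFTER, "192.168.100.56"))
```

Run it against real output with `tcpdump -nn -i em1 port 2354` on the firewall, `grep Shorewall /var/log/messages`, and `ip route show` on the target host; the numeric form (`-nn`) is safer than resolved names because a service name like `psprserver` can hide which port was actually captured.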

Hi,
Yes, I have a TP-Link router for one WAN IP address and the NethServer for another one.
I have only 1 DHCP server (neither the router nor the NethServer), so it can’t be a DHCP issue.
The target machines are Linux: one is openSUSE, the other one is Ubuntu 20.
I can change the gateway on them (it’s 192.168.100.33 now for all machines on the network) to the NethServer to test it.
DHCP and DNS server run on a macOS (Xserve) at 192.168.100.30
TP-Link router is 192.168.100.33
NethServer is 192.168.100.56

1 Like

@Andrasf

As a Mac User myself, you ARE aware that the last version of Mac OS Server which included DNS / DHCP Server Services was 5.3.1, and that does contain rather dated versions of DNS and DHCP?

Yes, they do work, if configured correctly (including reverse!).

The DNS Server included in Mac OSX Server is NOT suitable for Internet DNS resolution (As little as the NethServer DNS!), but can do internal DNS well enough.

As DNS would be internal only, and DHCP is anyway only internal, there’s not much risk from dated versions, but they should NOT be accessible from the Internet.

My 2 cents
Andy

Hi Andy,
Configured the gateway on the target machine and port forwarding works now.

I’m aware of the Mac server issues; I have configured it manually and it works for us.
LDAP is one of the services I wanted to replace (along with DNS, DHCP, etc.) with the NethServer, but so far I have had to do a lot of other things lately.
If you have a suggestion for a better way to replace the services running on the old macOS server, I’m happy to hear it.

Andras