Port Forwards Not Working

NethServer Version: 7.7.1908

I am new to NethServer and trying to get port forwards done.
I have set up the port forward in NETH.

When I try and connect to the port it does not work.

[root@FW ~]# grep -i DNAT /etc/shorewall/rules
DNAT-:info net 10.107.0.2:8989 tcp 8989 - &enp2s0,&enp3s0

[root@FW ~]# tcpdump -i enp2s0 port 8989
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:51:14.001922 IP vc-gp-n-41-13-212-204.umts.vodacom.co.za.51910 > FW.itts.co.za.sunwebadmins: Flags [S], seq 3822142757, win 65535, options [mss 1350,sackOK,TS val 75697782 ecr 0,nop,wscale 8], length 0
16:51:14.014400 IP vc-gp-n-41-13-212-204.umts.vodacom.co.za.51911 > FW.itts.co.za.sunwebadmins: Flags [S], seq 1818226737, win 65535, options [mss 1350,sackOK,TS val 75697782 ecr 0,nop,wscale 8], length 0

And when I open the URL on my local machine it works. So the PF is set correctly on the LAN side, just not getting in from the WAN.

Any advice?

Hi, welcome @Juan_Kilian,
Can you tell us something about your network configuration?
What is in front of the red interface? A router? If so you have to forward the port at your router.

Hi
I have fibre connected to RED interface, and my red interface has a public facing /29 ip address.

I have a couple of Mikrotik devices on the green interface side of the Neth server that I need to PF some ports to.

You may have to enable hairpin NAT in the firewall settings to make port forwards work from internal:


https://docs.nethserver.org/en/v7/firewall2.html#settings


Good morning

Port forwards work internally without hairpin NAT.

I can't get it to work from outside in.

Hey, I also got port forwarding issues to a client...
NethServer 7.8 as gateway, one red WAN, one bridge (LAN switch, wifi), firewall and fail2ban enabled.
Made an alias for my WAN -> dunno if that was necessary.
Firewall port forward: 6881 TCP as source and destination, client IP to WAN alias.
Enable hairpin NAT -> on.
What am I missing? Thanks.

shorewall check
Checking using Shorewall 5.1.10.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/snat...
Checking MAC Filtration - Phase 1...
Checking /etc/shorewall/blrules...
Checking /etc/shorewall/rules...
Checking /etc/shorewall/conntrack...
Checking MAC Filtration - Phase 2...
Applying Policies...
Checking /etc/shorewall/mangle...
Checking /etc/shorewall/stoppedrules...
Shorewall configuration verified

[root@tank ~]# grep -i DNAT /etc/shorewall/rules
DNAT:info net loc:CLIENT-IP:6881 tcp 6881 - WAN-ALIAS-IP
DNAT:info loc loc:CLIENT-IP:6881 tcp 6881 - WAN-ALIAS-IP
DNAT:none net loc:CLIENT-IP:8881 udp 8881 - WAN-ALIAS-IP
DNAT:none loc loc:CLIENT-IP:8881 udp 8881 - WAN-ALIAS-IP

tcpdump -i enp0s31f6 'port 6881'
listening on enp0s31f6, link-type EN10MB (Ethernet), capture size 262144 bytes
17:30:59.557335 IP 198.199.98.246.50244 > ISP-IP.6881: Flags [S], seq 682372862, win 14600, options [mss 1460,sackOK,TS val 3165964309 ecr 0,nop,wscale 8], length 0

tail -f /var/log/firewall.log
Oct 26 17:29:00 tank kernel: Shorewall:net2fw:DROP:IN=enp0s31f6 OUT= MAC=2c:4d:54:d0:64:87:00:17:10:7f:52:20:08:00 SRC=45.129.33.14 DST=ISP-IP LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=58912 PROTO=TCP SPT=41366 DPT=33898 WINDOW=1024 RES=0x00 SYN URGP=0

@support_team
Can somebody help?
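Both posters in this thread have the same three artifacts to correlate: the DNAT lines in /etc/shorewall/rules, a tcpdump showing the SYN arriving on the red interface, and /var/log/firewall.log showing what Shorewall did with it. The script below is an added example (not NethServer code, not from either poster) that parses the rules file layout shown above and labels each inbound Shorewall log line as "forwarded" (the SYN hit the DNAT rule), "dropped-on-forwarded-port" (a SYN to a port that has a net-zone DNAT rule was dropped instead, which is the symptom both posters describe) or "unrelated" (a drop on some other port, like the DPT=33898 line in the log above). The sample rules and log lines are constructed from the thread's own output; the CLIENT-IP / WAN-ALIAS-IP / ISP-IP placeholders are kept as the poster redacted them, and the "net_dnat" chain name in the DNAT log prefix is an assumption about Shorewall's nat-table chain naming.

```python
import re
from dataclasses import dataclass

# Constructed sample of the DNAT lines NethServer writes into /etc/shorewall/rules,
# in the same layout as the grep output in this thread (CLIENT-IP / WAN-ALIAS-IP are
# placeholders exactly as the poster redacted them).
RULES = """\
DNAT:info net loc:CLIENT-IP:6881 tcp 6881 - WAN-ALIAS-IP
DNAT:info loc loc:CLIENT-IP:6881 tcp 6881 - WAN-ALIAS-IP
DNAT:none net loc:CLIENT-IP:8881 udp 8881 - WAN-ALIAS-IP
DNAT-:info net 10.107.0.2:8989 tcp 8989 - &enp2s0,&enp3s0
"""

# Constructed sample of /var/log/firewall.log. Line 1 is the net2fw DROP from the
# thread; lines 2 and 3 are invented to show a dropped SYN on a forwarded port and a
# SYN that reached the DNAT rule ("net_dnat" chain name assumed; MAC field shortened).
LOG = """\
Oct 26 17:29:00 tank kernel: Shorewall:net2fw:DROP:IN=enp0s31f6 OUT= MAC=2c:4d:54:d0:64:87:00:17:10:7f:52:20:08:00 SRC=45.129.33.14 DST=ISP-IP LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=58912 PROTO=TCP SPT=41366 DPT=33898 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 26 17:31:02 tank kernel: Shorewall:net2fw:DROP:IN=enp0s31f6 OUT= MAC=00 SRC=198.199.98.246 DST=ISP-IP LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=50244 DPT=6881 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 26 17:31:03 tank kernel: Shorewall:net_dnat:DNAT:IN=enp0s31f6 OUT= MAC=00 SRC=198.199.98.246 DST=ISP-IP LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=50245 DPT=6881 WINDOW=14600 RES=0x00 SYN URGP=0
"""


@dataclass(frozen=True)
class Forward:
    source_zone: str  # zone the rule accepts from: "net" (WAN) or "loc" (hairpin copy)
    proto: str        # "tcp" / "udp"
    port: int         # external destination port being forwarded
    target: str       # "host:port" behind the firewall


def parse_rules(text):
    """Parse DNAT lines from /etc/shorewall/rules into Forward records."""
    forwards = []
    for line in text.splitlines():
        fields = line.split()
        # Column layout: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
        if len(fields) < 5 or not fields[0].startswith("DNAT"):
            continue
        _action, src, dest, proto, dport = fields[:5]
        # DEST is "zone:host:port" or plain "host:port" (IPv4 only); drop the zone.
        parts = dest.split(":")
        target = ":".join(parts[1:]) if len(parts) == 3 else dest
        forwards.append(Forward(src, proto.lower(), int(dport), target))
    return forwards


LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


def parse_log_line(line):
    """Return (chain, disposition, fields) for a Shorewall kernel log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(re.findall(r"(\w+)=(\S*)", rest))  # IN=, SRC=, DPT=, ...
    fields["SYN"] = " SYN " in rest or rest.endswith(" SYN")  # flag has no "="
    return m.group("chain"), m.group("disp"), fields


def classify(forwards, log_text):
    """Label each inbound connection attempt in the log against the DNAT rules."""
    wan_ports = {(f.proto, f.port) for f in forwards if f.source_zone == "net"}
    verdicts = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        chain, disp, f = parsed
        # Only new connections arriving from the net zone are relevant here.
        if not chain.startswith("net") or not f["SYN"]:
            continue
        key = (f.get("PROTO", "").lower(), int(f.get("DPT", 0)))
        if disp == "DNAT" and key in wan_ports:
            verdicts.append(("forwarded", f["SRC"], key))
        elif disp == "DROP" and key in wan_ports:
            verdicts.append(("dropped-on-forwarded-port", f["SRC"], key))
        else:
            verdicts.append(("unrelated", f["SRC"], key))
    return verdicts


if __name__ == "__main__":
    for verdict, src, (proto, port) in classify(parse_rules(RULES), LOG):
        print(f"{verdict:28} {src} -> {proto}/{port}")
```

In practice you would feed it `grep -i DNAT /etc/shorewall/rules` and the tail of /var/log/firewall.log; a "dropped-on-forwarded-port" verdict means the packet reached the box (which the tcpdump already proved) but the DNAT rule did not match it, so the thing to compare is the ORIGDEST column of the rule (the WAN alias or interface) against the DST= address in the log line.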

For bittorrent Hairpin NAT should not be necessary...

OK, turned it off, but the issue remains. I checked that the prob is not at the client firewall by temporarily turning it off. Maybe it's related to the bridge that I have?