Bug 10937

Summary: Port forward with changing port does not work
Product: IPFire
Reporter: Martin Wunderli <martin>
Component: ---
Assignee: Alexander Marx <alexander.marx>
Status: CLOSED WORKSFORME
QA Contact:
Severity: Minor Usability
Priority: Will affect an average number of users
CC: mibs510, michael.tremer, peter.mueller, stefan.schantl
Version: 2
Hardware: unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 12278

Description Martin Wunderli 2015-10-14 12:41:21 UTC
I want to create a rule which forwards connections to port 230 of the firewall to port 22 of a machine in dmz (external ssh access). Forward to an existing port without port change works. With port change it does not.

Following is the line from the firewall/config file:

6,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,192.168.2.16/32,,TCP,,,ON,,,TGT_PORT,22,SSH server on hathi,,,,,,,,,,00:00,00:00,ON,AUTO,230,dnat,,,,,second

If I start the SSH server on the internal host on port 230, connection works. So I think, that the port change is not reflected in the iptables command.

Cheers
Martin
Comment 1 Osmar Gonzalez 2015-10-20 11:18:49 UTC
This is not a bug? Should be posted on the forums.
Comment 2 Peter Müller 2017-11-08 16:48:11 UTC
(In reply to Martin Wunderli from comment #0)
> I want to create a rule which forwards connections to port 230 of the
> firewall to port 22 of a machine in dmz (external ssh access). Forward to an
> existing port without port change works. With port change it does not.
> 
> Following is the line from the firewall/config file:
> 
> 6,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,192.168.2.16/32,,TCP,,,ON,,,
> TGT_PORT,22,SSH server on
> hathi,,,,,,,,,,00:00,00:00,ON,AUTO,230,dnat,,,,,second
> 
> If I start the SSH server on the internal host on port 230, connection
> works. So I think, that the port change is not reflected in the iptables
> command.
> 
> Cheers
> Martin
I am afraid I did not fully get what your problem is. Could you please describe it in a bit more detail?
Comment 3 Martin Wunderli 2017-11-16 12:07:56 UTC
It is about port forward.

Example:

You can define:
Firewall, Port 230 --- forward to --> Internal Host, Port 22
Does not work (Port changes while forwarding).

You can define:
Firewall, Port 230 --- forward to --> Internal Host, Port 230
Works (No Port change while forwarding)
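The two iptables rules behind "Firewall, Port 230 --> Internal Host, Port 22", as an added example that is not IPFire's own code and is not taken from this bug report. It shows the place where a port-translating forward usually goes wrong: the FORWARD rule sees the packet after DNAT, so it must match the translated port (22), not the external one (230), and a rule written against 230 only works when the internal service really listens on 230. It also includes a check that reads `iptables-save` output and fails unless both rules carry the translated port. The interface name red0, the conntrack state match and the dry-run mechanism (IPT defaults to `echo iptables`) are assumptions, not settings from this bug.

```shell
#!/bin/sh
# Added example, not IPFire's own code and not taken from this bug report.
# Assumptions: the WAN interface is called red0, DNAT lives in nat/PREROUTING
# and the flow is allowed in filter/FORWARD with a conntrack state match.
set -eu

# Dry run by default: the commands are printed, not applied.
# Run with IPT=iptables as root to load them.
IPT="${IPT:-echo iptables}"

# add_port_forward PROTO WAN_IF EXT_PORT HOST INT_PORT
add_port_forward() {
    proto=$1 wan_if=$2 ext_port=$3 host=$4 int_port=$5
    # 1) Rewrite the destination before the routing decision.
    $IPT -t nat -A PREROUTING -i "$wan_if" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$host:$int_port"
    # 2) Let the flow through. FORWARD sees the packet AFTER DNAT, so it must
    #    match the translated port (int_port), not the external one (ext_port).
    $IPT -A FORWARD -i "$wan_if" -p "$proto" -d "$host" --dport "$int_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# The variant that reproduces the reported symptom: FORWARD matches the
# external port. After DNAT no packet carries dport 230 any more, so the SYN
# is dropped unless the internal service really listens on 230.
broken_port_forward() {
    proto=$1 wan_if=$2 ext_port=$3 host=$4 int_port=$5
    $IPT -t nat -A PREROUTING -i "$wan_if" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$host:$int_port"
    $IPT -A FORWARD -i "$wan_if" -p "$proto" -d "$host" --dport "$ext_port" \
        -j ACCEPT
}

# rule_present CHAIN FRAGMENT... < ruleset
# True if some "-A CHAIN ..." line of iptables-save output contains every
# fragment (fixed strings, any order).
rule_present() {
    chain=$1; shift
    lines=$(grep -- "^-A $chain " || true)
    for frag in "$@"; do
        lines=$(printf '%s\n' "$lines" | grep -F -- "$frag" || true)
    done
    [ -n "$lines" ]
}

# check_port_forward PROTO EXT_PORT HOST INT_PORT < ruleset
# Reads iptables-save output and fails unless both the DNAT rule with the
# translated port and a FORWARD accept for that translated port exist.
# On the firewall: iptables-save | check_port_forward tcp 230 192.168.2.16 22
check_port_forward() {
    proto=$1 ext_port=$2 host=$3 int_port=$4
    rules=$(cat)
    printf '%s\n' "$rules" | rule_present PREROUTING "-p $proto" \
        "--dport $ext_port " "-j DNAT --to-destination $host:$int_port" || {
        echo "missing DNAT $ext_port -> $host:$int_port" >&2; return 1; }
    printf '%s\n' "$rules" | rule_present FORWARD "-d $host/32" \
        "--dport $int_port " "-j ACCEPT" || {
        echo "FORWARD does not accept translated port $int_port on $host" >&2
        return 1; }
}

# Print the correct pair for the setup from this bug (dry run).
add_port_forward tcp red0 230 192.168.2.16 22
```

Run as-is to see the two commands; on the firewall, `iptables-save | check_port_forward tcp 230 192.168.2.16 22` tells you whether the loaded ruleset actually carries the port change, which is the first thing to verify before suspecting the service in the DMZ or the rule generator.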
Comment 4 Peter Müller 2018-02-06 20:36:40 UTC
Thank you.
Comment 5 Alexander Marx 2018-05-15 07:22:44 UTC
Well, maybe there is another problem here.
I can confirm that I have been using exactly that setup on several IPFire systems for years now.

And the ports are correctly forwarded to an internal host on green, port 22.

Maybe your problem is, that the orange network (DMZ) is what the name says: a DMZ. That means, servers in the DMZ are usually directly reachable from the internet.

But for that you have to make sure, that the servers in DMZ are able to use DNS.

The right firewall rule is:

SOURCE:  ALL
Target: ORANGE (host) / Port

Done

Please correct me if I am wrong, as I don't have the time to test it right now.
Comment 6 Michael Tremer 2018-10-15 13:47:43 UTC
Why is this ticket on MODIFIED? Where is the change?
Comment 7 Peter Müller 2020-04-10 11:18:29 UTC
Seems to be another FWBUG...
Comment 8 Stefan Schantl 2021-07-12 19:41:06 UTC
Tested today with a DNAT rule on the external port 12345 which points to port 22 on a host in the Blue subnet - everything worked fine.

I'm closing this bug because it is rather old and during testing I was not able to reproduce the issue.

Please feel free to re-open if the problem still exists.

Best regards,

-Stefan