Bug 10937 - Port forward with changing port does not work
Summary: Port forward with changing port does not work
Status: CLOSED WORKSFORME
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: unspecified Unspecified
Importance: Will affect an average number of users Minor Usability
Assignee: Alexander Marx
QA Contact:
URL:
Keywords:
Depends on:
Blocks: FWBUGS
Reported: 2015-10-14 12:41 UTC by Martin Wunderli
Modified: 2021-07-12 19:41 UTC (History)

See Also:
Description Martin Wunderli 2015-10-14 12:41:21 UTC
I want to create a rule which forwards connections to port 230 of the firewall to port 22 of a machine in the DMZ (external SSH access). Forwarding to an existing port without a port change works. With a port change it does not.

Following is the line from the firewall/config file:

6,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,192.168.2.16/32,,TCP,,,ON,,,TGT_PORT,22,SSH server on hathi,,,,,,,,,,00:00,00:00,ON,AUTO,230,dnat,,,,,second

If I start the SSH server on the internal host on port 230, the connection works. So I think that the port change is not reflected in the iptables command.

Cheers
Martin
Comment 1 Osmar Gonzalez 2015-10-20 11:18:49 UTC
This is not a bug? Should be posted on the forums.
Comment 2 Peter Müller 2017-11-08 16:48:11 UTC
(In reply to Martin Wunderli from comment #0)
> I want to create a rule which forwards connections to port 230 of the
> firewall to port 22 of a machine in dmz (external ssh access). Forward to an
> existing port without port change works. With port change it does not.
> 
> Following the line of the firewall/confige file:
> 
> 6,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,192.168.2.16/32,,TCP,,,ON,,,TGT_PORT,22,SSH server on hathi,,,,,,,,,,00:00,00:00,ON,AUTO,230,dnat,,,,,second
> 
> If I start the SSH server on the internal host on port 230, connection
> works. So I think, that the port change is not reflected in the iptables
> command.
> 
> Cheers
> Martin
I am afraid I did not fully get what your problem is. Could you please describe it in a bit more detail?
Comment 3 Martin Wunderli 2017-11-16 12:07:56 UTC
It is about port forward.

Example:

You can define:
Firewall, Port 230 --- forward to --> Internal Host, Port 22
Does not work (Port changes while forwarding).

You can define:
Firewall, Port 230 --- forward to --> Internal Host, Port 230
Works (No Port change while forwarding)
Comment 4 Peter Müller 2018-02-06 20:36:40 UTC
Thank you.
Comment 5 Alexander Marx 2018-05-15 07:22:44 UTC
Well, maybe there is another problem here.
I can confirm that I have been using exactly that setup on several IPFire systems for years now.

And the ports are correctly forwarded to an internal host on green, port 22.

Maybe your problem is that the orange network (DMZ) is what the name says: a DMZ. That means that servers in the DMZ are usually directly reachable from the internet.

But for that you have to make sure that the servers in the DMZ are able to use DNS.

The right firewall rule is:

SOURCE:  ALL
Target: ORANGE (host) / Port

Done

Please correct me if I am wrong, as I don't have the time to test it right now.
Comment 6 Michael Tremer 2018-10-15 13:47:43 UTC
Why is this ticket on MODIFIED? Where is the change?
Comment 7 Peter Müller 2020-04-10 11:18:29 UTC
Seems to be another FWBUG...
Comment 8 Stefan Schantl 2021-07-12 19:41:06 UTC
Tested today with a DNAT rule on external port 12345 which points to port 22 on a host in the Blue subnet; everything worked fine.

I'm closing this bug because it is rather old and during testing I was not able to reproduce the issue.

Please feel free to re-open if the problem still exists.

Best regards,

-Stefan
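As an added example (not code from the bug report or from IPFire), the check an administrator can run after creating a port-changing forward like the one in the description and in Stefan's test: parse the quoted config line, derive the netfilter rules the forward needs, and confirm from `iptables-save -t nat` output that the DNAT target actually carries the translated port. The column layout of the config line (host after `tgt_addr`, target port after `TGT_PORT`, external port after `AUTO`, protocol in column 10) is an assumption inferred from the quoted line only, and the `iptables-save` samples are constructed.

```python
import re

# The config line quoted in the bug description, reproduced verbatim.
CONFIG_LINE = ("6,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,192.168.2.16/32,,TCP,,,ON,,,"
               "TGT_PORT,22,SSH server on hathi,,,,,,,,,,00:00,00:00,ON,AUTO,230,dnat,,,,,second")

def parse_dnat_rule(line):
    """Extract the DNAT-relevant fields. The column layout is an assumption inferred
    from the quoted line only: host after 'tgt_addr', target port after 'TGT_PORT',
    external port after 'AUTO', protocol in column 10."""
    f = line.split(",")
    def after(key):
        return f[f.index(key) + 1]
    return {
        "proto": f[9].lower(),
        "target": after("tgt_addr").split("/")[0],
        "target_port": int(after("TGT_PORT")),
        "ext_port": int(after("AUTO")),
    }

def expected_iptables(rule):
    """Netfilter rules a port-changing forward needs: DNAT in nat/PREROUTING with
    host:port, and a FORWARD accept matching the translated port, not the external one."""
    p = rule["proto"]
    return [
        f"-A PREROUTING -p {p} -m {p} --dport {rule['ext_port']} "
        f"-j DNAT --to-destination {rule['target']}:{rule['target_port']}",
        f"-A FORWARD -d {rule['target']}/32 -p {p} -m {p} "
        f"--dport {rule['target_port']} -j ACCEPT",
    ]

def check_port_change(rule, nat_table):
    """Scan `iptables-save -t nat` output for the forward and report whether the DNAT
    target carries the changed port. A target without ':port' keeps the original
    destination port, which is exactly the symptom described in the report."""
    pat = re.compile(rf"--dport {rule['ext_port']}\b.*-j DNAT --to-destination "
                     rf"{re.escape(rule['target'])}(?::(\d+))?(\s|$)")
    for line in nat_table.splitlines():
        m = pat.search(line)
        if m:
            port = int(m.group(1)) if m.group(1) else rule["ext_port"]
            return "ok" if port == rule["target_port"] else "port-not-translated"
    return "missing"

# Constructed samples of `iptables-save -t nat` output: port translated, and not.
NAT_OK = "-A PREROUTING -p tcp -m tcp --dport 230 -j DNAT --to-destination 192.168.2.16:22\n"
NAT_BAD = "-A PREROUTING -p tcp -m tcp --dport 230 -j DNAT --to-destination 192.168.2.16\n"
```

On a live system, feed `check_port_change` the real output of `iptables-save -t nat`; a result of `port-not-translated` means the rule matched the external port but the forwarded connection still arrives at the untranslated port on the target host.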