10937 – Port forward with changing port does not work

Bug 10937 - Port forward with changing port does not work

Summary: Port forward with changing port does not work

Status:	CLOSED WORKSFORME

Alias:	None

Product:	IPFire
Classification:	Unclassified
Component:	--- (show other bugs)
Version:	2
Hardware:	unspecified Unspecified

Importance:	Will affect an average number of users Minor Usability
Assignee:	Alexander Marx
QA Contact:

URL:
Keywords:

Depends on:
Blocks:	FWBUGS
	Show dependency tree / graph

Reported:	2015-10-14 12:41 UTC by Martin Wunderli
Modified:	2021-07-12 19:41 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Martin Wunderli 2015-10-14 12:41:21 UTC

I want to create a rule which forwards connections to port 230 of the firewall to port 22 of a machine in dmz (external ssh access). Forward to an existing port without port change works. With port change it does not.

Following the line of the firewall/confige file:

6,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,192.168.2.16/32,,TCP,,,ON,,,TGT_PORT,22,SSH server on hathi,,,,,,,,,,00:00,00:00,ON,AUTO,230,dnat,,,,,second

If I start the SSH server on the internal host on port 230, connection works. So I think, that the port change is not reflected in the iptables command.

Cheers
Martin

Comment 1 Osmar Gonzalez 2015-10-20 11:18:49 UTC

This is not a bug? Should be posted on the forums.

Comment 2 Peter Müller 2017-11-08 16:48:11 UTC

(In reply to Martin Wunderli from comment #0)
> I want to create a rule which forwards connections to port 230 of the
> firewall to port 22 of a machine in dmz (external ssh access). Forward to an
> existing port without port change works. With port change it does not.
> 
> Following the line of the firewall/confige file:
> 
> 6,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,192.168.2.16/32,,TCP,,,ON,,,
> TGT_PORT,22,SSH server on
> hathi,,,,,,,,,,00:00,00:00,ON,AUTO,230,dnat,,,,,second
> 
> If I start the SSH server on the internal host on port 230, connection
> works. So I think, that the port change is not reflected in the iptables
> command.
> 
> Cheers
> Martin
I am afraid I did not fully get what your problem is. Could you please describe it a bit more detailed?

Comment 3 Martin Wunderli 2017-11-16 12:07:56 UTC

It is about port forward.

Example:

You can define:
Firewall, Port 230 --- forward to --> Internal Host, Port 22
Does not work (Port changes while forwarding).

You can define:
Firewall, Port 230 --- forward to --> Internal Host, Port 230
Works (No Port change while forwarding)

Comment 4 Peter Müller 2018-02-06 20:36:40 UTC

Thank you.

Comment 5 Alexander Marx 2018-05-15 07:22:44 UTC

Well, maybe there is another problem here.
I can confirm that i am using exactly that setup on several IPFire systems since years now.

And the ports are correctly forwarded to an internal host on green,port 22

Maybe your problem is, that the orange network (DMZ) is what the name says: a DMZ. That means, servers in the DMZ are usually directly reachable from the internet.

But for that you have to make sure, that the servers in DMZ are able to use DNS.

The right firewall rule is:

SOURCE:  ALL
Target: ORANGE (host) / Port

Done

Please correct me if i am wrong as i dont have the time to test it right now.

Comment 6 Michael Tremer 2018-10-15 13:47:43 UTC

Why is this ticket on MODIFIED? Where is the change?

Comment 7 Peter Müller 2020-04-10 11:18:29 UTC

Seems to be another FWBUG...

Comment 8 Stefan Schantl 2021-07-12 19:41:06 UTC

Tested today with an DNAT rule on the external port 12345 which points to port 22 on a host in the Blue subnet - Everything worked fine.

I'm closing this bug because it is rather old and during testing I was not able to reproduce the issue.

Please feel free to re-open if the problem still exists.

Best regards,

-Stefan