Linux Firewall: Port Forwarding


Travis G
03-03-2004, 09:53 AM
I have a machine (Denali) running ClarkConnect 0.9.1 (RedHat 7.2) with two NICs. It is connected to the cable MODEM and an ethernet hub. It has been working great for over a year now. It runs Apache, has Gallery, acts as a physical firewall and DHCP server for all the little Windows boxen used for idle browsing or work.

I have a Windows 2000 Professional machine (PZY) from work sitting here. It is running IIS and I am trying to show some people at work what I'm doing on it. We are having problems with our test server and I don't feel like waiting until it is up. I've assigned a static address of 192.168.1.99 to PZY.

On Denali, I've tried to forward port 88 to port 80 on PZY using the ClarkConnect Admin utility. This didn't work so well, so I fired up Webmin. I upgraded everything in Webmin. I even logged into Denali via a shell and ran an apt-get cycle to make sure it was all up to date.

With Webmin, I can see the firewall chain rules that I tried to set up with the ClarkConnect Admin utility. But I can't figure out what my problem is. It looks like it should work, but it simply isn't.

From the machine I am on, which is also behind the Linux firewall, I can browse http://192.168.1.99/test.html, but I can't browse http://my.domain.net:88/test.html. I get a timeout. If I watch the network traffic on PZY while I am making this request, I don't see the request get to PZY.

This is the Firewall status from the shell:

[root@denali root]# service firewall status
Table: filter
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
33798 2045K ACCEPT all -- !eth0 any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 drop-reserved all -- eth0 any 127.0.0.0/8 anywhere
0 0 drop-reserved all -- eth0 any 1.0.0.0/8 anywhere
0 0 drop-reserved all -- eth0 any 23.0.0.0/8 anywhere
0 0 drop-reserved all -- eth0 any 31.0.0.0/8 anywhere
0 0 drop-reserved all -- eth0 any 96.0.0.0/3 anywhere
0 0 drop-reserved all -- eth0 any 128.0.0.0/16 anywhere
0 0 drop-reserved all -- eth0 any blackhole.isi.edu anywhere
0 0 drop-reserved all -- eth0 any 128.66.0.0/16 anywhere
0 0 drop-reserved all -- eth0 any 191.255.0.0/16 anywhere
0 0 drop-reserved all -- eth0 any 197.0.0.0/16 anywhere
0 0 drop-reserved all -- eth0 any 201-0-0-0.dsl.telesp.net.br/8 anywhere
0 0 drop-reserved all -- eth0 any 223.255.255.0/24 anywhere
0 0 drop-reserved all -- eth0 any 240.0.0.0/5 anywhere
0 0 drop-reserved all -- eth0 any 248.0.0.0/5 anywhere
0 0 DROP all -- eth0 any 172.16.0.0/12 anywhere
0 0 DROP all -- eth0 any 192.168.0.0/16 anywhere
1052 29456 ACCEPT icmp -- eth0 any anywhere rdu26-74-075.nc.rr.comicmp echo-reply
70 3920 ACCEPT icmp -- eth0 any anywhere rdu26-74-075.nc.rr.comicmp destination-unreachable
0 0 ACCEPT icmp -- eth0 any anywhere rdu26-74-075.nc.rr.comicmp time-exceeded
25 1911 ACCEPT icmp -- eth0 any anywhere rdu26-74-075.nc.rr.comicmp echo-request
2 714 ACCEPT udp -- eth0 any anywhere rdu26-74-075.nc.rr.comudp spt:bootps dpt:bootpc
0 0 ACCEPT tcp -- eth0 any anywhere rdu26-74-075.nc.rr.comtcp spt:bootps dpt:bootpc
0 0 ACCEPT tcp -- eth0 any anywhere rdu26-74-075.nc.rr.comtcp dpt:kerberos
14 624 ACCEPT tcp -- eth0 any anywhere rdu26-74-075.nc.rr.comtcp dpt:ftp
0 0 ACCEPT tcp -- eth0 any anywhere rdu26-74-075.nc.rr.comtcp dpt:ftp-data
2465 176K ACCEPT tcp -- eth0 any anywhere rdu26-74-075.nc.rr.comtcp dpt:http
0 0 ACCEPT tcp -- eth0 any anywhere rdu26-74-075.nc.rr.comtcp dpt:1875
0 0 drop-trojan tcp -- eth0 any anywhere anywhere tcp dpt:5742
0 0 drop-trojan tcp -- eth0 any anywhere anywhere tcp dpts:12345:12346
0 0 drop-trojan tcp -- eth0 any anywhere anywhere tcp dpt:20034
0 0 drop-trojan udp -- eth0 any anywhere anywhere udp dpt:31337
0 0 drop-trojan tcp -- eth0 any anywhere anywhere tcp dpt:30303
0 0 drop-trojan tcp -- eth0 any anywhere anywhere tcp dpt:40421
0 0 drop-trojan tcp -- eth0 any anywhere anywhere tcp dpt:27665
0 0 drop-trojan udp -- eth0 any anywhere anywhere udp dpt:27444
0 0 drop-trojan udp -- eth0 any anywhere anywhere udp dpt:31335
0 0 drop-trojan tcp -- eth0 any anywhere anywhere tcp dpt:20432
0 0 drop-trojan udp -- eth0 any anywhere anywhere udp dpt:18753
0 0 drop-trojan udp -- eth0 any anywhere anywhere udp dpt:20433
269 82672 ACCEPT udp -- any any anywhere rdu26-74-075.nc.rr.comudp dpts:1024:65535
6 252 ACCEPT tcp -- any any anywhere rdu26-74-075.nc.rr.comtcp dpts:1024:65535 state RELATED,ESTABLISHED
5208 1991K DROP all -- eth0 any anywhere anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 drop-lan tcp -- any eth0 anywhere anywhere tcp dpt:sunrpc
0 0 drop-lan udp -- any eth0 anywhere anywhere udp dpt:sunrpc
0 0 drop-lan tcp -- any eth0 anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
0 0 drop-lan udp -- any eth0 anywhere anywhere udp dpts:netbios-ns:netbios-ssn
0 0 drop-lan tcp -- any eth0 anywhere anywhere tcp dpt:635
0 0 drop-lan udp -- any eth0 anywhere anywhere udp dpt:635
246K 16M ACCEPT all -- !eth0 any anywhere anywhere
176K 33M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT FORWARD packet died: '
0 0 ACCEPT all -- any any anywhere anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 drop-stuffed all -- any eth0 anywhere 192.168.1.0/24
0 0 drop-stuffed all -- any eth0 192.168.1.0/24 anywhere
4 352 ACCEPT all -- any lo anywhere anywhere
49393 67M ACCEPT all -- any !eth0 anywhere anywhere
1130 59796 ACCEPT icmp -- any eth0 rdu26-74-075.nc.rr.com anywhere
0 0 ACCEPT tcp -- any eth0 rdu26-74-075.nc.rr.com anywhere tcp spt:bootpc dpt:bootps
0 0 ACCEPT udp -- any eth0 rdu26-74-075.nc.rr.com anywhere udp spt:bootpc dpt:bootps
0 0 ACCEPT tcp -- any eth0 rdu26-74-075.nc.rr.com anywhere tcp spt:kerberos
8 510 ACCEPT tcp -- any eth0 rdu26-74-075.nc.rr.com anywhere tcp spt:ftp
0 0 ACCEPT tcp -- any eth0 rdu26-74-075.nc.rr.com anywhere tcp spt:ftp-data
2234 1177K ACCEPT tcp -- any eth0 rdu26-74-075.nc.rr.com anywhere tcp spt:http
0 0 ACCEPT tcp -- any eth0 rdu26-74-075.nc.rr.com anywhere tcp spt:1875
10 520 ACCEPT tcp -- any eth0 rdu26-74-075.nc.rr.com anywhere tcp spts:1024:65535
237 15802 ACCEPT udp -- any eth0 rdu26-74-075.nc.rr.com anywhere udp spts:1024:65535
0 0 DROP all -- any eth0 anywhere anywhere

Chain drop-lan (6 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Drop - LAN only: '
0 0 DROP all -- any any anywhere anywhere

Chain drop-reserved (14 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Drop - reserved network: '
0 0 DROP all -- any any anywhere anywhere

Chain drop-stuffed (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Drop - stuffed packet: '
0 0 DROP all -- any any anywhere anywhere

Chain drop-trojan (12 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Drop - trojan-flooder: '
0 0 DROP all -- any any anywhere anywhere

Chain flag-lan (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Flag: '
0 0 ACCEPT all -- any any anywhere anywhere

Chain testing (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `testing: '
0 0 ACCEPT all -- any any anywhere anywhere
Table: nat
Chain PREROUTING (policy ACCEPT 6820 packets, 2137K bytes)
pkts bytes target prot opt in out source destination
2 96 DNAT tcp -- any any anywhere rdu26-74-075.nc.rr.comtcp dpt:kerberos to:192.168.1.99:80
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:ircd
0 0 DROP all -- any any anywhere 81.222.131.52

Chain POSTROUTING (policy ACCEPT 91 packets, 21531 bytes)
pkts bytes target prot opt in out source destination
1958 76918 MASQUERADE all -- any eth0 anywhere anywhere

Chain OUTPUT (policy ACCEPT 1303 packets, 61862 bytes)
pkts bytes target prot opt in out source destination
Table: mangle
Chain PREROUTING (policy ACCEPT 465K packets, 54M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 53157 packets, 69M bytes)
pkts bytes target prot opt in out source destination

It shows the forward statement. If you need it, I can take a few screen shots of the Firewall configuration in Webmin.

Any idea why port forwarding isn't working? Any documentation that would help?

jumpedintothefire
03-03-2004, 03:16 PM
Web admin is nice but you can only do what it will allow you to do...

2 96 DNAT tcp -- any any anywhere rdu26-74-075.nc.rr.comtcp dpt:kerberos to:192.168.1.99:80

will forward to your webserver from your external IP. For this to work you have to have a masquerade rule, which is in place. What is missing is a masquerade rule for the internal interface to cover traffic coming in on the internal interface and leaving on it... Given that the masq rule's out interface is eth0, the internal one should be eth1:

1958 76918 MASQUERADE all -- eth1 eth1 <locallan> <externalip>

Translation: all traffic coming in on eth1 and leaving on eth1 that has a source of your private LAN (192.168.0.0/24?) and is going to your webserver's public IP gets masqueraded.... The downside is all the internal web requests will look like they are from the firewall. The best way is to run bind and do your own DNS for internal use.

Travis G
03-03-2004, 05:37 PM
Originally posted by jumpedintothefire
Web admin is nice but you can only do what it will allow you to do...
I'm having a hard time translating your post. I am assuming you are missing a period at the end of this statement.
2 96 DNAT tcp -- any any anywhere rdu26-74-075.nc.rr.comtcp dpt:kerberos to:192.168.1.99:80

will forward to your webserver from your external ip, for this to work you have to have a masqurade rule, which is inplace. What is missing is a masqurade rule for the internal interface to cover traffic coming in on the internal interface and leaving on it... Given that the masq rule's out interface is eth0 then internal one should be eth1
Again, lots of ambiguous grammar makes this hard to understand. It sounds like you are saying that the way I have it set up right now, someone outside of my home network can see the webserver on PZY using my domain name and the forwarded port as a URL, but someone inside my home network can not. I so don't understand that, but I can give someone a call and have them test it.

jumpedintothefire
03-03-2004, 06:38 PM
Again, lots of ambiguous grammar makes this hard to understand.

Then learn how DNS works on your own, and you won't be asking why this doesn't work. I can get cheeky too, you know...

It sounds like you are saying that the way I have it set up right now, someone outside of my home network can see the webserver on PZY using my domain name and the forwarded port as a URL, but someone inside my home network can not. I so don't understand that, but I can give someone a call and have them test it.

yes, that is correct.
hints here (http://www.shorewall.net/FAQ.htm#faq2)

jumpedintothefire
03-03-2004, 08:19 PM
Ok, that was a bit out of line... Sorry
When you're testing from the private LAN and your DNS servers are external to your LAN, a DNS lookup will return the external IP address of the firewall. You could run your own little DNS server for the private LAN that will resolve the domain name to internal machines as required. A quick workaround is to just add www.mydomain.com to the hosts file on a client machine with the internal IP address of the webserver. Short of doing the above fixes, you will have to masquerade the internal traffic back to the LAN itself; this would be a masq rule for the internal interface using the -i & -o options.
something like (may have errors):
iptables -t nat -A POSTROUTING -o eth1 -s <192.168.0.0/24> -d <webserver> -j MASQUERADE   # POSTROUTING accepts -o but rejects -i
Having never used webmin, I have no clue what the screen looks like, so what to put in which box, I do not know. Show me its script, that I can help you with.
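The asymmetric-path problem jumpedintothefire describes in his two replies (PZY answers the LAN client directly over the hub, so the client never sees a packet from EXT_IP:88 and times out), and what the hairpin MASQUERADE rule changes, as an added model that is not from this thread or from ClarkConnect. Assumed: the firewall's LAN address 192.168.1.1, the placeholder public address 203.0.113.10 and a constructed client 192.168.1.50; the server 192.168.1.99:80 and the published port 88 (dpt:kerberos) come from the thread.

```python
from dataclasses import dataclass

# Constructed addresses. SERVER and the published port come from the thread;
# EXT_IP (TEST-NET-3) and FW_LAN_IP are assumptions, not values from the post.
EXT_IP = "203.0.113.10"
FW_LAN_IP = "192.168.1.1"
SERVER = ("192.168.1.99", 80)      # PZY
PUBLISHED = (EXT_IP, 88)           # dpt:kerberos == 88 in the DNAT rule
LAN = "192.168.1."
MASQ_PORT = 40000                  # source port the MASQUERADE picks (arbitrary)

@dataclass(frozen=True)
class Flow:
    src: tuple  # (ip, port)
    dst: tuple

def on_lan(ip):
    return ip.startswith(LAN)

def firewall_forward(flow, hairpin, conntrack):
    """nat PREROUTING DNAT, then nat POSTROUTING MASQUERADE only when the
    hairpin rule (-o eth1 for LAN sources) is present. Records the
    translation keyed by the reply tuple the firewall expects to see."""
    src, dst = flow.src, flow.dst
    if dst == PUBLISHED:
        dst = SERVER
    if hairpin and on_lan(flow.src[0]) and on_lan(dst[0]):
        src = (FW_LAN_IP, MASQ_PORT)
    out = Flow(src, dst)
    conntrack[(out.dst, out.src)] = flow
    return out

def deliver_reply(reply, conntrack):
    """PZY answers whoever it saw. A LAN destination other than the firewall
    is reached directly over the hub, so the firewall cannot un-translate it;
    anything else is routed through the firewall, which reverses the NAT."""
    if on_lan(reply.dst[0]) and reply.dst[0] != FW_LAN_IP:
        return reply
    orig = conntrack.get((reply.src, reply.dst))
    return Flow(orig.dst, orig.src) if orig else None

def connects(client, hairpin):
    """True if the client's SYN to EXT_IP:88 gets a reply it can match."""
    conntrack = {}
    fwd = firewall_forward(Flow(client, PUBLISHED), hairpin, conntrack)
    reply = Flow(fwd.dst, fwd.src)                 # server's SYN/ACK
    return deliver_reply(reply, conntrack) == Flow(PUBLISHED, client)
```

An outside client succeeds either way, which is why the forwarded port looks fine from the Internet while the LAN test times out; only the LAN client needs the hairpin rule (or the split-DNS / hosts-file fix, which keeps the request off the firewall entirely).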