[Gllug] IPcop Question
Ken Smith
kens at kensnet.org
Thu Mar 18 21:00:51 UTC 2004
Hi Folks, I have an IPCop port forwarding question. Not having used IPCop
before I must be missing something but I have done lots of RTFM and Googling
and I can't see what I am missing.
I'm using IPCop 1.3 with all the patches connected to a public static IP,
RED and GREEN interfaces are configured. It is largely working - Internal to
external access is fine, the proxy is working.
On the assumption that IPCop can port forward Red to Green, I want to
forward external traffic to a Windoze 2K box via the green interface. For
testing I have configured VNC server on the 2K box and set IPCop to forward
port 5900 to the 2K box on internal address 10.1.1.1.
From other machines on the 10.1.1.* network I can VNC to the 2K box. I can
ping the 2K box from the IPCop box and vice versa, so the 10.1.1.* network is
OK.
For testing I have enabled SSH on the RED interface of the IPCop box and I
can SSH into the IPCop box and ping it from the Internet. So the IPCop box
is accessible from the internet.
But here's the rub - no port forwarding.
I have tried configuring the reverse path, i.e. 10.1.1.1 port 5900 to external,
as you need to on the firewall config in W2K. The web interface does not
understand doing that. So I guess setting the rule one way implies the
return path.
I have looked at the iptables rules; I have attached a copy of those.
So I'm stumped - but I'm sure it's something obvious and I'll kick myself
when I find out...
Any assistance very welcome.
Ken
root at ipcop:~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ipac~o all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:800
DROP tcp -- anywhere anywhere tcp dpt:squid
DROP tcp -- anywhere anywhere tcp dpt:8000
DROP tcp -- anywhere anywhere tcp dpt:8001
PSCAN tcp -- anywhere anywhere tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
PSCAN tcp -- anywhere anywhere tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
tcp -- anywhere anywhere tcp
flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
CUSTOMINPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
RED all -- anywhere anywhere
XTACCESS all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
10/min burst 5 LOG level warning prefix `INPUT '
Chain FORWARD (policy DROP)
target prot opt source destination
ipac~fi all -- anywhere anywhere
ipac~fo all -- anywhere anywhere
PSCAN tcp -- anywhere anywhere tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
PSCAN tcp -- anywhere anywhere tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
CUSTOMFORWARD all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
PORTFWACCESS all -- anywhere anywhere
DMZHOLES all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
10/min burst 5 LOG level warning prefix `OUTPUT '
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ipac~i all -- anywhere anywhere
Chain CUSTOMFORWARD (1 references)
target prot opt source destination
Chain CUSTOMINPUT (1 references)
target prot opt source destination
Chain DMZHOLES (1 references)
target prot opt source destination
Chain PORTFWACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.1.1.1 tcp
dpts:5900:5910
Chain PSCAN (4 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg
10/min burst 5 LOG level warning prefix `TCP Scan? '
LOG udp -- anywhere anywhere limit: avg
10/min burst 5 LOG level warning prefix `UDP Scan? '
LOG icmp -- anywhere anywhere limit: avg
10/min burst 5 LOG level warning prefix `ICMP Scan? '
LOG all -f anywhere anywhere limit: avg
10/min burst 5 LOG level warning prefix `FRAG Scan? '
DROP all -- anywhere anywhere
Chain RED (1 references)
target prot opt source destination
ACCEPT gre -- anywhere anywhere
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:isakmp
dpt:isakmp
Chain XTACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere *PublicIP* dpt:auth
ACCEPT tcp -- anywhere *PublicIP* dpt:222
ACCEPT tcp -- anywhere *PublicIP* dpt:81
Chain ipac~fi (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
Chain ipac~fo (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
Chain ipac~i (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
Chain ipac~o (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
root at ipcop:~ #
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
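As an added illustration (not part of Ken's post or of IPCop's own code), a small Python parser for an `iptables -L` listing like the one above: it walks the filter table's FORWARD chain the way a brand-new inbound connection would, following jumps into user chains such as PORTFWACCESS, and reports the verdict and the chain path taken; the embedded sample is a constructed, trimmed copy of the posted dump with the mail-wrapped lines rejoined. One caveat a troubleshooter should keep in mind: `iptables -L` shows only the filter table, so this checks just one half of a port forward; the DNAT rule that rewrites the public address to 10.1.1.1 lives in the nat table (`iptables -t nat -L PREROUTING`) and never appears in a listing like this one.

```python
import re
# Constructed sample: trimmed `iptables -L` (filter table) listing in the shape of the posted one, wrapped lines rejoined.
SAMPLE = """\
Chain FORWARD (policy DROP)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere   state RELATED,ESTABLISHED
PORTFWACCESS all -- anywhere  anywhere
Chain PORTFWACCESS (1 references)
target     prot opt source    destination
ACCEPT     tcp  --  anywhere  10.1.1.1   tcp dpts:5900:5910
"""

def parse_chains(text):
    chains, policies, current = {}, {}, None   # {chain: [(target, proto, src, dst, matches)]}, {chain: policy}
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)(?: \(policy (\w+)\))?", line)
        if m:
            current, chains[m.group(1)] = m.group(1), []
            policies[current] = m.group(2) or ""   # user-defined chains have no policy
        elif current and line and not line.startswith("target"):
            parts = line.split(None, 5)   # target prot opt source destination [matches]
            if len(parts) >= 5:
                chains[current].append((parts[0], parts[1], parts[3], parts[4], parts[5] if len(parts) > 5 else ""))
    return chains, policies

def port_matches(matches, port):
    m = re.search(r"dpts?:([\w-]+)(?::(\d+))?", matches)   # dpt:5900 or dpts:5900:5910
    if not m or not m.group(1).isdigit():   # no dport match covers every port; a name like dpt:squid is unresolved
        return m is None
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return lo <= port <= hi

def verdict_for(chains, chain, proto, dst, port, path=()):
    # Walks `chain` as a brand-new connection would, following jumps into user chains.
    path += (chain,)
    for target, rproto, _src, rdst, matches in chains.get(chain, []):
        if (rproto not in ("all", proto) or rdst not in ("anywhere", dst)
                or matches.startswith("state") or not port_matches(matches, port)):
            continue    # wrong proto/dst, conntrack-only rule (never matches the first SYN), or wrong port
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, path
        if target in chains:      # user chain; it RETURNs here if none of its rules gave a verdict
            result = verdict_for(chains, target, proto, dst, port, path)
            if result:
                return result
    return None

def check_forward(text, proto, dst, port):
    chains, policies = parse_chains(text)   # verdict for a new connection plus the chain path taken
    return verdict_for(chains, "FORWARD", proto, dst, port) or (policies["FORWARD"], ("FORWARD",))
```

Running `check_forward(SAMPLE, "tcp", "10.1.1.1", 5900)` shows the filter half of the forward is in place (ACCEPT via FORWARD then PORTFWACCESS), which is why the nat table is the next place to look.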