Welcome to the Sophos User Bulletin Board.

#1 - Junior Member - 09-24-2011, 02:27 AM
Port forward TCP 8000 -> TCP 80 (HTTP)

Help ... Help ...

I have 2 webservers inside the office.
The first one, which is HTTP, works like a charm, but for the 2nd webserver I am trying to use port 8000 externally and keep getting this.

Default DROP TCP X.X.X.X:17499 -> 10.0.1.14:80 [SYN]

DNAT [demo]
Traffic selector: Any -> HTTP -> WAN1
Destination translation: demo HTTP
Automatic Firewall rule: check mark
(THIS WORKS)

DNAT [qa]
Traffic selector: Any -> 8000 -> WAN1
Destination translation: qa HTTP
Automatic Firewall rule: check mark
(DOES NOT WORK)

I defined 8000 as:
Name: 8000
Type of Definition: TCP
Destination port: 8000
Source port: 1:65535
#2 - Senior Member - 09-24-2011, 02:58 AM

Try removing the automatic FW rule and creating a manual PF rule.
#3 - trollvottel (Wizard) - 09-24-2011, 07:16 AM

Is the internal Webserver running on Port 8000 as well? Because you don't seem to translate it back to 80...

EDIT: Sorry, ignore me. You translate to 'qa' HTTP (port 80, right?)

Is the internal QA webserver configured with a default route to the ASG? If this is not what you want, you need a Full NAT rule.
__________________
<Mastaaa> Hey.. I need a serial for Windows -.-
<Xiaolong> F1CKD-1CHUN-DK4UF-350R1-61N4L
<Mastaaa> Doesn't work...

Last edited by trollvottel; 09-24-2011 at 07:20 AM.
#4 - Junior Member - 09-24-2011, 04:14 PM

I created the new DNAT with no automatic firewall rules.

I added the firewall rule
Source: WAN1
Service: 8000
Destination: qa

I also cloned that rule and placed HTTP

Didn't work.

Yes the qa server has a default gateway as the ASG.
#5 - BAlfson (Grandis Professorem Astaro, Oklahoma City) - 09-24-2011, 05:17 PM

Hi ncsnetwork, and welcome to the User BB!

Your firewall rule in #4 would need to be Source: Any or Internet instead of WAN1. From your first post, it appears that your configuration is correct if qa has the Astaro as its default gateway, so that test in Post #4 shouldn't give any different result.

Please [Go Advanced] below and show an actual pic of your failing DNAT rule. Also, try trollvottel's Full NAT suggestion (Source Translation: Internal (Address)) just to help figure out what's happening.

In general in D/SNAT rules, it's a best practice to leave unchanged fields blank.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!

Last edited by BAlfson; 09-24-2011 at 06:50 PM.
#6 - Junior Member - 09-24-2011, 07:12 PM

Attached are the screenshots of:
DNAT
Full NAT
Firewall Rules
http://www.ncsnetwork.net/astaro
#7 - BAlfson - 09-24-2011, 07:26 PM

That all looks perfect to me. The 'Any -> {8000} -> qa : Allow' rule isn't necessary.

With the Full NAT rule, if you still see Default DROP TCP X.X.X.X:17499 -> 10.0.1.14:80 [SYN] in the live log, please show the complete line from the full log as it contains more information. And, during debugging, let's enable logging on the NAT rule and the FW rule.

Cheers - Bob
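The replies in #3, #5 and #7 all rest on the order in which a netfilter-based firewall such as the ASG handles a port forward: DNAT runs first, the packet filter runs on the already-translated packet (so it sees qa:80, not :8000), and any source translation runs last. The model below, an added example that is not Astaro's code or anything posted in the thread, replays the rule sets tried in posts #4 and #5 through that order. The addresses (client 203.0.113.5, WAN1 198.51.100.17, ASG internal 10.0.1.1) are assumed, as is the reading that an interface object used as a rule source resolves to that interface's address rather than to "traffic arriving on that interface", which is why BAlfson says to use Any or Internet instead.

```python
"""Order-of-operations model for a port forward on a netfilter-based firewall
such as the Astaro/Sophos UTM in this thread: DNAT in PREROUTING, packet filter
in FORWARD, optional source NAT ("Full NAT") in POSTROUTING. Added example, not
Astaro's own code; addresses are assumed (client 203.0.113.5, WAN1 address
198.51.100.17, qa 10.0.1.14, ASG internal address 10.0.1.1)."""
from dataclasses import dataclass, replace
from typing import Optional

WAN1_ADDR = "198.51.100.17"   # assumed public address of the WAN1 interface
QA = "10.0.1.14"               # internal QA web server from the thread
ASG_INTERNAL = "10.0.1.1"      # assumed internal address of the ASG
# Assumption: an interface object used as a rule *source* resolves to that
# interface's address, which is why BAlfson says to use Any/Internet instead.
INTERFACE_OBJECTS = {"WAN1": WAN1_ADDR}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    match_dport: int                 # "Traffic selector: Any -> <service> -> WAN1"
    to_dst: str                      # "Destination translation"
    to_dport: int
    snat_src: Optional[str] = None   # set for a Full NAT rule


@dataclass(frozen=True)
class FilterRule:
    src: str                         # "Any", an interface object, or an address
    dst: str
    dport: int


def prerouting(pkt, dnat_rules):
    """First DNAT rule whose service matches rewrites the destination."""
    for r in dnat_rules:
        if pkt.dport == r.match_dport:
            return replace(pkt, dst=r.to_dst, dport=r.to_dport), r
    return pkt, None


def forward_allowed(pkt, filter_rules):
    """Packet filter runs after DNAT: it sees the translated destination."""
    for r in filter_rules:
        want_src = INTERFACE_OBJECTS.get(r.src, r.src)
        if want_src in ("Any", pkt.src) and r.dst == pkt.dst and r.dport == pkt.dport:
            return True
    return False


def handle(pkt, dnat_rules, filter_rules):
    """Return a log-style verdict: what was dropped, or what the server sees."""
    pkt, rule = prerouting(pkt, dnat_rules)
    if not forward_allowed(pkt, filter_rules):
        return f"Default DROP {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
    if rule is not None and rule.snat_src:
        pkt = replace(pkt, src=rule.snat_src)   # POSTROUTING, after the filter decided
    return f"FORWARD {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"


CLIENT = Packet("203.0.113.5", 4736, WAN1_ADDR, 8000)
DNAT_QA = DnatRule(8000, QA, 80)
FULL_NAT_QA = DnatRule(8000, QA, 80, snat_src=ASG_INTERNAL)

# Post #4: DNAT without the automatic rule, manual rules with Source: WAN1.
POST4_RULES = [FilterRule("WAN1", QA, 8000), FilterRule("WAN1", QA, 80)]
# Posts #5/#7: what the automatic rule amounts to; the {8000} rule is redundant.
AUTO_RULE = [FilterRule("Any", QA, 80)]
EIGHT_THOUSAND_ONLY = [FilterRule("Any", QA, 8000)]

if __name__ == "__main__":
    print(handle(CLIENT, [DNAT_QA], POST4_RULES))         # dropped: source never matches
    print(handle(CLIENT, [DNAT_QA], EIGHT_THOUSAND_ONLY))  # dropped: filter sees port 80
    print(handle(CLIENT, [DNAT_QA], AUTO_RULE))           # forwarded
    print(handle(CLIENT, [FULL_NAT_QA], AUTO_RULE))       # forwarded, server sees the ASG
```

The first verdict has the same shape as the live-log line in post #1: the drop is logged against the translated destination, so an allow rule has to name qa and HTTP, and a rule for service 8000 can never match a packet that has already been rewritten to port 80. The last verdict is trollvottel's Full NAT case: the QA server sees the ASG's internal address as the client, so its replies return through the ASG whatever its default gateway is, at the cost that the web server's own logs no longer show the real client address.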
#8 - Junior Member - 09-24-2011, 08:00 PM

16:56:18 Default DROP 2 192.168.1.1 → 224.0.0.1 len=28 ttl=1 tos=0x00 srcmac=1c:af:f7:db:a9:e5 dstmac=0:2:b3:d4:db:8f
16:56:26 Default DROP UDP 10.0.1.126 : 626 → 224.0.0.1 : 626 len=62 ttl=1 tos=0x00 srcmac=34:15:9e:2e:e2:5a dstmac=0:2:b3:d4:db:8f
16:56:38 Default DROP 2 192.168.2.1 → 224.0.0.1 len=28 ttl=64 tos=0x00 srcmac=e8:be:81:ef:ac:95 dstmac=0:d:56:6f:56:95
16:56:56 Default DROP UDP 10.0.1.126 : 626 → 224.0.0.1 : 626 len=62 ttl=1 tos=0x00 srcmac=34:15:9e:2e:e2:5a dstmac=0:2:b3:d4:db:8f
16:57:26 Default DROP UDP 10.0.1.126 : 626 → 224.0.0.1 : 626 len=62 ttl=1 tos=0x00 srcmac=34:15:9e:2e:e2:5a dstmac=0:2:b3:d4:db:8f
16:57:38 Default DROP 2 192.168.2.1 → 224.0.0.1 len=28 ttl=64 tos=0x00 srcmac=e8:be:81:ef:ac:95 dstmac=0:d:56:6f:56:95
16:57:56 Default DROP UDP 10.0.1.126 : 626 → 224.0.0.1 : 626 len=62 ttl=1 tos=0x00 srcmac=34:15:9e:2e:e2:5a dstmac=0:2:b3:d4:db:8f
16:58:23 Default DROP 2 192.168.1.1 → 224.0.0.1 len=28 ttl=1 tos=0x00 srcmac=1c:af:f7:db:a9:e5 dstmac=0:2:b3:d4:db:8f
16:58:23 Connection using NAT TCP 216.118.153.208 : 4736 → 207.231.236.17 : 8000 [SYN] len=48 ttl=113 tos=0x00
16:58:23 Default DROP TCP 216.118.153.208 : 4736 → 10.0.1.14 : 80 [SYN] len=48 ttl=112 tos=0x00 srcmac=0:2:b3:d4:db:8f
16:58:26 Connection using NAT TCP 216.118.153.208 : 4736 → 207.231.236.17 : 8000 [SYN] len=48 ttl=113 tos=0x00
16:58:26 Default DROP TCP 216.118.153.208 : 4736 → 10.0.1.14 : 80 [SYN] len=48 ttl=112 tos=0x00 srcmac=0:2:b3:d4:db:8f
16:58:26 Default DROP UDP 10.0.1.126 : 626 → 224.0.0.1 : 626 len=62 ttl=1 tos=0x00 srcmac=34:15:9e:2e:e2:5a dstmac=0:2:b3:d4:db:8f
16:58:32 Connection using NAT TCP 216.118.153.208 : 4736 → 207.231.236.17 : 8000 [SYN] len=48 ttl=113 tos=0x00
16:58:32 Default DROP TCP 216.118.153.208 : 4736 → 10.0.1.14 : 80 [SYN] len=48 ttl=112 tos=0x00 srcmac=0:2:b3:d4:db:8f
16:58:32 Connection using NAT TCP 216.118.153.208 : 4742 → 207.231.236.17 : 8000 [SYN] len=48 ttl=113 tos=0x00
16:58:32 Default DROP TCP 216.118.153.208 : 4742 → 10.0.1.14 : 80 [SYN] len=48 ttl=112 tos=0x00 srcmac=0:2:b3:d4:db:8f
16:58:36 Connection using NAT TCP 216.118.153.208 : 4742 → 207.231.236.17 : 8000 [SYN] len=48 ttl=113 tos=0x00
16:58:36 Default DROP TCP 216.118.153.208 : 4742 → 10.0.1.14 : 80 [SYN] len=48 ttl=112 tos=0x00 srcmac=0:2:b3:d4:db:8f
16:58:39 Default DROP 2 192.168.2.1 → 224.0.0.1 len=28 ttl=64 tos=0x00 srcmac=e8:be:81:ef:ac:95 dstmac=0:d:56:6f:56:95
16:58:42 Connection using NAT TCP 216.118.153.208 : 4742 → 207.231.236.17 : 8000 [SYN] len=48 ttl=113 tos=0x00
16:58:42 Default DROP TCP 216.118.153.208 : 4742 → 10.0.1.14 : 80 [SYN] len=48 ttl=112 tos=0x00 srcmac=0:2:b3:d4:db:8f
16:58:56 Default DROP UDP 10.0.1.126 : 626 → 224.0.0.1 : 626 len=62 ttl=1 tos=0x00 srcmac=34:15:9e:2e:e2:5a dstmac=0:2:b3:d4:db:8f
16:58:56 Connection using NAT TCP 216.118.153.208 : 4755 → 207.231.236.17 : 8000 [SYN] len=48 ttl=113 tos=0x00
16:58:56 Default DROP TCP 216.118.153.208 : 4755 → 10.0.1.14 : 80 [SYN] len=48 ttl=112 tos=0x00 srcmac=0:2:b3:d4:db:8f
16:59:00 Connection using NAT TCP 216.118.153.208 : 4755 → 207.231.236.17 : 8000 [SYN] len=48 ttl=113 tos=0x00
16:59:00 Default DROP TCP 216.118.153.208 : 4755 → 10.0.1.14 : 80 [SYN] len=48 ttl=112 tos=0x00 srcmac=0:2:b3:d4:db:8f
16:59:08 Connection using NAT TCP 216.118.153.208 : 4755 → 207.231.236.17 : 8000 [SYN] len=48 ttl=113 tos=0x00
16:59:08 Default DROP TCP 216.118.153.208 : 4755 → 10.0.1.14 : 80 [SYN] len=48 ttl=112 tos=0x00 srcmac=0:2:b3:d4:db:8f
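The log in #8 is easier to read once the wrapped lines of each entry are rejoined and the multicast noise (IGMP queries and UDP 626 to 224.0.0.1, dropped by the default rule and unrelated to the port forward) is set aside. What remains is the pattern the thread is about: a "Connection using NAT" line to the public address on 8000 followed, in the same second, by a "Default DROP" of the same flow to 10.0.1.14:80. The script below, an added example that is not part of the thread or of Astaro's tooling, parses that format and pairs each NAT entry with the drop that follows it; the sample log is constructed with documentation addresses rather than the poster's, and pairing by protocol and source port within a two-second window is a heuristic that is fine for a quiet debugging session but not for a busy log.

```python
"""Correlate the "Connection using NAT" and "Default DROP" entries of an
Astaro/Sophos UTM packet-filter log, in the three-line shape posted in #8.
Added example, not part of the thread or of Astaro's tooling; the sample
below is constructed with documentation addresses."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of post #8 (addresses are not the poster's).
SAMPLE_LOG = """\
16:58:23 Default DROP UDP 10.0.1.126 : 626
→ 224.0.0.1 : 626
len=62 ttl=1 tos=0x00 srcmac=34:15:9e:2e:e2:5a dstmac=0:2:b3:d4:db:8f

16:58:23 Connection using NAT TCP 203.0.113.208 : 4736
→ 198.51.100.17 : 8000
[SYN] len=48 ttl=113 tos=0x00

16:58:23 Default DROP TCP 203.0.113.208 : 4736
→ 10.0.1.14 : 80
[SYN] len=48 ttl=112 tos=0x00 srcmac=0:2:b3:d4:db:8f

16:58:39 Default DROP 2 192.168.2.1
→ 224.0.0.1
len=28 ttl=64 tos=0x00 srcmac=e8:be:81:ef:ac:95 dstmac=0:d:56:6f:56:95
"""

# One entry = three wrapped lines; once joined: time, action, protocol (a name
# or an IP protocol number, e.g. 2 = IGMP), src[:port], arrow, dst[:port], rest.
ENTRY_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<action>Connection using NAT|Default DROP) "
    r"(?P<proto>\S+) (?P<src>\S+)(?: : (?P<sport>\d+))? "
    r"→ (?P<dst>\S+)(?: : (?P<dport>\d+))?(?P<rest>.*)$"
)


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_entries(text):
    """Rejoin each blank-line-separated entry onto one line and parse it."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        flat = " ".join(line.strip() for line in block.splitlines())
        m = ENTRY_RE.match(flat)
        if not m:
            continue  # unknown shape: skip rather than guess
        e = m.groupdict()
        e["seconds"] = _seconds(e["time"])
        e["sport"] = int(e["sport"]) if e["sport"] else None
        e["dport"] = int(e["dport"]) if e["dport"] else None
        entries.append(e)
    return entries


def is_multicast_noise(e):
    """Local multicast dropped by the default rule; clutter, not the problem."""
    return ipaddress.ip_address(e["dst"]).is_multicast


def correlate_nat_drops(entries, window=2):
    """Pair each NAT entry with the DROP of the same flow (protocol, source port)
    logged within `window` seconds. The DROP shows the packet after DNAT, i.e.
    what the packet filter was asked to allow and refused."""
    pending = defaultdict(list)
    pairs = []
    for e in entries:
        key = (e["proto"], e["sport"])
        if e["action"] == "Connection using NAT":
            pending[key].append(e)
        elif e["action"] == "Default DROP" and pending.get(key):
            nat = pending[key].pop(0)
            if e["seconds"] - nat["seconds"] <= window:
                pairs.append({
                    "time": e["time"],
                    "client": f"{nat['src']}:{nat['sport']}",
                    "public": f"{nat['dst']}:{nat['dport']}",
                    "translated_to": f"{e['dst']}:{e['dport']}",
                    "dnat_applied": e["dst"] != nat["dst"],
                    # BAlfson's question in #9: is the dropped packet's source
                    # still the client, or already a translated internal address?
                    "source_unchanged": e["src"] == nat["src"],
                })
    return pairs


def summarize(text):
    entries = parse_entries(text)
    flows = [e for e in entries if not is_multicast_noise(e)]
    return {
        "entries": len(entries),
        "multicast_noise": len(entries) - len(flows),
        "dnat_then_dropped": correlate_nat_drops(flows),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['entries']} entries, {report['multicast_noise']} multicast drops ignored")
    for p in report["dnat_then_dropped"]:
        print(f"{p['time']} {p['client']} -> {p['public']} translated to "
              f"{p['translated_to']}, then dropped by the packet filter "
              f"(source unchanged: {p['source_unchanged']})")
```

Run against the real log this reports, for each SYN, that DNAT to 10.0.1.14:80 was applied and the packet filter then dropped the translated packet with the client's source address intact, which is the fact the next two posts try to pin down by turning on logging for the NAT and firewall rules.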
#9 - BAlfson - 09-24-2011, 08:19 PM

Quote:
16:58:56 Connection using NAT TCP 216.***.yyy.208 : 4755 → 207.***.yyy.17 : 8000 [SYN] len=48 ttl=113 tos=0x00

16:58:56 Default DROP TCP 216.***.yyy.208 : 4755 → 10.x.y.14 : 80 [SYN] len=48 ttl=112 tos=0x00 srcmac=0:2:b3:d4:db:8f
Are these lines from the Full NAT rule? If so, then I would have expected 10.x.y.1 → 10.x.y.14. Please activate logging on the FW and NAT rules, then let's try again.

The full Packet Filter log is in 'Logging >> View Log Files'.

Cheers - Bob

Last edited by BAlfson; 09-24-2011 at 08:22 PM. Reason: obfuscate IPs
#10 - Junior Member - 09-24-2011, 09:06 PM

Quote:
Originally Posted by BAlfson
Are these lines from the Full NAT rule? If so, then I would have expected 10.x.y.1 → 10.x.y.14. Please activate logging on the FW and NAT rules, then let's try again.

The full Packet Filter log is in 'Logging >> View Log Files'.

Cheers - Bob
I don't have Packet Filter in the list.

Tags
8000 to 80, http, port forwarding

All times are GMT.

