Can't get port forwarding to work

Support for security such as Firewalls and securing linux
logicprobe
Posts: 6
Joined: 2018/03/04 05:51:53

Can't get port forwarding to work

Postby logicprobe » 2018/03/04 07:08:25

I want to forward port 25 (SMTP) from a gateway system to a mail server that is connected to the gateway over a VPN tunnel.

I used firewall-cmd to configure port forwarding:
# firewall-cmd --zone=public --add-forward-port=port=25:proto=tcp:toaddr=10.8.0.101

I verified that the firewall is forwarding port 25:
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client openvpn
ports: 25/tcp
protocols:
masquerade: yes
forward-ports: port=25:proto=tcp:toport=:toaddr=10.8.0.101
source-ports:
icmp-blocks:
rich rules:

# firewall-cmd --zone=public --query-forward-port=port=25:proto=tcp:toaddr=10.8.0.101
yes

I confirmed that the mail server is listening on port 25. I can telnet to port 25 from the gateway system:
$ telnet 10.8.0.101 25
Trying 10.8.0.101...
Connected to 10.8.0.101.
Escape character is '^]'.
220 mydomain.com SMTP (Version 0.0.0)
^]
telnet> quit

But when I try to telnet to port 25 from the outside, the connection times out. The output of "netstat -an" doesn't show anything listening on port 25 on the gateway system; is that a problem? Have I missed something in the configuration?

# firewall-cmd --zone=internal --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces: tun0
sources:
services: ssh mdns samba-client dhcpv6-client
ports: 25/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

I thought port forwarding would be straightforward. Apparently not! ;-)

logicprobe
Posts: 6
Joined: 2018/03/04 05:51:53

Re: Can't get port forwarding to work

Postby logicprobe » 2018/03/05 00:50:22

I think packets are not coming in on port 25 from outside, even though I think I opened the port:

# firewall-cmd --zone public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client openvpn
ports: 25/tcp
protocols:
masquerade: yes
forward-ports: port=25:proto=tcp:toport=:toaddr=10.8.0.101
source-ports:
icmp-blocks:
rich rules:

I ran tcpdump while telnetting to port 25 from outside. No packets were reported:

# tcpdump -i eth0 'port 25'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

I ran tcpdump on tun0 while telnetting to port 25 from the gateway and captured packets:

# tcpdump -i tun0 'port 25'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
01:36:54.466588 IP 10.8.0.1.55082 > 10.8.0.101.smtp: Flags [S], seq 2837239411, win 29200, options [mss 1460,sackOK,TS val 29336862 ecr 0,nop,wscale 6], length 0
01:36:54.628943 IP 10.8.0.101.smtp > 10.8.0.1.55082: Flags [S.], seq 2825527737, ack 2837239412, win 28960, options [mss 1358,sackOK,TS val 21473983 ecr 29336862,nop,wscale 7], length 0
01:36:54.628991 IP 10.8.0.1.55082 > 10.8.0.101.smtp: Flags [.], ack 1, win 457, options [nop,nop,TS val 29337024 ecr 21473983], length 0
01:37:14.395459 IP 10.8.0.1.55082 > 10.8.0.101.smtp: Flags [F.], seq 1, ack 1, win 457, options [nop,nop,TS val 29356791 ecr 21473983], length 0
01:37:14.554854 IP 10.8.0.101.smtp > 10.8.0.1.55082: Flags [.], ack 2, win 227, options [nop,nop,TS val 21493911 ecr 29356791], length 0
01:37:38.692601 IP 10.8.0.101.smtp > 10.8.0.1.55082: Flags [P.], seq 1:66, ack 2, win 227, options [nop,nop,TS val 21518026 ecr 29356791], length 65: SMTP: 220 wilkes.com SurgeSMTP (Version 7.3c3-3) http://surgemail.com
01:37:38.692665 IP 10.8.0.1.55082 > 10.8.0.101.smtp: Flags [R], seq 2837239413, win 0, length 0
01:37:38.693034 IP 10.8.0.101.smtp > 10.8.0.1.55082: Flags [F.], seq 66, ack 2, win 227, options [nop,nop,TS val 21518026 ecr 29356791], length 0
01:37:38.693065 IP 10.8.0.1.55082 > 10.8.0.101.smtp: Flags [R], seq 2837239413, win 0, length 0
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel

hunter86_bg
Posts: 1035
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Can't get port forwarding to work

Postby hunter86_bg » 2018/03/06 04:57:44

What is the output of


sysctl net.ipv4.ip_forward

logicprobe
Posts: 6
Joined: 2018/03/04 05:51:53

Re: Can't get port forwarding to work

Postby logicprobe » 2018/03/07 16:08:28

The OpenVPN client's default route was not set to tun0. I added 'push "redirect-gateway def1"' to the server's conf file, and port forwarding is working.
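The thread touches four separate things a firewalld DNAT port-forward depends on: the forward-port rule, masquerade in the zone, net.ipv4.ip_forward, and (the actual culprit here) the backend's return route. The script below is an added example, not something posted in the thread or shipped with firewalld: it takes the relevant command output as text so the checks can be run offline against saved output, and the sample zone listing is the one posted above. The route outputs and the addresses 203.0.113.5 / 192.0.2.x are constructed, standing in for the external client and the backend's non-VPN uplink. Nothing listens on port 25 on the gateway itself, and that is expected: DNAT rewrites the destination in PREROUTING before any socket lookup, so netstat on the gateway will never show the forwarded port.

```shell
#!/bin/sh
# Added example, not from the thread: check the four things a firewalld DNAT
# port-forward depends on, using command output captured as text.
#   ZONE_LISTING : `firewall-cmd --zone=public --list-all` on the gateway
#   IP_FORWARD   : `sysctl -n net.ipv4.ip_forward` on the gateway
#   ROUTE_GET    : `ip route get <external-client-ip>` run ON THE BACKEND
#   VPN_IF       : tunnel interface the backend's replies must leave through

# Does the zone forward PORT/tcp to TOADDR? firewalld prints an empty toport
# when the destination port is unchanged, so accept both spellings.
forward_rule_present() {
  fr_list=$(printf '%s\n' "$1" | sed -n 's/^ *forward-ports: *//p')
  for fr_entry in $fr_list; do
    case "$fr_entry" in
      "port=$2:proto=tcp:toport=:toaddr=$3"|"port=$2:proto=tcp:toport=$2:toaddr=$3") return 0 ;;
    esac
  done
  return 1
}

masquerade_on() { printf '%s\n' "$1" | grep -q '^ *masquerade: *yes *$'; }

ip_forward_on() { [ "$1" = 1 ]; }

# `ip route get` shows the interface the kernel would really use, which also
# covers OpenVPN's redirect-gateway def1 split routes (0.0.0.0/1, 128.0.0.0/1)
# that `ip route show default` does not reveal.
reply_path_via() {
  case " $(printf '%s' "$1" | tr '\n' ' ') " in
    *" dev $2 "*) return 0 ;;
  esac
  return 1
}

# check_forward ZONE_LISTING IP_FORWARD ROUTE_GET VPN_IF PORT TOADDR
# Prints one line per check; returns the number of failed checks (0 = all good).
check_forward() {
  cf_failed=0
  if forward_rule_present "$1" "$5" "$6"; then
    echo "ok   zone forwards $5/tcp to $6"
  else
    echo "FAIL no forward-port rule for $5/tcp -> $6 (--add-forward-port=port=$5:proto=tcp:toaddr=$6)"
    cf_failed=$((cf_failed + 1))
  fi
  if masquerade_on "$1"; then
    echo "ok   masquerade enabled in zone"
  else
    echo "FAIL masquerade is off; forwarding to another host needs it (--add-masquerade)"
    cf_failed=$((cf_failed + 1))
  fi
  if ip_forward_on "$2"; then
    echo "ok   net.ipv4.ip_forward=1"
  else
    echo "FAIL net.ipv4.ip_forward=$2; the kernel will not forward (sysctl -w net.ipv4.ip_forward=1)"
    cf_failed=$((cf_failed + 1))
  fi
  if reply_path_via "$3" "$4"; then
    echo "ok   backend sends replies to the client via $4"
  else
    # DNAT keeps the client's source address, so the backend answers it by its own
    # routing table; if that is not the tunnel, the reply bypasses the gateway.
    echo "FAIL backend replies via an interface other than $4; route the backend's traffic back through the tunnel (push \"redirect-gateway def1\") or SNAT on the gateway"
    cf_failed=$((cf_failed + 1))
  fi
  return $cf_failed
}

# Constructed inputs for a stand-alone run (zone listing as posted in the thread).
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client openvpn
  ports: 25/tcp
  protocols:
  masquerade: yes
  forward-ports: port=25:proto=tcp:toport=:toaddr=10.8.0.101
  source-ports:
  icmp-blocks:
  rich rules:'
ROUTE_VIA_ETH0='203.0.113.5 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 0
    cache'
ROUTE_VIA_TUN0='203.0.113.5 via 10.8.0.1 dev tun0 src 10.8.0.101 uid 0
    cache'

demo() {
  echo "== backend replies via eth0 (the thread's original state) =="
  check_forward "$SAMPLE_ZONE" 1 "$ROUTE_VIA_ETH0" tun0 25 10.8.0.101 || true
  echo "== backend replies via tun0 (after push redirect-gateway def1) =="
  check_forward "$SAMPLE_ZONE" 1 "$ROUTE_VIA_TUN0" tun0 25 10.8.0.101
}
demo
```

To run it against a live setup, capture the three outputs on the right hosts (the zone listing and ip_forward on the gateway, `ip route get <client-ip>` on the mail server) and pass them as the first three arguments; the fourth check is the one that corresponds to the fix reported in the last post, and it only shows up if you look at routing on the backend, not at the gateway's firewall.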