Can't get port forwarding to work
Posted: 2018/03/04 07:08:25
I want to forward port 25 (SMTP) from a gateway system to a mail server that is connected to the gateway over a VPN tunnel.
I used firewall-cmd to configure port forwarding:
# firewall-cmd --zone=public --query-forward-port=port=25:proto=tcp:toaddr=10.8.0.101
I verified that the firewall is forwarding port 25:
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client openvpn
ports: 25/tcp
protocols:
masquerade: yes
forward-ports: port=25:proto=tcp:toport=:toaddr=10.8.0.101
source-ports:
icmp-blocks:
rich rules:
# firewall-cmd --zone=public --query-forward-port=port=25:proto=tcp:toaddr=10.8.0.101
yes
I confirmed that the mail server is listening on port 25. I can telnet to port 25 from the gateway system:
$ telnet 10.8.0.101 25
Trying 10.8.0.101...
Connected to 10.8.0.101.
Escape character is '^]'.
220 mydomain.com SMTP (Version 0.0.0)
^]
telnet> quit
But when I try to telnet to port 25 from the outside, the connection times out. The output of "netstat -an" doesn't show anything listening on port 25 on the gateway system; is that a problem? Have I missed something in the configuration?
# firewall-cmd --zone=internal --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces: tun0
sources:
services: ssh mdns samba-client dhcpv6-client
ports: 25/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
I thought port forwarding would be straightforward. Apparently not!
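As an added example, not code from the original post: a small POSIX shell helper that parses the text of `firewall-cmd --zone=ZONE --list-all`, checks the pieces a DNAT port forward depends on (the forward-ports entry, masquerade on the outside zone, and masquerade on the VPN-facing zone so that the mail server's replies come back through the gateway rather than via its own default route), and prints the commands that actually configure the forward. The zone names, eth0/tun0 and 10.8.0.101 are taken from the post; the two zone dumps are constructed to mirror the poster's output, not captured live, and the diagnosis tokens are this example's own naming.

```shell
#!/bin/sh
# Added example, not from the original post. Checks firewalld zone dumps for
# what a DNAT port forward needs and prints the commands that configure it.
# Zone names, interfaces and 10.8.0.101 come from the post; the dumps below are
# constructed to mirror the poster's output, not captured from a live system.

PUBLIC_DUMP='public (active)
  target: default
  interfaces: eth0
  services: ssh dhcpv6-client openvpn
  ports: 25/tcp
  masquerade: yes
  forward-ports: port=25:proto=tcp:toport=:toaddr=10.8.0.101
  rich rules:'

INTERNAL_DUMP='internal (active)
  target: default
  interfaces: tun0
  services: ssh mdns samba-client dhcpv6-client
  ports: 25/tcp
  masquerade: no
  forward-ports:
  rich rules:'

# zone_field DUMP NAME -> the value after "  NAME:" (empty if the field is blank)
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# has_forward DUMP PORT PROTO TOADDR -> success if that forward is listed.
# toport may be empty (meaning "same port") or a number.
has_forward() {
    zone_field "$1" forward-ports | tr ' ' '\n' \
        | grep -Eq "^port=$2:proto=$3:toport=[0-9]*:toaddr=$4\$"
}

# masquerade_on DUMP -> success if the zone masquerades
masquerade_on() {
    [ "$(zone_field "$1" masquerade)" = "yes" ]
}

# diagnose OUTSIDE_DUMP INSIDE_DUMP PORT PROTO TOADDR
# Prints one token for the first problem found:
#   no-forward         outside zone has no DNAT entry for PORT
#   no-masq-outside    outside zone does not masquerade
#   check-return-path  inside zone does not masquerade: replies from TOADDR
#                      only return through the gateway if TOADDR's routing
#                      already sends them there, so masquerade or fix routes
#   ok                 the firewalld side looks complete
diagnose() {
    has_forward "$1" "$3" "$4" "$5" || { echo no-forward; return; }
    masquerade_on "$1"              || { echo no-masq-outside; return; }
    masquerade_on "$2"              || { echo check-return-path; return; }
    echo ok
}

# apply_cmds OUTSIDE_ZONE INSIDE_ZONE PORT PROTO TOADDR
# Prints the persistent commands. --add-forward-port creates the rule;
# --query-forward-port (the command shown in the post) only reports whether
# one already exists. ip_forward is checked, not forced: firewalld enables
# it itself once masquerade or forward-ports are configured.
apply_cmds() {
    cat <<EOF
firewall-cmd --permanent --zone=$1 --add-forward-port=port=$3:proto=$4:toaddr=$5
firewall-cmd --permanent --zone=$1 --add-masquerade
firewall-cmd --permanent --zone=$2 --add-masquerade
firewall-cmd --reload
sysctl -n net.ipv4.ip_forward
EOF
}

# Run against the constructed dumps: the poster's layout yields check-return-path.
diagnose "$PUBLIC_DUMP" "$INTERNAL_DUMP" 25 tcp 10.8.0.101
apply_cmds public internal 25 tcp 10.8.0.101
```

Two caveats on reading the result. A DNAT forward never shows up in `netstat -an` on the gateway: the rewrite happens in the nat table before any socket is consulted, so nothing on the gateway listens on the port and that absence is expected. And `check-return-path` is a prompt, not a verdict: if the mail server's default route already points back through the tunnel, masquerading on the internal zone is unnecessary, but it is the simplest way to make the SYN arrive with the gateway's tun0 address as source so that the reply is guaranteed to come back the same way.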