IPCop and Port Forwarding

Archived from groups: comp.security.firewalls

I'm attempting to get port forwarding working correctly on IPCop (latest
version - all patches).
IPCop is set up with Green and Red zones only (I know - I should have a
DMZ....) . Red zone has 1 normal IP and 5 aliases (all static IP addresses).
Green zone has a static address on private network.

I have managed to get port 25 on the red zone to successfully port forward to
my internal SMTP server and incoming mail is being delivered as expected.

The problem I am having is trying to get port 8080 to forward to an internal
web server on port 8080. The physical web server has a different IP address
to the physical mail server (not sure if this makes a difference) and I have
tried forwarding different IPs on the red zone with no success.

Output from IPTables for the relevant chain is:

root@Fwall:/etc # iptables -L PORTFWACCESS
Chain PORTFWACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.1.5 tcp dpt:webcache
ACCEPT tcp -- anywhere 192.168.1.97 tcp dpt:smtp

As you can see, the entry appears to be correct (pointing to 'webcache' port
- 8080) but no traffic is reaching the web server and nothing is showing up
in the firewall logs. I have checked that the firewall can contact the web
server and there is no problem there.

Any assistance would be appreciated.

--
Andy.
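The chain listed above comes from the filter table (`iptables -L` without `-t nat`), so it shows the ACCEPT in the FORWARD path but not the DNAT rule that rewrites the destination, and without `-v` it shows no packet counters, which are what tell you whether anything is hitting the rule at all. As an added example (not IPCop's code and not from the original post), the script below reads both tables taken with `-v -n` and reports the stage at which a forward for a given red address and port stops. The nat chain name PORTFW, the 203.0.113.x addresses and the counter values in the sample listings are constructed assumptions; the parser does not depend on the chain name.

```python
"""Locate the stage at which an iptables port forward stops, from rule
listings with packet counters.  Added example, not IPCop's own code.
On the firewall:  iptables -t nat -L -v -n > nat.txt ; iptables -L -v -n > filter.txt
The listings below are constructed sample data; the public addresses,
the nat chain name PORTFW and the counters are assumptions, not from the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHAIN_RE = re.compile(r"^Chain (\S+)")  # "Chain NAME (...)" header lines
# one rule line of "iptables -L -v -n": pkts bytes target prot opt in out src dst [matches]
RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    proto: str
    dst: str
    dport: Optional[int]
    to: Optional[str]  # "ip:port" of a DNAT target, else None


def _count(s: str) -> int:
    """Expand the K/M/G suffixes iptables -v uses for large counters."""
    scale = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * scale[s[-1]] if s[-1] in scale else int(s)


def parse(listing: str) -> List[Rule]:
    rules, chain = [], None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if not m or chain is None:
            continue  # column header or blank line
        extra = m.group(10)
        dport = re.search(r"dpt:(\d+)", extra)
        to = re.search(r"to:(\S+)", extra)
        rules.append(Rule(chain, _count(m.group(1)), m.group(3), m.group(4), m.group(9),
                          int(dport.group(1)) if dport else None, to.group(1) if to else None))
    return rules


def diagnose(nat_listing: str, filter_listing: str, ext_ip: str, port: int,
             proto: str = "tcp") -> Tuple[str, str]:
    """Return (stage, explanation) for traffic arriving for ext_ip:port."""
    dnat = [r for r in parse(nat_listing) if r.target == "DNAT" and r.proto == proto
            and r.dport == port and r.dst in (ext_ip, "0.0.0.0/0")]
    if not dnat:
        return "no-dnat", f"no DNAT rule for {ext_ip}:{port}/{proto}: forward is not in the nat table"
    d = dnat[0]
    if d.pkts == 0:
        return "not-arriving", (f"DNAT to {d.to} exists but matched 0 packets: nothing for "
                                f"{ext_ip}:{port} reaches red; sniff red and test from outside")
    to_ip, _, to_port = (d.to or "").partition(":")
    to_port = int(to_port) if to_port else port
    acc = [r for r in parse(filter_listing) if r.chain == "PORTFWACCESS" and r.target == "ACCEPT"
           and r.proto == proto and r.dst == to_ip and r.dport == to_port]
    if not acc:
        return "no-accept", f"DNAT matched {d.pkts} pkts but PORTFWACCESS has no ACCEPT for {to_ip}:{to_port}"
    if acc[0].pkts == 0:
        return "filtered", (f"DNAT matched {d.pkts} pkts but the ACCEPT for {to_ip}:{to_port} matched 0: "
                            "dropped or diverted in FORWARD before PORTFWACCESS")
    return "forwarded", (f"DNAT ({d.pkts}) and ACCEPT ({acc[0].pkts}) both match: packets leave for "
                         f"{to_ip}; check the server and that its default gateway is the green address")


# Constructed sample listings (counters and 203.0.113.x addresses are made up)
NAT_SAMPLE = """\
Chain PREROUTING (policy ACCEPT 3120 packets, 201K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3120  201K PORTFW     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PORTFW (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.11         tcp dpt:8080 to:192.168.1.5:8080
  142  8520 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:25 to:192.168.1.97:25
"""
FILTER_SAMPLE = """\
Chain PORTFWACCESS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.5          tcp dpt:8080
  142  8520 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.97         tcp dpt:25
"""

if __name__ == "__main__":
    for ip, port in (("203.0.113.11", 8080), ("203.0.113.10", 25)):
        print(ip, port, *diagnose(NAT_SAMPLE, FILTER_SAMPLE, ip, port))
```

In the sample the SMTP forward shows matching counters in both tables while the 8080 DNAT rule has never matched, which is the distinction that decides whether to look at the ISP and the red interface or at the firewall itself.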
 

Mike

Andrew Mitchell wrote:
> I'm attempting to get port forwarding working correctly on IPCop (latest
> version - all patches).
> [snip]

Stupid question, but your web server is listening on 8080, isn't it? Can
you connect to the web server internally via http://192.168.1.5:8080?

Why 8080?

What happens if you port forward 80 to 80?

Also you can forward port 8080 externally to port 80 internally.

Oh, and don't forget you can't test from inside. You must connect from
outside.

--

------------------------------------

Real email to mike. The header email is a spam trap and you will be
blacklisted.
 
Andrew Mitchell

Mike <info@michaelmoyse.co.uk> said

> Andrew Mitchell wrote:
>> [snip]
>
> Stupid question but your web server is listening on 8080 isn't it? Can
> you connect to the web server internally via http://192.168.1.5:8080
>

That's correct. The internal server listens on port 8080 and is
accessible by the http://192.168.1.5:8080 url.

> Why 8080?
>

No idea. It was like that when I got here (6 months ago) and
approximately 200 remote users have that URL, so if possible I'd like to
avoid changing it for now. It's used for Outlook Web Access (MS
Exchange), so I think the original idea was to have it listen on a non-
standard port to avoid people finding it by accident.

> What happens if you port forward 80 to 80?
>

Not sure. I'll give it a try.

> Also you can forward port 8080 externally to port 80 internally.
>

The strange thing is that I also have the web server listening on the SSL
port and forwarding port 443 (ext) to 443 (int) also fails.

> Oh and dont forget you can't test from inside. You must connect from
> outside.

Yep. I'm aware of that.

Thanks.
 

Mike

Andrew Mitchell wrote:
> Mike <info@michaelmoyse.co.uk> said
>> [snip]
>> Why 8080?
>
> No idea. It was like that when I got here (6 months ago) and
> approximately 200 remote users have that URL, so if possible I'd like to
> avoid changing it for now. It's used for Outlook Web Access (MS
> Exchange), so I think the original idea was to have it listen on a non-
> standard port to avoid people finding it by accident.

Unnecessary. Run OWA on https not http. Works perfectly here behind an IPCop
box on port 80. Security by obscurity never works.

With 200 remote users you are obviously not a small installation, so why
are you using IPCop? Get a Watchguard - end of problems.

 
Kwyjibo.

Mike <info@michaelmoyse.co.uk> said

> Andrew Mitchell wrote:
>> [snip]
>> No idea. It was like that when I got here (6 months ago) and
>> approximately 200 remote users have that URL, so if possible I'd like to
>> avoid changing it for now. It's used for Outlook Web Access (MS
>> Exchange), so I think the original idea was to have it listen on a non-
>> standard port to avoid people finding it by accident.
>
> Unnecessary. Run OWA on https not http.

I've tried that. Still nothing. The web server is listening on ports 8080
and https. I have set both ports to forward to the web server with no
success. Running snort on the LAN shows no packets coming from the firewall
to the web server. I might have to run a sniffer on the internet interface
and see if the packets are even reaching the firewall. It could be that the
ISP is blocking those ports, though they insist that they are not.


> Works perfectly here behind IPCOP
> box on port 80.

Shouldn't you be using port 443 for https?

> Security by obscurity never works.
>
> With 200 remote users you are obviously not a small installation so why
> are you using IPCOP?

It's only a backup. We had a recent situation where our Nokia/Checkpoint
IP330 failed and we were left with no email or 'net access for 6 hours
while we sourced a replacement. I'd like to have an IPCop box on standby,
ready to slot in if anything goes wrong with the Nokia box in the future.



--

Kwyj.

(Remove your panties to reply by email)
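The next step Kwyjibo describes, a sniffer on the internet interface compared with what snort sees on the LAN, can be made mechanical. As an added example (not from the original post, and not IPCop's or snort's code), the script below takes tcpdump text output captured on the red and green interfaces and, for each connection attempt from an outside client, reports whether the SYN arrived on red, whether a translated copy left on green, and whether the server's SYN-ACK made it back out. The interface names in the comment, the 198.51.100.x/203.0.113.x addresses, timestamps and capture lines are constructed assumptions.

```python
"""Correlate SYNs seen on the red (internet) and green (LAN) interfaces
to show where a forwarded connection dies.  Added example; not IPCop's
or snort's code.  Capture on the firewall while a client outside connects:
    tcpdump -n -i eth1 'tcp port 8080' > red.txt    # red, interface name assumed
    tcpdump -n -i eth0 'tcp port 8080' > green.txt  # green, interface name assumed
The capture text below is constructed; the public addresses, ports and
timestamps are assumptions, not from the original post.
"""
import re
from typing import Dict, List, Tuple

# "IP src.sport > dst.dport: Flags [S]" as printed by tcpdump -n
PKT_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")
Packet = Tuple[str, int, str, int, str]  # src, sport, dst, dport, flags


def parse_capture(text: str) -> List[Packet]:
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            pkts.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)))
    return pkts


def _seen(pkts: List[Packet], src: str, sport: int, dst: str, dport: int, flags: str) -> bool:
    return (src, sport, dst, dport, flags) in pkts


def trace(red_text: str, green_text: str, client: str, ext_ip: str, ext_port: int,
          int_ip: str, int_port: int) -> Dict[int, str]:
    """Stage reached by each client source port that sent a SYN to ext_ip:ext_port.
    An empty result means no SYN for that address/port arrived on red at all."""
    red, green = parse_capture(red_text), parse_capture(green_text)
    stages: Dict[int, str] = {}
    for src, sport, dst, dport, flags in red:
        if (src, dst, dport, flags) != (client, ext_ip, ext_port, "S") or sport in stages:
            continue  # not a first SYN from this client port
        if not _seen(green, client, sport, int_ip, int_port, "S"):
            stages[sport] = "stuck-in-firewall"  # arrived on red, no DNATed copy on green
        elif not _seen(green, int_ip, int_port, client, sport, "S."):
            stages[sport] = "server-silent"  # server saw the SYN, sent no SYN-ACK
        elif not _seen(red, ext_ip, ext_port, client, sport, "S."):
            stages[sport] = "reply-not-returned"  # SYN-ACK on green never un-NATed back out
        else:
            stages[sport] = "ok"
    return stages


# Constructed captures: the 8080 SYN retransmits on red but nothing for it on green,
# while the SMTP forward completes its handshake on both sides.
RED_CAPTURE = """\
12:00:01.000123 IP 198.51.100.7.51234 > 203.0.113.11.8080: Flags [S], seq 1000, win 65535, length 0
12:00:04.000456 IP 198.51.100.7.51234 > 203.0.113.11.8080: Flags [S], seq 1000, win 65535, length 0
12:00:05.100000 IP 198.51.100.7.51240 > 203.0.113.10.25: Flags [S], seq 2000, win 65535, length 0
12:00:05.100900 IP 203.0.113.10.25 > 198.51.100.7.51240: Flags [S.], seq 3000, ack 2001, win 5840, length 0
"""
GREEN_CAPTURE = """\
12:00:05.100300 IP 198.51.100.7.51240 > 192.168.1.97.25: Flags [S], seq 2000, win 65535, length 0
12:00:05.100600 IP 192.168.1.97.25 > 198.51.100.7.51240: Flags [S.], seq 3000, ack 2001, win 5840, length 0
"""

if __name__ == "__main__":
    print(trace(RED_CAPTURE, GREEN_CAPTURE, "198.51.100.7", "203.0.113.11", 8080, "192.168.1.5", 8080))
    print(trace(RED_CAPTURE, GREEN_CAPTURE, "198.51.100.7", "203.0.113.10", 25, "192.168.1.97", 25))
```

Matching on the client's source port is what ties the two captures together, since the firewall rewrites the destination but leaves the source untouched; a SYN that shows on red with no counterpart on green is the case where the ISP is not the problem and the rule set is.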
 

Mike

Kwyjibo. wrote:

> Mike <info@michaelmoyse.co.uk> said
>> [snip]
>> Works perfectly here behind IPCop
>> box on port 80.
>
> Shouldn't you be using port 443 for https?

Doh! I thought one thing and typed another.

OK you've done the port forwarding, have you done external service access?

 
Andrew Mitchell

Mike <info@michaelmoyse.co.uk> said

> Doh! I thought one thing and typed another.
>

:)

> OK you've done the port forwarding, have you done external service
> access?

I haven't because, according to the FAQ, version 1.3 should not require
External Access enablement for port forwarding to work. External access is
only to be used for access to the box itself, not to any services behind the
firewall.

Maybe I have misunderstood this.
 

Mike

Andrew Mitchell wrote:

> Mike <info@michaelmoyse.co.uk> said
>
>>OK you've done the port forwarding, have you done external service
>>access?
>
>
> I haven't because, according to the FAQ, version 1.3 should not require
> External Access enablement for port forwarding to work. External access is
> only to be used for access to the box itself, not to any services behind the
> firewall.
>
> Maybe I have misunderstood this.

Well I'm out of ideas. It works here straight out of the box.

Got to be something weird like netmask or gateway address etc.

