Disclaimer: Yes, I have read the FAQ.

I am trying to set up a port forward such that a connection to port 1111 on my external IP address will be forwarded to port 80 on 192.168.0.3.

My rules entry looks as follows:

DNAT net loc:192.168.0.3:80 tcp 1111

The box at that IP address is a VOIP ATA. From another computer on my internal LAN I can point my browser at 192.168.0.3 and I am presented with the ATA's sign-on screen. I verified that the ATA's Gateway is set correctly. I can ping the box and get back a reply.

When I access port 1111 on my external IP via my browser, the browser indicates that it is connecting to 192.168.0.3. This tells me that the port forwarding is working. But I get no reply and the browser times out. Is there some step that I missed in order to get this to work?

TIA!

...Jake

--
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Jake Colman wrote:
> Disclaimer: Yes, I have read the FAQ.

Then you have followed the DNAT troubleshooting instructions in FAQs 1a and 1b. Please describe the results you obtained at each step so we can help you interpret them.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> Disclaimer: Yes, I have read the FAQ.
>
> I am trying to set up a port forward such that a connection to port 1111
> on my
> external IP address will be forwarded to port 80 on 192.168.0.3.
>
> My rules entry looks as follows:
>
> DNAT net loc:192.168.0.3:80 tcp 1111
>
> The box at that IP address is a VOIP ATA. From another computer on my
> internal LAN I can point my browser at 192.168.0.3 and I am presented with
> the ATA's sign-on screen. I verified that the ATA's Gateway is set
> correctly. I can ping the box and get back a reply.
>
> When I access port 1111 on my external IP via my browser, the browser
> indicates that it is connecting to 192.168.0.3. This tells me that the
> port
> forwarding is working. But I get no reply and the browser times out. Is
> there some step that I missed in order to get this to work?
>
> TIA!
>

FAQ 1a: Ok -- I followed those instructions but it doesn't work

Answer: That is usually the result of one of four things:

You are trying to test from inside your firewall (no, that won't work -- see the section called “(FAQ 2) I port forward www requests to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse http://www.mydomain.com but internal clients can't.”).

Are you trying to test from a machine in the same network as your ATA? As mentioned in the FAQ, that won't work. Besides, if you're connecting from "the outside," your browser should not be trying to connect to 192.168.0.3 as that IP address is not routable. It should be trying to connect to the external IP address of your firewall.

If you haven't already done so, try testing it from outside of your firewall (i.e. go home and try it)
Hi Jake

I know that this response is a bit late, so maybe you have already solved your problem. But anyway:

On 5/12/06, Jake Colman <colman@ppllc.com> wrote:
[snip]
> I am trying to set up a port forward such that a connection to port 1111 on my
> external IP address will be forwarded to port 80 on 192.168.0.3.
>
> My rules entry looks as follows:
>
> DNAT net loc:192.168.0.3:80 tcp 1111
[snip]
> When I access port 1111 on my external IP via my browser, the browser
> indicates that it is connecting to 192.168.0.3. This tells me that the port
> forwarding is working. But I get no reply and the browser times out. Is
> there some step that I missed in order to get this to work?

Maybe you are testing the external IP from within your lan. By default, the external IP will only work from outside your lan, see Shorewall FAQ 2.

If this is not the problem, try posting a shorewall dump.

Rune
>>>>> "RK" == Rune Kock <rune.kock@gmail.com> writes:

RK> Hi Jake

RK> I know that this response is a bit late, so maybe you have already
RK> solved your problem. But anyway:

RK> On 5/12/06, Jake Colman <colman@ppllc.com> wrote:
RK> [snip]
>> I am trying to set up a port forward such that a connection to port 1111 on my
>> external IP address will be forwarded to port 80 on 192.168.0.3.
>>
>> My rules entry looks as follows:
>>
>> DNAT net loc:192.168.0.3:80 tcp 1111
RK> [snip]
>> When I access port 1111 on my external IP via my browser, the browser
>> indicates that it is connecting to 192.168.0.3. This tells me that the port
>> forwarding is working. But I get no reply and the browser times out. Is
>> there some step that I missed in order to get this to work?

RK> Maybe you are testing the external IP from within your lan. By
RK> default, the external IP will only work from outside your lan, see
RK> Shorewall FAQ 2.

RK> If this is not the problem, try posting a shorewall dump.

This is not the problem. I am trying to access this internal host from outside my house. I am attaching a shorewall dump file and I very much appreciate your help.

--
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com
>>>>> "R" == Russel <rusabus@hotmail.com> writes:

>> Disclaimer: Yes, I have read the FAQ.
>>
>> I am trying to set up a port forward such that a connection to port 1111
>> on my
>> external IP address will be forwarded to port 80 on 192.168.0.3.
>>
>> My rules entry looks as follows:
>>
>> DNAT net loc:192.168.0.3:80 tcp 1111
>>
>> The box at that IP address is a VOIP ATA. From another computer on my
>> internal LAN I can point my browser at 192.168.0.3 and I am presented with
>> the ATA's sign-on screen. I verified that the ATA's Gateway is set
>> correctly. I can ping the box and get back a reply.
>>
>> When I access port 1111 on my external IP via my browser, the browser
>> indicates that it is connecting to 192.168.0.3. This tells me that the
>> port
>> forwarding is working. But I get no reply and the browser times out. Is
>> there some step that I missed in order to get this to work?
>>
>> TIA!
>>

R> FAQ 1a:
R> Ok -- I followed those instructions but it doesn't work

R> Answer: That is usually the result of one of four things:

R> You are trying to test from inside your firewall (no, that won't work -- see
R> the section called (FAQ 2) I port forward www requests to www.mydomain.com
R> (IP 130.151.100.69) to system 192.168.1.5 in my local network. External
R> clients can browse http://www.mydomain.com but internal clients can't.).

R> Are you trying to test from a machine in the same network as your ATA? As
R> mentioned in the FAQ, that won't work. Besides, if you're connecting from
R> "the outside," your browser should not be trying to connect to 192.168.0.3
R> as that IP address is not routable. It should be trying to connect to the
R> external IP address of your firewall.

R> If you haven't already done so, try testing it from outside of your firewall
R> (i.e. go home and try it)

Yes, I am testing this from outside my network, not inside. When I'm inside my network I point my browser directly to 192.68.0.3 and I get the ATA's login prompt. When I am outside my network, I point my browser to "http://<extipaddress>:1111". The browser then says it's connecting to 192.168.0.3. Doesn't that imply that it followed my port forwarding rule? Otherwise, how would it ever know that internal IP address?

The entry in my rules file reads:

DNAT net loc:192.168.0.3:80 tcp 1111

TIA!

...Jake

--
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com
Jake Colman wrote:
>>>>>> "R" == Russel <rusabus@hotmail.com> writes:
>
> >> Disclaimer: Yes, I have read the FAQ.
> >>
> >> I am trying to set up a port forward such that a connection to port 1111
> >> on my
> >> external IP address will be forwarded to port 80 on 192.168.0.3.
> >>
> >> My rules entry looks as follows:
> >>
> >> DNAT net loc:192.168.0.3:80 tcp 1111
> >>
> Yes, I am testing this from outside my network, not inside. When I'm inside
> my network I point my browser directly to 192.68.0.3 and I get the ATA's
> login prompt. When I am outside my network, I point my browser to
> "http://<extipaddress>:1111". The browser then says it's connecting to
> 192.168.0.3. Doesn't that imply that it followed my port forwarding rule?
> Otherwise, how would it ever know that internal IP address?
>
> The entry in my rules file reads:
>
> DNAT net loc:192.168.0.3:80 tcp 1111

It sounds like your ATA is receiving the initial browser request, then issuing an HTTP redirect to the internal IP, which the external browser can't access. There's no other reason that the browser would display 192.168.0.3 (and no other mechanism for it to know that IP). Packet sniff the HTTP traffic to be sure.
>>>>> "TE" == Tom Eastep <teastep@shorewall.net> writes:

TE> Jake Colman wrote:
>> Disclaimer: Yes, I have read the FAQ.

TE> Then you have followed the DNAT troubleshooting instructions in FAQs 1a
TE> and 1b. Please describe the results you obtained at each step so we can
TE> help you interpret them.

Yes I have and I determined that the port forwarding rule is firing yet the ATA box is not responding. I have also checked the ATA's default gateway and it is set to 192.168.0.1 which is the firewall's internal interface. Following is the specific information you asked me to post.

FAQ 1A:

1) I am not testing from inside my firewall. When working inside my home network, I can successfully connect directly to 192.168.0.3. It is when I am trying this from my outside office that I cannot access that box.

2) The default gateway of the ATA is 192.168.0.1, which is the firewall's internal interface. The ATA's IP address is 192.168.0.3 and its subnet mask is 255.255.255.0.

3) I am 99% certain that port 1111 is not blocked. In any event, I tried other ports but to no avail. CableVision only blocks ports 80, 8080, and 25 AFAIK.

4) I am running Gentoo, not Mandriva Linux.

FAQ 1B:

The packet count shows non-zero, which implies that the port forwarding rule did fire. As a matter of fact, when I point my browser to the external IP address at port 1111, the browser says it is connecting to 192.168.0.3. Doesn't that prove that the port forwarding rule fired? If so, what might explain why the ATA does not respond?

Thanks!

...Jake

--
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com
Jake Colman wrote:
>
> FAQ 1B:
>
> The packet count shows non-zero, which implies that the port forwarding rule
> did fire. As a matter of fact, when I point my browser to the external IP
> address at port 1111, the browser says it is connecting to 192.168.0.3.
> Doesn't that prove that the port forwarding rule fired? If so, what might
> explain why the ATA does not respond?

Sounds like the ATA server is HTTP redirecting the connection to its own local IP address and of course the remote client cannot connect directly to 192.168.0.3. In other words, the initial connection works but then the server is asking the client to open another connection directly to 192.168.0.3 which naturally fails.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
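The diagnosis given in the two replies above (the DNAT works, but the device's HTTP reply redirects the outside browser to its own 192.168.0.3 address) can be confirmed without a packet sniffer by fetching the page once without following redirects and inspecting the Location header. The following is an added example, not code from the thread, Shorewall or the ATA vendor; the sample 302 response is constructed, and `probe()` assumes you run it from outside the firewall against the external address and the forwarded port.

```python
import http.client
import ipaddress
from urllib.parse import urlsplit

# Constructed sample reply of the kind the thread's ATA appears to send:
# the forwarded TCP connection succeeds, but the Location header names the
# internal address, which a browser outside the firewall cannot reach.
SAMPLE_STATUS = 302
SAMPLE_HEADERS = {"Location": "http://192.168.0.3/login.htm", "Content-Length": "0"}


def header(headers, name):
    """Case-insensitive header lookup (servers differ in header capitalisation)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def is_unroutable(host):
    """True if host is a private (RFC 1918), loopback or link-local IP that an
    outside client cannot route to. DNS names are not judged here."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def diagnose(status, headers):
    """Classify one HTTP response the way the thread's participants did:
    no redirect, a relative redirect (browser stays on the external address),
    a redirect to some other host, or a redirect to an unroutable address."""
    if not 300 <= status < 400:
        return "no-redirect"
    location = header(headers, "Location")
    if not location:
        return "no-redirect"
    parts = urlsplit(location)
    if not parts.hostname:
        return "relative-redirect"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    kind = "redirect-to-private" if is_unroutable(parts.hostname) else "redirect-to"
    return f"{kind}:{parts.hostname}:{port}"


def probe(host, port, path="/", timeout=5):
    """Fetch one page WITHOUT following redirects and diagnose the reply.
    Hypothetical usage from outside the firewall: probe("<extipaddress>", 1111)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return diagnose(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


if __name__ == "__main__":
    print(diagnose(SAMPLE_STATUS, SAMPLE_HEADERS))
```

A result of the form redirect-to-private:192.168.0.3:80 is the symptom described in the thread; a fix then lies in the device's own configuration (a hostname it can put in the redirect), not in the firewall rule.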
>>>>> "TE" == Tom Eastep <teastep@shorewall.net> writes:

TE> Jake Colman wrote:
>>
>> FAQ 1B:
>>
>> The packet count shows non-zero, which implies that the port
TE> forwarding rule
>> did fire. As a matter of fact, when I point my browser to the
TE> external IP
>> address at port 1111, the browser says it is connecting to 192.168.0.3.
>> Doesn't that prove that the port forwarding rule fired? If so, what
TE> might
>> explain why the ATA does not respond?

TE> Sounds like the ATA server is HTTP redirecting the connection to its
TE> own local IP address and of course the remote client cannot connect
TE> directly to 192.168.0.3. In other words, the initial connection works
TE> but then the server is asking the client to open another connection
TE> directly to 192.168.0.3 which naturally fails.

You and Stephen both gave the same answer: the ATA is doing a redirect to itself using its internal IP which, of course, is not routable from the outside. I guess I'm screwed then.

As an aside, do you or anyone else have any idea why a box would bother to do that? Unless, maybe, it is redirecting from port 80 to another port within itself? But why even do that? It just strikes me as an odd thing for a box to do: accept connections on a port just to do a redirect to the same address. I'm wondering what the benefit is.

--
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com
Jake Colman wrote:
> You and Stephen both gave the same answer: the ATA is doing a redirect to
> itself using its internal IP which, of course, is not routable from the
> outside. I guess I'm screwed then.
>
> As an aside, do you or anyone else have any idea why a box would bother to
> do that? Unless, maybe, it is redirecting from port 80 to another port
> within itself? But why even do that? It just strikes me as an odd thing for
> a box to do: accept connections on a port just to do a redirect to the same
> address. I'm wondering what the benefit is.
>

Is there anywhere in the ATA configuration where you can supply it with its own DNS name? If so, it might use that rather than using its own IP address. I ask because I've seen Apache get upset during startup if it can't determine what its own DNS name should be.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jake Colman wrote:
>
>> You and Stephen both gave the same answer: the ATA is doing a redirect to
>> itself using its internal IP which, of course, is not routable from the
>> outside. I guess I'm screwed then.
>>
>> As an aside, do you or anyone else have any idea why a box would bother to
>> do that? Unless, maybe, it is redirecting from port 80 to another port
>> within itself? But why even do that? It just strikes me as an odd thing for
>> a box to do: accept connections on a port just to do a redirect to the same
>> address. I'm wondering what the benefit is.
>>
>
> Is there anywhere in the ATA configuration where you can supply it with
> its own DNS name? If so, it might use that rather than using its own
> IP address. I ask because I've seen Apache get upset during startup if
> it can't determine what its own DNS name should be.

Alternatively, supplying a valid PTR record for 192.168.0.3 in your internal DNS might also help (assuming that the ATA includes a builtin DNS client).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key