This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Port Forwarding With Service Translation

I'm not quite understanding the following error:

The matching service protocol is not the same as the translated one.

I want to accept connections at 8081 on the external interface and then forward them to port 80 of a machine on the LAN. I defined a service for 8081, and called it"HTTP-8081". I attempted to define a DNAT/SNAT rule that matched inbound packets destine for the external address port 8081, and then change the destination to a machine on the LAN, and set the service destination to "HTTP".

Why is this not allowing me to set this up?

This thread was automatically locked due to age.

Parents

0 bagira over 21 years ago

Should work, any entries in your packetfilter.log? Do you see the rule with 'iptables -L NAT_PRE -t nat' ?
/bagira
Cancel
Vote Up 0 Vote Down

Cancel
0 DrFooMod2 over 21 years ago in reply to bagira

Well, packetfilter.log has packet filter log entries. No iptables script commands. Also, dnat/snat is working. The problem is it appears as if the web page is broke and won't let me add the rule. This is the latest version of ASL, 5.008.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 DrFooMod2 over 21 years ago in reply to bagira

Well, packetfilter.log has packet filter log entries. No iptables script commands. Also, dnat/snat is working. The problem is it appears as if the web page is broke and won't let me add the rule. This is the latest version of ASL, 5.008.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 bagira over 21 years ago in reply to DrFooMod2

Firstly, update to the latest version 5.010. Which entries do you see in your packetfilter.log regarding the port/ip-address?
What do you mean with ' No iptables script commands '? If you cannot find an entry of your defined DNAT-rule, the rule was nor set by the mdw.
/bagira
Cancel
Vote Up 0 Vote Down

Cancel
0 DrFooMod2 over 21 years ago in reply to bagira

If you recall, I said that my ASL box was _not_ allowing the rule to be created. That;s why there;s no entry in the log file.
Cancel
Vote Up 0 Vote Down

Cancel
0 DrFooMod2 over 21 years ago in reply to DrFooMod2

OK, v. 5.010, and it still won;t allow me to create a rule the allows for a packet to come into ASL on one port, and forward it to an internal machine at a different port.
Cancel
Vote Up 0 Vote Down

Cancel
0 slapmonster over 21 years ago in reply to DrFooMod2

perhapes you have already another rule that uses a port you want to use and your rules would no be well defined because for the computer it is not clear which rule to use?

only an idea.

cu
pat
Cancel
Vote Up 0 Vote Down

Cancel
0 bagira over 21 years ago in reply to slapmonster

Please make sure, that the service HTTP-8081 you defined is only set to TCP, not TCP and UDP. Then create a DNAT:
From: Any
To: External Interface
Service: HTTP
Change Destination To: your Webserver
Service: HTTP-8081

Also create a packet filter rule saying:
From: Any
Service HTTP-8081
To: your Webserver
Action: Allow

I tested it and it works without any problems.

/bagira
Cancel
Vote Up 0 Vote Down

Cancel
0 DrFooMod2 over 21 years ago in reply to bagira

As soon as I set my service to just TCP, it worked like a charm. Perhaps the error message needs to be a bit more descriptive.
Cancel
Vote Up 0 Vote Down

Cancel