Old 06-13-2013, 11:01 PM
 

I am trying to forward incoming Internet traffic on port 8181 through a NAT router to a LAN host at 10.30.50.22. Connections must only be accepted from two specific IP addresses on the Internet.

This is a Linksys/Cisco RV042. The default rule denies all WAN to LAN traffic. When I added rules to forward port 8181 from aaa.bbb.ccc.ddd and eee.fff.ggg.hhh to 10.30.50.22 (lines 2-3 in the screen shot) it appeared to open access from ALL Internet IP addresses to that local IP address. I used grc.com's Shields Up to probe port 8181 and it showed as open.

When I added my own global WAN to LAN deny rule for port 8181, Shields Up shows stealth. I'm just not sure that the intended Internet IP addresses still have access. I am not at those locations to test it. The router's documentation says that higher rules on the list override lower rules. So the specific "allow" rules should trump the global "deny" as long as they're higher on the list, right?
Attached thumbnail: firewall.jpg (Do these firewall rules look right?)

 
Old 06-14-2013, 08:52 AM
 
Location: Tyler, TX
Not familiar with that device, but you shouldn't need the rule with priority 4, as that condition will match the first built-in deny rule.

Do you have to use a range of IPs when entering a rule? Or can you define the rule using a single host (which is what you want)?

I don't see anything in that image about forwarding. A firewall will typically just "allow" or "deny" a connection, but it still has to be routed. Is there something in there that also says that when a connection comes in on 8181, it must also be forwarded to the internal host? Again, I don't know this device, but based only on what I see, I don't know how the connection is going where it's supposed to in the first place.
 
Old 06-14-2013, 03:47 PM
 
Location: 10110001010110100
I don't know that one either but what you did in the screenshot seemed correct in theory. If the outside IPs are pingable, you should be able to ping them from the machine with the 10.30.50.22 IP address, no?
 
Old 06-14-2013, 05:01 PM
 
Location: Tyler, TX
Another thing that doesn't seem right about that - if the firewall rule is also supposed to enable forwarding, how can it forward to a range of IPs? Even if you define that range as starting and ending with the same address, internally, it's still a range, and the device would almost certainly handle forwarding elsewhere.

Cisco has really gone downhill since they bought Linksys. I say dump it and get a Sonicwall. Or take an old, unused desktop machine and set it up as a linux box to handle your firewall and nat. I could help you a lot better if you were using one of those setups.
 
Old 06-14-2013, 06:41 PM
 
Are you using one-to-one NAT or any sort of Port Forwarding?
If your Firewall has that capability, then you need to tell it what your public IP is and what private IP it needs to translate to. The ACL itself is just dictating that the source interface is the WAN side, which is where the rule will apply coming in, versus, say, a DMZ zone. It's probably not NATing the IP that's assigned to the interface, as that would be pretty restrictive if you had multiple public IP addresses at your disposal.

Your static or advanced NAT (assuming it also does port translation) should look something like this (I don't know your Firewall, but this is general):
Original address: X.X.X.X (Your static public IP)
Translated address: 10.30.50.22
Original port: 8181
Translated port: 8181 (or original/same)

That will tell the Firewall that anything coming through port 8181 with your public static address in the destination field of the header will use the NAT table to translate the destination to your 10.30.50.22 address on port 8181, which is in your LAN, presumably.
Try to access with that.

If you only have basic static NAT and can't forward ports along with it, then you'd just create the basic static NAT that translates your public to your private, then create a port forwarding rule that says when a packet comes through on port 8181 destined for your public address, forward the packet without changing the port to your private address.

Your ACL is simply allowing traffic to be processed further by your NAT and/or Port Forwarding rules.
Simply having an ACL that isn't translating isn't going to work, because it's basically just the reservation guy that checks to see if you have a reservation at the restaurant and are indeed that person. If you don't, you get denied. If you do, the seating guy will see what table you have reserved, then guide you to it and overcharge you for drinks.


I realize that I may be telling you what you already know or have already configured, but the existence of a private IP in the destination field of your ACL tells me quite a bit, considering that your firewall is a NAT-capable firewall, which means you're supposed to set that up, in which case you should have your static public address in the destination field, since external packets are not going to be addressed to your private IP.

As an aside, I keep saying "static" public address because it's pretty important to have one if you don't want to have to change your settings every time your ISP's DHCP lease runs out. I don't know if this is a home setup or a business setup, so I'm just putting it out there.
In business, you might still configure your firewall as a DHCP client from your ISP, but you'll provide them with the MAC address of your WAN interface and they'll lock your reservation in, while still allowing you to receive DNS and Gateway information dynamically.

Last edited by Soup Sandwich; 06-14-2013 at 06:50 PM..
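One way to check the ordering question from the first post together with the NAT-then-filter flow this reply describes is to model the rule list as a first-match evaluator. The code below is an added example, not the RV042's own logic or anything posted in the thread. The addresses in the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges are assumed placeholders for the static public WAN address and for the two permitted Internet hosts (aaa.bbb.ccc.ddd and eee.fff.ggg.hhh above). It also assumes the destination NAT is applied before the access rules are evaluated, which is how Linux netfilter orders PREROUTING and FORWARD; the thread does not establish what order the RV042 uses. The model shows what the rule list is intended to do; it cannot tell you what the router actually does, which is what the Shields Up probe, or a connection attempt from one of the permitted addresses, is for.

```python
"""First-match check of the port-8181 rules discussed in the thread.

Added example, not the router's code.  Documentation-range addresses are
placeholders for the public WAN address and the two permitted hosts.
Assumes DNAT happens before the access rules are evaluated (netfilter order).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
PUBLIC_WAN = ip_address("192.0.2.1")            # assumed static WAN address
LAN_HOST = ip_address("10.30.50.22")            # LAN host from the first post
LAN_HOST_NET = ip_network("10.30.50.22/32")
PERMITTED_A = ip_network("203.0.113.10/32")     # placeholder for aaa.bbb.ccc.ddd
PERMITTED_B = ip_network("198.51.100.25/32")    # placeholder for eee.fff.ggg.hhh


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network              # destination as the filter sees it (post-NAT here)
    dport: Optional[int] = None   # None matches any port
    proto: str = "tcp"


@dataclass
class PortForward:
    wan_ip: IPv4Address
    wan_port: int
    lan_ip: IPv4Address
    lan_port: int


def translate(forwards: List[PortForward], dst: IPv4Address, dport: int) -> Tuple[IPv4Address, int]:
    """Destination NAT: rewrite dst:dport when a forward entry matches, else leave it alone."""
    for fwd in forwards:
        if fwd.wan_ip == dst and fwd.wan_port == dport:
            return fwd.lan_ip, fwd.lan_port
    return dst, dport


def evaluate(rules: List[Rule], src: IPv4Address, dst: IPv4Address,
             dport: int, proto: str = "tcp") -> Tuple[str, Optional[int]]:
    """Top-to-bottom, first match wins; no match falls through to the built-in WAN-to-LAN deny."""
    for index, rule in enumerate(rules):
        if rule.proto != proto or src not in rule.src or dst not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, index
    return "deny", None


def wan_to_lan(rules: List[Rule], forwards: List[PortForward],
               src: IPv4Address, dport: int) -> Tuple[str, IPv4Address, int]:
    """A packet from src to the public address: NAT first, then filter on the translated destination."""
    dst, port = translate(forwards, PUBLIC_WAN, dport)
    action, _ = evaluate(rules, src, dst, port)
    return action, dst, port


# The rule list as the first post describes it: two specific allows above a global deny for 8181.
RULES_ALLOW_FIRST = [
    Rule("allow", PERMITTED_A, LAN_HOST_NET, 8181),   # screenshot line 2
    Rule("allow", PERMITTED_B, LAN_HOST_NET, 8181),   # screenshot line 3
    Rule("deny", ANY, LAN_HOST_NET, 8181),            # the OP's added global deny
]
# Same rules with the deny moved to the top, to show why order matters.
RULES_DENY_FIRST = [RULES_ALLOW_FIRST[2], RULES_ALLOW_FIRST[0], RULES_ALLOW_FIRST[1]]
FORWARDS = [PortForward(PUBLIC_WAN, 8181, LAN_HOST, 8181)]

# Constructed probe sources: the two permitted hosts and an arbitrary third party.
PROBES = {
    "permitted_a": ip_address("203.0.113.10"),
    "permitted_b": ip_address("198.51.100.25"),
    "anyone_else": ip_address("198.51.100.200"),     # stands in for the Shields Up scanner
}


def verdicts(rules: List[Rule], dport: int = 8181) -> Dict[str, str]:
    """Verdict per probe source for a connection to PUBLIC_WAN:dport."""
    return {name: wan_to_lan(rules, FORWARDS, src, dport)[0] for name, src in PROBES.items()}


if __name__ == "__main__":
    for label, rules in (("allow rules above deny", RULES_ALLOW_FIRST),
                         ("deny rule on top", RULES_DENY_FIRST)):
        print(f"{label}: {verdicts(rules)}")
```

With the allows above the deny, the two permitted sources get "allow" and everyone else gets "deny"; with the deny moved to the top it matches first and the specific allows are never reached. A port with no forward entry (say 8080) keeps the public address as its destination, matches none of the LAN-host rules and falls through to the built-in deny.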
 
Old 06-14-2013, 06:43 PM
 
Quote:
Originally Posted by swagger View Post
Another thing that doesn't seem right about that - if the firewall rule is also supposed to enable forwarding, how can it forward to a range of IPs? Even if you define that range as starting and ending with the same address, internally, it's still a range, and the device would almost certainly handle forwarding elsewhere.

Cisco has really gone downhill since they bought Linksys. I say dump it and get a Sonicwall. Or take an old, unused desktop machine and set it up as a linux box to handle your firewall and nat. I could help you a lot better if you were using one of those setups.
A good free solution is ClearOS. Linux-based, and super easy.
Doesn't need a beast of a server either. Can run fine on a home PC for small business. Just went to a Cisco ISA 550W from ClearOS. It was agonizing.