What's missing from my rc.firewall?

[smp]

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels $
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented out from loading.

EXTERNAL_INTERFACE="eth0"
EXT_IP=xx.xxx.xx.xx
WEB_SERVER=192.168.0.22
#because you are going to forward the request later with ipmasqadm
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"
#Make sure all port forwarding is denied, then allow incoming requests to be forwarded to your NAT
#via your external connection interface (i.e. eth0)
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth0 -j MASQ
#Flush ipmasqadm
/usr/sbin/ipmasqadm portfw -f
#Acessing remote websites
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $EXT_IP $UNPRIVPORTS -d $ANYWHERE 80 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 80 -d $EXT_IP $UNPRIVPORTS -j ACCEPT
#Allowing incoming requests to your LAN (for port 3450 in your case)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $WEB_SERVER $UNPRIVPORTS -d $ANYWHERE 3450 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE ! -y -p tcp -s $ANYWHERE 3450 -d $WEB_SERVER $UNPRIVPORTS -j ACCEPT
ipchains -A forward -i $EXTERNAL_INTERFACE -p tcp -s $WEB_SERVER $UNPRIVPORTS -d $ANYWHERE 3450 -j MASQ
#we are allowing NAT forwarding of this request with ipchains



What I'm trying to do is get port forwarding to work .... this is basically a very slimmed down version of my rc.firewall.old right now because I'm trying to troubleshoot what is going wrong. I suck at this stuff so please bear with me. I'm trying to forward port 3450 to my web box which is internal .. what am I doing wrong? Please .. thanks.

 

[TonyRic]

Got a Cable/DSL router that will do that for ya.

 

[smp]

Originally posted by: TonyRic
Got a Cable/DSL router that will do that for ya.

Doesn't help me .. how much shipped?

 

[n0cmonkey]

#Make sure all port forwarding is denied, then allow incoming requests to be forwarded to your NAT
#via your external connection interface (i.e. eth0)
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth0 -j MASQ

I thought IPChains/IPTables was a first hit type of firewall config?
Sorry, I dont use it and dont know a whole lot about it...

That comment was probably dumb, I havent setup netfilter so I know nothing about it. And the netfilter scripts I have access too are much more complex and dont cover this :/

 

[smp]

I'm thinking about going freeBSD for my firewall .. n0c you think that's a good idea?

 

[TheOmegaCode]

Originally posted by: smp
I'm thinking about going freeBSD for my firewall .. n0c you think that's a good idea?

He won't, he's an OpenBSD person... Point and scorn :disgust:

 

[smp]

Er .. at the risk of recieving a trout smacking for being insolent ... what's the diff?

 

[n0cmonkey]

Originally posted by: smp
Er .. at the risk of recieving a trout smacking for being insolent ... what's the diff?

Different kernels, different philosophy.

FreeBSD wants to be linux, OpenBSD wants to be good

 

[smp]

up

 

[Nothinman]

ipchains doesn't have support for portforwarding from the outside to the inside AFAIK, you need ipmasqadm and the portfw module.

ipmasqadm portfw -h
Usage: portfw -a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF] add entry
portfw -d -P PROTO -L LADDR LPORT [-R RADDR RPORT] delete entry
portfw -f clear table
portfw -l list table
portfw <args> -n no names

PROTO is the protocol, can be "tcp" or "udp"
LADDR is the local interface receiving packets to be forwarded.
LPORT is the port being redirected.
RADDR is the remote address.
RPORT is the port being redirected to.
PREF is the preference level (load balancing, default=10)