ipchains and port forwarding trouble

 
 
Chris LeBlanc
Guest
Posts: n/a

 
      02-03-2004, 04:06 PM
Hey folks,

It's been a while since I fiddled with ipchains (which is probably why this
is evading me...)

I can't for the life of me seem to get a port forwarded from my firewall to
an internal ip, so I am hoping something will jump out at the forum
users....

Here's the scenario.
I have a Linux firewall connected to DSL via PPPoE, so let's assume ppp0
obtains an IP of 10.10.10.1
I have eth0 setup for the internal LAN as 192.168.0.1
I have two boxes behind the firewall as 192.168.0.2 and .3

I want to forward all incoming requests to the external IP (10.10.10.1) port
1085 (Windows Media Stream) to the internal box 192.168.0.3 port 1085, and
this box should push the media stream to the source.

Here is what I have done so far to no avail...

I have setup to ACCEPT input via :
ipchains -A input -p tcp -y -m 1 -d 0/0 1085 -j ACCEPT

Then I have setup the FORWARD via :
ipchains -I forward -p tcp -s 10.10.10.1 1085 -d 192.168.0.3/32 1085 -j MASQ

I know it's not that simple and I am missing a step, but I can't figure it
out?
- Do I need to set my Forward Policy to "Accept"? It's set to DENY right now.
- Do I need to setup any output rules?

Here is my starting Chain output prior to any changes....
###########################################################
root@ubox /# ipchains -L
Chain input (policy ACCEPT):
target prot opt source destination ports
- tcp ------ anywhere anywhere any -> www
- tcp ------ anywhere anywhere any -> ssh
- tcp ------ anywhere anywhere any -> pop3
- tcp ------ anywhere anywhere any -> smtp
- tcp ------ anywhere anywhere any -> ftp
Chain forward (policy DENY):
target prot opt source destination ports
MASQ all ------ anywhere anywhere n/a
Chain output (policy ACCEPT):
###########################################################

Any suggestions on where I have strayed?

Thank You
Chris


 
Cameron Kerr
Guest
Posts: n/a

 
      02-04-2004, 12:53 AM
Chris LeBlanc <(E-Mail Removed)> wrote:
> Hey folks,
>
> It's been a while since I fiddled with ipchains (which is probably why this
> is evading me...)


> Any suggestions on where I have strayed?


I strongly urge you to make the move to iptables, it's more secure (due
to its stateful nature), and that statefulness makes it easier to write
the firewall too.

PS. Your from address is obviously fake, please put INVALID somewhere in
it so agents will not attempt to send mail to it.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
 
 
KR
Guest
Posts: n/a

 
      02-04-2004, 03:50 AM
Chris LeBlanc wrote:
>
> Here is what I have done so far to no avail...
>
> I have setup to ACCEPT input via :
> ipchains -A input -p tcp -y -m 1 -d 0/0 1085 -j ACCEPT
>
> Then I have setup the FORWARD via :
> ipchains -I forward -p tcp -s 10.10.10.1 1085 -d 192.168.0.3/32 1085 -j MASQ


So now tcp traffic originating from 10.10.10.1 port 1058 and going to
192.168.0.3 port 1085 will be MASQed behind 192.168.0.1. Since
10.10.10.1 and 192.168.0.1 are the same computer, no packets that match
that rule will ever be generated. But that doesn't really matter, since
it wasn't what you wanted to do anyway.

Leave the first rule (input) as it is, remove the second, and try:

ipmasqadm portfw -P tcp -L 10.10.10.1 1085 -R 192.168.0.3 1085

 
 
Chris LeBlanc
Guest
Posts: n/a

 
      02-04-2004, 05:21 AM
"KR" <(E-Mail Removed)> wrote in message
news:40207b5c$(E-Mail Removed)...
> Chris LeBlanc wrote:
> >
> > Here is what I have done so far to no avail...
> >
> > I have setup to ACCEPT input via :
> > ipchains -A input -p tcp -y -m 1 -d 0/0 1085 -j ACCEPT
> >
> > Then I have setup the FORWARD via :
> > ipchains -I forward -p tcp -s 10.10.10.1 1085 -d 192.168.0.3/32 1085 -j MASQ
>
> So now tcp traffic originating from 10.10.10.1 port 1058 and going to
> 192.168.0.3 port 1085 will be MASQed behind 192.168.0.1. Since
> 10.10.10.1 and 192.168.0.1 are the same computer, no packets that match
> that rule will ever be generated. But that doesn't really matter, since
> it wasn't what you wanted to do anyway.
>
> Leave the first rule (input) as it is, remove the second, and try:
>
> ipmasqadm portfw -P tcp -L 10.10.10.1 1085 -R 192.168.0.3 1085
>


Thank you for the reply.

Although your solution didn't work, it set me on the right path to find the
answer I needed.

The following 3 rules were successful. Any comments regarding these?

ipchains -I forward -p tcp -d 0/0 -s 192.168.0.3/32 1085 -j MASQ
ipchains -I input -p tcp -y -s 0/0 -d 0/0 1085 -m 2
ipmasqadm mfw -I -m 2 -r 192.168.0.3 1085

Cheers
Chris
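
For readers following the suggestion earlier in the thread to move to iptables, here is the same forward (ppp0 port 1085 to 192.168.0.3 port 1085) as a generator for iptables-restore rules. This is an added example, not code from any poster in the thread; the function names are hypothetical, and it assumes a FORWARD policy that denies by default (as in the listing above) and that kernel IP forwarding is enabled.

```shell
#!/bin/sh
# Added example: iptables-restore rules for the thread's forward of
# ppp0:1085 -> 192.168.0.3:1085. Function names are hypothetical.

is_port() {   # decimal 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {   # dotted quad, each octet 0..255
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

is_iface() {  # conservative interface-name check, no leading dash
    case "$1" in ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# portfw_rules EXT_IF INT_IF PROTO PORT DEST_IP
# Prints rules only; nothing is applied. Every argument is validated
# because the output is meant to be loaded by root.
portfw_rules() {
    is_iface "$1" && is_iface "$2" || { echo "bad interface" >&2; return 1; }
    case "$3" in tcp|udp) ;; *) echo "bad protocol" >&2; return 1 ;; esac
    is_port "$4" || { echo "bad port" >&2; return 1; }
    is_ipv4 "$5" || { echo "bad address" >&2; return 1; }
    cat <<EOF
*nat
-A PREROUTING -i $1 -p $3 --dport $4 -j DNAT --to-destination $5:$4
COMMIT
*filter
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $1 -o $2 -p $3 -d $5 --dport $4 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Values from the thread. Matching on the interface rather than 10.10.10.1
# keeps the rule valid when PPPoE hands out a different address.
portfw_rules ppp0 eth0 tcp 1085 192.168.0.3
```

The output can be checked with `iptables-restore --test` and loaded with `iptables-restore --noflush` so existing rules are kept. Only the forwarded port is opened; masquerading of outbound LAN traffic is a separate rule.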


 