How to correctly setup portforwarding

Dear Community,

I have installed IPFire on a desktop with 2 NICs, DHCP working fine etc.
I'm investigating how to correctly port forward. I have read this:

I would have several portforwards to different hosts on my LAN as follows:

IP-fire-serverIP:8080 => 192.168.0.5
IP-fire-serverIP:8081 => 192.168.0.6
IP-fire-serverIP:8082 => 192.168.0.7
IP-fire-serverIP:8083 => 192.168.0.8

How can I get this done?

Please advise,

regards
1960web

This is done as described in the wiki article cited.
Example:
<WAN address>:8080 (source)
192.168.0.5:<service port> (destination)
<service port> = 80 for HTTP, or whatever the webserver is listening on.

@bbitsch
Thanks for your reply.
Your example was exactly what I did, yet it seems something is wrong somewhere, the port forwarding is not working.

Just to add:

  • WAN-Public is the RED interface, while GREEN is 192.168.0.x interface.

I checked through the log, I can see:
time, DROP_HOSTILE red0 TCP <IP I'm accessing the server from> / <server IP> …

Please, what's the meaning of DROP_HOSTILE?

This is the config of my firewall (just one):

  1. Source: Standard Networks (any)

  2. NAT: use NAT, Destination NAT (port forwarding)
    Firewall interface = automatic

  3. Destination: destination address (IP address/network) = private IP of LAN webserver

  4. Protocol:
    TCP
    source port: 8080
    destination port: 80

What I want to achieve:
public-IP:8080 - should forward to webserver
public-IP:8081 - should forward to another webserver

Please help
regards
1960web

The wiki states, for port forwarding 8080 to 192.168.0.5:80:

  1. Source: Standard Networks any or RED
  2. NAT:
    Use Network Address Translation (NAT)
    Destination NAT (Port Forwarding)
    Firewall Interface = Automatic
  3. Destination: 192.168.0.5
  4. Protocol:
    Choose a protocol, TCP for HTTP
    Source port: blank. This is the port the client was using to talk to you.
    Destination port: 80
    External port (NAT): 8080

For the other servers define similar rules.

To be sure, define the rule position as a low number (1, 2, 3, …). The rules are checked in increasing order. Therefore it may be possible that hits first and deactivates the port forward rule(s).

Based on this, the IP you are using to access the server from is part of the IP set for an ISP or hosting company that also provides IPs to hostile activities such as criminals, malware providers etc.

This link provides info on the DROP list that is provided by Spamhaus.
https://www.spamhaus.org/blocklists/do-not-route-or-peer/

As of 10th April Spamhaus combined the DROP and EDROP lists. The following link gives info on this.
https://www.spamhaus.org/resource-hub/network-security/spamhaus-drop-and-edrop-to-become-a-single-list/#what-are-the-spamhaus-drop-lists

IPFire uses the DROP list and the DROPv6 list from Spamhaus and also has an IPFire-specific list:
https://git.ipfire.org/?p=location/location-database.git;a=blob;f=overrides/override-xd.txt

The public IP you are using must be included in one of the DROP, DROPv6 or override-xd.txt lists.


You can also check and confirm whether the public IP you are using is in the drop list with the following:

In the console, run the command:

location lookup public-ip

Using a known hostile IP, the following info came back:

[root@ipfire]# location lookup 147.78.102.37
147.78.102.37:
Network : 147.78.102.0/24
Country : Netherlands
Autonomous System : AS51396 - Pfcloud UG
Hostile Network safe to drop: yes

You can then confirm that the specified network, which includes your public IP, is in the drop list by running the following command, replacing the known hostile network with the network that your public IP is part of:

[root@ipfire]# location list-networks-by-flags --drop | grep 147.78.102.0
147.78.102.0/24
[root@ipfire]#

This shows that the hostile network has been found in the drop list.

If the network that your public IP is part of is not in the drop list, then the console will just return to the cursor with no network info provided. For example:

[root@ipfire]# location lookup 81.3.27.38
81.3.27.38:
Network : 81.3.0.0/18
Country : Germany
Autonomous System : AS24679 - kyberio GmbH

[root@ipfire]# location list-networks-by-flags --drop | grep 81.3.0.0
[root@ipfire]#

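The two-step check above (look the address up, then grep the drop list for its network) can be scripted so that an address seen in a DROP_HOSTILE log line is tested with a proper CIDR containment check instead of a substring grep. The following Python is an added example, not code from the thread or from IPFire's own tooling; it assumes the `location` command prints the output format shown in the posts, and the sample outputs embedded below are constructed from those posts.

```python
import ipaddress
import re
import subprocess
import sys

# Constructed sample outputs, copied from the format shown in this thread.
SAMPLE_LOOKUP_HOSTILE = """147.78.102.37:
Network : 147.78.102.0/24
Country : Netherlands
Autonomous System : AS51396 - Pfcloud UG
Hostile Network safe to drop: yes
"""
SAMPLE_LOOKUP_CLEAN = """81.3.27.38:
Network : 81.3.0.0/18
Country : Germany
Autonomous System : AS24679 - kyberio GmbH
"""
# Constructed `location list-networks-by-flags --drop` output, one CIDR per line.
SAMPLE_DROP_LIST = "147.78.102.0/24\n203.0.113.0/24\n"


def parse_lookup(text):
    """Turn the 'Key : value' lines of `location lookup` output into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*)$", line)
        if m and m.group(2):          # skip the bare 'address:' header line
            info[m.group(1)] = m.group(2)
    return info


def check_ip(ip, lookup_text, drop_text):
    """Return (network reported by lookup, is in drop list, flagged hostile)."""
    info = parse_lookup(lookup_text)
    addr = ipaddress.ip_address(ip)
    # Real CIDR containment, so a /18 entry matches an address deep inside it.
    nets = [ipaddress.ip_network(l.strip()) for l in drop_text.splitlines() if l.strip()]
    in_drop = any(addr in net for net in nets)
    hostile = info.get("Hostile Network safe to drop", "no").lower() == "yes"
    return info.get("Network"), in_drop, hostile


if __name__ == "__main__":
    # Live use on an IPFire box: `python3 check_drop.py <public-ip>` (script name is assumed).
    ip = sys.argv[1]

    def loc(*args):
        return subprocess.run(["location", *args], capture_output=True, text=True).stdout

    net, in_drop, hostile = check_ip(ip, loc("lookup", ip), loc("list-networks-by-flags", "--drop"))
    print(f"{ip}: network={net} in_drop_list={in_drop} flagged_hostile={hostile}")
```

The same containment check works for IPv6 addresses against the DROPv6 list, since `ipaddress` handles both families.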