Page 2 of 2
Results 11 to 15 of 15

Thread: Forward Service 3389/7000

  1. #11

    Re: Forward Service 3389/7000

    Hi Jens

    I used these iptables rules to test the connection and it worked correctly, but now I am using SuSEfirewall because it is the best for security.


  2. #12

    Re: Forward Service 3389/7000

    I have also tried with "|" and it has not worked.

  3. #13

    Re: Forward Service 3389/7000

    Hi Fabian,

    I believe you need to give an overview of your setup... because if the service is *on a remote server*, how can "-j DNAT --to" help?

    So please indicate
    - where is your client running (the initiator of the TCP session)
    - where is your server process running (the receiving end of the TCP session)
    - your client's network setup (including IP network info)
    - client's connection to the firewall you're trying to configure
    - firewall setup (interfaces + their IP addresses, eventually routing table)
    - connection from firewall to server
    - server network setup

    As you can see, you've got me sufficiently confused :[


  4. #14

    Re: Forward Service 3389/7000

    Hi Jens:
    I'm sorry for the confusion. My English is not very good.

    My network configuration is:

    External Server: dynamic IP, uses DNS (

    Server Internet / Firewall: eth0 external / Internet interface (static IP
    eth1 internal interface (static IP

    Workstation: the gateway needs to use port 7000 for the NET application connection to the telephony card provider's server;
    the gateway needs to use port 3389 for Remote Control, External Server (

    Thank you for your response.

  5. #15

    Re: Forward Service 3389/7000

    fabianmk wrote:

    > I need help with Forward Service in Server Linux Enterprise SP3.

    In your other post you say:
    > Sever Internet / Firewall: eth0 external / internet interface (Static
    > IP

    You say this is your Internet interface but you are using a private IP
    address which is not valid for the Internet. May I assume your gateway to
    the Internet is through another router? If this is so, then that router
    is likely providing a NAT function so you would not need to use
    masquerading on this server. Besides, to me it doesn't make much sense
    to use masquerading to substitute one private IP address for another.

    > eth1 internal interface (Static IP
    > Workstation: Gateway need use
    > port 7000 NET Application connection server of provider telephony card
    > Gateway need
    > use port 3389 for Remote Control Server External

    Ok, to simplify,
    Port 3389 traffic must be directed to
    Port 7000 traffic must be directed to

    These packets must be forwarded from the external interface to their
    respective hosts on your LAN.

    I will comment on your firewall settings...

    As Jens already mentioned, this does not seem to be a valid interface:
    > FW_DEV_DMZ="usb0"

    # Setting this option one alone doesn't do anything. Either activate
    # masquerading with FW_MASQUERADE below if you want to masquerade
    # your internal network to the internet, or configure FW_FORWARD to
    # define what is allowed to be forwarded.
    While this setting is correct, you need to make sure FW_FORWARD has the
    correct settings.
    > FW_ROUTE="yes"

    This sets up masquerading but your Internet interface has a private IP
    address. All outgoing packets will be assigned instead
    of 192.168.0.n. I suspect you don't need this. All these settings
    should be set to "".
    > FW_MASQUERADE="yes"
    > FW_MASQ_DEV="zone:ext"
    > FW_MASQ_NETS="0/0"

    FW_SERVICES_xxx_xxx specifies which services you want to allow access
    to ON THE FIREWALL. From what you have told us, you don't want to do
    that except for possibly 3050. You already said traffic on ports 3389
    and 7000 is to be directed to specific hosts on the LAN.
    > FW_SERVICES_EXT_TCP="3050 3389 7000"

    > FW_SERVICES_EXT_UDP="3389 7000"


    Do you really want to allow access to these services on your server
    > FW_CONFIGURATIONS_EXT="samba-client samba-server vnc-server
    > xorg-x11-server"

    Here you are saying to allow this traffic to enter your server from the
    Ext interface (Internet) but these services aren't running on your
    server so this is incorrect.
    > FW_SERVICES_ACCEPT_EXT="0/0,tcp,3389,3389
    > 0/0,udp,3389,3389
    > 0/0,tcp,7000,7000
    > 0/0,udp,7000,7000"


    I'm not exactly sure what you are trying to do here. It looks as if you
    are allowing EVERYTHING through the external interface to enter the
    server. I suspect this should be changed.


    FW_FORWARD determines WHAT gets forwarded. The syntax is the same as is
    used for FW_FORWARD_MASQ. You are telling the firewall to forward
    outgoing (only) traffic but only between two specific networks.
    > FW_FORWARD=","

    At the very least, this syntax is incorrect. It must be on one line or
    else you have to use a line continuation character: "\"
    > FW_FORWARD_MASQ="0/0,,tcp,7000
    > 0/0,,udp,7000
    > 0/0,,tcp,3389
    > 0/0,,udp,3389"

    0/0,,tcp,7000 \
    0/0,,udp,7000 \
    0/0,,tcp,3389 \
    0/0,,udp,3389 \
    Assuming you don't use masquerading and you want to allow ALL outgoing
    traffic, FW_FORWARD should look something like this:
    FW_FORWARD=" \,0/0 \
    0/0,,tcp,7000 \
    0/0,,udp,7000 \
    0/0,,tcp,3389 \
    0/0,,udp,3389 \

    I have not verified your other firewall settings.

    Please see /etc/sysconfig/SuSEfirewall2 for a description of what each
    setting does.

    Kevin Boyle - Knowledge Partner
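The forwarding Kevin describes, worked through as an added example that is not from the thread or from the SuSEfirewall2 package: a small forwarding table is turned into a single-line FW_FORWARD_MASQ value (field order <source net>,<forward-to IP>,<protocol>,<port>) and into the equivalent raw iptables rules, which need both the DNAT in nat/PREROUTING that Jens mentioned and an explicit FORWARD accept. All interface names and addresses (eth0, 192.168.0.10, 192.168.0.20, 203.0.113.0/24) are hypothetical placeholders; the thread's real addresses are not shown on the page. The table deliberately limits 3389 to one assumed source network rather than 0/0, since RDP should not be reachable from the whole Internet.

```shell
#!/bin/sh
# Added example (not from the thread or from SuSEfirewall2 itself).
# Emits an FW_FORWARD_MASQ value and the equivalent iptables commands from a
# small forwarding table. Every address and interface below is a hypothetical
# placeholder; 203.0.113.0/24 is a documentation range.

EXT_IF="eth0"                  # assumed external interface (FW_DEV_EXT)
RDP_HOST="192.168.0.10"        # assumed LAN host that should receive 3389
TEL_HOST="192.168.0.20"        # assumed LAN host that should receive 7000
RDP_SRC="203.0.113.0/24"       # assumed network of the external control server

# Forwarding table, one rule per line: "<source net> <internal host> <proto> <port>"
# 3389 is restricted to RDP_SRC on purpose; 7000 is left open to 0/0 as in the thread.
FWD_TABLE="\
$RDP_SRC $RDP_HOST tcp 3389
$RDP_SRC $RDP_HOST udp 3389
0/0 $TEL_HOST tcp 7000
0/0 $TEL_HOST udp 7000"

# One FW_FORWARD_MASQ entry per table row, joined with spaces onto ONE line
# (entries are whitespace separated, fields inside an entry comma separated).
fw_forward_masq() {
    printf '%s\n' "$FWD_TABLE" | while read -r src host proto port; do
        printf '%s,%s,%s,%s\n' "$src" "$host" "$proto" "$port"
    done | tr '\n' ' ' | sed 's/ $//'
}

# Equivalent raw iptables rules. DNAT alone only rewrites the destination;
# the FORWARD chain must also accept the packet or it is dropped.
iptables_rules() {
    printf '%s\n' "$FWD_TABLE" | while read -r src host proto port; do
        [ "$src" = "0/0" ] && src="0.0.0.0/0"
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$EXT_IF" "$src" "$proto" "$port" "$host" "$port"
        printf 'iptables -A FORWARD -i %s -s %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$EXT_IF" "$src" "$host" "$proto" "$port"
    done
    # Reply packets of the forwarded connections.
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# Sanity check for an FW_FORWARD_MASQ value: each whitespace-separated entry
# needs at least the four comma fields above. Prints the first bad entry and
# returns 1; returns 0 when every entry is complete.
check_forward_masq() {
    for entry in $1; do
        n=$(printf '%s' "$entry" | tr ',' '\n' | wc -l | tr -d ' ')
        # wc -l counts newlines, so the field count is n + 1
        if [ "$((n + 1))" -lt 4 ]; then
            printf 'bad entry: %s\n' "$entry"
            return 1
        fi
    done
    return 0
}

printf 'FW_FORWARD_MASQ="%s"\n' "$(fw_forward_masq)"
iptables_rules
```

Running the script prints the FW_FORWARD_MASQ line to paste into /etc/sysconfig/SuSEfirewall2 and, underneath, the iptables rules it corresponds to, which is a convenient way to compare what SuSEfirewall2 generates (`iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n` after a reload) against what was intended. The check function catches the kind of incomplete entry that results when a multi-line value loses its continuation characters.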


