ClearFoundation

Hi, I'm rather new to ClearOS and the more I read the more I think I made a good decision to use it as a firewall/gateway for my (really) small business network.

I installed ClearOS 6.2 and started to set it up as an inline transparent services platform, and, as such, I already started to set up the network configuration for all the services to be available for users, set up networking bridging, and access to the Internet from the workstations connected to the network works fine.

However, I've been having some issues with port forwarding since I need to allow access from outside the network to certain boxes.

I've tried configuring from the web adminsitrator and from the command line and I seem to be doing something wrong. When consulted, the firewall page states that access in ports 22 and 81 is open (obviously).



When I set up a port forwading rule in the web administrator (for example) access through TCP to 192.168.X.X:80, it is set up and shows as if it was working but it doesn't. In fact, when I try to configure manually /etc/sysconfig/iptables and /etc/clearos/firewall.conf, the rules still don't work nor they show when I call iptables -L -n -v

Contents of /etc/clearos/firewall.conf



Contents of /etc/sysconfig/iptables



As I said, iptables -L -n -v doesn't show anything, except for one time for about a few seconds that it showed all the configurations that were running. Connection on ports 81 and 22 is working well, but I don't know what I'm doing wrong.

I already tried by eliminating opening the ports and several alternative configurations but with the same structure and I get nowhere. Any ideas?

You shouldn't need to edit /etc/sysconfig/iptables, and if you do it will be wiped during a system update.. You should add custom entries to /etc/clearos/firewall.d/custom

Your custom entry above has the wrong syntax and has two -i flags for incoming device, for a forward rule you need an -i (incoming) and -o (outgoing)

I would avoid editing /etc/clearos/firewall.conf manually unless you are very careful about syntax again as you have ability to take the whole firewall down... a quick scan of what you posted above suggests you have the 0x10000008 fields wrong

One thing to check...you should not open these ports on the incoming firewall as well as trying to forward them. It will conflict...the former is for access to services on the ClearOS box itself, forwarding for traffic to pass through the gateway.

Going forward, test with 'service firewall restart' after any changes, and monitor the output of /var/log/system

Thanks Tim. You are as helpful as I have noticed for other posts.

I do realize that there are some issues with trying to configure manually and open the port while trying to forward (common mistake from what I can see). Anyway, my real point is to try to and find out which file is the one that I should be configuring since configuration through the web administrator has failed.

I will delete all the entries I wrote in those files and try to configure by editing /etc/clearos/firewall.d/custom, as you say.

Thanks a lot, I will post as soon as I do it to let you know how it went.

I just realized a couple of things. You say that there might be some sytax problems with the firewall conf file, but those rules were added through the web administrator. As I said, that seems to be the problem. Anyway, I'll try to find out why this is happening reading about firewall conf syntax.

As for the custom rules for the firewall, I tried locating /etc/clearos/firewall.d/custom but /etc/clearos/firewall.d/local seems to be the proper choice since it states that it is run after every firewall restart and "Add custom rules here". So, is this the correct location?

I've reset everything and still I cannot succesfully configure the forward.

The destination can be pinged from ClearOS but when I try to access the machine from the LAN with a request in the forwarded port it cannot reach the host.

Do you think by configuring /etc/clearos/firewall.d/custom (or local, whichever) might solve the problem? Quick question on this matter...what's the syntax for this configuration file: iptables or firewall?

A port forward does not work in the LAN. It is only for external machined accessing something in your LAN. Do you need to add the FQDN for your server to your hosts file with its LAN IP address?

I thought I could set up port forwarding within the LAN using iptables.

Anyway, I'll try to access the service using the external IP and if it works I'll count it as a victory.

Ok, so I had to work further into my network reconfiguration.

I already set up the ClearOS as a gateway for the whole of the LAN, something I meant to do but later in the game. It's working perfectly.

I use to have an independent moden/router acting as a DHCP server so I cancelled that function. It's a Huwaei hg530s provided by my ISP. It uses NAT-IP Address Mapping to redirect all incoming traffic to 192.168.0.151 (which used to be the web server and now is the ClearOS). Access on port 81 through https works fine. Even access through ssh. Using the external IP in both cases of course, so I'm sure it's not a problem with the external router/modem configuration.

Now the ClearOS machine is acting as a DNS and DHCP server with no aparent problems for the rest of the network.

BUT....the issue at hand still lingers. Trying to access the external network using port 80 fails. The port forward doesn't work.

Is there any possibility that this is related to ClearOS configuration or must it be something related to the modem/router handling the external redirection into the local machine? In this case, from what I know, the only way to set up an internal LAN port forward is by using iptables so...I'm right where I started.

Is ClearOS the web server? If it is and it is now the gateway as well you just need to open the incoming port 80 to the WAN. Internally this may without doing anything, but you may need to put your server's FQDN into your ClearOS hosts (you can get to it through the Webconfig on the DNS Server page, from memory) file and point it to the LAN IP address of ClearOS so, for example, internally www.mywebsite.com points to 192.168.1.1 or whatever the LAN IP of ClearOS is and externally it points to 1.2.3.4 or whatever your WAN IP address is.

Nope. If it was I'd be up and running already. Web server is on another machine. I used to have it as the main redirection forward in the adsl/router but I wanted to offer more services and set up a more secure infrastructure which is why I looked into clearos.