Sean Z
I am currently using COS7 and want to do a port forward. For example, I want to forward an external request 1.2.3.4:1234 to an internal IP 5.6.7.8:1234. Is it possible to achieve this all through the CLI? I have it working with the GUI using the port forwarding app but not through the CLI.
I am writing a script and would like to achieve this all through the command line without using the COS GUI. Any pointers?
Tuesday, October 29 2019, 08:20 PM

Accepted Answer

Wednesday, October 30 2019, 10:43 AM - #Permalink
First of all you have to find the rules. I'd do a dump of the firewall before and after adding a port forward with something like:
iptables -nvL > before-filter
iptables -nvL -t nat > before-nat
iptables -nvL -t mangle > before-mangle
then add the port forward and repeat into different files. Then diff the files (not so neat because of the packet counters, which you will need to ignore) to work out the rules you need. I think it is one FORWARD, PREROUTING and POSTROUTING rule per webconfig rule. Then you need to craft the rule with the "iptables" command.

One thing to watch out for is that if the firewall ever restarts, it wipes all rules and starts again with the rules in /etc/clearos/firewall.conf and the files in /etc/clearos/firewall.d/. Always use the -w switch with any of your iptables commands, or, better, in the /etc/clearos/firewall.d/ folder use $IPTABLES instead of "iptables -w". If using /etc/clearos/firewall.d/, also be wary of IPv4 and IPv6 and see how it is done in, for example, /etc/clearos/firewall.d/custom.

What are you trying to do?
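A script in the style Nick describes, as an added example that is not ClearOS's own code: it emits the PREROUTING, FORWARD and POSTROUTING rules for the forward in the question, applies them through $IPTABLES only when the firewall (or a CLI invocation that sets IPTABLES="iptables -w") runs it, and is meant to live in /etc/clearos/firewall.d/. The rule bodies are the generic iptables DNAT pattern rather than whatever webconfig writes (check them against your before/after diff), and the file name 10-portforward, the conntrack match and the LAN network default are assumptions.

```shell
#!/bin/bash
# Added example, not ClearOS code: /etc/clearos/firewall.d/10-portforward (assumed name).
# The ClearOS firewall sets $IPTABLES when it runs this folder; from the CLI run it
# as IPTABLES="iptables -w" bash 10-portforward, -w waiting for the xtables lock
# instead of failing when another iptables process holds it. IPv4 only.

# Print the rules for one port forward, one per line, without the command itself.
# Arguments: external IP, internal IP, port, protocol (default tcp), LAN network
# (assumed default 192.168.1.0/24, used only by the hairpin rule).
port_forward_rules() {
    ext="$1"; int="$2"; port="$3"; proto="${4:-tcp}"; lan="${5:-192.168.1.0/24}"
    # Rewrite the destination of inbound connections to the internal host.
    echo "-t nat -A PREROUTING -d $ext -p $proto --dport $port -j DNAT --to-destination $int:$port"
    # Allow only this port to reach this host; everything else stays subject to
    # the existing FORWARD policy.
    echo "-A FORWARD -d $int -p $proto --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Hairpin NAT so LAN clients can use the external address. Limited to the LAN
    # so internet sources keep their real address in the internal host's logs.
    echo "-t nat -A POSTROUTING -s $lan -d $int -p $proto --dport $port -j MASQUERADE"
}

# Number of rules one forward produces (the per-webconfig-rule count Nick mentions).
port_forward_rule_count() { port_forward_rules "$@" | wc -l | tr -d ' '; }

# Run each rule read from stdin through the given command: "$IPTABLES" for real,
# or a shell function that only records its arguments for a dry run.
apply_rules() {
    cmd="$1"
    while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        $cmd $rule
    done
}

if [ -n "${IPTABLES:-}" ]; then
    # Run by the ClearOS firewall (which exports $IPTABLES) or by hand with
    # IPTABLES set: install the forward from the question. Sourcing the file
    # without IPTABLES set leaves the live ruleset untouched.
    port_forward_rules 1.2.3.4 5.6.7.8 1234 tcp | apply_rules "$IPTABLES"
fi
```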
Responses (2)
  • Accepted Answer

    Wednesday, October 30 2019, 04:45 PM - #Permalink
    To make the rules survive a reboot or firewall restart, they must be put in /etc/clearos/firewall.d/ and the file name may have to start with a number. ClearOS will run any script in that folder on a firewall restart.
  • Accepted Answer

    Sean Z
    Wednesday, October 30 2019, 04:25 PM - #Permalink
    Thanks Nick. I managed to do the comparison before and after and crafted the iptables rules. I just did a test and it's working. Quick question: to make this stick after a reboot on COS7, I have to use "iptables -w" for the commands in the CLI, correct?

    What I was trying to do was automate firewall rules via a PHP script we have on another server with various logic. The server then sends the port forward command via ssh (I have a VPN from the server so no need to open the ssh port to the world).