[Firewall] Having trouble with https port forwarding

Romy Roma bouroy at googlemail.com
Mon Mar 29 13:57:38 CEST 2010


Hi,
I started this issue earlier in a different thread, but had the impression I
might have made a mistake on the subject. Maybe that is the reason many did not
react. However, many thanks to Randy for his support in that thread.

The problem I encounter with arno-iptables-firewall is that I can't get the
https port forwarding to work.
Obviously I successfully set up a port forwarding for my smtp on the same
system. But when doing the same for https it just does not work.

Environment:
Linux Dist.: debian lenny
1 Interface (eth0) and virtual interfaces for my internal vservers
eth0 =  internet interface
dummy0= internal virtual interface

Following settings in the custom-rules file:
OPEN_TCP="25 443"
NAT_FORWARD_TCP="25,143>10.120.132.6 443>10.120.132.105~8543"

in firewall.conf:
NAT_STATIC_IP="188.40.124.147" # IP address of the external interface eth0 -> global IP

Of course the NAT is activated via global settings using dpkg-reconfigure
arno-iptables-firewall.

Log from the arno-iptables-firewall restart:

Arno's Iptables Firewall Script v1.9.2d
------------------------------
-------------------------------------------------
Sanity checks passed...OK
Stopping (user) plugins...
Checking/probing IPv4 Iptables modules:
 Module check done...
Setup kernel settings:
 Setting the max. amount of simultaneous connections to 16384
 Setting default conntrack timeouts
 Enabling protection against source routed packets
 Enabling packet forwarding
 Enabling reduction of the DoS'ing ability
 Enabling anti-spoof with rp_filter
 Enabling SYN-flood protection via SYN-cookies
 Disabling the logging of martians
 Disabling the acception of ICMP-redirect messages
 Setting default TTL=64
 Disabling ECN (Explicit Congestion Notification)
 Flushing route table
 Kernel setup done...
Reinitializing firewall chains
 Setting default INPUT/FORWARD policy to DROP
Using loglevel "debug" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
Enabling mangling TOS
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
Logging of fragmented packets enabled
Logging of access from reserved addresses enabled
Setting up (antispoof) INTERNAL net(s): 10.120.132.0/23 10.120.131.0/24
Logging incoming connections of 10.120.132.2 to TCP port(s): 3306
Logging incoming connections of  to TCP port(s): 10.120.132.105
Logging outgoing connections of  to TCP port(s): 10.120.132.105
Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
 Loaded 0 plugin(s)...
Setting up INPUT policy for the external net (INET):
 Logging of explicitly blocked hosts enabled
 Logging of denied local output connections enabled
 Packets will NOT be checked for private source addresses
 Allowing ANYHOST for TCP port(s): 22
 Allowing ANYHOST for TCP port(s): 25
 Allowing ANYHOST for UDP port(s): 1194
 Allowing ANYHOST to send ICMP-requests(ping)
 Logging of dropped ICMP-request(ping) packets enabled
 Logging of dropped other ICMP packets enabled
 Logging of possible stealth scans enabled
 Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
 Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
 Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
 Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
 Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts
enabled
 Logging of ICMP flooding enabled
Setting up OUTPUT policy for the external net (INET):
 Allowing all (other) ports/protocols
Applying INET policy to external interface: eth0 (without an external subnet
specified)
Setting up INPUT policy for internal (LAN) interface(s): dummy+ tun0 tap+
 Allowing ICMP-requests(ping)
 Allowing all (other) ports/protocols
Accepting ALL INPUT traffic from trusted interface(s): tun+ dummy0
Accepting ALL FORWARD traffic for trusted interface(s): tun+ dummy0
Setting up FORWARD policy for internal (LAN) interface(s): dummy+ tun0 tap+
 Logging of denied LAN->INET FORWARD connections enabled
 Setting up LAN->INET policy:
  Allowing ICMP-requests(ping)
  Allowing all (other) TCP ports
  Allowing all (other) UDP ports
  Allowing all (other) protocols
Enabling SNAT via external interface(s): eth0
 Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
(eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
(eth0) Forwarding(NAT) TCP port(s) 188.40.124.147:443 to 10.120.132.105:8543
Security is ENFORCED for external interface(s) in the FORWARD chain

Mar 28 15:20:55 All firewall rules applied.


Many thanks for your help!
Regards,
Romy
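As an added example (not part of the original post or of arno-iptables-firewall), the following parses the two "Forwarding(NAT)" lines from the restart log above and answers, for a constructed incoming packet, which internal host:port it would be DNATed to. It makes explicit what the log already states: the https rule is pinned to destination 188.40.124.147:443 on eth0 and rewrites the port to 8543, while the 25,143 rule matches any destination ("0/0"). The addresses 198.51.100.7 and the interface names used in the checks are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two "Forwarding(NAT)" lines copied from the restart log.
LOG_LINES = [
    "(eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6",
    "(eth0) Forwarding(NAT) TCP port(s) 188.40.124.147:443 to 10.120.132.105:8543",
]

LINE_RE = re.compile(
    r"\((?P<iface>\S+)\) Forwarding\(NAT\) TCP port\(s\) "
    r"(?P<dst>[\d./]+):(?P<ports>[\d,]+) to (?P<host>[\d.]+)(?::(?P<port>\d+))?$"
)

@dataclass(frozen=True)
class DnatRule:
    iface: str              # external interface the rule is bound to
    match_dst: str          # destination address matched; "0/0" means any
    dports: tuple           # external TCP ports matched
    to_host: str            # internal host receiving the traffic
    to_port: Optional[int]  # None: the original destination port is kept

def parse_forwarding_lines(lines):
    """Extract DnatRule records from arno's 'Forwarding(NAT)' log lines."""
    rules = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a Forwarding(NAT) line, ignore
        rules.append(DnatRule(
            m["iface"], m["dst"],
            tuple(int(p) for p in m["ports"].split(",")),
            m["host"], int(m["port"]) if m["port"] else None))
    return rules

def dnat_target(rules, iface, dst_ip, dst_port):
    """Return (host, port) a TCP packet arriving on iface for dst_ip:dst_port is
    forwarded to, or None when no rule matches (it stays addressed to the firewall)."""
    for r in rules:
        if r.iface == iface and dst_port in r.dports and r.match_dst in ("0/0", dst_ip):
            return (r.to_host, r.to_port if r.to_port is not None else dst_port)
    return None

if __name__ == "__main__":
    rules = parse_forwarding_lines(LOG_LINES)
    for r in rules:
        print(r)
    print(dnat_target(rules, "eth0", "188.40.124.147", 443))  # ('10.120.132.105', 8543)
```

If the rule resolves as expected here, the DNAT rule itself is not the missing piece, and the usual next checks are whether 10.120.132.105 actually listens on 8543 and whether its replies are routed back through the firewall.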