[Firewall] Having trouble with https port forwarding

Romy Roma bouroy at googlemail.com
Mon Mar 29 15:29:37 CEST 2010


Thanks for your reply.

I changed it as you suggested in my custom-rules the forward to:
NAT_FORWARD_TCP="eth0#0/0~443>10.120.132.105:8543"

But it still does not work. Here is the output of the Arno start script:

Enabling SNAT via external interface(s): eth0
 Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
(eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
(eth0) Forwarding(NAT) TCP port(s) 0/0:443 to 10.120.132.105:8543
Security is ENFORCED for external interface(s) in the FORWARD chain

What is strange is that when I set a wrong destination port in the forward, the
browser gets a connection failure, as expected. However, when the right port is
set, the browser gets connected but then times out with no reply.

When I disable AIF (bad idea, it is the only firewall I am using now) and
execute just this line, it works fine:
iptables -t nat -A PREROUTING -s ! 10.120.132.0/23 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.120.132.105:8543

No idea what is blocking the forwarding when AIF is enabled.

Many thanks
Romy

On Mon, Mar 29, 2010 at 2:13 PM, Gustin Johnson <gustin at meganerd.ca> wrote:

> Romy Roma wrote:
> <snip>
> >
> >  Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
> > (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
> > (eth0) Forwarding(NAT) TCP port(s) 188.40.124.147:443 to 10.120.132.105:8543
>
> You are only port forwarding if the source is 188.40.124.147, you might
> want to change that to 0/0 or to the IP and netmask of the source (if
> you want to lock down access).
>
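As an added example (not code from the thread, from AIF, or from its author), a small POSIX sh helper that expands one NAT_FORWARD_TCP entry into the two iptables rules a port forward depends on, the PREROUTING DNAT rule plus the FORWARD accept rule, so both halves can be reviewed before they are applied. The entry syntax IFACE#SOURCE~PORT>HOST:DPORT is inferred from the lines quoted in the thread; which rules AIF itself generates is not shown here.

```shell
#!/bin/sh
# Added example, not code from the thread or from AIF: expand one
# NAT_FORWARD_TCP entry into the iptables rules it implies, so the nat and
# filter halves of a port forward can be reviewed before they are applied.
# Assumed entry syntax, inferred from the thread: IFACE#SOURCE~PORT>HOST:DPORT
# ("IFACE#" and ":DPORT" are optional; SOURCE 0/0 means any source).

aif_nat_forward_tcp_to_iptables() {
    rest="$1"
    iface=""
    case "$rest" in
        *'#'*) iface="${rest%%#*}"; rest="${rest#*#}" ;;
    esac
    src="${rest%%~*}"; rest="${rest#*~}"
    port="${rest%%>*}"; dest="${rest#*>}"
    dhost="${dest%%:*}"; dport="${dest#*:}"
    # No explicit destination port: forward to the same port number.
    if [ "$dport" = "$dest" ]; then dport="$port"; fi

    if [ -n "$iface" ]; then in_if="-i $iface "; else in_if=""; fi
    if [ "$src" != "0/0" ]; then src_match="-s $src "; else src_match=""; fi

    # nat half: rewrite the destination before the routing decision.
    printf 'iptables -t nat -A PREROUTING %s%s-p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$in_if" "$src_match" "$port" "$dhost" "$dport"
    # filter half: the rewritten packet still traverses the FORWARD chain.
    # If FORWARD drops it, the SYN never reaches the internal host and the
    # client sees a timeout instead of a refused connection.
    printf 'iptables -A FORWARD %s%s-p tcp -d %s --dport %s -j ACCEPT\n' \
        "$in_if" "$src_match" "$dhost" "$dport"
}

# Constructed input: the entry used in the thread.
aif_nat_forward_tcp_to_iptables "eth0#0/0~443>10.120.132.105:8543"
```

Comparing the two printed lines against `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n` shows which half of the forward is missing or never matching.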

