[Firewall] Having trouble with https port forwarding

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Mon Mar 29 16:49:48 CEST 2010


I'm surprised that the script doesn't spit out an error since the syntax 
is wrong. It should be:

"eth0#0/0~443>10.120.132.105~8543"

And you may want to use an up-to-date stable version of my firewall....

a.

Romy Roma wrote:
> thanks for your reply
> 
> I changed it as you suggested in my custom-rules the forward to:
> NAT_FORWARD_TCP="eth0#0/0~443>10.120.132.105:8543"
> 
> But still does not work. Here now the output of the arno start script
> 
> Enabling SNAT via external interface(s): eth0
>  Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
> (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
> (eth0) Forwarding(NAT) TCP port(s) 0/0:443 to 10.120.132.105:8543
> Security is ENFORCED for external interface(s) in the FORWARD chain
> 
> Strange is that when I set a wrong destination port in the forward, the 
> browser gets a connection failed as expected, However when the right 
> port is set the browser get connected but get timeout and no reply.
> 
> When I disable AIF (bad idea, it is the only firewall I am using now) 
> and execute just this line it works fine:
> iptables -t nat -A PREROUTING -s ! 10.120.132.0/23 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.120.132.105:8543
> 
> No idea what is blocking the forwarding when enable AIF
> 
> Many thanks
> Romy
> 
> On Mon, Mar 29, 2010 at 2:13 PM, Gustin Johnson <gustin at meganerd.ca 
> <mailto:gustin at meganerd.ca>> wrote:
> 
>     Romy Roma wrote:
>     <snip>
>      >
>      > Adding (internal) host(s): 10.120.132.0/23
>      > 10.120.131.0/24
>      > (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
>      > (eth0) Forwarding(NAT) TCP port(s) 188.40.124.147:443 to 10.120.132.105:8543
> 
>     You are only port forwarding if the source is 188.40.124.147, you might
>     want to change that to 0/0 or to the IP and netmask of the source (if
>     you want to lock down access).
> 
>     _______________________________________________
>     Firewall mailing list
>     Firewall at rocky.eld.leidenuniv.nl
>     <mailto:Firewall at rocky.eld.leidenuniv.nl>
>     http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>     Arno's (Linux IPTABLES Firewall) Homepage:
>     http://rocky.eld.leidenuniv.nl
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
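The thread turns on one character in the NAT_FORWARD_TCP entry (the destination port must follow `~`, not `:`), and on the observation that the bare PREROUTING DNAT rule only "works" with AIF disabled because nothing then filters the FORWARD chain. The shell function below is an added example, not AIF's own code or parser: it takes one entry in the `iface#src~sport>dst~dport` form given in the reply above, rejects the `dst:port` mistake, and prints (does not apply) the two iptables rules a DNAT port forward needs on a host whose FORWARD chain is enforced, the nat-table DNAT rule and a matching FORWARD accept for the translated destination. The function name, the `0/0` handling and the rule layout are assumptions made for this example; AIF's real rule set is different and richer.

```shell
#!/bin/sh
# Added example, not part of AIF. Parse one NAT_FORWARD_TCP entry of the form
#   iface#src~sport>dst~dport      e.g. eth0#0/0~443>10.120.132.105~8543
# and print the iptables rules a DNAT port forward needs when the FORWARD
# chain drops by default. Rules are printed, not executed, so they can be
# reviewed before being applied.

aif_tcp_forward_rules() {
    entry=$1

    # iface#rest
    iface=${entry%%"#"*}
    rest=${entry#*"#"}
    [ "$iface" != "$entry" ] || { echo "error: missing '#' after interface in '$entry'" >&2; return 1; }

    # src~sport>dst~dport
    src_part=${rest%%">"*}
    dst_part=${rest#*">"}
    [ "$src_part" != "$rest" ] || { echo "error: missing '>' in '$entry'" >&2; return 1; }

    src=${src_part%%"~"*}
    sport=${src_part#*"~"}
    [ "$sport" != "$src_part" ] || { echo "error: missing '~' before source port in '$entry'" >&2; return 1; }

    # The mistake from the thread: "dst:port" instead of "dst~port". Reject it
    # explicitly instead of silently forwarding to a wrong or unparsable target.
    case $dst_part in
        *:*) echo "error: separate the destination port with '~', not ':', in '$entry'" >&2; return 1 ;;
    esac
    dst=${dst_part%%"~"*}
    dport=${dst_part#*"~"}
    # Assumption for this example: no '~dport' keeps the original port.
    [ "$dport" != "$dst_part" ] || dport=$sport

    # "0/0" means any source, so no -s match is emitted for it.
    srcmatch=""
    [ "$src" = "0/0" ] || srcmatch="-s $src "

    # 1) Rewrite the destination in the nat table.
    printf 'iptables -t nat -A PREROUTING -i %s %s-p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$iface" "$srcmatch" "$sport" "$dst" "$dport"
    # 2) Let the rewritten packets through a FORWARD chain that otherwise drops.
    #    Without this rule the DNAT alone yields exactly the "connects, then
    #    times out" symptom described in the thread.
    printf 'iptables -A FORWARD -i %s %s-p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$iface" "$srcmatch" "$dst" "$dport"
}

# Usage: print the rules for the corrected entry from the reply above.
aif_tcp_forward_rules "eth0#0/0~443>10.120.132.105~8543"
```

Run it with `sh` and pipe the output into a review step rather than straight into the firewall; the FORWARD rule is deliberately restricted to the translated destination and port so that opening the forward does not widen what the external interface may reach internally.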