[Firewall] Having trouble with https port forwarding

Romy Roma bouroy at googlemail.com
Mon Mar 29 17:04:07 CEST 2010


Sorry, it is a typo on my part. I had written it correctly in my custom-rules,
as you mentioned. Anyway, I double-checked again and restarted your AIF, but
it still does not work.

NAT_FORWARD_TCP="25,143>10.120.132.6 eth0#0/0~443>10.120.132.105~8543"

Thanks for your attention.
Romy

On Mon, Mar 29, 2010 at 4:49 PM, Arno van Amersfoort <arnova at rocky.eld.leidenuniv.nl> wrote:

> I'm surprised that the script doesn't spit out an error since the syntax is
> wrong. It should be:
>
>
> "eth0#0/0~443>10.120.132.105~8543"
>
> And you may want to use an up-to-date stable version of my firewall....
>
> a.
>
> Romy Roma wrote:
>
>> Thanks for your reply.
>>
>> I changed it as you suggested in my custom-rules the forward to:
>> NAT_FORWARD_TCP="eth0#0/0~443>10.120.132.105:8543"
>>
>>
>> But it still does not work. Here is now the output of the arno start script:
>>
>> Enabling SNAT via external interface(s): eth0
>>  Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
>> (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
>> (eth0) Forwarding(NAT) TCP port(s) 0/0:443 to 10.120.132.105:8543
>>
>> Security is ENFORCED for external interface(s) in the FORWARD chain
>>
>> What is strange is that when I set a wrong destination port in the forward, the
>> browser gets a connection failed, as expected. However, when the right port is
>> set the browser gets connected but then times out with no reply.
>>
>> When I disable AIF (a bad idea, it is the only firewall I am using now) and
>> execute just this line, it works fine:
>> iptables -t nat -A PREROUTING -s ! 10.120.132.0/23 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.120.132.105:8543
>>
>>
>> No idea what is blocking the forwarding when AIF is enabled.
>>
>> Many thanks
>> Romy
>>
>> On Mon, Mar 29, 2010 at 2:13 PM, Gustin Johnson <gustin at meganerd.ca> wrote:
>>
>>    Romy Roma wrote:
>>    <snip>
>>     >
>>     > Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
>>     > (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
>>     > (eth0) Forwarding(NAT) TCP port(s) 188.40.124.147:443 to 10.120.132.105:8543
>>
>>
>>    You are only port forwarding if the source is 188.40.124.147; you might
>>    want to change that to 0/0, or to the IP and netmask of the source (if
>>    you want to lock down access).
>>
>>    _______________________________________________
>>    Firewall mailing list
>>    Firewall at rocky.eld.leidenuniv.nl
>>
>>    http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>    Arno's (Linux IPTABLES Firewall) Homepage:
>>    http://rocky.eld.leidenuniv.nl
>>
>>
>>
>>
>
> --
> Arno van Amersfoort
> E-mail    : arnova at rocky.eld.leidenuniv.nl
> Donations are welcome through Paypal!
> ---------------------------------------------------------------------------
>
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>
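The symptom in this thread (a bare DNAT in nat/PREROUTING works with the firewall off, but the same forward times out once AIF enforces its FORWARD chain) comes down to DNAT needing two rules, not one: the translation in PREROUTING and an ACCEPT for the translated packet in FORWARD. The script below is an added illustration, not code from AIF or from anyone on this list. It parses entries in the form the thread uses, `[iface#][source~]ports>dest_ip[~dest_port]`, which is an assumed reconstruction of the NAT_FORWARD_TCP syntax from the examples quoted above rather than AIF's own parser, rejects the `:` typo from the earlier message, and prints the pair of iptables commands each entry implies. The `ext_ifaces` default of `eth0` is likewise an assumption for entries that name no interface.

```python
#!/usr/bin/env python3
"""Expand NAT_FORWARD_TCP-style entries into explicit iptables commands.

Assumed entry syntax, reconstructed from the entries quoted in this thread
(an illustration, not AIF's own parser):

    [iface#][source~]ports>dest_ip[~dest_port]

Entries are whitespace-separated; `ports` is a comma-separated list whose
items may be ranges written low:high (iptables syntax).  The source defaults
to 0/0 (anywhere).  A destination port written with ':' instead of '~' is the
typo discussed above and is rejected with a specific message.
"""
import ipaddress
import re

ANYWHERE = "0.0.0.0/0"

ENTRY_RE = re.compile(
    r"^(?:(?P<iface>[A-Za-z0-9._+-]+)#)?"                      # optional external interface
    r"(?:(?P<src>[0-9./]+)~)?"                                 # optional source network
    r"(?P<ports>[0-9]+(?::[0-9]+)?(?:,[0-9]+(?::[0-9]+)?)*)"  # port list / ranges
    r">(?P<dst>[0-9.]+)"                                       # internal destination host
    r"(?:~(?P<dport>[0-9]+))?$"                                # optional remapped port
)


def _normalise_src(src):
    if src is None or src in ("0/0", ANYWHERE):
        return ANYWHERE
    # strict=False tolerates host bits set, e.g. 10.120.132.6/23 -> 10.120.132.0/23
    return str(ipaddress.ip_network(src, strict=False))


def parse_entry(entry):
    """Parse one entry into a dict; raise ValueError on malformed input."""
    m = ENTRY_RE.match(entry)
    if not m:
        if ":" in entry.rsplit(">", 1)[-1]:
            raise ValueError(
                f"{entry!r}: destination port must be written with '~' not ':'")
        raise ValueError(f"{entry!r}: unrecognised NAT_FORWARD_TCP entry")
    ipaddress.ip_address(m["dst"])  # raises on a malformed destination host
    return {
        "iface": m["iface"],
        "src": _normalise_src(m["src"]),
        "ports": m["ports"].split(","),
        "dst": m["dst"],
        "dport": m["dport"],
    }


def parse_config(value):
    """Parse the whole variable value, i.e. the string assigned to NAT_FORWARD_TCP."""
    return [parse_entry(e) for e in value.split()]


def _port_match(ports):
    if len(ports) == 1:
        return f"--dport {ports[0]}"
    return f"-m multiport --dports {','.join(ports)}"


def iptables_rules(entry, ext_ifaces=("eth0",)):
    """Return the iptables commands one entry implies.

    Two rules per interface: the DNAT in nat/PREROUTING rewrites the destination,
    but the rewritten packet is then routed through filter/FORWARD, where a
    default DROP discards it unless a matching ACCEPT exists.  That second rule
    is exactly what a lone PREROUTING DNAT lacks.  The FORWARD rule matches on
    the post-translation destination port and on conntrack state DNAT so it
    accepts only traffic that this forward actually translated.
    """
    ifaces = [entry["iface"]] if entry["iface"] else list(ext_ifaces)
    src = "" if entry["src"] == ANYWHERE else f" -s {entry['src']}"
    target = entry["dst"] + (f":{entry['dport']}" if entry["dport"] else "")
    after_ports = [entry["dport"]] if entry["dport"] else entry["ports"]
    cmds = []
    for iface in ifaces:
        cmds.append(
            f"iptables -t nat -A PREROUTING -i {iface}{src} -p tcp "
            f"{_port_match(entry['ports'])} -j DNAT --to-destination {target}")
        cmds.append(
            f"iptables -A FORWARD -i {iface}{src} -d {entry['dst']} -p tcp "
            f"{_port_match(after_ports)} -m conntrack --ctstate DNAT -j ACCEPT")
    return cmds


if __name__ == "__main__":
    # The exact value quoted in the message above.
    cfg = "25,143>10.120.132.6 eth0#0/0~443>10.120.132.105~8543"
    for entry in parse_config(cfg):
        print("\n".join(iptables_rules(entry)))
```

When the generated FORWARD rule is missing on a box whose FORWARD policy is DROP, the client sees exactly what the thread describes: the SYN is translated and forwarded to the DNAT target, nothing comes back, and the browser hangs until it times out rather than getting a refused connection.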

