[Firewall] Having trouble with https port forwarding

Gustin Johnson gustin at meganerd.ca
Mon Mar 29 22:07:14 CEST 2010


How are you testing this?   Are you trying to connect from inside your
NAT'd network to the external IP which then gets port forwarded back
in or do you have an external machine that you are testing with?

Also, have you tried a more recent version of AIF?

On Mon, Mar 29, 2010 at 9:04 AM, Romy Roma <bouroy at googlemail.com> wrote:
> Sorry, it is a typo from me. I had written it correctly in my custom-rules
> as you mentioned. Anyway, double checked again and restarted your AIF, but
> it still does not work.
>
> NAT_FORWARD_TCP="25,143>10.120.132.6 eth0#0/0~443>10.120.132.105~8543"
>
> thanks for your attention.
> Romy
>
> On Mon, Mar 29, 2010 at 4:49 PM, Arno van Amersfoort
> <arnova at rocky.eld.leidenuniv.nl> wrote:
>>
>> I'm surprised that the script doesn't spit out an error since the syntax
>> is wrong. It should be:
>>
>> "eth0#0/0~443>10.120.132.105~8543"
>>
>> And you may want to use an up-to-date stable version of my firewall....
>>
>> a.
>>
>> Romy Roma wrote:
>>>
>>> thanks for your reply
>>>
>>> I changed the forward in my custom-rules, as you suggested, to:
>>> NAT_FORWARD_TCP="eth0#0/0~443>10.120.132.105:8543"
>>>
>>> But it still does not work. Here is the output of the arno start script:
>>>
>>> Enabling SNAT via external interface(s): eth0
>>>  Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
>>> (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
>>> (eth0) Forwarding(NAT) TCP port(s) 0/0:443 to 10.120.132.105:8543
>>> Security is ENFORCED for external interface(s) in the FORWARD chain
>>>
>>> What is strange is that when I set a wrong destination port in the forward,
>>> the browser gets "connection failed" as expected. However, when the right
>>> port is set, the browser connects but then times out with no reply.
>>>
>>> When I disable AIF (bad idea, it is the only firewall I am using now) and
>>> execute just this line, it works fine:
>>> iptables -t nat -A PREROUTING -s ! 10.120.132.0/23 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.120.132.105:8543
>>>
>>> No idea what is blocking the forwarding when AIF is enabled.
>>>
>>> Many thanks
>>> Romy
>>>
>>> On Mon, Mar 29, 2010 at 2:13 PM, Gustin Johnson <gustin at meganerd.ca> wrote:
>>>
>>>    Romy Roma wrote:
>>>    <snip>
>>>     >
>>>     > Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
>>>     > (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
>>>     > (eth0) Forwarding(NAT) TCP port(s) 188.40.124.147:443 to 10.120.132.105:8543
>>>
>>>    You are only port forwarding if the source is 188.40.124.147, you
>>>    might want to change that to 0/0 or to the IP and netmask of the source
>>>    (if you want to lock down access).
>>>
>>>    _______________________________________________
>>>    Firewall mailing list
>>>    Firewall at rocky.eld.leidenuniv.nl
>>>    <mailto:Firewall at rocky.eld.leidenuniv.nl>
>>>    http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>>    Arno's (Linux IPTABLES Firewall) Homepage:
>>>    http://rocky.eld.leidenuniv.nl
>>>
>>>
>>>
>>
>> --
>> Arno van Amersfoort
>> E-mail    : arnova at rocky.eld.leidenuniv.nl
>> Donations are welcome through Paypal!
>>
>> ---------------------------------------------------------------------------
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
>
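Besides where the test client sits, the entries earlier in this thread show the two ways a NAT_FORWARD_TCP line goes wrong: a ":" instead of "~" before the internal port, and a source field that silently restricts who gets forwarded. The helper below is an added example, not AIF's own code; its entry grammar ([iface#][source~]ports>dest[~port]) is inferred from the entries quoted in this thread rather than taken from AIF's parser. It checks each entry and prints the equivalent iptables DNAT rule for comparison with the hand-written one above:

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entry grammar as inferred from this thread (an assumption; AIF's real parser
# may accept more): [iface#][source~]port[,port...]>dest_ip[~dest_port]
ENTRY_RE = re.compile(
    r"^(?:(?P<iface>[\w.+-]+)#)?(?:(?P<src>[\d./]+)~)?"
    r"(?P<ports>\d+(?:,\d+)*)>(?P<dest>\d+(?:\.\d+){3})(?:~(?P<dport>\d+))?$"
)

@dataclass
class Forward:
    iface: Optional[str]   # external interface, None = any
    src: str               # permitted source; "0/0" = anyone
    ports: List[str]       # destination port(s) on the firewall
    dest: str              # internal host
    dport: Optional[str]   # port on the internal host, None = unchanged

    def iptables_rule(self, proto: str = "tcp") -> str:
        """Equivalent PREROUTING DNAT rule, as text for reading, not executed."""
        parts = ["iptables -t nat -A PREROUTING"]
        if self.iface:
            parts.append(f"-i {self.iface}")
        if self.src != "0/0":
            parts.append(f"-s {self.src}")   # only this source gets forwarded
        parts.append(f"-p {proto}")
        if len(self.ports) == 1:
            parts.append(f"--dport {self.ports[0]}")
        else:
            parts.append(f"-m multiport --dports {','.join(self.ports)}")
        target = self.dest + (f":{self.dport}" if self.dport else "")
        parts.append(f"-j DNAT --to-destination {target}")
        return " ".join(parts)

def parse_nat_forward(value: str) -> Tuple[List[Forward], List[str]]:
    """Split a NAT_FORWARD_TCP value into forwards; collect syntax/scope issues."""
    forwards, issues = [], []
    for entry in value.split():
        m = ENTRY_RE.match(entry)
        if not m:
            hint = ""
            if ":" in entry.rsplit(">", 1)[-1]:
                hint = " (the internal port is written ~port, not :port)"
            issues.append(f"{entry}: unrecognised syntax{hint}")
            continue
        fw = Forward(m["iface"], m["src"] or "0/0", m["ports"].split(","),
                     m["dest"], m["dport"])
        if fw.src != "0/0":
            issues.append(f"{entry}: only forwards connections from {fw.src}")
        forwards.append(fw)
    return forwards, issues
```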
