[Firewall] Having trouble with https port forwarding

Romy Roma bouroy at googlemail.com
Mon Mar 29 23:11:04 CEST 2010


Hi Gustin,

I just updated my AIF with the release Arno just posted today!

I am testing using a browser on an external machine.



On Mon, Mar 29, 2010 at 10:07 PM, Gustin Johnson <gustin at meganerd.ca> wrote:

> How are you testing this?   Are you trying to connect from inside your
> NAT'd network to the external IP which then gets port forwarded back
> in or do you have an external machine that you are testing with?
>
> Also, have you tried a more recent version of AIF?
>
> On Mon, Mar 29, 2010 at 9:04 AM, Romy Roma <bouroy at googlemail.com> wrote:
> > Sorry, it is a typo on my part. I had written it correctly in my
> > custom-rules as you mentioned. Anyway, I double checked again and
> > restarted your AIF, but it still does not work.
> >
> > NAT_FORWARD_TCP="25,143>10.120.132.6 eth0#0/0~443>10.120.132.105~8543"
> >
> > thanks for your attention.
> > Romy
> >
> > On Mon, Mar 29, 2010 at 4:49 PM, Arno van Amersfoort
> > <arnova at rocky.eld.leidenuniv.nl> wrote:
> >>
> >> I'm surprised that the script doesn't spit out an error since the syntax
> >> is wrong. It should be:
> >>
> >> "eth0#0/0~443>10.120.132.105~8543"
> >>
> >> And you may want to use an up-to-date stable version of my firewall....
> >>
> >> a.
> >>
> >> Romy Roma wrote:
> >>>
> >>> thanks for your reply
> >>>
> >>> I changed the forward in my custom-rules as you suggested to:
> >>> NAT_FORWARD_TCP="eth0#0/0~443>10.120.132.105:8543"
> >>>
> >>> But it still does not work. Here is the output of the arno start script now:
> >>>
> >>> Enabling SNAT via external interface(s): eth0
> >>>  Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
> >>> (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
> >>> (eth0) Forwarding(NAT) TCP port(s) 0/0:443 to 10.120.132.105:8543
> >>> Security is ENFORCED for external interface(s) in the FORWARD chain
> >>>
> >>> What is strange is that when I set a wrong destination port in the
> >>> forward, the browser gets a connection failed as expected. However,
> >>> when the right port is set the browser gets connected but gets a
> >>> timeout and no reply.
> >>>
> >>> When I disable AIF (bad idea, it is the only firewall I am using now)
> >>> and execute just this line it works fine:
> >>> iptables -t nat -A PREROUTING -s ! 10.120.132.0/23 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.120.132.105:8543
> >>>
> >>> No idea what is blocking the forwarding when AIF is enabled.
> >>>
> >>> Many thanks
> >>> Romy
> >>>
> >>> On Mon, Mar 29, 2010 at 2:13 PM, Gustin Johnson <gustin at meganerd.ca> wrote:
> >>>
> >>>    Romy Roma wrote:
> >>>    <snip>
> >>>     >
> >>>     > Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
> >>>     > (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
> >>>     > (eth0) Forwarding(NAT) TCP port(s) 188.40.124.147:443 to 10.120.132.105:8543
> >>>
> >>>    You are only port forwarding if the source is 188.40.124.147, you
> >>>    might want to change that to 0/0 or to the IP and netmask of the
> >>>    source (if you want to lock down access).
> >>>
> >>>    _______________________________________________
> >>>    Firewall mailing list
> >>>    Firewall at rocky.eld.leidenuniv.nl
> >>>    http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> >>>    Arno's (Linux IPTABLES Firewall) Homepage:
> >>>    http://rocky.eld.leidenuniv.nl
> >>
> >> --
> >> Arno van Amersfoort
> >> E-mail    : arnova at rocky.eld.leidenuniv.nl
> >> Donations are welcome through Paypal!
> >>
> >> ---------------------------------------------------------------------------
> >> Arno's (Linux IPTABLES Firewall) Homepage:
> >> http://rocky.eld.leidenuniv.nl
> >
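As an added illustration, not part of this thread or of AIF's own code: a small Python parser for the NAT_FORWARD_TCP entry form the thread settles on, `[interface#][source~]ports>destination[~port]`, which is assumed from the quoted examples rather than taken from AIF's parser. It rejects the ':' destination-port form, and emits the equivalent PREROUTING DNAT rule together with the FORWARD accept that translated traffic needs when, as the start-up output says, security is enforced in the FORWARD chain.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Entry grammar as the thread converges on it (assumed from the quoted examples, not
# AIF's own parser):  [interface#][source~]ports>destination[~dest_port]
ENTRY_RE = re.compile(
    r"^(?:(?P<iface>[\w.-]+)#)?(?:(?P<src>[\d./]+)~)?(?P<ports>[\d,:]+)>"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:~(?P<dport>\d{1,5}))?$"
)

@dataclass
class Forward:
    iface: Optional[str]   # external interface, None = any
    src: str               # allowed source, "0/0" = anyone
    ports: str             # external port(s), e.g. "443" or "25,143"
    dst: str               # internal destination host
    dport: Optional[str]   # translated destination port, None = unchanged

def parse_entry(entry: str) -> Forward:
    """Parse one NAT_FORWARD_TCP entry, rejecting the ':' destination-port form."""
    m = ENTRY_RE.match(entry)
    if not m:
        if ":" in entry.split(">", 1)[-1]:
            raise ValueError(f"{entry!r}: destination port must follow '~', not ':'")
        raise ValueError(f"{entry!r}: expected [iface#][src~]ports>dst[~port]")
    src = m.group("src") or "0/0"
    if src != "0/0":
        ipaddress.ip_network(src, strict=False)  # reject malformed sources early
    ipaddress.ip_address(m.group("dst"))
    return Forward(m.group("iface"), src, m.group("ports"), m.group("dst"), m.group("dport"))

def parse_nat_forward_tcp(value: str) -> List[Forward]:
    """Entries are whitespace separated, as in the two-entry string quoted above."""
    return [parse_entry(e) for e in value.split()]

def to_iptables(fw: Forward) -> List[str]:
    """Equivalent PREROUTING DNAT plus the FORWARD accept the translated flow needs
    when the FORWARD chain is enforced rather than accept-by-default."""
    iface = f" -i {fw.iface}" if fw.iface else ""
    src = f" -s {fw.src}" if fw.src != "0/0" else ""
    match = f"-m multiport --dports {fw.ports}" if "," in fw.ports else f"--dport {fw.ports}"
    target = f"{fw.dst}:{fw.dport}" if fw.dport else fw.dst
    post_nat = f"--dport {fw.dport}" if fw.dport else match  # FORWARD sees the translated port
    return [
        f"iptables -t nat -A PREROUTING{iface}{src} -p tcp {match} -j DNAT --to-destination {target}",
        f"iptables -A FORWARD{iface}{src} -p tcp -d {fw.dst} {post_nat} -j ACCEPT",
    ]
```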