[Firewall] Having trouble with https port forwarding

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Tue Mar 30 10:46:52 CEST 2010


Again, the manual way of getting it to work doesn't look right:

iptables -t nat -A PREROUTING -s ! 10.120.132.0/23 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.120.132.105:8543

-m tcp is surely incorrect

and there is no source interface so if this works you surely have a weird setup of your routing....



Romy Roma wrote:
> Hi Gustin,
> 
> I just updated my AIF with the release Arno just posted today!
> 
> I am testing using browser in external machine.
> 
>  
> 
> On Mon, Mar 29, 2010 at 10:07 PM, Gustin Johnson <gustin at meganerd.ca> wrote:
> 
>     How are you testing this?   Are you trying to connect from inside your
>     NAT'd network to the external IP which then gets port forwarded back
>     in or do you have an external machine that you are testing with?
> 
>     Also, have you tried a more recent version of AIF?
> 
>     On Mon, Mar 29, 2010 at 9:04 AM, Romy Roma <bouroy at googlemail.com> wrote:
>      > Sorry it is a typo error from me. I had correctly written in my
>      > custom-rules as you mentioned. Anyway, double checked again and
>      > restarted your AIF, but still does not work.
>      >
>      > NAT_FORWARD_TCP="25,143>10.120.132.6 eth0#0/0~443>10.120.132.105~8543"
>      >
>      > thanks for your attention.
>      > Romy
>      >
>      > On Mon, Mar 29, 2010 at 4:49 PM, Arno van Amersfoort
>      > <arnova at rocky.eld.leidenuniv.nl> wrote:
>      >>
>      >> I'm surprised that the script doesn't spit out an error since
>      >> the syntax is wrong. It should be:
>      >>
>      >> "eth0#0/0~443>10.120.132.105~8543"
>      >>
>      >> And you may want to use an up-2-date stable version of my firewall....
>      >>
>      >> a.
>      >>
>      >> Romy Roma wrote:
>      >>>
>      >>> thanks for your reply
>      >>>
>      >>> I changed it as you suggested in my custom-rules the forward to:
>      >>> NAT_FORWARD_TCP="eth0#0/0~443>10.120.132.105:8543"
>      >>>
>      >>> But still does not work. Here now the output of the arno start script
>      >>>
>      >>> Enabling SNAT via external interface(s): eth0
>      >>>  Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
>      >>> (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
>      >>> (eth0) Forwarding(NAT) TCP port(s) 0/0:443 to 10.120.132.105:8543
>      >>> Security is ENFORCED for external interface(s) in the FORWARD chain
>      >>>
>      >>> Strange is that when I set a wrong destination port in the forward, the
>      >>> browser gets a connection failed as expected. However, when the right port
>      >>> is set the browser gets connected but gets a timeout and no reply.
>      >>>
>      >>> When I disable AIF (bad idea, it is the only firewall I am using now) and
>      >>> execute just this line it works fine:
>      >>> iptables -t nat -A PREROUTING -s ! 10.120.132.0/23 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.120.132.105:8543
>      >>>
>      >>> No idea what is blocking the forwarding when AIF is enabled
>      >>>
>      >>> Many thanks
>      >>> Romy
>      >>>
>      >>> On Mon, Mar 29, 2010 at 2:13 PM, Gustin Johnson
>      >>> <gustin at meganerd.ca> wrote:
>      >>>
>      >>>    Romy Roma wrote:
>      >>>    <snip>
>      >>>     >
>      >>>     > Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
>      >>>     > (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
>      >>>     > (eth0) Forwarding(NAT) TCP port(s) 188.40.124.147:443 to 10.120.132.105:8543
>      >>>
>      >>>    You are only port forwarding if the source is 188.40.124.147, you
>      >>>    might want to change that to 0/0 or to the IP and netmask of the
>      >>>    source (if you want to lock down access).
>      >>>
>      >>>    _______________________________________________
>      >>>    Firewall mailing list
>      >>>    Firewall at rocky.eld.leidenuniv.nl
>      >>>    http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>      >>>    Arno's (Linux IPTABLES Firewall) Homepage:
>      >>>    http://rocky.eld.leidenuniv.nl
>      >>
>      >> --
>      >> Arno van Amersfoort
>      >> E-mail    : arnova at rocky.eld.leidenuniv.nl
>      >> Donations are welcome through Paypal!
>      >>
>      >
>      >
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
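The NAT_FORWARD_TCP syntax Arno corrects in the thread, as an added example that is neither part of the thread nor AIF's own code: a small parser that turns such entries into the equivalent iptables DNAT rules, binding each rule to the interface the hand-written rule lacks, and rejecting the `ip:port` spelling Romy first used. The entry grammar `[iface#][source]~port[,port...]>dest_ip[~dest_port]` is inferred from the examples in the thread and is an assumption.

```python
"""Parse AIF-style NAT_FORWARD_TCP entries into equivalent iptables DNAT rules.
Added illustration; the grammar below is assumed from the thread, not AIF's own parser:
    [iface#][source]~port[,port...]>dest_ip[~dest_port]
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(
    r"^(?:(?P<iface>[A-Za-z0-9.+_-]+)#)?"  # optional interface, e.g. eth0#
    r"(?:(?P<src>[0-9./]+)~)?"            # optional source net, e.g. 0/0~ (default: any)
    r"(?P<ports>\d+(?:,\d+)*)"            # one or more public ports
    r">(?P<dst>\d+(?:\.\d+){3})"          # internal destination host
    r"(?:~(?P<dport>\d+))?$"              # optional internal port: '~', not ':'
)

@dataclass
class Forward:
    iface: Optional[str]
    src: str
    ports: List[int]
    dst: str
    dport: Optional[int]

def parse_entry(entry: str) -> Forward:
    """Parse one entry; the ip:port spelling from the thread is rejected here."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"bad NAT_FORWARD_TCP entry: {entry!r}")
    return Forward(
        iface=m.group("iface"),
        src=m.group("src") or "0/0",
        ports=[int(p) for p in m.group("ports").split(",")],
        dst=m.group("dst"),
        dport=int(m.group("dport")) if m.group("dport") else None,
    )

def parse_config(value: str) -> List[Forward]:
    """Split a whole NAT_FORWARD_TCP value (entries are whitespace-separated)."""
    return [parse_entry(e) for e in value.split()]

def to_iptables(fw: Forward) -> List[str]:
    """Render one DNAT rule per port, bound to the interface when one is given."""
    iface = f" -i {fw.iface}" if fw.iface else ""  # the interface match the hand-written rule lacks
    src = "" if fw.src in ("0/0", "0.0.0.0/0") else f" -s {fw.src}"
    target = fw.dst if fw.dport is None else f"{fw.dst}:{fw.dport}"
    return [f"iptables -t nat -A PREROUTING{iface}{src} -p tcp --dport {p}"
            f" -j DNAT --to-destination {target}" for p in fw.ports]
```

With a source of `188.40.124.147` instead of `0/0`, the generated rule carries `-s 188.40.124.147`, which is the restriction Gustin spotted in the first AIF output.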

