[Firewall] Having trouble with https port forwarding

Romy Roma bouroy at googlemail.com
Tue Mar 30 11:03:26 CEST 2010


Hi Arno,

I appreciate and esteem your work a lot. Since I am not an expert in the
firewall area, it has saved me many headaches until now. I just have to do this
right now and your solution was really fit for a novice.
I also managed to set up OpenVPN and everything works just fine.

Whether the option -m tcp is wrong or not, I executed it and the https port
forwarding just worked (AIF off).

I really want it to work with AIF, so I would really appreciate your help.

You said:
> and there is no source interface so if this works you surely have a weird
> setup of your routing...

Is this the problem with getting it to work with AIF?

Regards,
Romy


On Tue, Mar 30, 2010 at 10:46 AM, Arno van Amersfoort <arnova at rocky.eld.leidenuniv.nl> wrote:

> Again, the manual way of getting it to work doesn't look right:
>
> iptables -t nat -A PREROUTING -s ! 10.120.132.0/23 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.120.132.105:8543
>
> -m tcp is surely incorrect
>
> and there is no source interface so if this works you surely have a weird
> setup of your routing....
>
>
>
> Romy Roma wrote:
>
>> Hi Gustin,
>>
>> I just updated my AIF with the release Arno just posted today!
>>
>> I am testing using a browser on an external machine.
>>
>>
>> On Mon, Mar 29, 2010 at 10:07 PM, Gustin Johnson <gustin at meganerd.ca> wrote:
>>
>>    How are you testing this?   Are you trying to connect from inside your
>>    NAT'd network to the external IP which then gets port forwarded back
>>    in or do you have an external machine that you are testing with?
>>
>>    Also, have you tried a more recent version of AIF?
>>
>>    On Mon, Mar 29, 2010 at 9:04 AM, Romy Roma <bouroy at googlemail.com> wrote:
>>     > Sorry, it is a typo on my part. I had written it correctly in my
>>     > custom-rules as you mentioned. Anyway, I double checked again and
>>     > restarted your AIF, but it still does not work.
>>     >
>>     > NAT_FORWARD_TCP="25,143>10.120.132.6 eth0#0/0~443>10.120.132.105~8543"
>>     >
>>     > thanks for your attention.
>>     > Romy
>>     >
>>     > On Mon, Mar 29, 2010 at 4:49 PM, Arno van Amersfoort <arnova at rocky.eld.leidenuniv.nl> wrote:
>>     >>
>>     >> I'm surprised that the script doesn't spit out an error since
>>     >> the syntax is wrong. It should be:
>>     >>
>>     >> "eth0#0/0~443>10.120.132.105~8543"
>>     >>
>>     >> And you may want to use an up-to-date stable version of my
>>     >> firewall....
>>     >>
>>     >> a.
>>     >>
>>     >> Romy Roma wrote:
>>     >>>
>>     >>> thanks for your reply
>>     >>>
>>     >>> I changed it as you suggested in my custom-rules the forward to:
>>     >>> NAT_FORWARD_TCP="eth0#0/0~443>10.120.132.105:8543"
>>     >>>
>>     >>> But it still does not work. Here is the output of the arno start
>>     >>> script:
>>     >>>
>>     >>> Enabling SNAT via external interface(s): eth0
>>     >>>  Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
>>     >>> (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
>>     >>> (eth0) Forwarding(NAT) TCP port(s) 0/0:443 to 10.120.132.105:8543
>>     >>> Security is ENFORCED for external interface(s) in the FORWARD chain
>>     >>>
>>     >>> Strange is that when I set a wrong destination port in the forward,
>>     >>> the browser gets a connection failed as expected. However, when the
>>     >>> right port is set the browser gets connected but times out with no
>>     >>> reply.
>>     >>>
>>     >>> When I disable AIF (bad idea, it is the only firewall I am using
>>     >>> now) and execute just this line it works fine:
>>     >>> iptables -t nat -A PREROUTING -s ! 10.120.132.0/23 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.120.132.105:8543
>>     >>>
>>     >>> No idea what is blocking the forwarding when AIF is enabled
>>     >>>
>>     >>> Many thanks
>>     >>> Romy
>>     >>>
>>     >>> On Mon, Mar 29, 2010 at 2:13 PM, Gustin Johnson <gustin at meganerd.ca> wrote:
>>     >>>
>>     >>>    Romy Roma wrote:
>>     >>>    <snip>
>>     >>>     >
>>     >>>     > Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
>>     >>>     > (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
>>     >>>     > (eth0) Forwarding(NAT) TCP port(s) 188.40.124.147:443 to 10.120.132.105:8543
>>     >>>
>>     >>>    You are only port forwarding if the source is 188.40.124.147, you
>>     >>>    might want to change that to 0/0 or to the IP and netmask of the
>>     >>>    source (if you want to lock down access).
>>     >>>
>>     >>>    _______________________________________________
>>     >>>    Firewall mailing list
>>     >>>    Firewall at rocky.eld.leidenuniv.nl
>>     >>>    http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>     >>>    Arno's (Linux IPTABLES Firewall) Homepage:
>>     >>>    http://rocky.eld.leidenuniv.nl
>>     >>>
>>     >>
>>     >> --
>>     >> Arno van Amersfoort
>>     >> E-mail    : arnova at rocky.eld.leidenuniv.nl
>>     >> Donations are welcome through Paypal!
>>     >>
>>     >>
>>     >> ---------------------------------------------------------------------------
>>     >> Arno's (Linux IPTABLES Firewall) Homepage:
>>     >> http://rocky.eld.leidenuniv.nl
>>     >
>>     >
>
> --
> Arno van Amersfoort
> E-mail    : arnova at rocky.eld.leidenuniv.nl
> Donations are welcome through Paypal!
> ---------------------------------------------------------------------------
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>
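The two things this thread turns on are the NAT_FORWARD_TCP entry syntax (Arno's corrected form is `eth0#0/0~443>10.120.132.105~8543`) and Romy's symptom that a bare DNAT rule works with AIF off but only connects-then-times-out once AIF enforces the FORWARD chain: a PREROUTING DNAT rewrites the destination, but the rewritten packet still has to be accepted in FORWARD, and the manual rule quoted above never adds that (`-m tcp` is also unnecessary once `-p tcp` is given, and binding the rule to the external interface with `-i` supplies the "source interface" Arno mentions). The following Python is an added example, not code from AIF or from anyone on this list. It parses entries with a grammar inferred from the messages here, `[iface#][source~]port[,port...]>host[~port]`, which is an assumption about AIF rather than its documented syntax; it emits the DNAT plus the matching FORWARD accept for each forwarded port, and it scans a list of hand-written iptables commands for DNATs that have no FORWARD accept, which is exactly what it reports for the manual rule from this thread.

```python
"""Added example: turn AIF-style NAT_FORWARD_TCP entries into the iptables
rules a port forward needs, and flag DNAT rules with no FORWARD accept.

ASSUMPTION: the entry grammar is inferred from the messages in this thread,
not taken from AIF's source:   [iface#][source~]port[,port...]>host[~port]
"""
import re
import shlex

# The manual rule quoted in the thread: a DNAT on its own, no FORWARD rule.
THREAD_MANUAL_RULE = (
    "iptables -t nat -A PREROUTING -s ! 10.120.132.0/23 -m tcp -p tcp "
    "--dport 443 -j DNAT --to-destination 10.120.132.105:8543"
)

_ENTRY = re.compile(
    r"^(?:(?P<iface>[\w.-]+)#)?"      # optional external interface
    r"(?:(?P<src>[0-9./]+)~)?"        # optional allowed source, 0/0 = anyone
    r"(?P<ports>\d+(?:,\d+)*)"        # one or more public ports
    r">(?P<dst>\d+\.\d+\.\d+\.\d+)"   # internal host
    r"(?:~(?P<dport>\d+))?$"          # optional internal port (note: ~ not :)
)


def parse_forward(entry):
    """Parse one NAT_FORWARD_TCP entry; raise ValueError on bad syntax."""
    m = _ENTRY.match(entry.strip())
    if not m:
        raise ValueError(f"bad NAT_FORWARD_TCP entry: {entry!r}")
    d = m.groupdict()
    ports = [int(p) for p in d["ports"].split(",")]
    if len(ports) > 1 and d["dport"]:
        raise ValueError("a port list cannot be remapped to one internal port")
    return {
        "iface": d["iface"],                 # None -> every external interface
        "src": d["src"] or "0/0",
        "ports": ports,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def to_iptables(rule, ext_ifaces=("eth0",)):
    """Emit the DNAT plus the FORWARD accept that each forwarded port needs."""
    ifaces = [rule["iface"]] if rule["iface"] else list(ext_ifaces)
    src = "" if rule["src"] == "0/0" else f" -s {rule['src']}"
    cmds = []
    for iface in ifaces:
        for port in rule["ports"]:
            dport = rule["dport"] or port       # no ~port means same port inside
            cmds.append(
                f"iptables -t nat -A PREROUTING -i {iface}{src} -p tcp "
                f"--dport {port} -j DNAT --to-destination {rule['dst']}:{dport}"
            )
            # Without this the SYN is rewritten and then dropped in FORWARD,
            # which a browser shows as a connection that just times out.
            cmds.append(
                f"iptables -A FORWARD -i {iface}{src} -p tcp -d {rule['dst']} "
                f"--dport {dport} -j ACCEPT"
            )
    return cmds


def missing_forward_accepts(cmds):
    """Return sorted (host, port) pairs that are DNATed but never accepted."""
    dnats, accepts = set(), set()
    for cmd in cmds:
        argv = shlex.split(cmd)
        if "--to-destination" in argv:
            host, _, port = argv[argv.index("--to-destination") + 1].partition(":")
            if not port:                        # DNAT keeps the original port
                port = argv[argv.index("--dport") + 1]
            dnats.add((host, int(port)))
        elif "FORWARD" in argv and "ACCEPT" in argv and "-d" in argv and "--dport" in argv:
            host = argv[argv.index("-d") + 1]
            port = argv[argv.index("--dport") + 1]
            accepts.add((host, int(port)))
    return sorted(dnats - accepts)


if __name__ == "__main__":
    for entry in ("25,143>10.120.132.6", "eth0#0/0~443>10.120.132.105~8543"):
        for cmd in to_iptables(parse_forward(entry)):
            print(cmd)
    print("DNAT without FORWARD accept:", missing_forward_accepts([THREAD_MANUAL_RULE]))
```

The generated FORWARD rule only covers the inbound leg; reply packets need the usual `ESTABLISHED,RELATED` accept that any stateful ruleset (AIF included) already carries. The parser also rejects the `host:port` spelling from the earlier messages, since the corrected entry uses `~` for the internal port.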