[Firewall] Having trouble with https port forwarding

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Tue Mar 30 16:59:49 CEST 2010


Hi Arno,

Do note I'm an extremely busy man so getting this to work before Friday 
isn't something that can be guaranteed.

What I need (to see) is:
- your firewall.conf;
- the output of 'ifconfig';
- your firewall logs. Is there anything relevant in there?;
- enable tracing in firewall.conf and send me the output.

And maybe just maybe we can nail this sucker....


cheers,

Arno


Romy Roma wrote:
> Hi Arno,
> 
> I appreciate and value your work a lot. Since I am not an expert in the 
> firewall area, it has saved me many headaches until now. I just have to get this 
> right now and your solution was really a good fit for a novice.
> I also managed to set up OpenVPN and everything works just fine.
> 
> Whether the option -m tcp is wrong or not, I executed it and the https 
> port forwarding just worked (AIF off).
> 
> I really want it to work with AIF, so I would really appreciate your help.
> 
> You said:
>  > and there is no source interface so if this works you surely have a 
> weird setup of your routing...
> 
> Is this the problem of getting it work with AIF?
> 
> Regards,
> Romy
> 
> 
> On Tue, Mar 30, 2010 at 10:46 AM, Arno van Amersfoort 
> <arnova at rocky.eld.leidenuniv.nl> wrote:
> 
>     Again, the manual way of getting it to work doesn't look right:
> 
>     iptables -t nat -A PREROUTING -s ! 10.120.132.0/23 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.120.132.105:8543
> 
>     -m tcp is surely incorrect
> 
>     and there is no source interface so if this works you surely have a
>     weird setup of your routing....
> 
> 
> 
>     Romy Roma wrote:
> 
>         Hi Gustin,
> 
>         I just updated my AIF with the release Arno just posted today!
> 
>         I am testing using a browser on an external machine.
> 
>         On Mon, Mar 29, 2010 at 10:07 PM, Gustin Johnson
>         <gustin at meganerd.ca> wrote:
> 
>            How are you testing this?   Are you trying to connect from
>            inside your NAT'd network to the external IP which then gets port
>            forwarded back in or do you have an external machine that you are
>            testing with?
> 
>            Also, have you tried a more recent version of AIF?
> 
>            On Mon, Mar 29, 2010 at 9:04 AM, Romy Roma
>            <bouroy at googlemail.com> wrote:
>             > Sorry, it is a typo from me. I had correctly written it in my
>             > custom-rules as you mentioned. Anyway, I double checked again and
>             > restarted AIF, but it still does not work.
>             >
>             > NAT_FORWARD_TCP="25,143>10.120.132.6 eth0#0/0~443>10.120.132.105~8543"
>             >
>             > thanks for your attention.
>             > Romy
>             >
>             > On Mon, Mar 29, 2010 at 4:49 PM, Arno van Amersfoort
>             > <arnova at rocky.eld.leidenuniv.nl> wrote:
>             >>
>             >> I'm surprised that the script doesn't spit out an error since
>             >> the syntax is wrong. It should be:
>             >>
>             >> "eth0#0/0~443>10.120.132.105~8543"
>             >>
>             >> And you may want to use an up-2-date stable version of my
>             >> firewall....
>             >>
>             >> a.
>             >>
>             >> Romy Roma wrote:
>             >>>
>             >>> thanks for your reply
>             >>>
>             >>> I changed the forward in my custom-rules as you suggested to:
>             >>> NAT_FORWARD_TCP="eth0#0/0~443>10.120.132.105:8543"
>             >>>
>             >>> But it still does not work. Here is the output of the arno
>             >>> start script:
>             >>>
>             >>> Enabling SNAT via external interface(s): eth0
>             >>>  Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
>             >>> (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
>             >>> (eth0) Forwarding(NAT) TCP port(s) 0/0:443 to 10.120.132.105:8543
>             >>> Security is ENFORCED for external interface(s) in the FORWARD chain
>             >>>
>             >>> Strange is that when I set a wrong destination port in the
>             >>> forward, the browser gets a connection failed as expected. However,
>             >>> when the right port is set the browser gets connected but times out
>             >>> with no reply.
>             >>>
>             >>> When I disable AIF (bad idea, it is the only firewall I am
>             >>> using now) and execute just this line it works fine:
>             >>> iptables -t nat -A PREROUTING -s ! 10.120.132.0/23 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.120.132.105:8543
>             >>>
>             >>> No idea what is blocking the forwarding when AIF is enabled
>             >>>
>             >>> Many thanks
>             >>> Romy
>             >>>
>             >>> On Mon, Mar 29, 2010 at 2:13 PM, Gustin Johnson
>             >>> <gustin at meganerd.ca> wrote:
>             >>>
>             >>>    Romy Roma wrote:
>             >>>    <snip>
>             >>>     >
>             >>>     >  Adding (internal) host(s): 10.120.132.0/23 10.120.131.0/24
>             >>>     > (eth0) Forwarding(NAT) TCP port(s) 0/0:25,143 to 10.120.132.6
>             >>>     > (eth0) Forwarding(NAT) TCP port(s) 188.40.124.147:443 to 10.120.132.105:8543
>             >>>
>             >>>    You are only port forwarding if the source is 188.40.124.147, you
>             >>>    might want to change that to 0/0 or to the IP and netmask of the
>             >>>    source (if you want to lock down access).
>             >>>
>             >>>
>             >>>    _______________________________________________
>             >>>    Firewall mailing list
>             >>>    Firewall at rocky.eld.leidenuniv.nl
>             >>>    http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>             >>>    Arno's (Linux IPTABLES Firewall) Homepage:
>             >>>    http://rocky.eld.leidenuniv.nl
>             >>
>             >> --
>             >> Arno van Amersfoort
>             >> E-mail    : arnova at rocky.eld.leidenuniv.nl
> 
>             >> Donations are welcome through Paypal!
>             >> ---------------------------------------------------------------------------
>             >> Arno's (Linux IPTABLES Firewall) Homepage:
>             >> http://rocky.eld.leidenuniv.nl
>             >
>             >
> 
> 
> 
> 
> 
>     -- 
>     Arno van Amersfoort
>     E-mail    : arnova at rocky.eld.leidenuniv.nl
>     Donations are welcome through Paypal!
>     ---------------------------------------------------------------------------
>     Arno's (Linux IPTABLES Firewall) Homepage:
>     http://rocky.eld.leidenuniv.nl
> 
> 
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
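
Added example, not code from the thread and not part of AIF itself: a small Python checker for NAT_FORWARD_TCP entries of the kind discussed above. The entry grammar it uses, `[iface#][source~]ports>dest[~dport]`, is inferred from the entries quoted in the thread and is an assumption, as are the exact iptables rules it prints (AIF's own generated rules may differ). It rejects the `10.120.132.105:8543` form that the thread says should have produced an error, warns when the source part is a single host (the `188.40.124.147:443` case Gustin pointed out, which only forwards traffic from that one address), and shows that a forward needs both a PREROUTING DNAT rule bound to the external interface and a matching FORWARD accept, which the hand-typed iptables line in the thread did not include.

```python
"""Sanity-check Arno's Iptables Firewall (AIF) NAT_FORWARD_TCP entries.

Added example; this is not AIF's own code nor code from the thread. The
entry grammar below is inferred from the entries quoted in the thread
(assumption):

    [iface#][source~]port[,port...]>dest_ip[~dest_port]

e.g. "eth0#0/0~443>10.120.132.105~8543" or "25,143>10.120.132.6".
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

ANY_SOURCE = {"0/0", "0.0.0.0/0"}

# Assumed grammar (see module docstring), one entry per regex match.
ENTRY_RE = re.compile(
    r"^(?:(?P<iface>[A-Za-z0-9.+-]+)#)?"   # optional external interface
    r"(?:(?P<src>[^~>]+)~)?"               # optional source host/network
    r"(?P<ports>\d+(?:,\d+)*)"             # one or more external ports
    r">(?P<dst>[0-9.]+)"                   # internal destination host
    r"(?:~(?P<dport>\d+))?$"               # optional different internal port
)


@dataclass
class Forward:
    iface: Optional[str]       # None: match on any interface
    src: Optional[str]         # None: any source
    ports: List[int]
    dst: str
    dport: Optional[int]       # None: keep the external port
    warnings: List[str] = field(default_factory=list)


def parse_entry(text: str) -> Forward:
    """Parse one entry; raise ValueError on syntax the grammar does not allow."""
    m = ENTRY_RE.match(text.strip())
    if m is None:
        if ":" in text:
            raise ValueError(
                f"{text!r}: ':' is not a separator here; use '~' before the internal port"
            )
        raise ValueError(f"{text!r}: not of the form [iface#][src~]ports>dst[~dport]")
    dst = str(ipaddress.ip_address(m["dst"]))  # reject malformed destination IPs
    src = None
    warnings = []
    if m["src"] is not None and m["src"] not in ANY_SOURCE:
        net = ipaddress.ip_network(m["src"], strict=False)
        src = str(net)
        if net.prefixlen == net.max_prefixlen:
            warnings.append(
                f"forward only applies to connections coming from {net.network_address}; "
                "use 0/0 to accept any source"
            )
    ports = [int(p) for p in m["ports"].split(",")]
    dport = int(m["dport"]) if m["dport"] else None
    for p in ports + ([dport] if dport else []):
        if not 1 <= p <= 65535:
            raise ValueError(f"{text!r}: port {p} out of range")
    return Forward(m["iface"], src, ports, dst, dport, warnings)


def parse_nat_forward_tcp(value: str) -> List[Forward]:
    """Split a NAT_FORWARD_TCP value (whitespace-separated entries) and parse each."""
    return [parse_entry(e) for e in value.split()]


def to_iptables(fwd: Forward) -> List[str]:
    """Render the DNAT plus matching FORWARD-accept rules one entry stands for.

    This mirrors what the firewall log lines in the thread describe; the exact
    rules AIF generates may differ (assumption).
    """
    iface = f" -i {fwd.iface}" if fwd.iface else ""
    src = f" -s {fwd.src}" if fwd.src else ""
    rules = []
    for port in fwd.ports:
        internal = fwd.dport or port
        rules.append(
            f"iptables -t nat -A PREROUTING{iface}{src} -p tcp --dport {port}"
            f" -j DNAT --to-destination {fwd.dst}:{internal}"
        )
        # DNAT alone is not enough: the rewritten packet must also pass FORWARD.
        rules.append(
            f"iptables -A FORWARD{iface}{src} -p tcp -d {fwd.dst} --dport {internal} -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    # Constructed inputs: the working entry from the thread and two broken variants.
    for value in (
        "25,143>10.120.132.6 eth0#0/0~443>10.120.132.105~8543",
        "eth0#188.40.124.147~443>10.120.132.105~8543",
        "eth0#0/0~443>10.120.132.105:8543",
    ):
        try:
            for fwd in parse_nat_forward_tcp(value):
                print("\n".join(to_iptables(fwd)))
                for w in fwd.warnings:
                    print("  WARNING:", w)
        except ValueError as err:
            print("REJECTED:", err)
```

Running it as a script prints the rules for the correct entries, a warning for the single-host source, and a rejection for the `:` form. A check like this belongs before the firewall is restarted, since, as the thread shows, a silently accepted wrong entry produces a forward that looks correct in the start-up log but never delivers the packets.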

