I have an openvpn server running on port 1194 successfully. The box is 1 server split into 2 IP addresses xx.xx.xx.198 and xx.xx.xx.199. A proxy server runs on the 198 server and the VPN on 199. I have been trying to set up a port forward from port 443 on the 199 server to 1194 so that users can use the VPN when they are in hotels or behind work firewalls. Although the packets are reaching the server, the VPN will not connect on port 443. I have tried the OpenVPN mailing list and after extensive testing, they cannot see why the packets are not being received so something must be wrong with the routing. Any ideas on what the problem could be? I have included the iptables rules below.

# Generated by iptables-save v1.3.5 on Wed Jun 30 16:44:05 2010
*filter
:INPUT DROP [340:25253]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [157:7792]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jun 30 16:44:05 2010
# Generated by iptables-save v1.3.5 on Wed Jun 30 16:44:05 2010
*nat
:PREROUTING ACCEPT [374:37633]
:POSTROUTING ACCEPT [1391:87497]
:OUTPUT ACCEPT [1391:87497]
-A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A PREROUTING -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A OUTPUT -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
COMMIT
# Completed on Wed Jun 30 16:44:05 2010
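A small tracer, added here as an illustration and not part of the original post, that walks a client packet through the nat PREROUTING and filter INPUT chains of a cut-down copy of the ruleset above. It encodes one property of the REDIRECT target documented in the iptables manual: besides changing the port to --to-ports, REDIRECT rewrites the destination address to the primary address of the incoming interface. The post does not say which of the two addresses is eth0's primary one, so the script runs both cases; the 203.0.113.x addresses are stand-ins for the masked ones, and the excerpt keeps only the rules on the 443 -> 1194 path.

```python
"""Trace a client packet through an iptables-save dump: nat PREROUTING first,
then the filter INPUT chain.  Added example; not from the original post."""
import shlex

# Constructed excerpt of the rules in the post, limited to the ones on the
# 443 -> 1194 path.  The post's masked addresses are replaced with the
# documentation range 203.0.113.0/24 (an assumption, not the real hosts).
RULESET = """
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 203.0.113.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -d 203.0.113.199 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A PREROUTING -d 203.0.113.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
COMMIT
"""

# Match options this tracer models: flag -> (packet field, converter).
FIELDS = {
    "-i": ("iface", str),
    "-p": ("proto", str),
    "-d": ("dst", lambda s: s.split("/")[0]),
    "--dport": ("dport", int),
    "--state": ("state", lambda s: set(s.split(","))),
}

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into {chain, match, target[, to_port]}."""
    toks, rule, i = shlex.split(line), {"match": {}}, 0
    while i < len(toks):
        tok, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-A":
            rule["chain"] = nxt
        elif tok == "-j":
            rule["target"] = nxt
        elif tok == "--to-ports":
            rule["to_port"] = int(nxt)
        elif tok in FIELDS:
            field, conv = FIELDS[tok]
            rule["match"][field] = conv(nxt)
        elif tok != "-m":
            i += 1          # option not modelled here (--limit, --rsource, ...)
            continue
        i += 2              # "-m <module>" and every case above consume a value
    return rule

def parse_ruleset(text):
    """Return {table: {"policy": {chain: policy}, "rules": [rule, ...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            table["rules"].append(parse_rule(line))
    return tables

def matches(rule, pkt):
    """A rule matches when every option it specifies agrees with the packet."""
    for field, want in rule["match"].items():
        if field == "state":
            if pkt["state"] not in want:
                return False
        elif pkt[field] != want:
            return False
    return True

def walk(table, chain, pkt):
    """First matching rule in the chain, or a pseudo-rule carrying the policy."""
    for rule in table["rules"]:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule
    return {"target": table["policy"].get(chain, "ACCEPT")}

def trace(tables, pkt, primary_addr):
    """Return (INPUT verdict, packet as the filter table saw it)."""
    pkt = dict(pkt)
    hit = walk(tables["nat"], "PREROUTING", pkt)
    if hit["target"] == "REDIRECT":
        # REDIRECT rewrites the port to --to-ports and, per the iptables
        # manual, the destination address to the incoming interface's
        # *primary* address, which may not be the alias the client used.
        pkt["dport"] = hit["to_port"]
        pkt["dst"] = primary_addr
    return walk(tables["filter"], "INPUT", pkt)["target"], pkt

if __name__ == "__main__":
    tables = parse_ruleset(RULESET)
    client = {"iface": "eth0", "dst": "203.0.113.199", "proto": "tcp",
              "dport": 443, "state": "NEW"}
    for primary in ("203.0.113.198", "203.0.113.199"):
        verdict, seen = trace(tables, client, primary)
        print(f"eth0 primary {primary}: INPUT sees {seen['dst']}:{seen['dport']} -> {verdict}")
```

If eth0's primary address is the .198 one, the redirected packet reaches INPUT as .198:1194, which no ACCEPT rule covers, and falls to the DROP policy; the same walk shows that the udp 443 redirect lands on udp 1194, for which the INPUT chain in the post has no rule at all. On the box itself, `iptables -t nat -L PREROUTING -v -n` and `iptables -L INPUT -v -n` show whether the REDIRECT counter and the tcp 1194 ACCEPT counter both move during a connection attempt; if only the first does, a DNAT rule of the form `-j DNAT --to-destination <199 address>:1194` keeps the destination address the client used rather than substituting the interface's primary one.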