Would these rules be better? I rewrote the OUTPUT sections. Should I remove this line completely?

-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Reworked iptables script:

# Generated by iptables-save v1.3.5 on Wed Jun 30 16:44:05 2010
*filter
:INPUT DROP [340:25253]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [157:7792]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jun 30 16:44:05 2010
# Generated by iptables-save v1.3.5 on Wed Jun 30 16:44:05 2010
*nat
:PREROUTING ACCEPT [374:37633]
:POSTROUTING ACCEPT [1391:87497]
:OUTPUT ACCEPT [1391:87497]
-A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A PREROUTING -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 30 16:44:05 2010

----------------------------------------
> Date: Tue, 6 Jul 2010 20:08:29 +0200
> From: swifty@xxxxxxxxxxx
> To: webster_jack@xxxxxxxxxxx
> CC: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: iptables not forwarding port 443
>
>> Hi
>> Thanks.
>> No, there is no proxy in the middle in this testing case, I believe that's why the packets are received at port 443 on the server but then somehow dropped.
>>
> Could you check it??? iptraf or tcpdump??? (Just to be sure!)
>
>> Is there anything wrong with the iptables rules that might stop this?
>>
>
> I do not understand these rules:
>
> #filter:
>
> -A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
> -A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
>
> OUTPUT is generated on localhost...
>
> Destination xx.xxx.xxx.198 and xx.xxx.xxx.199... Hmm... Do you really want to send the VPN packets back to yourself???
>
> -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>
> ACCEPT everything?
>
> #nat
>
> -A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
> -A OUTPUT -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
>
> What do you expect from these rules?
>
>>> It is a bit dangerous to use 443/tcp for vpn...
>>>
>> It was recommended by the OpenVPN users list.
>>
> Interesting... :D
>
>>> But you can set up 2 services on the same host...
>>>
>> Yes, I could, but that makes an administration problem to do with status logs and other stuff, I think.
>>
> It depends on you... I have 5 vpn services on the same host. (LDAP/PAM
> authentication integrated.)
>
> Swifty
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
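As an added example (not from this thread or from either poster), a small Python linter over the iptables-save format that checks the points raised above: rules that only restate an ACCEPT chain policy (the OUTPUT question), exact duplicate rules, and a nat REDIRECT whose target port the filter INPUT chain never accepts for that protocol. SAMPLE is a constructed, trimmed copy of the posted rules, and the INPUT check only recognises exact --dport matches, so an accept rule without --dport would be reported as missing.

```python
from collections import Counter
# Constructed sample: a trimmed copy of the iptables-save dump posted in this thread.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A PREROUTING -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
"""
def parse(dump):  # -> {table: ({chain: policy}, [(chain, rule), ...])}
    tables, cur = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):                  # table header, e.g. *filter
            cur = tables.setdefault(line[1:], ({}, []))
        elif line.startswith(":"):                # chain header, e.g. :INPUT DROP [0:0]
            cur[0][line[1:].split()[0]] = line.split()[1]
        elif line.startswith("-A "):              # a rule appended to a chain
            cur[1].append((line.split()[1], line))
    return tables
def opt(rule, flag):  # value after an option token (-p, -j, --dport, --to-ports) or None
    toks = rule.split()
    return toks[toks.index(flag) + 1] if flag in toks else None
def lint(dump):
    tables, out = parse(dump), []
    for name, (policies, rules) in tables.items():
        for (chain, rule), n in Counter(rules).items():     # exact duplicate rules
            if n > 1:
                out.append(f"{name}/{chain}: rule appears {n} times: {rule}")
        for chain, policy in policies.items():              # rules that only restate the policy
            own = [r for c, r in rules if c == chain]
            if own and all(opt(r, "-j") == policy for r in own):
                out.append(f"{name}/{chain}: every rule jumps to the policy {policy}; they only count packets")
    # REDIRECT rewrites the port before filter/INPUT sees it, so INPUT must accept the new port (exact --dport only)
    accepted = {(opt(r, "-p"), opt(r, "--dport")) for c, r in tables["filter"][1]
                if c == "INPUT" and opt(r, "-j") == "ACCEPT"}
    for chain, rule in tables.get("nat", ({}, []))[1]:
        proto, port = opt(rule, "-p"), opt(rule, "--to-ports")
        if opt(rule, "-j") == "REDIRECT" and (proto, port) not in accepted:
            out.append(f"nat/{chain}: {proto}/{opt(rule, '--dport')} -> {proto}/{port}, but filter/INPUT never accepts {proto}/{port}")
    return out
```

Run lint() on the output of `iptables-save` to get the same three kinds of findings for a live rule set.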