So, change it to this?
-A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j DNAT --to-ports 1194

I had udp open as I was planning to change the vpn to udp in the near future.

----------------------------------------
> Date: Wed, 7 Jul 2010 16:51:04 +0200
> From: pascal.mail@xxxxxxxxxxxxxxx
> To: webster_jack@xxxxxxxxxxx
> CC: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: iptables not forwarding port 443
>
> Hello,
>
> J. Webster wrote:
>> I have an openvpn server running on port 1194 successfully.
>> The box is 1 server split into 2 IP addresses xx.xx.xx.198 and xx.xx.xx.199.
>> A proxy server runs on the 198 server and the VPN on 199.
>> I have been trying to set up a port forward from port 443 on the 199 server to 1194 so that users can use the VPN when they are in hotels or behind work firewalls. Although the packets are reaching the server, the VPN will not connect on port 443.
>> I have tried the OpenVPN mailing list and after extensive testing, they cannot see why the packets are not being received so something must be wrong with the routing.
>> Any ideas on what the problem could be?
>> I have included the iptables rules below.
>>
>> # Generated by iptables-save v1.3.5 on Wed Jun 30 16:44:05 2010
>> *filter
> [...]
>> -A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
> [...]
>> *nat
> [...]
>> -A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
>
> Just a thought: the iptables manpage says that REDIRECT changes the
> destination address to the *primary* address of the incoming interface.
> If the primary address is xx.xxx.xxx.198 while the openvpn server
> listens on xx.xxx.xxx.199, I'm afraid it won't do what you expect. I'd
> suggest to replace REDIRECT with DNAT and specify the new destination
> address explicitly.
>
>> -A PREROUTING -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
>
> (Why redirect UDP if you don't accept it?)
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
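
Added example, not part of the thread and not code from any poster: a small Python lint over iptables-save output that flags the two points raised in the quoted reply, namely a REDIRECT rule matching a non-primary address and a redirected protocol that the filter table never accepts. The 192.0.2.x addresses, the sample ruleset and the function names are constructed, and which address is the interface's primary one is an assumption passed in by the caller.

```python
import shlex

# Constructed sample in iptables-save format, modelled on the quoted rules;
# 192.0.2.198/.199 are documentation addresses, not the poster's.
SAMPLE = """\
*filter
-A INPUT -d 192.0.2.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
COMMIT
*nat
-A PREROUTING -d 192.0.2.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A PREROUTING -d 192.0.2.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
COMMIT
"""
NOT_PRIMARY = "REDIRECT targets the primary address, not -d; use DNAT --to-destination"
NOT_ACCEPTED = "no INPUT ACCEPT for the redirected protocol/port"

def parse(text):
    """Yield (table, options) per -A rule; options maps each flag to its value."""
    table = None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opts = {"chain": tok[1]}
            for flag, value in zip(tok, tok[1:]):
                if flag.startswith("-") and not value.startswith("-"):
                    opts[flag] = value  # negated ("!") matches are not handled
            yield table, opts

def lint(text, primary_addr):
    """Return (proto, dport, finding) tuples for REDIRECT rules in the nat table."""
    rules = list(parse(text))
    # Protocol/port pairs that the filter table's INPUT chain accepts.
    accepted = {(o.get("-p"), o.get("--dport")) for t, o in rules
                if t == "filter" and o["chain"] == "INPUT" and o.get("-j") == "ACCEPT"}
    findings = []
    for t, o in rules:
        if t != "nat" or o.get("-j") != "REDIRECT":
            continue
        proto, dport = o.get("-p"), o.get("--dport")
        # REDIRECT rewrites the destination to the incoming interface's primary address.
        if (o.get("-d") or primary_addr).split("/")[0] != primary_addr:
            findings.append((proto, dport, NOT_PRIMARY))
        # Without --to-ports the destination port is left unchanged.
        if (proto, o.get("--to-ports", dport)) not in accepted:
            findings.append((proto, dport, NOT_ACCEPTED))
    return findings
```

The accept check compares protocol and port only; an INPUT rule that also matches on -d needs that address to agree with wherever the packet ends up after NAT.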