That seems to work, the VPN now connects on port 443. However, when I go to whatsmyip, instead of giving me the xx.xx.xx.199 address, it gives me the xx.xx.xx.198 address. Not a massive problem in itself, but something in the routing must be incoming on 199 and outgoing on 198.

Current iptables:

# Generated by iptables-save v1.3.5 on Wed Jul 7 16:06:49 2010
*nat
:PREROUTING ACCEPT [29:10687]
:POSTROUTING ACCEPT [27:8372]
:OUTPUT ACCEPT [27:8372]
-A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j DNAT --to-destination xx.xxx.xxx.199:1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jul 7 16:06:49 2010
# Generated by iptables-save v1.3.5 on Wed Jul 7 16:06:49 2010
*filter
:INPUT DROP [28:2114]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [14:728]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jul 7 16:06:49 2010

----------------------------------------
> Date: Wed, 7 Jul 2010 17:00:38 +0200
> From: pascal.mail@xxxxxxxxxxxxxxx
> To: webster_jack@xxxxxxxxxxx
> CC: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: iptables not forwarding port 443
>
> (Please don't top post)
>
> J. Webster wrote:
>> So, change it to this?
>> -A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j DNAT --to-ports 1194
>
> man iptables. DNAT expects "--to-destination <ip>:<port>".
>
>> I had udp open as I was planning to change the vpn to udp in the near future.
>
> AFAICS you don't have UDP open in your filter rules, you just redirect
> it (useless as it will be dropped).
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
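The two problems raised in the exchange above (a nat rule that redirects a port the filter table then drops, and a MASQUERADE that makes VPN clients leave on the interface's primary address rather than the intended one) are easy to miss in a long iptables-save dump. The following lint script is an added example, not code from the thread or from the netfilter project: it parses a dump in iptables-save format, reports DNAT/REDIRECT rules whose translated port has no matching INPUT ACCEPT, reports rules listed twice (the posted dump has the POSTROUTING MASQUERADE twice), and rewrites a MASQUERADE rule as SNAT pinned to a chosen address. The embedded dump is constructed from the rules in the post with 203.0.113.198/.199 standing in for xx.xxx.xxx.198/.199; the udp DNAT line is added to show the "redirected but dropped" case Pascal describes and is not in the original dump.

```python
"""Lint an iptables-save dump for the mistakes discussed in the thread."""
import re
from collections import Counter

# Constructed sample modelled on the posted dump (not the author's real dump).
# 203.0.113.x are documentation addresses standing in for xx.xxx.xxx.x.
# The udp DNAT line is added to exercise the "redirected then dropped" check.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.199 -p tcp -m tcp --dport 443 -j DNAT --to-destination 203.0.113.199:1194
-A PREROUTING -d 203.0.113.199 -p udp -m udp --dport 443 -j DNAT --to-destination :1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 203.0.113.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -d 203.0.113.199 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
COMMIT
"""


def parse_dump(text):
    """Return {table_name: [rule, ...]} from iptables-save output."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line == 'COMMIT':
            continue
        if line.startswith('*'):            # table header, e.g. "*nat"
            table = line[1:]
            tables[table] = []
        elif line.startswith('-A ') and table is not None:
            tables[table].append(line)      # chain policy lines (":...") are skipped
    return tables


def _opt(rule, flag):
    """Value following a whitespace-delimited option such as -p or --dport."""
    m = re.search(r'(?:^|\s)' + re.escape(flag) + r'\s+(\S+)', rule)
    return m.group(1) if m else None


def find_duplicates(tables):
    """(table, rule) for every rule that appears more than once in its table."""
    return [(t, r) for t, rules in tables.items()
            for r, n in Counter(rules).items() if n > 1]


def accepted_ports(tables):
    """Set of (proto, dport) explicitly accepted in filter/INPUT."""
    acc = set()
    for rule in tables.get('filter', []):
        if rule.startswith('-A INPUT ') and _opt(rule, '-j') == 'ACCEPT':
            proto, dport = _opt(rule, '-p'), _opt(rule, '--dport')
            if proto and dport:
                acc.add((proto, dport))
    return acc


def redirect_without_accept(tables):
    """DNAT/REDIRECT rules whose translated port INPUT will not accept.

    The translated port comes from --to-destination (addr:port or :port),
    --to-ports, or, if neither names a port, the original --dport.
    """
    acc, problems = accepted_ports(tables), []
    for rule in tables.get('nat', []):
        if _opt(rule, '-j') not in ('DNAT', 'REDIRECT'):
            continue
        dest = _opt(rule, '--to-destination')
        if dest and ':' in dest:
            port = dest.rsplit(':', 1)[1]
        else:
            port = _opt(rule, '--to-ports') or _opt(rule, '--dport')
        if (_opt(rule, '-p'), port) not in acc:
            problems.append((_opt(rule, '-p'), port, rule))
    return problems


def masquerade_rules(tables):
    return [r for r in tables.get('nat', []) if _opt(r, '-j') == 'MASQUERADE']


def suggest_snat(rule, source_ip):
    """MASQUERADE uses the outgoing interface's primary address; to make the
    VPN clients leave from a specific secondary address, use SNAT instead."""
    return rule.replace('-j MASQUERADE', '-j SNAT --to-source ' + source_ip)


if __name__ == '__main__':
    t = parse_dump(SAMPLE_DUMP)
    for table, rule in find_duplicates(t):
        print('duplicate in', table + ':', rule)
    for proto, port, rule in redirect_without_accept(t):
        print('redirected to %s/%s but not accepted by INPUT: %s' % (proto, port, rule))
    for rule in masquerade_rules(t):
        print('consider:', suggest_snat(rule, '203.0.113.199'))
```

Run it against a real dump with `iptables-save | python lint.py` after replacing SAMPLE_DUMP with `sys.stdin.read()`; the SNAT suggestion only applies if the secondary address is the one the clients should appear from, which is the .199 case in the post.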