From: Pascal Hambourg
Subject: Re: iptables not forwarding port 443
Date: Wed, 07 Jul 2010 16:51:04 +0200
Message-ID: <4C349458.6010202@plouf.fr.eu.org>
To: "J. Webster"
Cc: netfilter@vger.kernel.org

Hello,

J. Webster wrote:
> I have an openvpn server running on port 1194 successfully.
> The box is 1 server split into 2 IP addresses xx.xx.xx.198 and xx.xx.xx.199.
> A proxy server runs on the 198 server and the VPN on 199.
> I have been trying to set up a port forward from port 443 on the 199 server to 1194 so that users can use the VPN when they are in hotels or behind work firewalls. Although the packets are reaching the server, the VPN will not connect on port 443.
> I have tried the OpenVPN mailing list and after extensive testing, they cannot see why the packets are not being received so something must be wrong with the routing.
> Any ideas on what the problem could be?
> I have included the iptables rules below.
>
> # Generated by iptables-save v1.3.5 on Wed Jun 30 16:44:05 2010
> *filter
[...]
> -A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
[...]
> *nat
[...]
> -A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194

Just a thought: the iptables manpage says that REDIRECT changes the destination address to the *primary* address of the incoming interface. If the primary address is xx.xxx.xxx.198 while the openvpn server listens on xx.xxx.xxx.199, I'm afraid it won't do what you expect. I'd suggest replacing REDIRECT with DNAT and specifying the new destination address explicitly.

> -A PREROUTING -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194

(Why redirect UDP if you don't accept it?)
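An added lint script, not part of the thread, that checks an iptables-save dump for the two problems raised in the reply: REDIRECT rules matched on a non-primary address (rewritten to the equivalent explicit DNAT) and nat redirects whose target protocol/port has no ACCEPT in the filter INPUT chain. The 192.0.2.x addresses are constructed stand-ins for the thread's xx.xxx.xxx.198/.199, and .198 is assumed to be the interface's primary address.

```shell
#!/bin/sh
# REDIRECT rewrites the destination to the incoming interface's *primary*
# address, so a REDIRECT matched on a secondary address (.199 here) hands the
# packet to a socket that is not listening; DNAT names the target explicitly.

# fix_redirect PRIMARY_ADDR: rewrite REDIRECT rules whose -d address is not
# PRIMARY_ADDR into equivalent DNAT rules; every other line passes through.
fix_redirect() {
    awk -v primary="$1" '
    /-j REDIRECT --to-ports/ {
        dst = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-d") { dst = $(i + 1); sub(/\/32$/, "", dst) }
            if ($i == "--to-ports") port = $(i + 1)
        }
        if (dst != "" && dst != primary)
            sub(/-j REDIRECT --to-ports [0-9]+/, "-j DNAT --to-destination " dst ":" port)
    }
    { print }'
}

# unaccepted_redirects: report nat PREROUTING REDIRECT/DNAT targets that have
# no matching "-p PROTO ... --dport PORT ... -j ACCEPT" in the filter INPUT
# chain (the thread's UDP 443 redirect next to a TCP-only 1194 accept).
unaccepted_redirects() {
    awk '
    /^-A INPUT / && /-j ACCEPT/ {
        p = ""; d = ""
        for (i = 1; i <= NF; i++) { if ($i == "-p") p = $(i + 1); if ($i == "--dport") d = $(i + 1) }
        if (p != "" && d != "") ok[p ":" d] = 1
    }
    /^-A PREROUTING / && (/-j REDIRECT/ || /-j DNAT/) {
        p = ""; t = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") p = $(i + 1)
            if ($i == "--to-ports") t = $(i + 1)
            if ($i == "--to-destination") { t = $(i + 1); sub(/.*:/, "", t) }
        }
        nat[n++] = p ":" t
    }
    END { for (i = 0; i < n; i++) if (!(nat[i] in ok)) print "no INPUT ACCEPT for " nat[i] }'
}

# Constructed ruleset in the thread's shape (primary .198, OpenVPN on .199).
SAMPLE_RULES='-A INPUT -d 192.0.2.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A PREROUTING -d 192.0.2.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A PREROUTING -d 192.0.2.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194'
printf '%s\n' "$SAMPLE_RULES" | fix_redirect 192.0.2.198
printf '%s\n' "$SAMPLE_RULES" | unaccepted_redirects
```

Feed it a real dump with `iptables-save | fix_redirect <primary-addr>`; the INPUT rule for 1194 on .199 still matches after DNAT because the packet's destination becomes 192.0.2.199:1194.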