From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: iptables not forwarding port 443
Date: Tue, 06 Jul 2010 13:03:21 -0500
Message-ID: <4C336FE9.3080403@riverviewtech.net>
In-Reply-To: <BAY145-w19572F836A9A64C0737FC2F3B20@phx.gbl>
On 07/06/10 12:40, J. Webster wrote:
> No, there is no proxy in the middle in this testing case, I believe
> that's why the packets are received at port 443 on the server but
> then somehow dropped.
Do you show OpenVPN log entries indicating that connections are being
attempted? Or is this failing during the TCP three-way-handshake?
Have you tried running TCPDump (or the likes) to watch the traffic?
> Is there anything wrong with the iptables rules that might stop this?
I don't see anything glaringly obvious.
I do question what the source port is on the reply traffic. It may be
(a modified version of) what I call the TCP-Triangle (1) that is causing
things to break.
> It was recommended by the OpenVPN users list.
I've also read that OpenVPN can run over port 443, but I've not messed
with it myself to know how well it will work.
> Yes, I could but that makes an administration problem to do with
> status logs and other stuff I think.
Can you do it long enough to test?
1: TCP-Triangle is when traffic from a client (C) is directed to a
front end server (F) which then redirects to a back end (B) server and
because of various situations the back end (B) server replies directly
to the client (C). So what you end up with is C talks to F but replies
come from B back to C causing C to reject / reset the reply all the
while timing out the initial outgoing packet.
C -> F
C -> B
C <- B
C <- B
C -> B (RESET I'm not talking to you.)
...
C -> F (Timeout)
Grant. . . .
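One way to spot the TCP-Triangle Grant describes from the tcpdump capture he suggests, as an added example that is not part of the thread: record which peer the client sent each SYN to, then flag any reply to that client port that comes from a different address. The capture lines and addresses (10.0.0.5 as the client, 203.0.113.10 as the front end F, 192.168.1.20 as the back end B) are constructed for the example.

```python
import re

# Minimal parser for tcpdump-style TCP lines: "IP a.b.c.d.port > w.x.y.z.port: Flags [..]"
PKT_RE = re.compile(
    r"IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse(line):
    """Return (src_ip, src_port, dst_ip, dst_port, flags) or None for non-TCP lines."""
    m = PKT_RE.search(line)
    if not m:
        return None
    return (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]), m["flags"])

def find_triangle(lines, client_ip):
    """Return [(client_port, peer_the_client_dialled, peer_that_replied)] for every
    reply that arrives from an address the client never sent its SYN to."""
    expected = {}   # client source port -> (ip, port) the SYN was sent to (F)
    findings = []
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        sip, sport, dip, dport, flags = pkt
        # tcpdump shows ACK as ".", so "[S]" without "." is the client's initial SYN
        if sip == client_ip and "S" in flags and "." not in flags:
            expected[sport] = (dip, dport)
        elif dip == client_ip and dport in expected:
            # Reply to a port we dialled: it must come from the peer we dialled,
            # otherwise the client has no matching socket and will RST it.
            if (sip, sport) != expected[dport]:
                findings.append((dport, expected[dport], (sip, sport)))
    return findings

# Constructed capture: port 40000 shows the triangle (SYN to F, SYN-ACK from B,
# client RST, SYN retransmit); port 40001 is a healthy handshake with F.
SAMPLE = [
    "12:00:00.000001 IP 10.0.0.5.40000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:00.000500 IP 192.168.1.20.443 > 10.0.0.5.40000: Flags [S.], seq 100, ack 2, length 0",
    "12:00:00.000600 IP 10.0.0.5.40000 > 192.168.1.20.443: Flags [R], seq 2, win 0, length 0",
    "12:00:03.000001 IP 10.0.0.5.40000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:05.000001 IP 10.0.0.5.40001 > 203.0.113.10.443: Flags [S], seq 7, win 64240, length 0",
    "12:00:05.000400 IP 203.0.113.10.443 > 10.0.0.5.40001: Flags [S.], seq 300, ack 8, length 0",
]

if __name__ == "__main__":
    for port, dialled, replied in find_triangle(SAMPLE, "10.0.0.5"):
        print(f"port {port}: dialled {dialled}, reply came from {replied}")
```

A hit means the back end is answering the client directly instead of through the box that DNATed the packet, which is exactly the case where the forwarder also needs to SNAT (or the back end needs to route its replies back via F).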