* iptables not forwarding port 443
From: J. Webster @ 2010-07-06 16:39 UTC
To: netfilter

I have an openvpn server running on port 1194 successfully.
The box is 1 server split into 2 IP addresses xx.xx.xx.198 and xx.xx.xx.199.
A proxy server runs on the 198 server and the VPN on 199.
I have been trying to set up a port forward from port 443 on the 199 server to 1194 so that users can use the VPN when they are in hotels or behind work firewalls. Although the packets are reaching the server, the VPN will not connect on port 443.
I have tried the OpenVPN mailing list and after extensive testing, they cannot see why the packets are not being received so something must be wrong with the routing.
Any ideas on what the problem could be?
I have included the iptables rules below.

# Generated by iptables-save v1.3.5 on Wed Jun 30 16:44:05 2010
*filter
:INPUT DROP [340:25253]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [157:7792]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jun 30 16:44:05 2010
# Generated by iptables-save v1.3.5 on Wed Jun 30 16:44:05 2010
*nat
:PREROUTING ACCEPT [374:37633]
:POSTROUTING ACCEPT [1391:87497]
:OUTPUT ACCEPT [1391:87497]
-A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A PREROUTING -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A OUTPUT -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
COMMIT
# Completed on Wed Jun 30 16:44:05 2010
* Re: iptables not forwarding port 443
From: Gáspár Lajos @ 2010-07-06 17:05 UTC
To: J. Webster; Cc: netfilter

Just a few questions:
Why do you redirect the incoming packets?
Why don't you set up the VPN server to accept connections on port 443?
Is it UDP or TCP that you are using with the VPN?

Swifty
* RE: iptables not forwarding port 443
From: J. Webster @ 2010-07-06 17:10 UTC
To: swifty; Cc: netfilter

Hi
It is a TCP connection.
I could set up the server on port 443 but there are existing clients with 1194 configurations so I had hoped instead to only use 443 when necessary and avoid resending out new client configurations.
OpenVPN can only listen on 1 port.
* Re: iptables not forwarding port 443
From: Gáspár Lajos @ 2010-07-06 17:26 UTC
To: J. Webster; Cc: netfilter

Hi,

> Hi
> It is a TCP connection.

I prefer UDP... :D
It is usually not filtered...
Maybe your problem is that a "proxy-in-the-middle" tries to set up an https connection...
Or just simply drops the "unknown"/"not-https" packets...
It is a bit dangerous to use 443/tcp for vpn...

> I could set up the server on port 443 but there are existing clients with 1194 configurations so I had hoped instead to only use 443 when necessary and avoid resending out new client configurations.
> OpenVPN can only listen on 1 port.

But you can set up 2 services on the same host...
* RE: iptables not forwarding port 443
From: J. Webster @ 2010-07-06 17:40 UTC
To: swifty; Cc: netfilter

Hi
Thanks.
No, there is no proxy in the middle in this testing case, I believe that's why the packets are received at port 443 on the server but then somehow dropped.
Is there anything wrong with the iptables rules that might stop this?

> It is a bit dangerous to use 443/tcp for vpn...

It was recommended by the OpenVPN users list.

> But you can set up 2 services on the same host...

Yes, I could but that makes an administration problem to do with status logs and other stuff I think.
* Re: iptables not forwarding port 443
From: Grant Taylor @ 2010-07-06 18:03 UTC
To: Mail List - Netfilter

On 07/06/10 12:40, J. Webster wrote:
> No, there is no proxy in the middle in this testing case, I believe
> that's why the packets are received at port 443 on the server but
> then somehow dropped.

Do you show OpenVPN log entries indicating that connections are being attempted? Or is this failing during the TCP three-way-handshake?

Have you tried running TCPDump (or the likes) to watch the traffic?

> Is there anything wrong with the iptables rules that might stop this?

I don't see anything glaringly obvious.

I do question what the source port is on the reply traffic. It may be (a modified version of) what I call the TCP-Triangle (1) that is causing things to break.

> It was recommended by the OpenVPN users list.

I've also read that OpenVPN can run over port 443, but I've not messed with it myself to know how well it will work.

> Yes, I could but that makes an administration problem to do with
> status logs and other stuff I think.

Can you do it long enough to test?

1: TCP-Triangle is when traffic from a client (C) is directed to a front end server (F) which then redirects to a back end (B) server and because of various situations the back end (B) server replies directly to the client (C). So what you end up with is C talks to F but replies come from B back to C causing C to reject / reset the reply all the while timing out the initial outgoing packet.

C -> F
C -> B
C <- B
C <- B
C -> B (RESET I'm not talking to you.)
...
C -> F (Timeout)

Grant. . . .
* Re: iptables not forwarding port 443
From: Gáspár Lajos @ 2010-07-06 18:08 UTC
To: J. Webster; Cc: netfilter

> Hi
> Thanks.
> No, there is no proxy in the middle in this testing case, I believe that's why the packets are received at port 443 on the server but then somehow dropped.

Could you check it??? iptraf or tcpdump??? (Just to get sure!)

> Is there anything wrong with the iptables rules that might stop this?

I do not understand these rules:

#filter:

-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT

OUTPUT is generated on localhost...
Destination xx.xxx.xxx.198 and xx.xxx.xxx.199... Hmm... Do you really want to send the VPN packets back to yourself???

-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

ACCEPT everything?

#nat

-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A OUTPUT -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194

What do you expect from these rules?

>> It is a bit dangerous to use 443/tcp for vpn...
> It was recommended by the OpenVPN users list.

Interesting... :D

>> But you can set up 2 services on the same host...
> Yes, I could but that makes an administration problem to do with status logs and other stuff I think.

It depends on you... I have 5 vpn services on the same host. (LDAP/PAM authentication integrated.)

Swifty
* RE: iptables not forwarding port 443
From: J. Webster @ 2010-07-06 18:23 UTC
To: swifty; Cc: netfilter

[root ~]# tcpdump -i eth0 -p tcp and port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
03:30:59.514704 IP modemcable1xx.xxx-81-70.mc.videotron.ca.24682 > serverxx-xxx-xxx-199.live-servers.net.https: S 204510893:204510893(0) win 65535 <mss 1460,nop,nop,sackOK>
03:31:02.556916 IP modemcable1xx.xxx-81-70.mc.videotron.ca.24682 > serverxx-xxx-xxx-199.live-servers.net.https: S 204510893:204510893(0) win 65535 <mss 1460,nop,nop,sackOK>
03:31:08.566818 IP modemcable1xx.xxx-81-70.mc.videotron.ca.24682 > serverxx-xxx-xxx-199.live-servers.net.https: S 204510893:204510893(0) win 65535 <mss 1460,nop,nop,sackOK>
03:31:25.538953 IP modemcable1xx.xxx-81-70.mc.videotron.ca.24683 > serverxx-xxx-xxx-199.live-servers.net.https: S 1489105891:1489105891(0) win 65535 <mss 1460,nop,nop,sackOK>
03:31:28.383241 IP modemcable1xx.xxx-81-70.mc.videotron.ca.24683 > serverxx-xxx-xxx-199.live-servers.net.https: S 1489105891:1489105891(0) win 65535 <mss 1460,nop,nop,sackOK>

The OUTPUT rules are to allow traffic to go out from the server on certain ports. I guess it should be source not -d?

> -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> ACCEPT everything?

Isn't it blocked in the rules above? I think I have a drop all packets apart from those in the list.

> -A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
> -A OUTPUT -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
> What do you expect from these rules?

To allow out tcp or udp traffic from the VPN server. I guess it's not needed.
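The capture above is the symptom Grant asked about: the client's SYN to port 443 is retransmitted with the same sequence number (three times from port 24682, then twice from a fresh port 24683) and nothing ever comes back, so the failure is in the three-way handshake, after the packet has reached the host. The script below is an added example, not part of the original thread; it parses classic-format tcpdump lines (the `S seq:seq(0) ... win` style shown above, not the newer `Flags [S]` style) and reports flows where identical SYNs were retried with no SYN-ACK in the other direction. The sample capture is constructed: the hostnames client.example and vpn.example are placeholders, the 443 flows mirror the pattern posted above, and a working handshake on port 1194 is included for contrast.

```python
"""Find TCP flows whose SYN was retried but never answered, from classic tcpdump text (added example)."""
import re
from collections import defaultdict

# Classic tcpdump TCP line, as in the capture in this thread:
#   TIME IP SRC.SPORT > DST.DPORT: FLAGS [SEQ:SEQ(LEN)] [ack N] win W ...
_LINE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): '
    r'(?P<flags>[SFRP.]+) (?:(?P<seq>\d+):\d+\(\d+\) )?(?:ack (?P<ack>\d+) )?win \d+')

def parse(line):
    """Fields of one tcpdump TCP line, or None for anything else (ARP, UDP, banner lines)."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p['syn'] = 'S' in p['flags']
    p['synack'] = p['syn'] and p['ack'] is not None
    return p

def find_unanswered_syns(lines, min_tries=2):
    """Flows with at least min_tries identical SYNs from the client and no SYN-ACK back."""
    syns, answered = defaultdict(list), set()
    for line in lines:
        p = parse(line)
        if p is None or not p['syn']:
            continue
        if p['synack']:   # server -> client; key it from the client's point of view
            answered.add((p['dst'], p['dport'], p['src'], p['sport']))
        else:
            syns[(p['src'], p['sport'], p['dst'], p['dport'])].append(p['seq'])
    findings = []
    for flow, seqs in syns.items():
        # A retransmitted SYN keeps its ISN; a brand-new attempt gets a new source port and ISN.
        if flow not in answered and len(seqs) >= min_tries and len(set(seqs)) == 1:
            findings.append({'client': flow[0], 'cport': flow[1], 'server': flow[2],
                             'port': flow[3], 'tries': len(seqs)})
    return findings

# Constructed sample: the thread's port-443 symptom plus one healthy handshake on 1194.
SAMPLE = """\
03:30:59.514704 IP client.example.24682 > vpn.example.https: S 204510893:204510893(0) win 65535 <mss 1460,nop,nop,sackOK>
03:31:02.556916 IP client.example.24682 > vpn.example.https: S 204510893:204510893(0) win 65535 <mss 1460,nop,nop,sackOK>
03:31:08.566818 IP client.example.24682 > vpn.example.https: S 204510893:204510893(0) win 65535 <mss 1460,nop,nop,sackOK>
03:31:25.538953 IP client.example.24683 > vpn.example.https: S 1489105891:1489105891(0) win 65535 <mss 1460,nop,nop,sackOK>
03:31:28.383241 IP client.example.24683 > vpn.example.https: S 1489105891:1489105891(0) win 65535 <mss 1460,nop,nop,sackOK>
03:31:40.100000 IP client.example.24700 > vpn.example.openvpn: S 77:77(0) win 65535 <mss 1460,nop,nop,sackOK>
03:31:40.120000 IP vpn.example.openvpn > client.example.24700: S 4242:4242(0) ack 78 win 5840 <mss 1460,nop,nop,sackOK>
03:31:40.140000 IP client.example.24700 > vpn.example.openvpn: . ack 4243 win 65535
"""

if __name__ == '__main__':
    for f in find_unanswered_syns(SAMPLE.splitlines()):
        print(f"{f['client']}:{f['cport']} -> {f['server']}:{f['port']}: "
              f"{f['tries']} SYNs, no SYN-ACK (packet reached the host; check nat/filter rules)")
```

A SYN that reaches eth0 and gets no SYN-ACK while the same host answers on 1194 points at the local netfilter path (nat rewrite plus filter INPUT) rather than at anything upstream, which is where the rest of the thread goes.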
* RE: iptables not forwarding port 443
From: J. Webster @ 2010-07-07 1:54 UTC
To: swifty; Cc: netfilter

Would these rules be better? I rewrote the OUTPUT sections.
Should I remove this line completely?
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Reworked iptables script:

# Generated by iptables-save v1.3.5 on Wed Jun 30 16:44:05 2010
*filter
:INPUT DROP [340:25253]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [157:7792]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jun 30 16:44:05 2010
# Generated by iptables-save v1.3.5 on Wed Jun 30 16:44:05 2010
*nat
:PREROUTING ACCEPT [374:37633]
:POSTROUTING ACCEPT [1391:87497]
:OUTPUT ACCEPT [1391:87497]
-A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A PREROUTING -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 30 16:44:05 2010
* Re: iptables not forwarding port 443
From: Pascal Hambourg @ 2010-07-07 14:51 UTC
To: J. Webster; Cc: netfilter

Hello,

J. Webster wrote:
> I have an openvpn server running on port 1194 successfully.
> The box is 1 server split into 2 IP addresses xx.xx.xx.198 and xx.xx.xx.199.
> A proxy server runs on the 198 server and the VPN on 199.
> I have been trying to set up a port forward from port 443 on the 199 server to 1194 so that users can use the VPN when they are in hotels or behind work firewalls. Although the packets are reaching the server, the VPN will not connect on port 443.
> I have tried the OpenVPN mailing list and after extensive testing, they cannot see why the packets are not being received so something must be wrong with the routing.
> Any ideas on what the problem could be?
> I have included the iptables rules below.
>
> # Generated by iptables-save v1.3.5 on Wed Jun 30 16:44:05 2010
> *filter
[...]
> -A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
[...]
> *nat
[...]
> -A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194

Just a thought: the iptables manpage says that REDIRECT changes the destination address to the *primary* address of the incoming interface. If the primary address is xx.xxx.xxx.198 while the openvpn server listens on xx.xxx.xxx.199, I'm afraid it won't do what you expect. I'd suggest to replace REDIRECT with DNAT and specify the new destination address explicitly.

> -A PREROUTING -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194

(Why redirect UDP if you don't accept it?)
* RE: iptables not forwarding port 443
From: J. Webster @ 2010-07-07 14:53 UTC
To: pascal.mail; Cc: netfilter

So, change it to this?
-A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j DNAT --to-ports 1194

I had udp open as I was planning to change the vpn to udp in the near future.
* Re: iptables not forwarding port 443
From: Pascal Hambourg @ 2010-07-07 15:00 UTC
To: J. Webster; Cc: netfilter

(Please don't top post)

J. Webster wrote:
> So, change it to this?
> -A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j DNAT --to-ports 1194

man iptables. DNAT expects "--to-destination <address>:<port>".

> I had udp open as I was planning to change the vpn to udp in the near future.

AFAICS you don't have UDP open in your filter rules, you just redirect it (useless as it will be dropped).
* RE: iptables not forwarding port 443
From: J. Webster @ 2010-07-07 15:20 UTC
To: pascal.mail; Cc: netfilter

That seems to work, the VPN now connects on port 443.
However, when I go to whatsmyip instead of giving me the xx.xx.xx.199 address, it gives me the xx.xx.xx.198 address. Not a massive problem in itself but something in the routing must be incoming on 199 and outgoing on 198.

Current iptables:

# Generated by iptables-save v1.3.5 on Wed Jul 7 16:06:49 2010
*nat
:PREROUTING ACCEPT [29:10687]
:POSTROUTING ACCEPT [27:8372]
:OUTPUT ACCEPT [27:8372]
-A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j DNAT --to-destination xx.xxx.xxx.199:1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jul 7 16:06:49 2010
# Generated by iptables-save v1.3.5 on Wed Jul 7 16:06:49 2010
*filter
:INPUT DROP [28:2114]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [14:728]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jul 7 16:06:49 2010
* Re: iptables not forwarding port 443
From: Pascal Hambourg @ 2010-07-07 15:50 UTC
To: J. Webster; Cc: netfilter

J. Webster wrote:
> That seems to work, the VPN now connects on port 443.
> However, when I go to whatsmyip instead of giving me the xx.xx.xx.199
> address, it gives me the xx.xx.xx.198 address. Not a massive problem in
> itself but something in the routing must be incoming on 199 and outgoing
> on 198.

I guess this is again because xx.xx.xx.198 is the primary address on eth0 and is preferred over xx.xx.xx.199 by default source address selection and MASQUERADE. If the openvpn client TUN/TAP interface address is in the 172.16.0.0/24 range, then instead of MASQUERADE you can use SNAT with explicit source address (-j SNAT --to-source <address>).

> Current iptables:
> # Generated by iptables-save v1.3.5 on Wed Jul 7 16:06:49 2010
> *nat
> :PREROUTING ACCEPT [29:10687]
> :POSTROUTING ACCEPT [27:8372]
> :OUTPUT ACCEPT [27:8372]
> -A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j DNAT --to-destination xx.xxx.xxx.199:1194
> -A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
> -A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE

Why twice the same rule?
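The netfilter points Pascal raised over the last few messages (REDIRECT rewriting the destination to the incoming interface's primary address, a nat rule for UDP that the filter table never accepts, the duplicated MASQUERADE rule, and MASQUERADE picking the primary address where SNAT --to-source would pick the intended one) can all be checked mechanically from an iptables-save dump. The linter below is an added example, not code from the thread or from the netfilter project. It assumes the caller knows the primary address of the interface (192.0.2.198 in the constructed sample, with 192.0.2.199 as the secondary; both are documentation addresses standing in for the xx.xxx.xxx.198/199 pair above), and it evaluates filter INPUT against the post-NAT address and port, because INPUT sees the packet after PREROUTING has rewritten it. BROKEN mirrors the rules posted earlier in the thread; FIXED is the DNAT/SNAT version, where the 443 accept on the VPN address is no longer needed because INPUT only ever sees 1194.

```python
"""Lint an iptables-save dump for the netfilter pitfalls discussed in this thread (added example)."""
import shlex
from collections import Counter

_KEYS = {'-p': 'proto', '-d': 'dst', '-s': 'src', '-i': 'in', '-o': 'out', '--dport': 'dport',
         '-j': 'target', '--to-ports': 'to', '--to-destination': 'to', '--to-source': 'to'}
# Other options that take a value; anything unknown is skipped one token at a time.
_VALUE_OPTS = set(_KEYS) | {'-m', '--sport', '--state'}

def parse_iptables_save(text):
    """One dict per '-A' rule; '*table' lines select the table, everything else is ignored."""
    rules, table = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('*'):
            table = line[1:]
        elif line.startswith('-A '):
            toks = shlex.split(line)
            rule, i = {'table': table, 'chain': toks[1], 'args': ' '.join(toks[2:])}, 2
            while i < len(toks):
                if toks[i] in _VALUE_OPTS and i + 1 < len(toks):
                    if toks[i] in _KEYS:
                        rule[_KEYS[toks[i]]] = toks[i + 1]
                    i += 2
                else:
                    i += 1
            rules.append(rule)
    return rules

def post_nat_destination(rule, primary_addr):
    """(address, port) the packet carries after a PREROUTING REDIRECT/DNAT rule rewrote it."""
    target, to = rule.get('target'), rule.get('to')
    if target == 'REDIRECT':   # REDIRECT is DNAT to the *primary* address of the input interface
        return primary_addr, to
    if target == 'DNAT' and to:
        return tuple(to.rsplit(':', 1)) if ':' in to else (to, rule.get('dport'))
    return rule.get('dst'), rule.get('dport')

def lint(text, primary_addr):
    """Return (kind, rule_args, advice) tuples for each problem found."""
    rules, findings = parse_iptables_save(text), []
    accepts = [r for r in rules
               if (r['table'], r['chain'], r.get('target')) == ('filter', 'INPUT', 'ACCEPT')]
    for r in rules:
        if (r['table'], r['chain']) != ('nat', 'PREROUTING') or r.get('target') not in ('REDIRECT', 'DNAT'):
            continue
        addr, port = post_nat_destination(r, primary_addr)
        if r['target'] == 'REDIRECT' and r.get('dst') not in (None, primary_addr):
            findings.append(('redirect-secondary-addr', r['args'],
                             f"REDIRECT delivers this to {primary_addr}:{port}, not {r['dst']}; "
                             f"use -j DNAT --to-destination {r['dst']}:{port}"))
        # filter/INPUT runs after PREROUTING NAT, so it must accept the *rewritten* address and port.
        if not any(a.get('proto') == r.get('proto') and a.get('dport') == port
                   and a.get('dst') in (None, addr) for a in accepts):
            findings.append(('nat-without-accept', r['args'],
                             f"no filter INPUT ACCEPT for {r.get('proto')} to {addr}:{port}, "
                             "so the translated packet falls through to the INPUT policy"))
    for (table, chain, args), n in Counter((r['table'], r['chain'], r['args']) for r in rules).items():
        if n > 1:
            findings.append(('duplicate-rule', args, f'listed {n} times in {table}/{chain}'))
    local_addrs = sorted({r['dst'] for r in accepts if r.get('dst')})   # heuristic: addresses seen in INPUT
    masq = [r for r in rules if r['table'] == 'nat' and r.get('target') == 'MASQUERADE']
    if masq and len(local_addrs) > 1:
        findings.append(('masquerade-ambiguous-source', masq[0]['args'],
                         f"host has addresses {local_addrs}; MASQUERADE picks the primary one, "
                         "use -j SNAT --to-source <address> to choose"))
    return findings

# Constructed rule sets with documentation addresses: 192.0.2.198 is assumed primary on eth0.
BROKEN = """\
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.0.2.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -d 192.0.2.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
*nat
-A PREROUTING -d 192.0.2.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A PREROUTING -d 192.0.2.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
"""
FIXED = """\
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.0.2.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -d 192.0.2.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
*nat
-A PREROUTING -d 192.0.2.199 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.0.2.199:1194
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j SNAT --to-source 192.0.2.199
COMMIT
"""

if __name__ == '__main__':
    for kind, rule, advice in lint(BROKEN, '192.0.2.198'):
        print(f'{kind}: {rule}\n    {advice}')
```

On the BROKEN set the REDIRECT rules are flagged twice each: once because the packet ends up at the primary address, and once because the `-d 192.0.2.199 --dport 1194` INPUT rule then no longer matches the rewritten packet, which would drop it under a DROP policy even if the daemon were listening on the primary address. The MASQUERADE check is a heuristic over the addresses the INPUT rules mention; on a real host, compare against `ip -4 addr show dev eth0` instead.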
* RE: iptables not forwarding port 443
From: J. Webster @ 2010-07-08 16:12 UTC
To: pascal.mail; +Cc: netfilter

Is it a postrouting issue?
So,
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j SNAT --to-source xx.xxx.xxx.199

As an aside, when I open up iptraf, it gives me a network called lo, which I don't seem to be able to get rid of. I think I created it by accident a while back.

----------------------------------------
> Date: Wed, 7 Jul 2010 17:50:53 +0200
> From: pascal.mail@plouf.fr.eu.org
> To: webster_jack@hotmail.com
> CC: netfilter@vger.kernel.org
> Subject: Re: iptables not forwarding port 443
>
> J. Webster wrote:
>> That seems to work, the VPN now connects on port 443.
>> However, when I go to whatsmyip instead of giving me the xx.xx.xx.199
>> address, it gives me the xx.xx.xx.198 address. Not a massive problem in
>> itself but something in the routing must be incoming on 199 and outgoing
>> on 198.
>
> I guess this is again because xx.xx.xx.198 is the primary address on
> eth0 and is preferred over xx.xx.xx.199 by default source address
> selection and MASQUERADE. If the openvpn client TUN/TAP interface
> address is in the 172.16.0.0/24 range, then instead of MASQUERADE you
> can use SNAT with explicit source address (-j SNAT --to-source <address>).
>
>> Current iptables:
>> # Generated by iptables-save v1.3.5 on Wed Jul 7 16:06:49 2010
>> *nat
>> :PREROUTING ACCEPT [29:10687]
>> :POSTROUTING ACCEPT [27:8372]
>> :OUTPUT ACCEPT [27:8372]
>> -A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j DNAT --to-destination xx.xxx.xxx.199:1194
>> -A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
>> -A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
>
> Why twice the same rule?
* RE: iptables not forwarding port 443
From: Jan Engelhardt @ 2010-07-08 17:34 UTC
To: J. Webster; +Cc: pascal.mail, netfilter

On Thursday 2010-07-08 18:12, J. Webster wrote:
>
> Is it a postrouting issue?
> So,
> -A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j SNAT --to-source xx.xxx.xxx.199
>
> As an aside, when I open up iptraf, it gives me a network called lo, which I don't seem to be able to get rid of. I think I created it by accident a while back.

Haha, good one.
* Re: iptables not forwarding port 443
From: Pascal Hambourg @ 2010-07-08 18:56 UTC
To: J. Webster; +Cc: netfilter

J. Webster wrote:
> Is it a postrouting issue?

Only you can tell. You did not provide enough details.

> As an aside, when I open up iptraf, it gives me a network called lo,
> which I don't seem to be able to get rid of. I think I created it by
> accident a while back.

lo is the loopback interface used for network communication between
local processes. It is created by the IP stack at startup and AFAIK
cannot be removed. It can be deactivated, but be aware that this may
cause issues.
Thread overview: 17+ messages
2010-07-06 16:39 iptables not forwarding port 443  J. Webster
2010-07-06 17:05 ` Gáspár Lajos
2010-07-06 17:10   ` J. Webster
2010-07-06 17:26     ` Gáspár Lajos
2010-07-06 17:40       ` J. Webster
2010-07-06 18:03         ` Grant Taylor
2010-07-06 18:08         ` Gáspár Lajos
2010-07-06 18:23           ` J. Webster
2010-07-07  1:54             ` J. Webster
2010-07-07 14:51 ` Pascal Hambourg
2010-07-07 14:53   ` J. Webster
2010-07-07 15:00     ` Pascal Hambourg
2010-07-07 15:20       ` J. Webster
2010-07-07 15:50         ` Pascal Hambourg
2010-07-08 16:12           ` J. Webster
2010-07-08 17:34             ` Jan Engelhardt
2010-07-08 18:56             ` Pascal Hambourg