LinuxQuestions.org
Old 07-02-2010, 12:58 PM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Rep: Reputation: 30
redirect iptables


I have OpenVPN running successfully on 1194 and clients can connect.
I have some clients who have to use port 443 as 1194 is blocked on their hotel/work firewalls. So I thought I'd change their OpenVPN config and redirect traffic on 443 to 1194 on the server. However, the client will not connect on this port. It is as though something is missing on the firewall side.
Any ideas?
OpenVPN is on the 199 IP address but 198 and 199 are on the same physical server. I turned off httpd so no web server is blocking 443.

Code:
# Generated by iptables-save v1.3.5 on Wed Jun 30 16:44:05 2010
*filter
:INPUT DROP [340:25253]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [157:7792]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jun 30 16:44:05 2010
# Generated by iptables-save v1.3.5 on Wed Jun 30 16:44:05 2010
*nat
:PREROUTING ACCEPT [374:37633]
:POSTROUTING ACCEPT [1391:87497]
:OUTPUT ACCEPT [1391:87497]
-A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A PREROUTING -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A OUTPUT -d xx.xxx.xxx.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
COMMIT
# Completed on Wed Jun 30 16:44:05 2010
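A check I added for this thread (it is not code from the post or from the iptables project): it parses an iptables-save dump and, for each nat PREROUTING REDIRECT rule, looks at whether the filter INPUT chain would still accept the packet after the port rewrite. Two things matter under an INPUT DROP policy. First, there must be an INPUT ACCEPT for the rewritten port and protocol, not just for the original one. Second, REDIRECT rewrites the destination address to the primary address of the interface the packet arrived on (iptables-extensions, REDIRECT target), so an INPUT ACCEPT bound with `-d` to a secondary address on that interface will not match the rewritten packet. The embedded ruleset is a constructed, abridged copy of the shape posted above, with the redacted addresses replaced by TEST-NET-3 placeholders (203.0.113.198 and 203.0.113.199); which of the two is the primary address is an assumption the script does not make, it only flags the dependency.

```python
"""Check an iptables-save dump for REDIRECT rules whose rewritten packets
would not be accepted by the filter INPUT chain.  Added example for this
thread; the sample ruleset below is constructed, not the poster's real one."""

# Constructed sample: abridged copy of the posted ruleset shape, public
# addresses replaced by TEST-NET-3 placeholders.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 203.0.113.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -d 203.0.113.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -d 203.0.113.199 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A PREROUTING -d 203.0.113.199 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
"""

# Options whose following value we keep; match modules (-m state, --state,
# -o ...) are ignored because this check only needs proto/port/address/target.
VALUED = {"-A": "chain", "-p": "proto", "-d": "dst", "-s": "src", "-i": "in",
          "-j": "target", "--dport": "dport", "--to-ports": "to_ports"}


def parse_iptables_save(text):
    """Return {table_name: [rule_dict, ...]} for every -A line in the dump."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            tables[table] = []
        elif line.startswith("-A") and table is not None:
            toks = line.split()
            rule = {}
            for i, tok in enumerate(toks):
                if tok in VALUED and i + 1 < len(toks):
                    rule[VALUED[tok]] = toks[i + 1]
            tables[table].append(rule)
    return tables


def input_accepts(rules, proto, port):
    """INPUT ACCEPT rules that match the given protocol and destination port."""
    return [r for r in rules
            if r.get("chain") == "INPUT" and r.get("target") == "ACCEPT"
            and r.get("proto") == proto and r.get("dport") == port]


def check_redirects(text):
    """One finding string per PREROUTING REDIRECT that INPUT does not cleanly cover."""
    tables = parse_iptables_save(text)
    findings = []
    for r in tables.get("nat", []):
        if r.get("chain") != "PREROUTING" or r.get("target") != "REDIRECT":
            continue
        proto, port, orig = r.get("proto"), r.get("to_ports"), r.get("dport", "any")
        hits = input_accepts(tables.get("filter", []), proto, port)
        if not hits:
            findings.append(f"{proto}/{orig} -> {port}: no INPUT ACCEPT for "
                            f"{proto}/{port}; rewritten packets hit the INPUT DROP policy")
        elif all("dst" in h for h in hits):
            dsts = ", ".join(sorted({h["dst"] for h in hits}))
            findings.append(f"{proto}/{orig} -> {port}: INPUT ACCEPT for {proto}/{port} is "
                            f"bound to -d {dsts}; REDIRECT rewrites the destination to the "
                            f"incoming interface's primary address, so this only matches "
                            f"if that is the primary address")
    return findings


if __name__ == "__main__":
    for finding in check_redirects(SAMPLE_DUMP):
        print(finding)
```

On the constructed sample the script reports two findings: the UDP redirect has no INPUT ACCEPT for udp/1194 at all, and the TCP redirect is covered only by an ACCEPT bound to the .199 address, which works only if .199 is the primary address of eth0. Running the same check against a real `iptables-save` output is a quick way to confirm the post-NAT path before looking elsewhere (the OpenVPN `proto` on both ends still has to agree with what is redirected).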
 
Old 07-03-2010, 01:36 AM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Just as an aside: have you considered the possibility that
the proxy/firewall in the hotel does a layer 7 check on the
traffic and drops what isn't https ?



Cheers,
Tink
 
Old 07-03-2010, 08:34 AM   #3
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Tinkster
Just as an aside: have you considered the possibility that
the proxy/firewall in the hotel does a layer 7 check on the
traffic and drops what isn't https ?

Cheers,
Tink
How can it know? The traffic going through port 443 is TCP traffic.
The VPN just tunnels it.
Any thoughts on the iptables above and why it won't connect from a normal router?
 
Old 07-03-2010, 04:44 PM   #4
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Quote:
How can it know? The traffic going through port 443 is TCP traffic.
The VPN just tunnels it.
Because if it is legitimate https traffic the payload is encrypted,
but the protocol is still http - it has http headers. I would expect
that to look quite different from VPN stuff.



Cheers,
Tink
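An added illustration of the point being made here (my code, not part of the thread): a layer-7 device on port 443 does not need to decrypt anything to tell TLS from OpenVPN. A TLS stream starts with a cleartext record header (content type 0x16, version 0x03 0x0x) followed by a ClientHello, whereas OpenVPN over TCP starts with a two-byte length prefix and an opcode byte whose upper five bits are the packet type (7 for the client's V2 hard reset). The sample byte strings below are constructed, truncated stand-ins for a first segment of each kind; the classifier is deliberately minimal and only shows what a "TLS only on 443" policy keys on.

```python
"""Classify the first bytes of a TCP/443 stream without decrypting it.
Added example for this thread; the sample payloads are constructed."""

# Constructed TLS ClientHello: record header (handshake, TLS 1.0 wrapper,
# length 45) + ClientHello (length 41, TLS 1.2, zero random, one cipher suite).
TLS_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2d"
                    + b"\x01\x00\x00\x29\x03\x03"
                    + bytes(32)
                    + b"\x00\x00\x02\x00\x2f\x01\x00")

# Constructed OpenVPN-over-TCP client hard reset (no tls-auth): 2-byte length
# (14), opcode byte 0x38 = P_CONTROL_HARD_RESET_CLIENT_V2 (7) << 3 | key_id 0,
# 8-byte session id, empty ack array, 4-byte packet id.
OPENVPN_TCP_RESET = (b"\x00\x0e" + b"\x38"
                     + b"\x11\x22\x33\x44\x55\x66\x77\x88"
                     + b"\x00" + b"\x00\x00\x00\x00")


def classify_443_payload(first_bytes):
    """Return 'tls-client-hello', 'http-plaintext', 'openvpn-tcp-reset' or 'unknown'."""
    b = bytes(first_bytes)
    # TLS: content type 0x16 (handshake), major version 3, handshake type 0x01.
    if (len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03
            and b[2] in (0x00, 0x01, 0x02, 0x03) and b[5] == 0x01):
        return "tls-client-hello"
    # Cleartext HTTP on 443 is visible as the request line itself.
    if b.startswith((b"GET ", b"POST ", b"HEAD ", b"CONNECT ")):
        return "http-plaintext"
    # OpenVPN TCP framing: big-endian length prefix that matches the rest of
    # the segment, then an opcode of 1 (V1) or 7 (V2) for a client hard reset.
    if len(b) >= 3:
        plen = int.from_bytes(b[:2], "big")
        opcode = b[2] >> 3
        if plen == len(b) - 2 and opcode in (1, 7):
            return "openvpn-tcp-reset"
    return "unknown"


def non_tls_flows(flows):
    """Given [(label, first_bytes), ...], return the labels a policy that
    only passes TLS on 443 would refuse."""
    return [label for label, data in flows
            if classify_443_payload(data) != "tls-client-hello"]


if __name__ == "__main__":
    # Constructed flow list standing in for connections seen on port 443.
    sample_flows = [("laptop-https", TLS_CLIENT_HELLO),
                    ("laptop-openvpn", OPENVPN_TCP_RESET),
                    ("stray-http", b"GET / HTTP/1.1\r\n")]
    for label, data in sample_flows:
        print(f"{label}: {classify_443_payload(data)}")
    print("refused:", non_tls_flows(sample_flows))
```

The encryption protects the payload, not the framing: everything the classifier reads sits before any key exchange has happened. Real inspection devices look at far more than these bytes, but this is enough to see why "it is TCP on 443" does not make a stream look like HTTPS.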
 
Old 07-03-2010, 06:21 PM   #5
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Tinkster
Because if it is legitimate https traffic the payload is encrypted,
but the protocol is still http - it has http headers. I would expect
that to look quite different from VPN stuff.

Cheers,
Tink
Doesn't the SSL mean that intermediate things can't see what it is? Proxies handling unencrypted http can look at (and modify) the headers and content, but for https they have to pass everything through blindly.

Does the iptables stuff look ok above? I can't see any major issues but still not sure why the traffic isn't being passed through.
 
  

