LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page iptables: cannot access HTTPS sites
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 08-17-2009, 03:41 AM   #1
socceroos
Member
 
Registered: Aug 2005
Location: Australia
Distribution: Ubuntu, FreeBSD, Fedora
Posts: 125

Rep: Reputation: 16
Question iptables: cannot access HTTPS sites

Hello all,

I have an IPCop box that has been working flawlessly, until today, when I came in to work to discover that an electrical storm had fried one of the routers ethernet cards.

After I had (5 hours later) finally figured out how to get IPCOP on the internet again (stupid thing refused to connect via PPPOE).

Everything seemed to be working fine - emails and URIs were being filtered.

But, when trying to connect to any site that is HTTPS, or even just SSH or FTP - it refuses to connect.

I'm positive that its an IPTABLES issue, but I can't figure out where.

Here is the output of `iptables -t nat -L`:

Code:
Chain PREROUTING (policy ACCEPT)         
target     prot opt source               destination         
CUSTOMPREROUTING  all  --  anywhere             anywhere            
SQUID      all  --  anywhere             anywhere                   
PORTFW     all  --  anywhere             anywhere                   
SCAN_POP3_PREROUTING  all  --  anywhere             anywhere            
SCAN_SMTP_PREROUTING  all  --  anywhere             anywhere            

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SCAN_SMTP_POSTROUTINGI  all  --  anywhere             anywhere            
CUSTOMPOSTROUTING  all  --  anywhere             anywhere                 
REDNAT     all  --  anywhere             anywhere                         
SNAT       all  --  anywhere             anywhere            MARK match 0x1 to:192.168.1.1 
SCAN_SMTP_POSTROUTING  all  --  anywhere             anywhere                              

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
SCAN_SMTP_OUTPUT  all  --  anywhere             anywhere

Chain CUSTOMPOSTROUTING (1 references)
target     prot opt source               destination
SNAT       all  --  192.168.1.253        anywhere            to:203.xxx.xxx.xx1
SNAT       all  --  mail.my.domain  anywhere            to:203.xxx.xxx.xx2
SNAT       all  --  192.168.1.0/24       anywhere            to:165.xxx.xxx.xx0

Chain CUSTOMPREROUTING (1 references)
target     prot opt source               destination

Chain PORTFW (1 references)
target     prot opt source               destination

Chain REDNAT (1 references)
target     prot opt source               destination

Chain SCAN_FTP_OUTPUT (0 references)
target     prot opt source               destination

Chain SCAN_FTP_PREROUTING (0 references)
target     prot opt source               destination

Chain SCAN_IM_PREROUTING (0 references)
target     prot opt source               destination

Chain SCAN_POP3_PREROUTING (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:pop3 redir ports 8110
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:pop3s redir ports 8110

Chain SCAN_SMTP_OUTPUT (1 references)
target     prot opt source               destination
DNAT       tcp  --  my.domain            my.domain tcp dpt:smtp to:192.168.1.254:25
DNAT       tcp  --  mail.my.domain       mail.my.domain tcp dpt:smtp to:192.168.1.254:25

Chain SCAN_SMTP_POSTROUTING (1 references)
target     prot opt source               destination
SNAT       tcp  --  192.168.1.0/24       mail.my.domain tcp dpt:smtp to:192.168.1.1

Chain SCAN_SMTP_POSTROUTINGI (1 references)
target     prot opt source               destination
SNAT       tcp  --  my.domain  anywhere            tcp dpt:smtp to:203.xxx.xxx.xx2

Chain SCAN_SMTP_PREROUTING (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:smtp redir ports 10025
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:smtp redir ports 10025

Chain SQUID (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 800
and here is the output of `iptables - L`:

Code:
Chain BADTCP (2 references)                                                                                                                                                                       
target     prot opt source               destination                                                                                                                                              
PSCAN      tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG                                                                                        
PSCAN      tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE                                                                                               
PSCAN      tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN                                                                                                
PSCAN      tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST                                                                                                            
PSCAN      tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN                                                                                                            
NEWNOTSYN  tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW                                                                                             

Chain CUSTOMFORWARD (1 references)
target     prot opt source               destination         

Chain CUSTOMINPUT (1 references)
target     prot opt source               destination         
SCAN_SMTP_INPUT  all  --  anywhere             anywhere            

Chain CUSTOMOUTPUT (1 references)
target     prot opt source               destination         

Chain DHCPBLUEINPUT (1 references)
target     prot opt source               destination         

Chain DMZHOLES (0 references)
target     prot opt source               destination         

Chain GUIINPUT (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 

Chain INPUT (policy DROP)
target     prot opt source               destination         
ipac~o     all  --  anywhere             anywhere            
BADTCP     all  --  anywhere             anywhere            
CUSTOMINPUT  all  --  anywhere             anywhere            
GUIINPUT   all  --  anywhere             anywhere              
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
IPSECVIRTUAL  all  --  anywhere             anywhere                                   
OPENSSLVIRTUAL  all  --  anywhere             anywhere                                 
ACCEPT     all  --  anywhere             anywhere            state NEW                 
DROP       all  --  127.0.0.0/8          anywhere            state NEW                 
DROP       all  --  anywhere             127.0.0.0/8         state NEW                 
ACCEPT    !icmp --  anywhere             anywhere            state NEW                 
DHCPBLUEINPUT  all  --  anywhere             anywhere                                  
IPSECPHYSICAL  all  --  anywhere             anywhere                                  
OPENSSLPHYSICAL  all  --  anywhere             anywhere                                
WIRELESSINPUT  all  --  anywhere             anywhere            state NEW             
REDINPUT   all  --  anywhere             anywhere                                      
XTACCESS   all  --  anywhere             anywhere            state NEW                 
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `INPUT ' 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ipac~fi    all  --  anywhere             anywhere            
ipac~fo    all  --  anywhere             anywhere            
BADTCP     all  --  anywhere             anywhere            
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
CUSTOMFORWARD  all  --  anywhere             anywhere                                                   
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED                  
IPSECVIRTUAL  all  --  anywhere             anywhere                                                    
OPENSSLVIRTUAL  all  --  anywhere             anywhere                                                  
ACCEPT     all  --  anywhere             anywhere            state NEW                                  
DROP       all  --  127.0.0.0/8          anywhere            state NEW                                  
DROP       all  --  anywhere             127.0.0.0/8         state NEW                                  
ACCEPT     all  --  anywhere             anywhere            state NEW                                  
WIRELESSFORWARD  all  --  anywhere             anywhere            state NEW                            
REDFORWARD  all  --  anywhere             anywhere                                                      
PORTFWACCESS  all  --  anywhere             anywhere            state NEW                               
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT ' 

Chain IPSECPHYSICAL (1 references)
target     prot opt source               destination         

Chain IPSECVIRTUAL (2 references)
target     prot opt source               destination         

Chain LOG_DROP (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning 
DROP       all  --  anywhere             anywhere                                                        

Chain LOG_REJECT (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable           

Chain NEWNOTSYN (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? ' 
DROP       all  --  anywhere             anywhere                                                                               

Chain OPENSSLPHYSICAL (1 references)
target     prot opt source               destination

Chain OPENSSLVIRTUAL (2 references)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ipac~i     all  --  anywhere             anywhere
CUSTOMOUTPUT  all  --  anywhere             anywhere

Chain PORTFWACCESS (1 references)
target     prot opt source               destination

Chain PSCAN (5 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
LOG        udp  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
LOG        icmp --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
LOG        all  -f  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
DROP       all  --  anywhere             anywhere

Chain REDFORWARD (1 references)
target     prot opt source               destination

Chain REDINPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain SCAN_SMTP_INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10025

Chain WIRELESSFORWARD (1 references)
target     prot opt source               destination

Chain WIRELESSINPUT (1 references)
target     prot opt source               destination

Chain XTACCESS (1 references)
target     prot opt source               destination

Chain ipac~fi (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere

Chain ipac~fo (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere

Chain ipac~i (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere

Chain ipac~o (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
Any help would be greatly appreciated!
Last edited by socceroos; 08-17-2009 at 11:52 PM. Reason: Must be curtious!
 
Old 08-17-2009, 04:30 AM   #2
win32sux
Moderator
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,847

Rep: Reputation: 348Reputation: 348Reputation: 348Reputation: 348
Quote:
Originally Posted by socceroos View Post
I'm positive that its an IPTABLES issue
How is it that you are positive? Like, for example, are your log files showing packets getting filtered when you try and start an HTTPS connection? BTW, if you could post the output of -nvL instead of -L it might make things a lot clearer.
Last edited by win32sux; 08-17-2009 at 04:37 AM.
 
Old 08-17-2009, 07:06 PM   #3
socceroos
Member
 
Registered: Aug 2005
Location: Australia
Distribution: Ubuntu, FreeBSD, Fedora
Posts: 125

Original Poster
Rep: Reputation: 16
Thanks for your reply win32sux, below is the output from `iptables -nvL`:

Code:
Chain BADTCP (2 references)                       
 pkts bytes target     prot opt in     out     source               destination         
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x01 
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
 1236 97823 NEWNOTSYN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW 

Chain CUSTOMFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CUSTOMINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 546K  307M SCAN_SMTP_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain CUSTOMOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DHCPBLUEINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DMZHOLES (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain GUIINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   18   594 ACCEPT     icmp --  !ppp0  *       0.0.0.0/0            0.0.0.0/0           icmp type 8 

Chain INPUT (policy DROP 1463 packets, 80376 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 415K  222M ipac~o     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 692K  397M BADTCP     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 690K  397M CUSTOMINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 624K  353M GUIINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0             
 579K  348M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
44834 4429K IPSECVIRTUAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                  
44834 4429K OPENSSLVIRTUAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                
21131 1591K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW                 
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0           state NEW                 
    0     0 DROP       all  --  *      *       0.0.0.0/0            127.0.0.0/8         state NEW                 
22240 2758K ACCEPT    !icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW                 
 1463 80376 DHCPBLUEINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                 
 1463 80376 IPSECPHYSICAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                 
 1463 80376 OPENSSLPHYSICAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0                               
 1463 80376 WIRELESSINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW             
 1463 80376 REDINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0                                     
 1463 80376 XTACCESS   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW                 
 1219 67329 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `INPUT ' 

Chain FORWARD (policy DROP 187 packets, 11615 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 123K   34M ipac~fi    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 123K   34M ipac~fo    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 289K  169M BADTCP     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
13958  682K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
 289K  169M CUSTOMFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                
 205K  163M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED                
83552 6513K IPSECVIRTUAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                 
83552 6513K OPENSSLVIRTUAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                               
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW                                
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0           state NEW                                
    0     0 DROP       all  --  *      *       0.0.0.0/0            127.0.0.0/8         state NEW                                
83274 6497K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW                                
  278 16003 WIRELESSFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW                          
  278 16003 REDFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                   
  278 16003 PORTFWACCESS  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW                             
  187 11615 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT ' 

Chain IPSECPHYSICAL (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPSECVIRTUAL (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain LOG_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                         

Chain LOG_REJECT (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable             

Chain NEWNOTSYN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  603 49776 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `NEW not SYN? ' 
 1236 97823 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                

Chain OPENSSLPHYSICAL (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OPENSSLVIRTUAL (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 750K packets, 401M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 438K  207M ipac~i     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 750K  401M CUSTOMOUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PORTFWACCESS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    48 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            192.168.1.253       tcp dpt:80
    2    92 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            192.168.1.254       tcp dpt:80
   21  1008 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            192.168.1.254       tcp dpt:443
   63  3048 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            192.168.1.253       tcp dpt:443
    4   192 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            192.168.1.254       tcp dpt:1723
    0     0 ACCEPT     47   --  ppp0   *       0.0.0.0/0            192.168.1.254
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            192.168.1.250       tcp dpt:443

Chain PSCAN (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `TCP Scan? '
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `UDP Scan? '
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `ICMP Scan? '
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `FRAG Scan? '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain REDFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain REDINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain SCAN_SMTP_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
45548   17M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10025

Chain WIRELESSFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain WIRELESSINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain XTACCESS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            165.xxx.xxx.xx0      tcp dpt:113
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            203.xxx.xxx.xx2      tcp dpt:113

Chain ipac~fi (1 references)
 pkts bytes target     prot opt in     out     source               destination
  244 19467            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   20  2275            all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain ipac~fo (1 references)
 pkts bytes target     prot opt in     out     source               destination
   17  2103            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  244 19467            all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain ipac~i (1 references)
 pkts bytes target     prot opt in     out     source               destination
  962  757K            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 1116  149K            all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain ipac~o (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1106  188K            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 1121  768K            all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
The reason I think its a firewall rule is because HTTP sites work fine. Any other services are blocked. I've checked over my urlfilter and proxy settings and cannot find any reason why they'd be blocking it. Is it possible that these applications have failed to load needed rules into iptables?

In IPCOP's firewall connections log I can see that clients are trying to access HTTPS (443) on sites but there is no reply from the server. It almost sounds like a NAT issue.

Code:
Protocol   Expires(Secs)   ConnectionStatus   OriginalSourceIP:Port   OriginalDest.IP:Port   ExpectedSourceIP:Port ExpectedDest.IP:Port   Marked   Use
tcp (6)  	1  	SYN_SENT  	  192.168.1.xxx  :4637  	  75.135.197.184  :443  	  75.135.197.184  :443  	  192.168.1.xxx  :4637  	[UNREPLIED]  	1
Last edited by socceroos; 08-17-2009 at 11:54 PM. Reason: Forgot to actually answer question...
 
Old 08-17-2009, 07:12 PM   #4
shizzles
LQ Newbie
 
Registered: Jun 2005
Location: Chicago
Distribution: Ubuntu 10.10 & CentOS
Posts: 21

Rep: Reputation: 1
I agree with win32sux, please post with -nvL as it will make it a lot easier to read the rules.
 
Old 08-17-2009, 07:14 PM   #5
win32sux
Moderator
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,847

Rep: Reputation: 348Reputation: 348Reputation: 348Reputation: 348
And the NAT table?
 
Old 08-17-2009, 08:15 PM   #6
socceroos
Member
 
Registered: Aug 2005
Location: Australia
Distribution: Ubuntu, FreeBSD, Fedora
Posts: 125

Original Poster
Rep: Reputation: 16
Ah, sorry! Below is the output of `iptables -t nat -nvL:

Code:
Chain PREROUTING (policy ACCEPT 20319 packets, 1704K bytes)
 pkts bytes target     prot opt in     out     source               destination         
32977 2359K CUSTOMPREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
32977 2359K SQUID      all  --  *      *       0.0.0.0/0            0.0.0.0/0                  
23722 1891K PORTFW     all  --  *      *       0.0.0.0/0            0.0.0.0/0                  
23302 1870K SCAN_POP3_PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
23103 1857K SCAN_SMTP_PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 73810 packets, 5175K bytes)
 pkts bytes target     prot opt in     out     source               destination         
74153 5215K SCAN_SMTP_POSTROUTINGI  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
81694 5592K CUSTOMPOSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0                
78321 5366K REDNAT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                        
  170  8160 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x1 to:192.168.xxx.x 
71230 5022K SCAN_SMTP_POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0                             

Chain OUTPUT (policy ACCEPT 69108 packets, 4925K bytes)
 pkts bytes target     prot opt in     out     source               destination         
67765 4852K SCAN_SMTP_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain CUSTOMPOSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      ppp0    192.168.xxx.xx3        0.0.0.0/0           to:203.xxx.xxx.xx1
 2196  148K SNAT       all  --  *      ppp0    192.168.xxx.xx4        0.0.0.0/0           to:203.xxx.xxx.xx2
    0     0 SNAT       all  --  eth0   ppp0    192.168.xxx.0/24       0.0.0.0/0           to:165.xxx.xxx.xx0

Chain CUSTOMPREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PORTFW (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   108 DNAT       tcp  --  *      *       0.0.0.0/0            203.xxx.xxx.xx1      tcp dpt:80 to:192.168.1.xx3:80
    2    88 DNAT       tcp  --  *      *       0.0.0.0/0            203.xxx.xxx.xx2      tcp dpt:80 to:192.168.1.xx4:80
  234 11232 DNAT       tcp  --  *      *       0.0.0.0/0            203.xxx.xxx.xx2      tcp dpt:443 to:192.168.1.xx4:443
   63  3048 DNAT       tcp  --  *      *       0.0.0.0/0            203.xxx.xxx.xx1      tcp dpt:443 to:192.168.1.xx3:443
    4   192 DNAT       tcp  --  *      *       0.0.0.0/0            203.xxx.xxx.xx3      tcp dpt:1723 to:192.168.1.xx4:1723
    0     0 DNAT       47   --  *      *       0.0.0.0/0            203.xxx.xxx.xx3      to:192.168.1.254
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            203.xxx.xxx.xx4      tcp dpt:443 to:192.168.1.xx0:443

Chain REDNAT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SCAN_FTP_OUTPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SCAN_FTP_PREROUTING (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SCAN_IM_PREROUTING (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SCAN_POP3_PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110 redir ports 8110
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:995 redir ports 8110

Chain SCAN_SMTP_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  673 29612 DNAT       tcp  --  *      *       165.xxx.xxx.xx0       165.xxx.xxx.xx0      tcp dpt:25 to:192.168.x.xx4:25
 1198 52712 DNAT       tcp  --  *      *       203.xxx.xxx.xx2       203.xxx.xxx.xx2      tcp dpt:25 to:192.168.x.xx4:25

Chain SCAN_SMTP_POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3684  155K SNAT       tcp  --  *      *       192.168.x.0/24       192.168.x.xx4       tcp dpt:25 to:192.168.x.x

Chain SCAN_SMTP_POSTROUTINGI (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      *       165.xxx.xxx.xx0       0.0.0.0/0           tcp dpt:25 to:203.xxx.xxx.xx2

Chain SCAN_SMTP_PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2801  156K REDIRECT   tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 redir ports 10025
    0     0 REDIRECT   tcp  --  eth1:1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 redir ports 10025

Chain SQUID (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     tcp  --  eth0   *       0.0.0.0/0            165.228.231.90      tcp dpt:80
 2771  143K REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 800
Last edited by socceroos; 08-17-2009 at 11:45 PM.
 
Old 08-17-2009, 11:34 PM   #7
socceroos
Member
 
Registered: Aug 2005
Location: Australia
Distribution: Ubuntu, FreeBSD, Fedora
Posts: 125

Original Poster
Rep: Reputation: 16
I have resolved the issue.

In the NAT table of iptables, under the REDNAT chain, there was a missing rule:

Code:
Chain REDNAT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1607  108K MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
This meant that all my traffic from inside the network that wasn't on port 80 was not being properly NATed. This applied not just to HTTPS, but all other protocols.

Why then wasn't this being added by IPCOP on boot? Well, the offending addon was SNATGUI, its custom firewall script failed to load this rule on startup. Needless to say, I've uninstalled it and set up my IP Address aliases manually.

Thanks for your help guys.
Last edited by socceroos; 08-17-2009 at 11:36 PM. Reason: Clarification
 
Old 08-17-2009, 11:38 PM   #8
win32sux
Moderator
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,847

Rep: Reputation: 348Reputation: 348Reputation: 348Reputation: 348
Quote:
Originally Posted by socceroos View Post
I have resolved the issue.

In the NAT table of iptables, under the REDNAT chain, there was a missing rule:

Code:
Chain REDNAT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1607  108K MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
This meant that all my traffic from inside the network that wasn't on port 80 was not being properly NATed. This applied not just to HTTPS, but all other protocols.

Why then wasn't this being added by IPCOP on boot? Well, the offending addon was SNATGUI, its custom firewall script failed to load this rule on startup. Needless to say, I've uninstalled it and set up my IP Address aliases manually.

Thanks for your help guys.
On the contrary, thank you for taking the time to let us know how you resolved this.
 
  


Reply

Tags
firewall, https, ipcop, iptables, rules


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Squid 2.6 not accessing https sites unixashoke Linux - Newbie 2 04-04-2008 08:52 AM
http > https for 1 of 6 sites hivtop Fedora 1 03-11-2008 02:27 PM
Squid and https sites 2buck56 Linux - Security 6 06-14-2007 04:06 AM
Can't access https sites in Firefox, fresh Ubuntu 6.10 install Gnewb Linux - Newbie 10 12-05-2006 10:07 PM
Client cannot open few https://.. sites i.e. secure sites rajeshghy Linux - General 1 11-02-2006 07:30 AM


All times are GMT -5. The time now is 02:31 PM.

Contact Us - Advertising Info - Rules - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
 
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: @linuxquestions
Open Source Consulting | Domain Registration