LinuxQuestions.org
Old 06-23-2010, 09:53 PM   #1
qwertyjjj
Distribution: Cent OS5 with Plesk
port forward 443 to 1194


I have an OpenVPN server running but some users have problems connecting to port 1194 when they are in hotels or behind proxy server firewalls.

I was advised to change the openvpn client to use port 443 as that would bypass these problems but I can't send out new client.ovpn files for every client so need to forward port 443 on the server to 1194.

How can I do this in iptables for any source address?
Is it just:

-A FORWARD -p tcp -m state --state NEW -sport 443 --dport 1194 -j ACCEPT

These are the current openvpn rules:
...
-A INPUT -d xx.xxx.xxx.xx9 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.xx9 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -d xx.xxx.xxx.xx9 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -d xx.xxx.xxx.xx9 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
...

Last edited by qwertyjjj; 06-23-2010 at 10:04 PM.
 
Old 06-24-2010, 05:37 AM   #2
vikas027
Try this
Code:
iptables -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j REDIRECT --to-port 1194
 
Old 06-28-2010, 08:06 AM   #3
qwertyjjj
Quote:
Originally Posted by vikas027
Try this
Code:
iptables -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j REDIRECT --to-port 1194
Do I need to forward the tun and tap?
Also, I only want to forward traffic arriving at port 443 on the xx.xxx.xxx.xx9 server, not the xx.xxx.xxx.xx8 server (respectively the VPN and proxy servers).

Also, if I type that command into the prompt, will it rewrite my /etc/sysconfig/iptables file?

Last edited by qwertyjjj; 06-28-2010 at 09:02 AM.
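As an added example (not code from the thread or from either poster), a small sh script that builds the nat REDIRECT rule from the reply above scoped to a single destination address, checks an iptables-save dump for it, and shows the extra step needed for the rule to survive a reboot on CentOS 5. The 203.0.113.x addresses and eth0 are constructed placeholders.

```shell
#!/bin/sh
# Added example: scoped 443 -> 1194 REDIRECT for OpenVPN, offline-checkable.
# 203.0.113.x and eth0 are constructed placeholders, not values from the thread.

# Print one iptables-save style rule: on $1, TCP to $2:$3 is rewritten to
# port $4 before routing. REDIRECT runs in nat/PREROUTING, ahead of the filter
# INPUT chain, so INPUT then sees --dport $4 and the existing ACCEPT for that
# port applies. Scoping with -d leaves a second address's own :443 untouched.
redirect_rule() {
    iface=$1; dst=$2; from=$3; to=$4
    printf '%s\n' "-A PREROUTING -d $dst -i $iface -p tcp -m tcp --dport $from -j REDIRECT --to-ports $to"
}

# Exit 0 if the iptables-save output on stdin already holds a nat-table
# PREROUTING redirect for destination $1 from port $2 to port $3.
dump_has_redirect() {
    dst=$1; from=$2; to=$3
    awk -v d="$dst" -v f="$from" -v t="$to" '
        /^\*/ { table = $0 }                  # *nat, *filter, ...
        table == "*nat" && /^-A PREROUTING / &&
            index($0, "-d " d " ") && index($0, "--dport " f " ") &&
            $0 ~ ("--to-ports " t "$") { found = 1 }
        END { exit !found }'
}

# An interactive `iptables -t nat -A ...` only changes the running tables;
# CentOS 5 reloads /etc/sysconfig/iptables at boot, so save it there as well.
# Runs iptables only when APPLY=1 (and as root); otherwise prints the command.
apply_rule() {
    rule=$(redirect_rule "$@")
    if [ "${APPLY:-0}" = 1 ]; then
        iptables -t nat $rule        # unquoted on purpose: split into arguments
        iptables-save > /etc/sysconfig/iptables
    else
        printf 'dry run: iptables -t nat %s\n' "$rule"
    fi
}

# Constructed sample dump, modelled on the iptables-save output in the thread.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.9 -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
COMMIT
*filter
-A INPUT -d 203.0.113.9 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
COMMIT'

apply_rule eth0 203.0.113.9 443 1194
printf '%s\n' "$SAMPLE_DUMP" | dump_has_redirect 203.0.113.9 443 1194 && echo "redirect present"
```

Note that a REDIRECT only changes the port; the OpenVPN daemon itself still has to be listening on TCP 1194, since nothing in nat creates a listener.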
 
Old 06-30-2010, 10:39 AM   #4
qwertyjjj
For some reason, the openvpn will still not connect even when I reset the iptables and restart.
This is the current iptables - any ideas?

Code:
Hmm - tried that with no luck.
Current iptables:

# Generated by iptables-save v1.3.5 on Wed Jun 30 16:09:29 2010
*nat
:PREROUTING ACCEPT [303:34846]
:POSTROUTING ACCEPT [177:19845]
:OUTPUT ACCEPT [177:19845]
-A PREROUTING -d xx.xxx.xxx.199 -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
COMMIT
# Completed on Wed Jun 30 16:09:29 2010
# Generated by iptables-save v1.3.5 on Wed Jun 30 16:09:29 2010
*filter
:INPUT DROP [369:23358]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [157:7864]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jun 30 16:09:29 2010
 
Old 06-30-2010, 04:57 PM   #5
qwertyjjj
I've tried wireshark to see if the packet is received but I do not have a GUI so the dumpfile from wireshark is almost impossible to read.
tethereal -i eth0 -w /usr/local/sbin/myscripts/mycapture.pcap
tcpick -C -yP -r mycapture.pcap

I tried using iptraf and found that port 443 was already in use, which seemed strange unless the proxy server on xx.xxx.xxx.198 was already using it but that shouldn't matter.
I'm trying to access xx.xxx.xxx.199:443

Wed Jun 30 17:54:55 2010 us=375000 Expected Remote Options hash (VER=V4): '3dc0591a'
Wed Jun 30 17:54:55 2010 us=375000 Attempting to establish TCP connection with xx.xxx.xxx.199:443
Wed Jun 30 17:55:16 2010 us=328000 TCP: connect to xx.xxx.xxx.199:443 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
 