Iptables not allowing outbound https

john8675309 · 09-11-2004, 02:20 PM

I am trying to replace my exsisting firewall with an iptables firewall but I am having problems getting my https working it works great on the firewall I can telnet to any https server such as telnet loginnet.passport.com 443 it connects no problem but if I attempt this from any client on my network it just times out. here is my rc.iptables

eth0 = external
eth1 = internal

Code:

#!/bin/bash
iptables=/usr/sbin/iptables
echo "Starting iptables"
echo "Setting Default Policys"
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP

echo "Flushing All Rules"
$iptables -F INPUT 
$iptables -F OUTPUT
$iptables -F FORWARD
$iptables -F -t nat



echo "Allowing Established,Related Connections"
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Port Forwards"

echo "Web Inbound"
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0/0 --dport 80 -j DNAT --to 192.168.1.108:80
iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.108 --dport 80 -j ACCEPT


echo "SMTP Inbound"
$iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0/0 --dport 25 -j DNAT --to 192.168.1.108:25
$iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.108 --dport 25 -j ACCEPT

echo "pop3 Inbound"
$iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0/0 --dport 110 -j DNAT --to 192.168.1.108:110
$iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.108 --dport 110 -j ACCEPT

echo "ftp Inbound"
$iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0/0 --dport 21 -j DNAT --to 192.168.1.108:21
$iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.108 --dport 21 -j ACCEPT



echo "Allowing 127 traffic"
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

echo "Allowing all inbound traffic"
$iptables -A INPUT -p all -s 0/0 -i eth1 -j ACCEPT
$iptables -A OUTPUT -p all -d 0/0 -o eth1 -j ACCEPT

echo "Allowing DNS Inbound"
$iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
$iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

echo "Allowing HTTP:80 Inbound"
#$iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
#$iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128


echo "Allowing HTTP Connections for trusted users"
$iptables -A OUTPUT -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -j ACCEPT
$iptables -A FORWARD -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -i eth1 -j ACCEPT


$iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
$iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -d 0/0 -m state --state NEW -p tcp --dport 443 -o eth0 -i eth1 -j ACCEPT 





echo "Allowing inbound SSH"
$iptables -A INPUT -d 0/0 -m state --state NEW -p tcp --dport 22 -j ACCEPT

echo "Allowing managment ip"
$iptables -A INPUT -d 0/0 -i eth1 -m state --state NEW -p tcp --dport 8080 -j ACCEPT
$iptables -A INPUT -d 0/0 -i eth0 -m state --state NEW -p tcp --dport 8080 -j ACCEPT

#echo "Logging Set"
$iptables -A OUTPUT -j LOG --log-prefix "JKcool Log Output: "
$iptables -A FORWARD -j LOG --log-prefix "JKcool Log Forward: "
$iptables -A INPUT -j LOG --log-prefix "JKcool Log Input:

john8675309 · 09-11-2004, 05:30 PM

*bump*

Tinkster · 09-11-2004, 05:38 PM

*slap*

Per the LQ Rules, please do not bump your own thread until at least 24 hours have elapsed without a reply. Because the LQ membership is global, people in other time zones may not have seen this post yet, and thus it may take some time before a response is received.

http://www.linuxquestions.org/rules.php

scottman · 09-13-2004, 10:41 PM

Have you been able to capture anything in your logs that may give
you any hints?

Are you trying to set up a https server, or use a client from your
network?

I see PREROUTING rules for routing inbound connections to servers,
but I don't see any rules allowing outbound MASQUERADING, which
is needed if you are sharing the IP on eth0.

Can you connect to external http web sights?