LinuxQuestions.org
Old 09-11-2004, 02:20 PM   #1
john8675309
Member
 
Registered: Oct 2003
Location: Spencer, Iowa
Distribution: Slackware (of course)
Posts: 67

Rep: Reputation: 16
Iptables not allowing outbound https


I am trying to replace my existing firewall with an iptables firewall, but I am having problems getting https working. It works great on the firewall: I can telnet to any https server, such as telnet loginnet.passport.com 443, and it connects no problem. But if I attempt this from any client on my network it just times out. Here is my rc.iptables:

eth0 = external
eth1 = internal

Code:
#!/bin/bash
iptables=/usr/sbin/iptables
echo "Starting iptables"
echo "Setting Default Policies"
# default policy: drop anything that no later rule accepts
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP

echo "Flushing All Rules"
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -F FORWARD
$iptables -F -t nat

echo "Allowing Established,Related Connections"
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Port Forwards"
# inbound DNAT from the external interface to the internal server 192.168.1.108

echo "Web Inbound"
$iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0/0 --dport 80 -j DNAT --to 192.168.1.108:80
$iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.108 --dport 80 -j ACCEPT

echo "SMTP Inbound"
$iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0/0 --dport 25 -j DNAT --to 192.168.1.108:25
$iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.108 --dport 25 -j ACCEPT

echo "pop3 Inbound"
$iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0/0 --dport 110 -j DNAT --to 192.168.1.108:110
$iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.108 --dport 110 -j ACCEPT

echo "ftp Inbound"
$iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0/0 --dport 21 -j DNAT --to 192.168.1.108:21
$iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.108 --dport 21 -j ACCEPT

echo "Allowing 127 traffic"
# loopback
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

echo "Allowing all inbound traffic"
# all traffic between the firewall itself and the internal interface (eth1), both directions
$iptables -A INPUT -p all -s 0/0 -i eth1 -j ACCEPT
$iptables -A OUTPUT -p all -d 0/0 -o eth1 -j ACCEPT

echo "Allowing DNS Inbound"
# DNS queries sent by the firewall itself out eth0, and their replies
$iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
$iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

echo "Allowing HTTP:80 Inbound"
#$iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
#$iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# HTTP from the LAN is redirected to a local proxy on port 3128 rather than forwarded
$iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

echo "Allowing HTTP Connections for trusted users"
$iptables -A OUTPUT -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -j ACCEPT
$iptables -A FORWARD -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -i eth1 -j ACCEPT

# HTTPS: from the firewall itself (INPUT/OUTPUT) and forwarded from eth1 to eth0 (FORWARD);
# note that there is no nat POSTROUTING (SNAT/MASQUERADE) rule anywhere in this script
$iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
$iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -d 0/0 -m state --state NEW -p tcp --dport 443 -o eth0 -i eth1 -j ACCEPT

echo "Allowing inbound SSH"
$iptables -A INPUT -d 0/0 -m state --state NEW -p tcp --dport 22 -j ACCEPT

echo "Allowing management ip"
$iptables -A INPUT -d 0/0 -i eth1 -m state --state NEW -p tcp --dport 8080 -j ACCEPT
$iptables -A INPUT -d 0/0 -i eth0 -m state --state NEW -p tcp --dport 8080 -j ACCEPT

#echo "Logging Set"
# log whatever reaches the end of each chain before the DROP policy applies
$iptables -A OUTPUT -j LOG --log-prefix "JKcool Log Output: "
$iptables -A FORWARD -j LOG --log-prefix "JKcool Log Forward: "
$iptables -A INPUT -j LOG --log-prefix "JKcool Log Input: "
 
Old 09-11-2004, 05:30 PM   #2
john8675309
Member
 
Registered: Oct 2003
Location: Spencer, Iowa
Distribution: Slackware (of course)
Posts: 67

Original Poster
Rep: Reputation: 16
*bump*
 
Old 09-11-2004, 05:38 PM   #3
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,983
Blog Entries: 11

Rep: Reputation: 879
*slap*


Per the LQ Rules, please do not bump your own thread until at least 24 hours have elapsed without a reply. Because the LQ membership is global, people in other time zones may not have seen this post yet, and thus it may take some time before a response is received.

http://www.linuxquestions.org/rules.php
 
Old 09-13-2004, 10:41 PM   #4
scottman
Member
 
Registered: Jul 2004
Location: USA
Distribution: Slackware, FreeBSD, LFS
Posts: 72

Rep: Reputation: 15
Have you been able to capture anything in your logs that may give you any hints?

Are you trying to set up an https server, or use a client from your network?

I see PREROUTING rules for routing inbound connections to servers, but I don't see any rules allowing outbound MASQUERADING, which is needed if you are sharing the IP on eth0.

Can you connect to external http web sites?
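An added check (not from the original thread) covering both the OP's rc.iptables and scottman's reply: it scans an iptables-save dump for the outbound MASQUERADE/SNAT and FORWARD pieces a LAN client needs for HTTPS, and prints the rule that would add whatever is missing. eth0/eth1 and the 192.168.1.0/24 LAN prefix are assumptions taken from the post, and the dumps are constructed samples.

```shell
#!/bin/sh
# Added example, not the OP's rc.iptables: check an iptables-save dump for the outbound
# MASQUERADE that scottman's reply says is missing. eth0/eth1 and the 192.168.1.0/24 LAN
# prefix are assumptions taken from the post; the dumps below are constructed samples.
EXT_IF="${EXT_IF:-eth0}"   # external interface
INT_IF="${INT_IF:-eth1}"   # internal interface

# Returns 0 when the dump has both pieces a LAN client needs for outbound HTTPS:
#  1. a nat POSTROUTING MASQUERADE/SNAT rule leaving $EXT_IF; without it forwarded packets
#     leave with a private source address and replies never return (the "times out" symptom)
#  2. a FORWARD ACCEPT for new $INT_IF -> $EXT_IF tcp/443, needed because FORWARD policy is DROP
# Each missing piece is printed as "missing: <rule that would add it>".
check_outbound_nat() {
    dump="$1"; rc=0
    if ! grep -Eq "^-A POSTROUTING .*-o $EXT_IF .*-j (MASQUERADE|SNAT)" "$dump"; then
        echo "missing: iptables -t nat -A POSTROUTING -o $EXT_IF -s 192.168.1.0/24 -j MASQUERADE"
        rc=1
    fi
    if ! grep -Eq "^-A FORWARD .*-i $INT_IF -o $EXT_IF .*--dport 443 .*-j ACCEPT" "$dump"; then
        echo "missing: iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --dport 443 -m state --state NEW -j ACCEPT"
        rc=1
    fi
    # Forwarding also requires /proc/sys/net/ipv4/ip_forward = 1; not checked here.
    return $rc
}

# Writes a constructed dump mirroring the post's nat and FORWARD rules to a temp file and
# prints its path; pass "masq" to include the POSTROUTING fix.
write_dump() {
    f=$(mktemp)
    {
        echo '*nat'
        echo '-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.108:80'
        echo '-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'
        if [ "$1" = masq ]; then echo '-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE'; fi
        echo 'COMMIT'
        echo '*filter'
        echo '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
        echo '-A FORWARD -i eth1 -o eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT'
        echo 'COMMIT'
    } >"$f"
    echo "$f"
}

BROKEN_DUMP=$(write_dump)        # the post's situation: DNAT/REDIRECT present, no POSTROUTING
FIXED_DUMP=$(write_dump masq)
check_outbound_nat "$BROKEN_DUMP" || echo "broken ruleset: HTTPS from LAN clients will time out"
check_outbound_nat "$FIXED_DUMP" && echo "fixed ruleset: outbound NAT present"
```

On a live box, run it against the output of iptables-save instead of the constructed dump; the FORWARD rule on its own is not enough because the replies to a private source address never come back.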
 