I am trying to replace my existing firewall with an iptables firewall, but I am having problems getting HTTPS working. It works great on the firewall itself: I can telnet to any HTTPS server, such as `telnet loginnet.passport.com 443`, and it connects no problem. But if I attempt this from any client on my network it just times out. Here is my rc.iptables:
eth0 = external
eth1 = internal
Code:
#!/bin/bash
iptables=/usr/sbin/iptables
echo "Starting iptables"
echo "Setting Default Policys"
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP
echo "Flushing All Rules"
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -F FORWARD
$iptables -F -t nat
echo "Allowing Established,Related Connections"
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Port Forwards"
echo "Web Inbound"
$iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0/0 --dport 80 -j DNAT --to 192.168.1.108:80
$iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.108 --dport 80 -j ACCEPT
echo "SMTP Inbound"
$iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0/0 --dport 25 -j DNAT --to 192.168.1.108:25
$iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.108 --dport 25 -j ACCEPT
echo "pop3 Inbound"
$iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0/0 --dport 110 -j DNAT --to 192.168.1.108:110
$iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.108 --dport 110 -j ACCEPT
echo "ftp Inbound"
$iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0/0 --dport 21 -j DNAT --to 192.168.1.108:21
$iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.108 --dport 21 -j ACCEPT
echo "Allowing 127 traffic"
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
echo "Allowing all inbound traffic"
$iptables -A INPUT -p all -s 0/0 -i eth1 -j ACCEPT
$iptables -A OUTPUT -p all -d 0/0 -o eth1 -j ACCEPT
echo "Allowing DNS Inbound"
$iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
$iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
echo "Allowing HTTP:80 Inbound"
#$iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
#$iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "Allowing HTTP Connections for trusted users"
$iptables -A OUTPUT -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -j ACCEPT
$iptables -A FORWARD -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -i eth1 -j ACCEPT
$iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
$iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -d 0/0 -m state --state NEW -p tcp --dport 443 -o eth0 -i eth1 -j ACCEPT
echo "Allowing inbound SSH"
$iptables -A INPUT -d 0/0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
echo "Allowing managment ip"
$iptables -A INPUT -d 0/0 -i eth1 -m state --state NEW -p tcp --dport 8080 -j ACCEPT
$iptables -A INPUT -d 0/0 -i eth0 -m state --state NEW -p tcp --dport 8080 -j ACCEPT
#echo "Logging Set"
$iptables -A OUTPUT -j LOG --log-prefix "JKcool Log Output: "
$iptables -A FORWARD -j LOG --log-prefix "JKcool Log Forward: "
$iptables -A INPUT -j LOG --log-prefix "JKcool Log Input: "
Have you been able to capture anything in your logs that may give you any hints?

Are you trying to set up an https server, or use a client from your network?

I see PREROUTING rules for routing inbound connections to servers, but I don't see any rules allowing outbound MASQUERADING, which is needed if you are sharing the IP on eth0.
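The reply's point about outbound NAT, as an added example that is not the poster's rc.iptables or anything else from the thread: a small shell helper that inspects an `iptables-save -t nat` dump for a POSTROUTING MASQUERADE (or SNAT) rule on the external interface and prints the rule lines that would add one. It assumes eth0/eth1 as in the thread; the LAN prefix 192.168.1.0/24 is an assumption, since the thread only shows the host 192.168.1.108. The two sample dumps are constructed for the example.

```shell
#!/bin/sh
# Added example, not the poster's script: check a nat-table dump for the
# outbound MASQUERADE rule the reply asks about, and print the rules that
# would add it. eth0 = external as in the thread; LAN_NET is an assumption.

EXT_IF="${EXT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed from the 192.168.1.108 host in the thread

# has_outbound_nat DUMP: exit 0 if the POSTROUTING chain in the dump
# masquerades or SNATs traffic leaving EXT_IF, else exit 1.
has_outbound_nat() {
    printf '%s\n' "$1" | grep -Eq -- "^-A POSTROUTING .*-o ${EXT_IF} .*-j (MASQUERADE|SNAT)"
}

# check_nat_dump DUMP: print "nat-ok" or "nat-missing" for the dump.
check_nat_dump() {
    if has_outbound_nat "$1"; then
        echo "nat-ok"
    else
        echo "nat-missing"
    fi
}

# print_nat_fix: print (never apply) the rules that give LAN clients
# a public source address when their packets leave EXT_IF.
print_nat_fix() {
    cat <<EOF
# the kernel must forward packets before any of them can be SNATed
sysctl -w net.ipv4.ip_forward=1
# rewrite the source of LAN traffic leaving ${EXT_IF} to the firewall's own address
iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${EXT_IF} -j MASQUERADE
EOF
}

# Constructed dump modelled on the posted script: inbound DNAT and the
# port-80 REDIRECT to the proxy, but nothing in POSTROUTING.
SAMPLE_BEFORE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.108:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'

# The same dump with the masquerade rule added.
SAMPLE_AFTER="${SAMPLE_BEFORE%COMMIT}-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT"

# Stand-alone use: read the live nat table when run as root with
# iptables-save available, otherwise fall back to the constructed sample.
main() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-save >/dev/null 2>&1; then
        dump="$(iptables-save -t nat 2>/dev/null)"
    else
        dump="$SAMPLE_BEFORE"
    fi
    echo "outbound NAT on ${EXT_IF}: $(check_nat_dump "$dump")"
    [ "$(check_nat_dump "$dump")" = "nat-ok" ] || print_nat_fix
}

main
```

Why the posted script passes HTTP but not HTTPS follows from its own rules: port 80 from eth1 is REDIRECTed to the proxy on 3128, so the firewall opens the outbound connection itself with its public address, while port 443 is only FORWARDed, so the reply from the remote server is addressed to a private 192.168.1.x client and never makes it back. A POSTROUTING MASQUERADE rule on eth0 closes that gap; restricting it with `-s` to the LAN prefix keeps the firewall from masquerading anything else that happens to be routed through it.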