LinuxQuestions.org
09-10-2014, 02:40 AM, #1
orak (LQ Newbie, registered Sep 2014)
iptables PREROUTING problem


Hello everyone,
first of all: this is my first post. My real name is Karsten and I have long but not very deep Linux experience, mostly as a user, sometimes as an admin.

I am looking for a solution to the following problem:

Client ------- ServerGateway ------ ServerInDMZ

The client asks for a web page; the packet goes to ServerGateway via port 80/443. ServerGateway has iptables PREROUTING rules:
- client not allowed: send a "blocked" html page
  (REDIRECT to a port where Apache serves the block page)
- client allowed: DNAT port 80 to Squid on ServerGateway,
  ACCEPT port 443 -> routing

I have the following two problems:

1) If a client is forbidden and tries to get an https page, he is redirected to a port where Apache answers with http. The client browser does not show the block page; instead it says something like "ssl record too long". (I tried to use a second port with https, but it did not work. I have not documented my steps; if somebody thinks this is the solution, I will retry it.)

2) I would like to allow access from every client to a Tomcat page on ServerInDMZ. The Tomcat page is integrated in Apache, so the destination port of the client request is port 443.

I made several attempts at configuring Apache on both servers and at using string matching in iptables on ServerGateway - no success.

Maybe the question is better placed in the server forum, but maybe it can be solved on the iptables layer - I just don't know.

Any help would be very nice.

Thanks
Karsten
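Added example, not part of Karsten's post or configuration: why an HTTPS request that iptables REDIRECTs to a plain-HTTP Apache port ends in "ssl record too long". The browser opens the TCP connection, sends a TLS ClientHello and waits for a TLS record. Apache's HTTP listener cannot parse the ClientHello as a request line and answers "HTTP/1.1 400 Bad Request". The browser then reads that ASCII status line as a 5-byte TLS record header (1 byte content type, 2 bytes version, 2 bytes length): "HTTP/" gives content type 0x48 and length 0x502F = 20527, above the 2^14 + 2048 byte ciphertext limit, so the client aborts with ssl_error_rx_record_too_long. The byte strings below are constructed samples for the example (Apache's status line, a ServerHello header, the first bytes of a ClientHello). The practical consequence for the gateway: a blocked client's HTTPS request cannot be answered with a block page by a plain-HTTP listener; the listener on the redirect port has to speak TLS itself (and the browser will then warn about the certificate name mismatch, since it asked for a different host), or the connection has to be rejected outright.

```python
"""Added example: decode what the browser sees when an iptables REDIRECT
sends an HTTPS connection to a port where Apache only speaks plain HTTP.
The client sends a TLS ClientHello and expects a TLS record in reply;
Apache answers with an HTTP status line, whose first five ASCII bytes
parse as an absurd TLS record header."""
import struct

# RFC 5246 s. 6.2.3: a TLSCiphertext record may not exceed 2^14 + 2048 bytes.
TLS_MAX_CIPHERTEXT = (1 << 14) + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Constructed sample: the status line Apache emits for a request line it
# cannot parse (only the first bytes matter for the record-header check).
APACHE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
# Constructed sample: a well-formed TLS 1.2 ServerHello record header
# (content type 22 = handshake, version 3.3, body length 74).
TLS_SERVER_HELLO_HEADER = bytes([0x16, 0x03, 0x03, 0x00, 0x4A])
# Constructed sample: the first bytes of a TLS ClientHello as Apache's
# HTTP listener receives them (record header, handshake header, version).
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"


def parse_tls_record_header(data: bytes) -> dict:
    """Read the 5-byte TLS record header (type, version, length) the way
    a TLS client does and report why it would reject the bytes.  The
    length check comes first, which is why a text reply surfaces as
    'record too long' rather than 'unknown content type'."""
    if len(data) < 5:
        return {"ok": False, "reason": "short read"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    result = {"content_type": ctype, "version": (major, minor), "length": length}
    if length > TLS_MAX_CIPHERTEXT:
        result.update(ok=False, reason="record too long")
    elif ctype not in TLS_CONTENT_TYPES:
        result.update(ok=False, reason="unknown content type")
    else:
        result.update(ok=True, reason="")
    return result


def looks_like_http_request(data: bytes) -> bool:
    """The other side of the mismatch: what a plain-HTTP listener needs
    to see, an ASCII request line 'METHOD SP /target SP HTTP/x.y'.  A TLS
    ClientHello never satisfies this, so Apache answers 400."""
    line = data.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return (len(parts) == 3 and parts[0].isalpha()
            and parts[1].startswith(b"/") and parts[2].startswith(b"HTTP/"))


if __name__ == "__main__":
    for label, blob in (("Apache HTTP reply", APACHE_HTTP_REPLY),
                        ("TLS ServerHello", TLS_SERVER_HELLO_HEADER)):
        hdr = parse_tls_record_header(blob)
        print(f"{label:18s} type=0x{hdr['content_type']:02x} "
              f"length={hdr['length']} ok={hdr['ok']} {hdr['reason']}")
    print("ClientHello is a valid HTTP request:",
          looks_like_http_request(TLS_CLIENT_HELLO_PREFIX))
```

Run it as a script to see both decodings side by side; the Apache reply decodes to content type 0x48 ('H') and length 20527, the ServerHello header to type 22 and length 74.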
 
09-10-2014, 03:08 AM, #2
business_kid (LQ Guru, registered Jan 2006, Ireland; Slackware, Slarm64 & Android)
Quote:
I made several attempts at configuring Apache on both servers and at using string matching in iptables on ServerGateway - no success.
"No success" tells us something is wrong, and we cannot bring any experience to bear. Exact errors, "No route to host", "no such file or directory", "Sky fell in", are what we need to fix your problems.
Routing could be an issue. The ServerGateway will need a default route (either to the network or to the DMZ) and a route to the other one - perhaps a static route.

Sounds like a simple question: do you need to use a server gateway? Does it have other functions in the grand scheme besides security for the DMZ? I would have thought anything in a DMZ needed to be secure enough itself.
 
09-10-2014, 08:42 AM, #3
orak (original poster)
Quote:
Originally Posted by business_kid View Post
"No success" tells us something is wrong, and we cannot bring any experience to bear. Exact errors "No route to host," "no such file or directory," "Sky fell in," are what we need to fix your problems.
Routing could be an issue. The Server Gateway will need a default route (either the network or the dmz) and a route to the other one - perhaps a static route.

"No success" relates to the second question; for the first question the error code is ssl_error_rx_record_too_long.
The second question was:
2) I would like to allow access from every client to a Tomcat page on ServerInDMZ. The Tomcat page is integrated in Apache, so the destination port of the client request is port 443.

I didn't mention this, and I don't know if it is obvious, but the situation is as follows:
Client ------ ServerGateway ----- ServerInDMZ ---- Router ---- Internet
(Intranet)                        (DMZ)

If a client is forbidden, he is blocked from the DMZ and from the Internet.

I tried for 2):
- iptables string matching on "WebUntis" (https://ServerInDMZ/WebUntis is the destination address which should be allowed) -> using -j LOG in iptables shows that the matching does not work. I did not look further in this direction because I'm not sure it is the right way to solve the problem.

For the next attempt to solve 2) I have:
REDIRECT tcp -- 0.0.0.0/0 !10.10.1.4 redir ports 8082
(10.10.1.4 is ServerGateway)
and in httpd.conf on ServerGateway:
Listen 8082
<VirtualHost *:8082>
    ServerName ifw.bk-rheinbach.net
    # mod_proxy, mod_proxy_http and mod_ssl must be loaded for the [P] rule,
    # and SSLProxyEngine On is needed because the proxy target is https://
    SSLProxyEngine On
    RewriteEngine On
    # The pattern has only one capture group, so the substitution must use $1;
    # capturing what follows /WebUntis/ keeps the rest of the request path
    RewriteRule ^.*/WebUntis/?(.*)$ https://schulix.bk-rheinbach.net/WebUntis/$1 [P]
    RewriteRule .* http://ifw.bk-rheinbach.net/gesperrt/ [R,L]
</VirtualHost>

If I use from the client browser a URL like http://spiegel.de,
the client is redirected to ifw.bk-rheinbach.net/gesperrt/

If I use http://schulix.bk-rheinbach.net/WebUntis/#main I see in the
client's address bar: ifw.bk-rheinbach.net/gesperrt/#main (which I don't understand)

If I use https://schulix.bk-rheinbach.net/WebUntis/#main I get an error message in the browser window which says (badly translated from German :-): Error: Secure connection not possible. An error occurred ... SSL received a record that exceeds the maximum allowed length. Code: ssl_error_rx_record_too_long
-------------------------------------------------
Quote:
Originally Posted by business_kid View Post
Sounds a simple question - do you need to use a server gateway? Has it other functions in the grand scheme besides security for the DMZ. I would have thought anything in a DMZ needed to be secure enough itself.
Yes, ServerGateway is needed because it runs several services for the intranet and blocks clients (in the intranet) from using the DMZ and the Internet.

Thanks
Karsten
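Added example, not from the thread and not Karsten's configuration: why an iptables string match on "WebUntis" logs nothing for the HTTPS request to ServerInDMZ. xt_string is a plain substring search over the packet payload. On port 80 the request line "GET /WebUntis/ HTTP/1.1" is in clear; on port 443 the only cleartext that names the target is the server_name (SNI) extension of the ClientHello, and the path is inside encrypted application data. Two further checks worth making: if the string match was placed in the nat table, it can never match, because nat is consulted only for the first packet of a connection (the SYN), which carries no payload; and the "#main" fragment in the browser's address bar is never sent to any server, browsers keep it locally across a redirect, which is why it reappears after the /gesperrt/ redirect. The ClientHello builder is a minimal one written for this example (zeroed random, one cipher suite, only the SNI extension); the host names are the ones from the post, and the HTTP request is a constructed sample. The consequence for the gateway: a port 443 decision can only be made per destination host (IP/port at the iptables layer, SNI with a TLS-aware proxy), so the restriction to the /WebUntis path has to be enforced by the Apache on ServerInDMZ, with an ACCEPT for ServerInDMZ:443 placed before the REDIRECT rule in nat PREROUTING.

```python
"""Added example: what an iptables string match can and cannot see on
port 80 versus port 443.  Builds a minimal TLS ClientHello with an SNI
extension, extracts the SNI again, and runs the same substring search
that xt_string performs over a cleartext HTTP request and the ClientHello."""
import struct
from typing import Optional

# Constructed sample: the request the client's browser sends on port 80.
# The '#main' fragment of the URL in the address bar is never put on the wire.
HTTP_GET = b"GET /WebUntis/ HTTP/1.1\r\nHost: schulix.bk-rheinbach.net\r\n\r\n"


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying only an SNI extension.
    Random is zeroed and a single cipher suite is offered; real browsers
    add much more, but the SNI layout is the same."""
    name = server_name.encode("ascii")
    # ServerNameList: list_length(2) | name_type(1)=host_name | name_length(2) | name
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_data = struct.pack("!H", len(sni_list)) + sni_list
    sni_ext = struct.pack("!HH", 0, len(sni_data)) + sni_data   # type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + bytes(32)                                   # random (zeroed here)
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext   # extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello record and return the host_name from its SNI
    extension, or None if the bytes are not a ClientHello with SNI."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                    # headers, version, random
    p += 1 + record[p]                                # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                                # compression_methods
    if p + 2 > len(record):
        return None                                   # no extensions block
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return None


def xt_string_match(payload: bytes, pattern: str) -> bool:
    """What 'iptables -m string --algo bm --string PATTERN' does: a plain
    substring search over the packet payload, with no decryption and no
    URL parsing."""
    return pattern.encode("ascii") in payload


if __name__ == "__main__":
    hello = build_client_hello("schulix.bk-rheinbach.net")
    for label, pkt in (("port 80 GET", HTTP_GET), ("port 443 ClientHello", hello)):
        print(f"{label:22s} 'WebUntis' visible: {xt_string_match(pkt, 'WebUntis')}, "
              f"host name visible: {xt_string_match(pkt, 'schulix.bk-rheinbach.net')}, "
              f"SNI: {extract_sni(pkt)}")
```

Running the script shows "WebUntis" matching only in the port 80 request, while the ClientHello exposes only the host name, and only inside the SNI extension.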
 
  

