[wplug] Port Forwarding assistance to port 443

Albert Whale aewhale at ABS-CompTech.com
Fri Oct 31 08:15:56 EST 2003


Follow-up below.

Albert Whale wrote:

> I am using Linux Mandrake, and running the Bastille-firewall project, 
> and till now have been quite pleased with the flexibility and 
> functionality of the tools.
> Now I need to forward the public address (port 443 - https) to an 
> internal machine, however the portforward.sh tool attempts to make two 
> additions to the iptables rules, of which only one works.
>
> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0.0.0.0/0 
> --dport 443 -j DNAT --to 192.168.99.247:443
> /sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.99.247 --dport 443 
> -j ACCEPT
>
> The problem is that there is no Chain named PREROUTING in the bastille 
> project (even though the tool references it, I know, don't go there).
>
> Here are the valid chains:
>
> iptables -nL | grep Chain
> Chain INPUT (policy DROP)
> Chain FORWARD (policy DROP)
> Chain OUTPUT (policy ACCEPT)
> Chain INT_IN (1 references)
> Chain INT_OUT (1 references)
> Chain PAROLE (28 references)
> Chain PUB_IN (2 references)
> Chain PUB_OUT (2 references)
>
> My question is, what rule or chain do I need to add to the iptables 
> configuration to promote the forwarding of port 443 to the internal 
> network?
>
I've found some additional resources (still attempting to connect with 
Bastille). OK, so the first rule in the portforward.sh script is working 
(I did not know how to correctly examine the NAT table); here it is:

iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:443 to:192.168.99.247:443

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.99.0/24      0.0.0.0/0
MASQUERADE  all  --  192.168.99.0/24      0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


I'm still not getting a return on the connection.

Any Assistance is Appreciated.
-- 
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com 
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM Zapper - www.No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard
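Added example, not part of the post above: a DNAT port forward needs three pieces, and the post confirms only the first. (1) the `nat` PREROUTING DNAT rule, which the listing shows is present; (2) a `filter` FORWARD rule that ACCEPTs traffic to the rewritten destination, which matters here because FORWARD has policy DROP; (3) `net.ipv4.ip_forward` set to 1. The script below parses `iptables -n -L`-style listings and reports which piece is missing. The listings and the ip_forward value are constructed samples modelled on the output in the post (the FORWARD ACCEPT line is what `iptables -A FORWARD -p tcp -d 192.168.99.247 --dport 443 -j ACCEPT` would show); on a live box you would feed it the real output of `iptables -t nat -n -L`, `iptables -n -L FORWARD` and `cat /proc/sys/net/ipv4/ip_forward` instead. Note that plain `-L` (without `-v`) does not show the `-i eth0` interface match, so the check below cannot see it. The function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -n -L`, modelled on the post's listing.
NAT_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:443 to:192.168.99.247:443

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.99.0/24      0.0.0.0/0
'

# Constructed sample of `iptables -n -L FORWARD` before the ACCEPT rule is added
# (policy DROP, nothing else: forwarded 443 traffic is silently dropped).
FILTER_LISTING_BAD='Chain FORWARD (policy DROP)
target     prot opt source               destination
'

# Constructed sample after `iptables -A FORWARD -p tcp -d 192.168.99.247 --dport 443 -j ACCEPT`.
FILTER_LISTING_GOOD='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.99.247       tcp dpt:443
'

# has_dnat LISTING PORT TARGET
# Returns 0 if the PREROUTING chain of LISTING has a DNAT rule for dport PORT
# that rewrites to TARGET:PORT.
has_dnat() {
    printf '%s\n' "$1" | awk -v port="$2" -v tgt="$3" '
        /^Chain / { chain = $2 }
        chain == "PREROUTING" && $1 == "DNAT" &&
            $0 ~ ("dpt:" port "( |$)") && $0 ~ ("to:" tgt ":" port "( |$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# has_forward_accept LISTING PORT TARGET
# Returns 0 if the FORWARD chain has an ACCEPT rule whose destination column
# ($5 in `iptables -n -L` output) is TARGET and that matches dport PORT.
has_forward_accept() {
    printf '%s\n' "$1" | awk -v port="$2" -v tgt="$3" '
        /^Chain / { chain = $2 }
        chain == "FORWARD" && $1 == "ACCEPT" && $5 == tgt &&
            $0 ~ ("dpt:" port "( |$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# ip_forward_enabled VALUE
# VALUE is the content of /proc/sys/net/ipv4/ip_forward; 0 means routing is off
# and the DNATed packet is never forwarded at all.
ip_forward_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# diagnose NAT_LISTING FORWARD_LISTING IP_FORWARD_VALUE PORT TARGET
# Prints one line per check and returns the number of missing pieces (0 = all present).
diagnose() {
    nat=$1; fwd=$2; ipf=$3; port=$4; tgt=$5; missing=0
    if has_dnat "$nat" "$port" "$tgt"; then
        echo "ok:      nat PREROUTING DNAT dpt:$port -> $tgt:$port"
    else
        echo "MISSING: nat PREROUTING DNAT rule for dport $port to $tgt"; missing=$((missing + 1))
    fi
    if has_forward_accept "$fwd" "$port" "$tgt"; then
        echo "ok:      FORWARD ACCEPT to $tgt dpt:$port"
    else
        echo "MISSING: FORWARD ACCEPT rule for $tgt dpt:$port (FORWARD policy DROP eats the packet)"
        missing=$((missing + 1))
    fi
    if ip_forward_enabled "$ipf"; then
        echo "ok:      net.ipv4.ip_forward = 1"
    else
        echo "MISSING: net.ipv4.ip_forward is not 1 (sysctl -w net.ipv4.ip_forward=1)"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Usage with the constructed samples: the broken state reports two missing pieces.
if ! diagnose "$NAT_LISTING" "$FILTER_LISTING_BAD" "0" 443 192.168.99.247; then
    echo "forwarding to 192.168.99.247:443 will not work yet"
fi
```

The same three checks apply to any `--dport`/`--to` pair; only the DNAT and FORWARD rules are specific to the forwarded service, and `ip_forward` is global to the box.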