[wplug] Port Forwarding assistance to port 443
Albert Whale
aewhale at ABS-CompTech.com
Fri Oct 31 08:15:56 EST 2003
Follow-up below.
Albert Whale wrote:
> I am using Linux Mandrake, and running the Bastille-firewall project,
> and till now have been quite pleased in the flexibility and
> functionality of the tools.
> Now I need to forward the public address (port 443 - https) to an
> internal machine, however the portforward.sh tool attempts to make two
> additions to the iptables rules, of which only one works.
>
> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0.0.0.0/0 --dport 443 -j DNAT --to 192.168.99.247:443
> /sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.99.247 --dport 443 -j ACCEPT
>
> The problem is that there is no Chain named PREROUTING in the bastille
> project (even though the tool references it, I know, don't go there).
>
> Here are the valid chains:
>
> iptables -nL | grep Chain
> Chain INPUT (policy DROP)
> Chain FORWARD (policy DROP)
> Chain OUTPUT (policy ACCEPT)
> Chain INT_IN (1 references)
> Chain INT_OUT (1 references)
> Chain PAROLE (28 references)
> Chain PUB_IN (2 references)
> Chain PUB_OUT (2 references)
>
> My question is, what rule or chain do I need to add to the iptables
> configuration to promote the forwarding of port 443 to the internal
> network?
>
I've found some additional resources (still attempting to connect with
Bastille). OK, so the first rule in the portforward.sh script is working
(I did not know how to correctly examine the NAT table). Here it is:

iptables -t nat -n -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:443 to:192.168.99.247:443

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.99.0/24      0.0.0.0/0
MASQUERADE  all  --  192.168.99.0/24      0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I'm still not getting a return on the connection.
Any Assistance is Appreciated.
--
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM Zapper - www.No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard
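
Added example, not part of the original post: the message inspects two tables (`iptables -nL` shows only filter, `iptables -t nat -n -L` shows nat), and a DNAT rule in nat/PREROUTING only rewrites the destination, so the rewritten packet still has to be accepted by the filter FORWARD chain. This sketch cross-checks the two listings; the sample listings and all function names are constructed for illustration, and it compares only protocol, destination and dpt without following jumps into user-defined chains.

```python
import ipaddress
import re

# Constructed listings in `iptables -n -L` format (not captured from the poster's host).
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:443 to:192.168.99.247:443

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.99.0/24      0.0.0.0/0
"""
FILTER_LISTING = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.99.10      tcp dpt:25
"""

def parse_chains(listing):
    """Map chain name -> {"policy": str|None, "rules": [dict]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if head:
            current = chains.setdefault(head.group(1), {"policy": head.group(2), "rules": []})
        elif current is not None and line.strip() and not line.startswith("target"):
            target, prot, _opt, _src, dst, *extra = line.split()
            current["rules"].append({"target": target, "prot": prot, "dst": dst, "extra": " ".join(extra)})
    return chains

def dnat_targets(nat):
    """(proto, ip, port) for every DNAT rule in nat/PREROUTING."""
    rules = nat.get("PREROUTING", {"rules": []})["rules"]
    hits = [(r["prot"], re.search(r"to:([\d.]+):(\d+)", r["extra"])) for r in rules if r["target"] == "DNAT"]
    return [(prot, m.group(1), int(m.group(2))) for prot, m in hits if m]

def forward_allows(flt, prot, ip, port):
    """First FORWARD rule matching a NEW packet to ip:port decides; else chain policy."""
    fwd = flt.get("FORWARD", {"policy": "ACCEPT", "rules": []})
    for r in fwd["rules"]:
        dpt = re.search(r"dpt:(\d+)", r["extra"])
        if "state" in r["extra"] and "NEW" not in r["extra"]:
            continue  # RELATED,ESTABLISHED rules never admit the first SYN
        if r["prot"] not in (prot, "all") or (dpt and int(dpt.group(1)) != port):
            continue
        if ipaddress.ip_address(ip) in ipaddress.ip_network(r["dst"], strict=False):
            return r["target"] == "ACCEPT"  # a jump to a user chain counts as not accepted
    return fwd["policy"] == "ACCEPT"

def unforwarded_dnat(nat_text, filter_text):
    """DNAT targets that the filter FORWARD chain would not accept."""
    flt = parse_chains(filter_text)
    return [t for t in dnat_targets(parse_chains(nat_text)) if not forward_allows(flt, *t)]
```

Feed it the real output of `iptables -t nat -n -L` and `iptables -n -L`; any tuple returned is a forwarded port whose first packet the FORWARD chain, as listed, would drop.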