[wplug] Resolved - Port Forwarding assistance to port 443

Albert Whale aewhale at ABS-CompTech.com
Fri Oct 31 15:18:18 EST 2003


Problem resolved.

Albert Whale wrote:

> Follow-up below.
>
> Albert Whale wrote:
>
>> I am using Linux Mandrake, and running the Bastille-firewall project, 
>> and till now have been quite pleased with the flexibility and 
>> functionality of the tools.
>> Now I need to forward the public address (port 443 - https) to an 
>> internal machine; however, the portforward.sh tool attempts to make 
>> two additions to the iptables rules, of which only one works.
>>
>> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 0.0.0.0/0 
>> --dport 443 -j DNAT --to 192.168.99.247:443
>> /sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.99.247 --dport 
>> 443 -j ACCEPT
>>
>> The problem is that there is no Chain named PREROUTING in the 
>> bastille project (even though the tool references it, I know, don't 
>> go there).
>>
>> Here are the valid chains:
>>
>> iptables -nL | grep Chain
>> Chain INPUT (policy DROP)
>> Chain FORWARD (policy DROP)
>> Chain OUTPUT (policy ACCEPT)
>> Chain INT_IN (1 references)
>> Chain INT_OUT (1 references)
>> Chain PAROLE (28 references)
>> Chain PUB_IN (2 references)
>> Chain PUB_OUT (2 references)
>>
>> My question is, what rule or chain do I need to add to the iptables 
>> configuration to promote the forwarding of port 443 to the internal 
>> network?
>>
> I've found some additional resources (still attempting to connect 
> with bastille). OK, so the first rule in the portforward.sh script is 
> working (I did not know how to correctly examine the NAT table); here 
> it is:
>
> iptables -t nat -n -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp 
> dpt:443 to:192.168.99.247:443
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  all  --  192.168.99.0/24      0.0.0.0/0
> MASQUERADE  all  --  192.168.99.0/24      0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
>
> I'm still not getting a return on the connection.
>
> Any assistance is appreciated.

-- 
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com 
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM Zapper - www.No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard
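The thread turns on the fact that portforward.sh adds two rules: the DNAT in nat/PREROUTING rewrites the destination, but with a FORWARD policy of DROP the rewritten packet is still discarded unless a matching FORWARD ACCEPT exists. The audit script below is an added example, not part of the thread or of Bastille; it parses constructed `iptables -n -L` listings (shaped like the ones quoted above) and reports whether a given port's forward is complete. Function names and sample listings are my own.

```shell
#!/bin/sh
# Added example: audit iptables listings for a complete DNAT port forward.

# Constructed sample of `iptables -t nat -n -L`, same shape as the thread's listing.
NAT_DUMP='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:443 to:192.168.99.247:443

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.99.0/24      0.0.0.0/0'

# Constructed samples of `iptables -n -L FORWARD`: without and with the ACCEPT rule.
FWD_MISSING='Chain FORWARD (policy DROP)
target     prot opt source               destination
PUB_IN     all  --  0.0.0.0/0            0.0.0.0/0'
FWD_OK="$FWD_MISSING
ACCEPT     tcp  --  0.0.0.0/0            192.168.99.247       tcp dpt:443"

# dnat_target PORT NAT_DUMP -> prints the host:port that PREROUTING DNATs PORT to
dnat_target() {
  printf '%s\n' "$2" | awk -v p="$1" '
    /^Chain / { chain = $2 }
    chain == "PREROUTING" && $1 == "DNAT" && index($0, "dpt:" p " ") {
      for (i = 1; i <= NF; i++) if (sub(/^to:/, "", $i)) print $i
    }'
}

# forward_accepts HOST PORT FWD_DUMP -> exit 0 if the FORWARD chain lets HOST:PORT through
forward_accepts() {
  printf '%s\n' "$3" | awk -v h="$1" -v p="$2" '
    /^Chain FORWARD \(policy ACCEPT\)/ { ok = 1 }   # open policy: no rule needed
    $1 == "ACCEPT" && $5 == h && $0 ~ ("dpt:" p "( |$)") { ok = 1 }
    END { exit !ok }'
}

# check_forward PORT NAT_DUMP FWD_DUMP -> 0 complete, 1 no DNAT, 2 DNAT present but FORWARD drops it
check_forward() {
  target=$(dnat_target "$1" "$2")
  [ -n "$target" ] || { echo "port $1: no DNAT rule in nat/PREROUTING"; return 1; }
  forward_accepts "${target%:*}" "${target##*:}" "$3" \
    || { echo "port $1: DNAT to $target but FORWARD chain drops it"; return 2; }
  echo "port $1: forwarded to $target and accepted in FORWARD"
}

check_forward 443 "$NAT_DUMP" "$FWD_MISSING" || true   # reports the missing FORWARD rule
check_forward 443 "$NAT_DUMP" "$FWD_OK"
```

On a live box, feed it the real output of `iptables -t nat -n -L` and `iptables -n -L FORWARD` instead of the constructed strings; the same check applies to any port portforward.sh was asked to forward.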