Firewall Machine not connecting to port443

**Natasha69** · November 8th, 2002, 07:21 AM

Hii,
I am stuck, I think i have tryed every combo but cant get my "FIREWALL" computer to connect to REMOTE SERVERS 443 Port (HTTPS). The windows machines on my LAN have no problem connecting to HTTPS websites...Can you give me an idea why i cant connect from the firewall machine itself...Is the rules for port 443 wrong...Any help? or something i can try? Here are my rules:
RedHat 7.2
Kernel 2.4.19
Iptables 1.2.7a

#!/bin/bash

# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done

# Enable syn cookie protection.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptence
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done

# Drop spoofed packets comeing in on an interface, ehich if replied
# to,would result the reply going out another interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Dont't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done

# Log packets with impossiable addreses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done

# This will also update my ipaddress.
IP_INET=`/sbin/ifconfig eth0 | grep inet | cut -d: -f2 | cut -d\ -f1`

# Remove any existing rules from all chains.
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Unlimited access on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set the default policy to drop.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP

iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT

iptables -t mangle --policy PREROUTING ACCEPT
iptables -t mangle --policy OUTPUT ACCEPT

# All of the bits are cleared
#iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG
# SYN and FIN are both set
#iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG
# SYN and RST are both set.
#iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG
# FIN and RST are both set
#iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j REJECT
#iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
#iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG
# FIN is the only bit set, without the expected accompanyuing ACK
#iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
#iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j REJECT
#iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG
# PSH is the only bit set, without the expected accompaying ACK
#iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
#iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j REJECT
#iptables -I INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG
# URG is the only bit set, without the expected accompayning ACK
#iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
#iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
#iptables -I INPUT -p tcp --tcp-flags ACK,URG URG -j LOG

# Allow stateful connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop Invalid connection
iptables -A INPUT -m state --state INVALID -j LOG \
--log-prefix "Invalid input: "
iptables -A INPUT -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state INVALID -j LOG \
--log-prefix "Invalid output: "
iptables -A OUTPUT -m state --state INVALID -j DROP

iptables -A FORWARD -m state --state INVALID -j LOG \
--log-prefix "Invalid forward: "
iptables -A FORWARD -m state --state INVALID -j DROP

# Dropped packets that pretend to be coming in from PRIVATE ADDRESSes.
iptables -A INPUT -i eth0 -s 10.0.0.1/8 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.1/8 -j DROP
iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -j DROP
# iptables -A INPUT -i eth0 -s 127.0.0.1/8 -j DROP
iptables -A FORWARD -i eth0 -s 127.0.0.1/8 -j DROP

# Allow Access for DNS UDP for my ISP DNS server.
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o eth0 -p udp \
-s $IP_INET --sport 1024:65535 \
-d 229.53.4.130 --dport 53 \
-m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p udp \
-s $IP_INET --sport 1024:65535 \
-d 229.53.4.130 --dport 53 -j ACCEPT

if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o eth0 -p udp \
-s $IP_INET --sport 1024:65535 \
-d 229.53.4.150 --dport 53 \
-m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p udp \
-s $IP_INET --sport 1024:65535 \
-d 229.53.4.150 --dport 53 -j ACCEPT

# Allow access for my ISP DHCP server.
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o eth0 -p udp \
-s $IP_NET --sport 1024:65535 \
-d 229.53.4.129 --dport 67 \
-m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p udp \
-s $IP_INET --sport 1024:65535 \
-d 229.53.4.129 --dport 67 -j ACCEPT

iptables -A INPUT -i eth0 -p udp \
-s 229.53.4.129 --sport 67 \
-d $IP_INET --dport 1024:65535 -j ACCEPT

# Allow access to remote webservers PORT 80.
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o eth0 -p tcp \
-s $IP_INET --sport 1024:65535 \
--dport 80 -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p tcp \
-s $IP_INET --sport 1024:65535 \
--dport 80 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp ! --syn \
--sport 80 \
-d $IP_INET --dport 1024:65535 -j ACCEPT

# Attempt to connect to HHTPS connections.
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o eth0 -p tcp \
-m state --state NEW --dport 443 \
--sport 1024:65535 \
-j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p tcp \
-s $IP_INET --sport 1024:65535 \
--dport 443 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp \
--sport 443 \
-d $IP_INET --dport 1024:65535 -j ACCEPT

# Fragmented ICMP Messages.
iptables -A INPUT -i eth0 --fragment -p icmp -j LOG \
--log-prefix "Fragmented ICMP: "
iptables -A INPUT -i eth0 --fragment -p icmp -j DROP \

# Source Quench Control
iptables -A INPUT -i eth0 -p icmp \
--icmp-type source-quench -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type source-quench -j ACCEPT

# Parameter Problem Status.
iptables -A INPUT -i eth0 -p icmp \
--icmp-type parameter-problem -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type parameter-problem -j ACCEPT

# Destination Unreachable Error.
iptables -A INPUT -i eth0 -p icmp \
--icmp-type destination-unreachable -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type destination-unreachable -j DROP

# Time Exceeded Status
iptables -A INPUT -i eth0 -p icmp \
--icmp-type time-exceeded -d $IP_INET -j ACCEPT

# Allow Outgoing pings to remote hosts
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type echo-request \
-m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type echo-request -j ACCEPT

# Incoming ping from Remote Hosts.
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A INPUT -i eth0 -p icmp \
-s 222.54.1.231 --icmp-type echo-request -d $IP_INET \
-m state --state NEW -j ACCEPT
fi

iptables -A INPUT -i eth0 -p icmp \
-s 229.53.1.231 --icmp-type echo-request -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type echo-reply -d 222.54.1.231 -j ACCEPT

# Fowarding is allowed in the direction
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT

# Enables Packet Forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

Thread: Firewall Machine not connecting to port443

Thread Tools

Display

Threaded View

Firewall Machine not connecting to port443

Posting Permissions