Results 1 to 2 of 2

Thread: Firewall Machine not connecting to port443

  1. #1

    Firewall Machine not connecting to port443

    Hii,
    I am stuck, I think i have tryed every combo but cant get my "FIREWALL" computer to connect to REMOTE SERVERS 443 Port (HTTPS). The windows machines on my LAN have no problem connecting to HTTPS websites...Can you give me an idea why i cant connect from the firewall machine itself...Is the rules for port 443 wrong...Any help? or something i can try? Here are my rules:
    RedHat 7.2
    Kernel 2.4.19
    Iptables 1.2.7a

    #!/bin/bash

    # Enable broadcast echo protection
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Disable source routed packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
    done

    # Enable syn cookie protection.
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    # Disable ICMP Redirect Acceptence
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
    done

    # Drop spoofed packets comeing in on an interface, ehich if replied
    # to,would result the reply going out another interface.
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
    done

    # Dont't send Redirect Messages
    for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
    done

    # Log packets with impossiable addreses.
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
    done

    # This will also update my ipaddress.
    IP_INET=`/sbin/ifconfig eth0 | grep inet | cut -d: -f2 | cut -d\ -f1`

    # Remove any existing rules from all chains.
    iptables --flush
    iptables -t nat --flush
    iptables -t mangle --flush

    # Unlimited access on the loopback interface.
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Set the default policy to drop.
    iptables --policy INPUT DROP
    iptables --policy FORWARD DROP
    iptables --policy OUTPUT DROP

    iptables -t nat --policy PREROUTING ACCEPT
    iptables -t nat --policy OUTPUT ACCEPT
    iptables -t nat --policy POSTROUTING ACCEPT

    iptables -t mangle --policy PREROUTING ACCEPT
    iptables -t mangle --policy OUTPUT ACCEPT

    # All of the bits are cleared
    #iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    #iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
    #iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG
    # SYN and FIN are both set
    #iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    #iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    #iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG
    # SYN and RST are both set.
    #iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    #iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    #iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG
    # FIN and RST are both set
    #iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j REJECT
    #iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    #iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG
    # FIN is the only bit set, without the expected accompanyuing ACK
    #iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
    #iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j REJECT
    #iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG
    # PSH is the only bit set, without the expected accompaying ACK
    #iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
    #iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j REJECT
    #iptables -I INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG
    # URG is the only bit set, without the expected accompayning ACK
    #iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
    #iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
    #iptables -I INPUT -p tcp --tcp-flags ACK,URG URG -j LOG

    # Allow stateful connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Drop Invalid connection
    iptables -A INPUT -m state --state INVALID -j LOG \
    --log-prefix "Invalid input: "
    iptables -A INPUT -m state --state INVALID -j DROP

    iptables -A OUTPUT -m state --state INVALID -j LOG \
    --log-prefix "Invalid output: "
    iptables -A OUTPUT -m state --state INVALID -j DROP

    iptables -A FORWARD -m state --state INVALID -j LOG \
    --log-prefix "Invalid forward: "
    iptables -A FORWARD -m state --state INVALID -j DROP

    # Dropped packets that pretend to be coming in from PRIVATE ADDRESSes.
    iptables -A INPUT -i eth0 -s 10.0.0.1/8 -j DROP
    iptables -A FORWARD -i eth0 -s 10.0.0.1/8 -j DROP
    iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
    iptables -A FORWARD -i eth0 -s 169.254.0.0/16 -j DROP
    iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
    iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
    iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
    iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -j DROP
    # iptables -A INPUT -i eth0 -s 127.0.0.1/8 -j DROP
    iptables -A FORWARD -i eth0 -s 127.0.0.1/8 -j DROP

    # Allow Access for DNS UDP for my ISP DNS server.
    if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p udp \
    -s $IP_INET --sport 1024:65535 \
    -d 229.53.4.130 --dport 53 \
    -m state --state NEW -j ACCEPT
    fi

    iptables -A OUTPUT -o eth0 -p udp \
    -s $IP_INET --sport 1024:65535 \
    -d 229.53.4.130 --dport 53 -j ACCEPT


    if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p udp \
    -s $IP_INET --sport 1024:65535 \
    -d 229.53.4.150 --dport 53 \
    -m state --state NEW -j ACCEPT
    fi

    iptables -A OUTPUT -o eth0 -p udp \
    -s $IP_INET --sport 1024:65535 \
    -d 229.53.4.150 --dport 53 -j ACCEPT

    # Allow access for my ISP DHCP server.
    if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p udp \
    -s $IP_NET --sport 1024:65535 \
    -d 229.53.4.129 --dport 67 \
    -m state --state NEW -j ACCEPT
    fi

    iptables -A OUTPUT -o eth0 -p udp \
    -s $IP_INET --sport 1024:65535 \
    -d 229.53.4.129 --dport 67 -j ACCEPT

    iptables -A INPUT -i eth0 -p udp \
    -s 229.53.4.129 --sport 67 \
    -d $IP_INET --dport 1024:65535 -j ACCEPT

    # Allow access to remote webservers PORT 80.
    if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p tcp \
    -s $IP_INET --sport 1024:65535 \
    --dport 80 -m state --state NEW -j ACCEPT
    fi

    iptables -A OUTPUT -o eth0 -p tcp \
    -s $IP_INET --sport 1024:65535 \
    --dport 80 -j ACCEPT

    iptables -A INPUT -i eth0 -p tcp ! --syn \
    --sport 80 \
    -d $IP_INET --dport 1024:65535 -j ACCEPT

    # Attempt to connect to HHTPS connections.
    if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p tcp \
    -m state --state NEW --dport 443 \
    --sport 1024:65535 \
    -j ACCEPT
    fi

    iptables -A OUTPUT -o eth0 -p tcp \
    -s $IP_INET --sport 1024:65535 \
    --dport 443 -j ACCEPT

    iptables -A INPUT -i eth0 -p tcp \
    --sport 443 \
    -d $IP_INET --dport 1024:65535 -j ACCEPT

    # Fragmented ICMP Messages.
    iptables -A INPUT -i eth0 --fragment -p icmp -j LOG \
    --log-prefix "Fragmented ICMP: "
    iptables -A INPUT -i eth0 --fragment -p icmp -j DROP \

    # Source Quench Control
    iptables -A INPUT -i eth0 -p icmp \
    --icmp-type source-quench -d $IP_INET -j ACCEPT
    iptables -A OUTPUT -o eth0 -p icmp \
    -s $IP_INET --icmp-type source-quench -j ACCEPT

    # Parameter Problem Status.
    iptables -A INPUT -i eth0 -p icmp \
    --icmp-type parameter-problem -d $IP_INET -j ACCEPT
    iptables -A OUTPUT -o eth0 -p icmp \
    -s $IP_INET --icmp-type parameter-problem -j ACCEPT

    # Destination Unreachable Error.
    iptables -A INPUT -i eth0 -p icmp \
    --icmp-type destination-unreachable -d $IP_INET -j ACCEPT
    iptables -A OUTPUT -o eth0 -p icmp \
    -s $IP_INET --icmp-type fragmentation-needed -j ACCEPT
    iptables -A OUTPUT -o eth0 -p icmp \
    -s $IP_INET --icmp-type destination-unreachable -j DROP

    # Time Exceeded Status
    iptables -A INPUT -i eth0 -p icmp \
    --icmp-type time-exceeded -d $IP_INET -j ACCEPT

    # Allow Outgoing pings to remote hosts
    if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p icmp \
    -s $IP_INET --icmp-type echo-request \
    -m state --state NEW -j ACCEPT
    fi

    iptables -A OUTPUT -o eth0 -p icmp \
    -s $IP_INET --icmp-type echo-request -j ACCEPT

    # Incoming ping from Remote Hosts.
    if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i eth0 -p icmp \
    -s 222.54.1.231 --icmp-type echo-request -d $IP_INET \
    -m state --state NEW -j ACCEPT
    fi

    iptables -A INPUT -i eth0 -p icmp \
    -s 229.53.1.231 --icmp-type echo-request -d $IP_INET -j ACCEPT
    iptables -A OUTPUT -o eth0 -p icmp \
    -s $IP_INET --icmp-type echo-reply -d 222.54.1.231 -j ACCEPT

    # Fowarding is allowed in the direction
    iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT

    # Enables Packet Forwarding
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    echo 1 > /proc/sys/net/ipv4/ip_forward

  2. #2
    Ohh yah and here is all the things i have tryed to find a solution but still can fix it....just soo i dont waste threads posting all over here again

    http://www.experts-exchange.com/Secu..._20391217.html

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •