Iptables – use iptables on the Varnish server to forward HTTPS traffic to a specific server

httpsiisiptablestransparent-proxyvarnish

We use Varnish as our front-end web cache and load balancer, so we have a Linux server in our development environment, running Varnish with some basic caching and load-balancing rules across a pair of Windows 2008 IIS web servers.

We have a wildcard DNS rule that points *.development at this Varnish box, so we can browse http://www.mysite.com.development, http://www.othersite.com.development, etc. The problem is that since Varnish can't handle HTTPS traffic, we can't access https://www.mysite.com.development/

For dev/testing, we don't need any acceleration or load-balancing – all I need is to tell this box to act as a dumb proxy and forward any incoming requests on port 443 to a specific IIS server. I suspect iptables may offer a solution but it's been a long while since I wrote an iptables rule. Some initial hacking has got me as far as

iptables -F
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 10.0.0.241:443
iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.241 --dport 443 -j MASQUERADE
iptables -A INPUT -j LOG --log-level 4 --log-prefix 'PreRouting '
iptables -A OUTPUT -j LOG --log-level 4 --log-prefix 'PostRouting '
iptables-save > /etc/iptables.rules

(where 10.0.0.241 is the IIS box hosting the HTTPS website), but this doesn't appear to be working.

To clarify – I realize there's security implications about HTTPS proxying/caching – all I'm looking for is completely transparent IP traffic forwarding. I don't need to decrypt, cache or inspect any of the packets; I just want anything on port 443 to flow through the Linux box to the IIS box behind it as though the Linux box wasn't even there.

Any help gratefully received…

EDIT: Included full iptables config script.

Best Answer

Here's what you should do to redirect the traffic from one host to another one in a specific port, please note that EVERY request for port 443 will be redirect to the host you are pointing on iptables:

1) Open port 443 to traffic:

iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

2) Add specific rules to redirect incoming and outcoming data

iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to ip.listenig.to:443
iptables -t nat -A POSTROUTING -p tcp -d ip.listening.to --dport 443 -j MASQUERADE

3) Alternatively you can redirect the traffic that is coming from a specific host like:

 iptables -t nat -A PREROUTING -s ip._not_.listening -p tcp --dport 443 -j DNAT --to-destination ip.listening.to:443

(This step is specially useful in case you want to handle port 443 in other client under your network)

4) Inform the kernel that you will accept ip forwarding

edit file /etc/sysctl.conf (or the one that suits your distro) and append (or change)

net.ipv4.ip_forward=1

and then issue the command

sysctl -p /etc/sysctl.conf (or the file that suits your distro)

I hope it helped

Related Solutions

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Iptables – ftp tls firewalled :(

In Passive mode, when the client wants to get a file from the server or send a file to the server, the FTP server will pick a random port and send that port to the FTP client.

When you're not using encryption, a properly configured firewall (using the ip_conntrack_ftp helper kernel module, which may be what you're missing for non-TLS connections) would "listen in" on the connection and mark these connections as RELATED. With encryption the firewall can't listen in.

The quick and dirty solution to this is to configure the FTP server to choose a small range of ports for passive connections, and then allow access to all of these ports. For instance, in vsftpd:

pasv_min_port=12000
pasv_max_port=12049

Then in iptables:

iptables -A INPUT -p tcp -m tcp -i eth0 --dport 12000:12049 -j ACCEPT

Allowing anyone to access these ports opens one possible exploit: if someone were to be scanning them over and over they might get lucky and be able to "beat" the real user to the data port and grab the file. Ideally your FTP server would check and make sure the connection is coming from the same place as the original connection, but thanks to things like "FXP" (transferring files from one server to another server by convincing one to make an active connection to the other's passive data port) some servers don't check the connection by default. You should check your configuration file and see if there is an option to disable FXP, and use it. (vsftpd calls this "promiscuous" and is disabled by default.)

Best Answer

Related Solutions

Linux – iptables port forward forwarding

Iptables – ftp tls firewalled :(

Related Topic