
[ale] iptables ruleset blocks external traffic... OUTPUT policy is ACCEPT



The problem you will run into here is that the web browser does not know it
needs to use TLS, so it will try to send a plain HTTP request, and apache
will return the Bad Request, since *it* is expecting to receive HTTPS.


Brian Mathis
@orev


On Fri, May 16, 2014 at 4:36 PM, Adrya Stembridge <
adrya.stembridge at gmail.com> wrote:

> Quick follow-up.   Is there a way in iptables to redirect traffic from
> non-ssl to ssl (such as 80 to 443)?  I'm already handling this with Apache,
> but wondered if I could safely cut off all non-encrypted traffic this way,
> or if this even makes sense.
>
> I'm getting Bad Request after adding
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 443
> and accessing content over http.
>
>
> On Fri, May 16, 2014 at 3:00 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>
>> yep! blocking the gateway will do that as well :-)
>>
>> Glad it's working.
>>
>>
>> On Fri, May 16, 2014 at 2:51 PM, Adrya Stembridge <
>> adrya.stembridge at gmail.com> wrote:
>>
>>> Got it sorted out and feel like a total newb for not seeing this
>>> earlier.   I only obtain content from a single external machine. Once I
>>> added that machine's IP to the INPUT ruleset, my system is able to
>>> reach/retrieve info as before.
>>>
>>> Thanks for the help.
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>>
>>
>>
>> --
>> James P. Kinney III
>>
>> *Every time you stop a school, you will have to build a jail. What you
>> gain at one end you lose at the other. It's like feeding a dog on his own
>> tail. It won't fatten the dog. - Speech 11/23/1900 Mark Twain*
>> http://heretothereideas.blogspot.com/
>>
>
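The mismatch described in the reply at the top of this message, as an added example that is not part of the original thread: a packet-level REDIRECT hands the browser's plain HTTP bytes to the TLS listener unchanged, while a listener left on port 80 can answer at the HTTP layer and tell the browser to switch to https. The function names, the ALLOWED_HOSTS set and the sample bytes are assumptions made for the illustration.

```python
# Added example: what each listener sees on the first bytes of a connection.
ALLOWED_HOSTS = {"www.example.org"}  # constructed; names this server redirects for

def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends on a new TCP connection."""
    # A TLS handshake record starts with content type 0x16 and major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    method = data.split(b" ", 1)[0]
    if method in {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}:
        return "plain-http"
    return "unknown"

def https_listener_reply(data: bytes) -> str:
    """Port 443 behind the REDIRECT rule: plain HTTP cannot start a handshake."""
    if classify_first_bytes(data) == "tls-handshake":
        return "handshake"
    return "400 Bad Request"

def http_listener_reply(data: bytes) -> bytes:
    """Port 80 left reachable: answer with an HTTP redirect to the https URL."""
    bad = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[1].startswith("/"):
        return bad
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    # Redirect only for known names so a forged Host cannot steer the Location.
    if host not in ALLOWED_HOSTS:
        return bad
    location = "https://" + host + parts[1]
    return ("HTTP/1.1 301 Moved Permanently\r\nLocation: " + location +
            "\r\nContent-Length: 0\r\nConnection: close\r\n\r\n").encode("latin-1")

# Constructed sample inputs: a browser request and the start of a ClientHello.
PLAIN = b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    print(https_listener_reply(PLAIN))
    print(http_listener_reply(PLAIN).decode("latin-1").splitlines()[:2])
```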