Port Forwarding OpenVZ

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.

PanDoreS
OpenVpn Newbie
Posts: 8
Joined: Fri Apr 25, 2014 11:34 am

Port Forwarding OpenVZ

Post by PanDoreS » Mon Nov 10, 2014 6:50 pm

Hi,

I've been trying for the past 3 hours to forward the 443 port from my client to the 20443 port on my server (CentOS 7 on OpenVZ), so I can access it on https://myserver:20443.
I have OpenVPN Access installed and this is the client config on it: [image]

I use this script to forward.
$1 = Client port (here 443)
$2 = Outside port (here 20443)
172.28.224.30 = Private client (fixed ip)

```bash
#!/bin/bash
# $1 = client port (here 443), $2 = outside port (here 20443)
# 172.28.224.30 = private client (fixed IP); EXTERNAL_IP = the VPS public address
iptables -A FORWARD -i eth0 -p tcp --dport "$2" -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport "$2" -j DNAT --to-destination 172.28.224.30:"$1" #command
iptables -A FORWARD -i tun0 -p tcp --dport "$1" -j ACCEPT
iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport "$1" -j DNAT --to-destination 172.28.224.30:"$1" #command
iptables -t nat -A PREROUTING -p tcp -d EXTERNAL_IP --dport "$2" -j DNAT --to-destination 172.28.224.30:"$1"
iptables -A FORWARD -p tcp -d 172.28.224.30 --dport "$1" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d 172.28.224.30 --dport "$2" -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d EXTERNAL_IP --dport "$2" -j DNAT --to-destination 172.28.224.30:"$1"
```
And when I do "curl 172.28.224.30:443" over SSH, I get the result.

When I try to access it, I get an ERR_CONNECTION_TIMED_OUT (not a CONNECTION_REFUSED). So I think port 20443 is accepted, but doesn't redirect to 172.28.224.30:443 :/

Is there something I'm doing wrong?

Thanks in advance !

driver27
OpenVpn Newbie
Posts: 13
Joined: Mon Nov 10, 2014 9:26 am

Re: Port Forwarding OpenVZ

Post by driver27 » Tue Nov 11, 2014 1:42 pm

Could you post the 'Chain net2loc' and the 'Chain net_frwd' sections of the output of an 'iptables -L' command?

PanDoreS
OpenVpn Newbie
Posts: 8
Joined: Fri Apr 25, 2014 11:34 am

Re: Port Forwarding OpenVZ

Post by PanDoreS » Tue Nov 11, 2014 1:50 pm

Woops! Sure :) I didn't find net2loc or net2frwd, so here is the complete output of "iptables -L": http://pastebin.com/TkE61sqP ;)
Thanks for your help :)

driver27
OpenVpn Newbie
Posts: 13
Joined: Mon Nov 10, 2014 9:26 am

Re: Port Forwarding OpenVZ

Post by driver27 » Tue Nov 11, 2014 3:45 pm

I'm having a bit of difficulty following you here. Your VPN client is at 172.28.224.30 and you want to access https on it via a redirected port or is it the other way around?

There are a bunch of duplicates in your results:

```
Chain FORWARD (policy ACCEPT)
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:20443
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             172.28.224.30        tcp dpt:20443 state NEW,RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             172.28.224.30        tcp dpt:https
```
Which I think means you are allowing both ports to the target rather than just the one it is listening on.
Likewise your script:
I think you need one forwarding rule to accept port 20443 on the one interface (ext) then the prerouting command to forward from that interface or address to the host.

```bash
iptables -A FORWARD -i tun0 -p tcp --dport 20443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d <ext-address> --dport 20443 -j DNAT --to-destination <your-server>:443
```
As I say I am having trouble seeing which way around you want this to work.

PanDoreS
OpenVpn Newbie
Posts: 8
Joined: Fri Apr 25, 2014 11:34 am

Re: Port Forwarding OpenVZ

Post by PanDoreS » Tue Nov 11, 2014 4:44 pm

Hi,
Thanks again for your help :)
Ok so I understand it's not very clear ^^ I made a schema ;) :
[image]
I hope it'll clarify my problem :P
And when I'm connecting via SSH on my VPS and I do a "curl -k https://172.28.224.30", I've got my webpage result :/ But the forwarding doesn't work.

I tested your solution and it didn't work :/ I also replaced tun0 by as0t0 (the OpenVPN interface on my server).
Here's my ifconfig :

```
as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.27.224.1  netmask 255.255.248.0  destination 172.27.224.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 16436
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 82  bytes 6832 (6.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 82  bytes 6832 (6.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

venet0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP>  mtu 1500
        inet 127.0.0.1  netmask 255.255.255.255  broadcast 0.0.0.0  destination 127.0.0.1
        inet6 2001:41d0:51:1::825  prefixlen 56  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)
        RX packets 2900  bytes 206056 (201.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2637  bytes 364050 (355.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

venet0:0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP>  mtu 1500
        inet EXTERNAL_IP  netmask 255.255.224.0  broadcast EXTERNAL_BROADCAST destination EXTERNAL_IP
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)
```
Thank you :)

driver27
OpenVpn Newbie
Posts: 13
Joined: Mon Nov 10, 2014 9:26 am

Re: Port Forwarding OpenVZ

Post by driver27 » Wed Nov 12, 2014 4:40 pm

I'm still confused. In your illustration, the lower example is where forwarding would be used but in the upper one, when you are connected via the VPN your client will appear to have an address on the local network and so forwarding will not be necessary, you just enter the local address and port which you say works. To test forwarding you would need to connect to your VPS from the internet without connecting the VPN, then the iptables chains on the VPS should listen on 20443 and forward to the internal address with port 443.

PanDoreS
OpenVpn Newbie
Posts: 8
Joined: Fri Apr 25, 2014 11:34 am

Re: Port Forwarding OpenVZ

Post by PanDoreS » Wed Nov 12, 2014 7:17 pm

Oh sorry yeah! I want to connect to my home server without the VPN ;), directly from the external IP like https://EXTERNAL_VPS_IP:20443 :)

PanDoreS
OpenVpn Newbie
Posts: 8
Joined: Fri Apr 25, 2014 11:34 am

Re: Port Forwarding OpenVZ

Post by PanDoreS » Wed Nov 12, 2014 8:01 pm

Sorry for the double post, I can't edit my last one :/
Ok, so I wrote this in /etc/sysconfig/iptables: http://puu.sh/cO448/ffac1403dc.png
But I'm still getting "CONNECTION_REFUSED".
But when I'm using this script: http://puu.sh/cO4dQ/db2fb9b1af.png, I'm getting a "CONNECTION_TIMEOUT".
Ok, so I applied this script rule by rule (I, of course, removed all the same rules from /etc/sysconfig/iptables and my script).
And when I applied this specific rule, the connection to https://EXTERNAL_VPS_IP:20443 went from "REFUSED" to "TIMEOUT":

```bash
iptables -t nat -A PREROUTING -i venet0 -p tcp -m tcp --dport 20443 -j DNAT --to-destination 172.28.224.30:443
```
Maybe it can help to find a solution.

Thank you a lot for your support :D !

driver27
OpenVpn Newbie
Posts: 13
Joined: Mon Nov 10, 2014 9:26 am

Re: Port Forwarding OpenVZ

Post by driver27 » Thu Nov 13, 2014 8:46 am

PanDoreS wrote: Oh sorry yeah! I want to connect to my home server without the VPN ;), directly from the external IP like https://EXTERNAL_VPS_IP:20443 :)
So not really an openvpn support issue then? :-)

Are you actually running the VPN server when you do these tests? Is the target server behind it? Before, you mentioned setting your forward rule for the VPN server port, which, unless the host is on that subnet, would not work.

From the ifconfig data, you should have an accept rule for port 20443 on venet0:0 and a forward rule to as0t0 to port 443.
BUT the server you are trying to hit is 172.28.224.30 and yet your as0t0 port lies in a different subnet, 172.27.224.0/20, so that forward rule isn't gonna work.

Show an ifconfig both with and without openvpn running, explain what dev 172.28.224.0/? is configured on, and if it is behind the vpn send a vpn server.conf etc.

driver27
OpenVpn Newbie
Posts: 13
Joined: Mon Nov 10, 2014 9:26 am

Re: Port Forwarding OpenVZ

Post by driver27 » Thu Nov 13, 2014 10:12 am

Correction: 172.27.224.0/21
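As an added example (not code from the thread or from OpenVPN), the script below first applies driver27's subnet check, whether the DNAT target 172.28.224.30 actually lies inside the 172.27.224.0/21 that as0t0 serves, and only then prints a minimal ruleset for internet -> venet0:20443 -> 172.28.224.30:443. Interface names, ports and addresses are assumptions taken from the thread; it goes one step beyond the thread by adding a POSTROUTING MASQUERADE rule, which is what keeps the client's replies inside the tunnel when the client does not default-route over the VPN (an asymmetric return path is one common cause of the "TIMEOUT" rather than "REFUSED" symptom).

```shell
#!/bin/sh
# Added example, not from the thread: check that the DNAT target sits inside the
# subnet on the VPN interface (driver27's objection: 172.28.224.30 is not in
# 172.27.224.0/21), then print a minimal DNAT ruleset. Interface names, ports and
# addresses are assumptions taken from the thread.

# ip_to_int DOTTED_QUAD -> unsigned 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NETWORK PREFIX -> succeeds if IP lies inside NETWORK/PREFIX
in_subnet() {
    ip=$(ip_to_int "$1"); net=$(ip_to_int "$2")
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# forward_rules EXT_IF VPN_IF EXT_PORT TARGET TARGET_PORT
# Prints (does not apply) the rules for internet -> EXT_IF:EXT_PORT -> TARGET:TARGET_PORT.
# Needs net.ipv4.ip_forward=1 on the VPS. The POSTROUTING MASQUERADE line makes the
# VPN client see the VPS tunnel address as the source, so its replies come back through
# the tunnel even when the client does not default-route over the VPN; without it the
# SYN reaches the client but the SYN-ACK leaves by another path, which looks like a timeout.
forward_rules() {
    ext_if=$1; vpn_if=$2; ext_port=$3; target=$4; tport=$5
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_if" "$ext_port" "$target" "$tport"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$ext_if" "$vpn_if" "$target" "$tport"
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$vpn_if" "$ext_if"
    printf 'iptables -t nat -A POSTROUTING -o %s -p tcp -d %s --dport %s -j MASQUERADE\n' \
        "$vpn_if" "$target" "$tport"
}

# Sanity check with the thread's values before printing anything.
if in_subnet 172.28.224.30 172.27.224.0 21; then
    forward_rules venet0 as0t0 20443 172.28.224.30 443
else
    echo "172.28.224.30 is not inside 172.27.224.0/21: fix the VPN subnet or the target first" >&2
fi
```

With the thread's values the script refuses to print rules, which is the point: no FORWARD or DNAT rule on the VPS can reach a host that is not routed via as0t0.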
