[sslh] IPTables configuration

Yves Rutschle yves at naryves.com
Tue Aug 6 23:16:58 CEST 2013


On Tue, Aug 06, 2013 at 10:52:39AM -0700, Eamon Doyle wrote:
> Hi all.  I'm running sslh listening on port 443 with https listening on 444
> and ssh on 22.  I have iptables set up to block everything but 22, 80, and
> 443.  When I start iptables, I can ssh through port 443 as expected but I
> can no longer access my HTTPS on port 443 unless I unblock port 444, at
> which point sslh successfully forwards the traffic.

It's important to realise that the machine's IP address
(e.g. 192.168.0.1) and the machine's loopback address
(127.0.0.1) are two totally distinct network interfaces.

My guess: you have sslh forwarding to 192.168.0.1:444. If
you don't unblock 444, it's, well, blocked. You should see
logs of sslh trying to forward to 444 and failing.
 
> Does anyone know what I need to do to IPtables to not have port 444 exposed
> externally but allow sslh to forward the traffic correctly?

- Set iptables to reject traffic to 444 coming from outside
  but accept it coming from inside: I have no idea how to do
  that.

- More simply: set httpd to listen to localhost:444 instead
  of 444 (which typically binds to all IP addresses, i.e.
  192.168.0.1 AND 127.0.0.1),  and sslh to forward to
  localhost:444, which I *think* doesn't go through
  iptable's INPUT table.

> As a followup, why does this behavior occur?  I may not
> understand exactly how sslh is forwarding the traffic.

If my suggestions work, then my explanation hopefully
clarifies the behaviour. If my suggestions don't work, my
explanations are still valid, but we'll need to investigate
the behaviour more thoroughly :-)

Cheers,
Y.
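The two suggestions above, worked through as a shell script. This is an added example and not code from the sslh project or from either poster. It assumes the layout described in the thread (sslh on 443, httpd on 444, ssh on 22) and, additionally, that httpd is told to bind only to loopback (Apache-style `Listen 127.0.0.1:444`) and that sslh is started with `--listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:444`. One caveat to Yves's "I think": packets sslh sends to 127.0.0.1 do traverse the INPUT chain, arriving on interface `lo`, which is why the ruleset accepts everything on `lo` before rejecting 444 for anyone else. The `ss -ltn` sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the sslh project or the original posters).
# Assumed setup: httpd has "Listen 127.0.0.1:444"; sslh runs as
#   sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:444

# Emit an iptables-restore ruleset for the first suggestion:
# loopback is accepted wholesale (that is the path sslh's forward to
# 127.0.0.1:444 takes), 444 is rejected from any other interface, and
# only 22/80/443 are reachable from outside.  Load with:
#   gen_rules | iptables-restore
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp --dport 444 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Check for the second suggestion: read `ss -ltn` output on stdin and
# return 0 only if every listener on port $1 is bound to loopback
# (127.0.0.1 or [::1]).  Returns 1 if the port is bound to a wildcard
# (0.0.0.0, *, [::]) or to a specific external address, or not at all.
loopback_only() {
    awk -v port="$1" '
        NR > 1 {
            # Column 4 is "Local Address:Port"; split off the port.
            addr = $4; sub(/:[0-9]+$/, "", addr)
            p = $4;    sub(/^.*:/,    "", p)
            if (p != port) next
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { exit (found && !bad) ? 0 : 1 }'
}

# Constructed samples of `ss -ltn` output for the two situations in the
# thread: httpd bound to all addresses (what Eamon had) and httpd bound
# to loopback only (what Yves proposes).
SAMPLE_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:444       0.0.0.0:*
LISTEN 0      128    0.0.0.0:443       0.0.0.0:*'
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:444     0.0.0.0:*
LISTEN 0      128    0.0.0.0:443       0.0.0.0:*'

# Classify both samples; on a live box replace the printf with `ss -ltn`.
for sample in "$SAMPLE_WILDCARD" "$SAMPLE_LOOPBACK"; do
    if printf '%s\n' "$sample" | loopback_only 444; then
        echo "port 444: loopback only, nothing to expose externally"
    else
        echo "port 444: bound beyond loopback, reject it from non-lo (see gen_rules)"
    fi
done
gen_rules
```

Either measure is sufficient on its own; doing both means a later httpd config change that silently re-binds 444 to all addresses is still caught by the firewall.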
