linux
stufa, 2014-08-21 09:12:40

What to do: outgoing port 80 has stopped working in iptables?

Everything was working, then at one point iptables stopped passing outgoing port 80. A lot of rules for various programs have been laid down, so redoing it all from scratch is a whole problem, especially since I wasn't the one who set all this up ...
A transparent proxy is configured through iptables. From the server, without iptables, telnet to port 80 works; with iptables it times out. iptables redirects all requests through the proxy on port 3128; without iptables, the Internet from the client PCs starts working through the proxy; when iptables is turned on, everything is blocked and there is no Internet, although https sites do load.
iptables-save

# 
*mangle
:PREROUTING ACCEPT [14795:4192357]
:INPUT ACCEPT [6797:1406093]
:FORWARD ACCEPT [7775:2710008]
:OUTPUT ACCEPT [8217:1778537]
:POSTROUTING ACCEPT [15997:4489921]
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -p tcp -m tcp --dport 80 -j CONNMARK --set-xmark 0x10/0xffffffff
-A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Thu Aug 21 09:56:23 2014
# Generated by iptables-save v1.4.9.1 on Thu Aug 21 09:56:23 2014
*nat
:PREROUTING ACCEPT [449:127920]
:OUTPUT ACCEPT [271:30719]
:POSTROUTING ACCEPT [273:30823]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 212.98.168.58/32 -d 62.133.173.51/32 -p tcp -m tcp --dport 3391 -j DNAT --to-destination 192.168.0.193:3389
-A PREROUTING -s 212.98.162.58/32 -d 62.133.173.51/32 -p tcp -m tcp --dport 3391 -j DNAT --to-destination 192.168.0.193:3389
-A PREROUTING -s 195.239.152.122/32 -d 62.133.173.51/32 -p tcp -m tcp --dport 3391 -j DNAT --to-destination 192.168.0.193:3389
-A PREROUTING -s 89.207.91.70/32 -d 62.133.173.51/32 -p tcp -m tcp --dport 3391 -j DNAT --to-destination 192.168.0.193:3389
-A PREROUTING -s 212.98.168.58/32 -d 62.133.173.51/32 -p tcp -m tcp --dport 3394 -j DNAT --to-destination 192.168.0.194:3389
-A PREROUTING -s 212.98.162.58/32 -d 62.133.173.51/32 -p tcp -m tcp --dport 3394 -j DNAT --to-destination 192.168.0.194:3389
-A PREROUTING -s 195.239.152.122/32 -d 62.133.173.51/32 -p tcp -m tcp --dport 3394 -j DNAT --to-destination 192.168.0.194:3389
-A PREROUTING -s 89.207.91.70/32 -d 62.133.173.51/32 -p tcp -m tcp --dport 3394 -j DNAT --to-destination 192.168.0.194:3389
-A PREROUTING -d 62.133.173.51/32 -p tcp -m tcp --dport 42022 -j DNAT --to-destination 192.168.0.254:22
-A PREROUTING -d 62.133.173.51/32 -p tcp -m tcp --dport 42253 -j DNAT --to-destination 192.168.0.253:22
-A POSTROUTING -s 192.168.0.0/24 -d 192.168.2.0/24 -j ACCEPT
-A POSTROUTING -s 192.168.0.0/24 -d 192.168.7.0/24 -j ACCEPT
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j SNAT --to-source 62.133.173.51
-A POSTROUTING -d 192.168.0.193/32 -p tcp -m tcp --dport 3389 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j SNAT --to-source 62.133.173.51
-A POSTROUTING -s 10.10.0.0/24 -o ppp0 -j SNAT --to-source 62.133.173.51
COMMIT
# Completed on Thu Aug 21 09:56:23 2014
# Generated by iptables-save v1.4.9.1 on Thu Aug 21 09:56:23 2014
*filter
:INPUT ACCEPT [6797:1406093]
:FORWARD ACCEPT [3896:477240]
:OUTPUT ACCEPT [8213:1778247]
:fail2ban-ASTERISK - [0:0]
-A INPUT -p udp -m multiport --dports 5060 -j fail2ban-ASTERISK
-A INPUT -p udp -m multiport --dports 5060 -j fail2ban-ASTERISK
-A INPUT -p udp -m multiport --dports 5060 -j fail2ban-ASTERISK
-A INPUT -p udp -m multiport --dports 5060 -j fail2ban-ASTERISK
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
-A fail2ban-ASTERISK -s 182.140.241.10/32 -j DROP
-A fail2ban-ASTERISK -s 178.33.63.79/32 -j DROP
-A fail2ban-ASTERISK -s 85.25.109.9/32 -j DROP
-A fail2ban-ASTERISK -s 85.25.108.22/32 -j DROP
-A fail2ban-ASTERISK -s 108.59.12.149/32 -j DROP
-A fail2ban-ASTERISK -s 85.17.26.196/32 -j DROP
-A fail2ban-ASTERISK -j RETURN
-A fail2ban-ASTERISK -j RETURN
-A fail2ban-ASTERISK -j RETURN
-A fail2ban-ASTERISK -j RETURN
COMMIT
# Completed on Thu Aug 21 09:56:23 2014

iptables -L -n -t nat
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       192.168.2.0/24
ACCEPT     all  --  192.168.0.0/24       192.168.7.0/24
SNAT       all  --  192.168.0.0/24       0.0.0.0/0           to:62.133.173.51
SNAT       tcp  --  0.0.0.0/0            192.168.0.193       tcp dpt:3389 to:192.168.0.1
SNAT       all  --  10.8.0.0/24          0.0.0.0/0           to:62.133.173.51
SNAT       all  --  10.10.0.0/24         0.0.0.0/0           to:62.133.173.51

iptables -L -n -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0           CONNMARK restore

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
CONNMARK   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 CONNMARK set 0x10
CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0           CONNMARK restore

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

nmap for some reason passes
nmap -sS -p 80 ya.ru
Starting Nmap 5.21 ( http://nmap.org ) at 2014-08-21 10:07 MSD
Nmap scan report for ya.ru (93.158.134.3)
Host is up (0.022s latency).
Hostname ya.ru resolves to 3 IPs. Only scanned 93.158.134.3
rDNS record for 93.158.134.3: www.yandex.ru
PORT   STATE    SERVICE
80/tcp filtered http

netstat -tulpn

3 answers
ERiC, 2014-08-22
@typ6o0jiehb

Still, could you post the output of ip rule show? And then, right away, ip rst all: you never know which table the traffic is being sent to ...
My assumption is that whoever set this up did iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j CONNMARK --set-xmark 0x10/0xffffffff
This is traffic marking; the question is why mark traffic if it is not then processed in some special way. Maybe there is a rule for it?

Alexey, 2014-08-21
@zlyoha

Check the proxy logs; it probably won't let you go any further.
Maybe a trivial thing, but check that the interface name is exactly eth1, as in

-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
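A small diagnostic covering both suggestions above, ERiC's question of whether anything acts on the 0x10 mark and Alexey's check of the interface name. It is an added shell example, not from the thread; it runs over constructed sample output (the iptables-save excerpt, the `ip rule show` lines with an assumed `proxy` table, and the interface list), so it works offline and needs live output substituted to check a real box.

```shell
# Added diagnostic, not from the thread. All three inputs below are constructed
# samples; on a real box replace them with iptables-save, ip rule show and ip -o link.
RULES='*mangle
-A OUTPUT -p tcp -m tcp --dport 80 -j CONNMARK --set-xmark 0x10/0xffffffff
COMMIT
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j SNAT --to-source 62.133.173.51
COMMIT'
# Constructed `ip rule show`; the table name "proxy" is an assumption.
IP_RULES='0:      from all lookup local
100:    from all fwmark 0x10 lookup proxy
32766:  from all lookup main'
# Constructed interface list; ppp0 is left out on purpose (it exists only while the link is up).
LINKS='lo eth0 eth1'

# marks_set RULES: every mark value written by MARK/CONNMARK --set-mark/--set-xmark.
marks_set() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++)
        if ($i == "--set-xmark" || $i == "--set-mark") { split($(i+1), m, "/"); print m[1] } }' | sort -u
}

# rule_table_for_mark MARK IP_RULES: the table an ip rule sends that fwmark to, or "none".
rule_table_for_mark() {
    printf '%s\n' "$2" | awk -v mark="$1" '{ for (i = 1; i < NF; i++) {
            split($(i+1), m, "/")
            if ($i == "fwmark" && m[1] == mark)
                for (j = i; j < NF; j++) if ($j == "lookup") { print $(j+1); found = 1 } } }
        END { if (!found) print "none" }'
}

# missing_ifaces RULES LINKS: interfaces named by -i/-o that are not in LINKS.
missing_ifaces() {
    printf '%s\n' "$1" | awk -v links="$2" '
        BEGIN { n = split(links, l, " "); for (k = 1; k <= n; k++) have[l[k]] = 1 }
        { for (i = 1; i < NF; i++) if (($i == "-i" || $i == "-o") && !($(i+1) in have)) print $(i+1) }' | sort -u
}

report() {
    for m in $(marks_set "$RULES"); do
        echo "mark $m is set in mangle; ip rule sends it to table: $(rule_table_for_mark "$m" "$IP_RULES")"
    done
    for ifc in $(missing_ifaces "$RULES" "$LINKS"); do
        echo "rules reference interface $ifc, which is not present"
    done
}
report
```

A mark that no `ip rule` acts on is harmless but pointless; a mark that does hit a lookup table explains where port 80 traffic goes when the mangle rule matches.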

Alexey Cheremisin, 2014-08-21
@leahch

A little off topic. Wow, what a wall of rules ... So someone still writes these rules by hand.
I recommend not doing this any more and switching to shorewall or firehol (or equivalents). I use the latter myself, although the product is no longer being developed. Each of them lets you add your own rules, and a bunch of rules come ready out of the box. I have only about 50 lines for 6 subnets with masquerading, DMZ, port forwarding, VPN, policies for which subnet may go where, protection against various kinds of SYN / SYNC and other attacks, logging ...
Firehol and Shorewall are rule generators for iptables and more. Firehol is no longer being developed, but is very easy to use. Shorewall is a powerful tool with an active community and life cycle, a little more complex.
