[ale] iptables ruleset blocks external traffic... OUTPUT policy is ACCEPT

Brian Mathis brian.mathis+ale at betteradmin.com
Fri May 16 17:09:38 EDT 2014


The problem you will run into here is that the web browser does not know it
needs to use TLS, so it will try to send a plain HTTP request, and Apache
will return the Bad Request, since *it* is expecting to receive HTTPS.


❧ Brian Mathis
@orev


On Fri, May 16, 2014 at 4:36 PM, Adrya Stembridge <
adrya.stembridge at gmail.com> wrote:

> Quick follow-up.   Is there a way in iptables to redirect traffic from
> non-ssl to ssl (such as 80 to 443)?  I'm already handling this with Apache,
> but wondered if I could safely cut off all non-encrypted traffic this way,
> or if this even makes sense.
>
> I'm getting Bad Request after adding
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 443
> and accessing content over http.
>
>
> On Fri, May 16, 2014 at 3:00 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>
>> yep! blocking the gateway will do that as well :-)
>>
>> Glad it's working.
>>
>>
>> On Fri, May 16, 2014 at 2:51 PM, Adrya Stembridge <
>> adrya.stembridge at gmail.com> wrote:
>>
>>> Got it sorted out and feel like a total newb for not seeing this
>>> earlier.   I only obtain content from a single external machine. Once I
>>> added that machine's IP to the INPUT ruleset, my system is able to
>>> reach/retrieve info as before.
>>>
>>> Thanks for the help.
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>>
>>
>>
>> --
>> James P. Kinney III
>>
>> *Every time you stop a school, you will have to build a jail. What you
>> gain at one end you lose at the other. It's like feeding a dog on his own
>> tail. It won't fatten the dog. - Speech 11/23/1900 Mark Twain*
>> http://heretothereideas.blogspot.com/
>>
>
>
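
Added example, not part of the original thread: a sketch of why the port-level REDIRECT yields Bad Request (the TLS listener receives plain HTTP bytes) and of the HTTP-level 301 that a port-80 listener has to send instead. All function names, the reaction strings and the sample bytes are constructed for illustration.

```python
# Added illustration; names and sample bytes are constructed, not from the thread.
METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS")
BAD = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

def classify_first_bytes(data: bytes) -> str:
    """Identify the protocol a client opened the connection with."""
    # A TLS record starts with content type 0x16 (handshake), major version 0x03.
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    # A plain HTTP/1.x request starts with an ASCII method token and a space.
    if data.split(b" ", 1)[0] in METHODS:
        return "http"
    return "unknown"

def tls_port_reaction(data: bytes) -> str:
    """What a TLS-only listener (port 443) does with these first bytes."""
    kind = classify_first_bytes(data)
    if kind == "tls":
        return "continue TLS handshake"
    if kind == "http":
        # The case the REDIRECT rule creates: plain HTTP arrives on 443.
        return "400 Bad Request (plain HTTP sent to a TLS port)"
    return "drop connection"

def http_port_redirect(data: bytes) -> bytes:
    """What a plain-HTTP listener (port 80) answers instead: a 301 to https://."""
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    # Require "METHOD /path HTTP/x" with no control characters in the path.
    if len(parts) != 3 or not parts[1].startswith("/") or any(
            ord(c) < 0x21 or ord(c) == 0x7F for c in parts[1]):
        return BAD
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().split(":")[0]  # drop a ":80" suffix
    # Reject a missing Host or one that could smuggle a path or header.
    if not host or not all(c.isascii() and (c.isalnum() or c in ".-") for c in host):
        return BAD
    head = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://" + host + parts[1]
    return (head + "\r\nContent-Length: 0\r\nConnection: close\r\n\r\n").encode("latin-1")

# Constructed sample inputs.
PLAIN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
CLIENT_HELLO_PREFIX = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01])
```

The redirect works only because the client is told, in HTTP, to reconnect with TLS; rewriting the destination port leaves the client speaking the same plaintext protocol.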

