Home / server / Questions / 442708
Accepted
Dylan Beattie
Asked: 2012-10-27 06:33:08 +0800 CST

Can I use iptables on my Varnish server to forward HTTPS traffic to a specific server?

  • 772

We use Varnish as our front-end web cache and load balancer, so we have a Linux server in our development environment, running Varnish with some basic caching and load-balancing rules across a pair of Windows 2008 IIS web servers.

We have a wildcard DNS rule that points *.development at this Varnish box, so we can browse http://www.mysite.com.development, http://www.othersite.com.development, etc. The problem is that since Varnish can't handle HTTPS traffic, we can't access https://www.mysite.com.development/

For dev/testing, we don't need any acceleration or load-balancing - all I need is to tell this box to act as a dumb proxy and forward any incoming requests on port 443 to a specific IIS server. I suspect iptables may offer a solution but it's been a long while since I wrote an iptables rule. Some initial hacking has got me as far as

iptables -F
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 10.0.0.241:443
iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.241 --dport 443 -j MASQUERADE
iptables -A INPUT -j LOG --log-level 4 --log-prefix 'PreRouting '
iptables -A OUTPUT -j LOG --log-level 4 --log-prefix 'PostRouting '
iptables-save > /etc/iptables.rules

(where 10.0.0.241 is the IIS box hosting the HTTPS website), but this doesn't appear to be working.

To clarify - I realize there's security implications about HTTPS proxying/caching - all I'm looking for is completely transparent IP traffic forwarding. I don't need to decrypt, cache or inspect any of the packets; I just want anything on port 443 to flow through the Linux box to the IIS box behind it as though the Linux box wasn't even there.

Any help gratefully received...

EDIT: Included full iptables config script.

iis

2 Answers

  1. Best Answer

    Here's what you should do to redirect the traffic from one host to another one in a specific port, please note that EVERY request for port 443 will be redirect to the host you are pointing on iptables:

    1) Open port 443 to traffic:

    iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

    2) Add specific rules to redirect incoming and outcoming data

    iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to ip.listenig.to:443
iptables -t nat -A POSTROUTING -p tcp -d ip.listening.to --dport 443 -j MASQUERADE

    3) Alternatively you can redirect the traffic that is coming from a specific host like:

     iptables -t nat -A PREROUTING -s ip._not_.listening -p tcp --dport 443 -j DNAT --to-destination ip.listening.to:443

    (This step is specially useful in case you want to handle port 443 in other client under your network)

    4) Inform the kernel that you will accept ip forwarding

    edit file /etc/sysctl.conf (or the one that suits your distro) and append (or change)

    net.ipv4.ip_forward=1

    and then issue the command

    sysctl -p /etc/sysctl.conf (or the file that suits your distro)

    I hope it helped

    • 3

  2. Ok, here's the full solution - this is on 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

    First, I had to enable ip4 port forwarding by editing /etc/sysctl.conf and uncommenting the line:

    net.ipv4.ip_forward=1

    Then I had to run /sbin/sysctl -p to make this change take effect.

    Next to configure (and capture) the iptables rules script:

    # flush any existing rules 
iptables -F
# Configure iptables to allow incoming traffic on port 443
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
# Configure iptables to allow outgoing traffic on port 443
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Configure iptables to NAT incoming 443 traffic to 10.0.0.241:443
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 10.0.0.241:443
# Configure iptables to route responses from these requests back to the original requester
iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.241 --dport 443 -j MASQUERADE
# Dump the ruleset and save it into the file /etc/iptables.rules
iptables-save > /etc/iptables.rules

    Finally, to make the change persist across reboots, I had to edit /etc/network/interfaces:

    # This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 10.0.0.240
    netmask 255.255.255.0
    network 10.0.0.0
    broadcast 10.0.0.255
    gateway 10.0.0.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 192.168.0.11
    dns-search spotmain.com

    # The next line was added to enable iptables rules on system restart
    pre-up iptables-restore < /etc/iptables.rules
    • 3