Technical Tip

Adjusting IPtables Rule for Server Health Monitoring

Author Info

12 June 2008 - 10:38am
Submitted by: kadennapper


Kaden Napper

Environment:

  • Identity Server configured for authentication on port 443.
  • Iptables configured with a rule such as:
    "iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443"
    or
    "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <<IPADDRESS>>:8443"

PROBLEM: Identity Server Health reports:

SSL Communication is not operating correctly! URL https://<<IPADDRESS>>:443/nidp/app/ping Error: Connection refused
(Required Action) Check SSL connectivity. Possible expired SSL certificate.

The Identity Server is still functioning.

Solution

The existing iptables rule only handles packets that arrive on a network interface: the nat PREROUTING chain is never consulted for connections that the Identity Server itself initiates, such as the Server Health Monitoring request to https://<<IPADDRESS>>:443/nidp/app/ping. Locally generated packets traverse the nat OUTPUT chain instead, so the same translation has to be added there.

Add the following iptables rule:

"iptables -t nat -A OUTPUT -p tcp -d <<IPADDRESS>> --dport 443 -j DNAT --to <<IPADDRESS>>:8443"

EXAMPLE:

The following is my /etc/init.d/idp_8443_redirect file (modified from Mark van Reijn's original)

#! /bin/sh
#
# /etc/init.d/idp_8443_redirect
#
# All rights reserved.
#
# Author: Mark van Reijn, Novell
#
### BEGIN INIT INFO
# Provides:       idp_8443_redirect
# Required-Start: SuSEfirewall2_setup $network $local_fs
# Required-Stop:
# Default-Start:  2 3 5
# Default-Stop:   0 1 6
# Description:    Redirect port 443 to 8443 for the Novell IdP
### END INIT INFO

# Environment-specific variables.
IPT_BIN=/usr/sbin/iptables
IDP_IP=10.5.0.31

. /etc/rc.status

# First reset status of this service
rc_reset

case "$1" in
  start)
    echo -n "Starting IP Port redirection"
    # Note: this flushes every rule in the nat table, not only the two below.
    $IPT_BIN -t nat --flush

    # Inbound connections arriving on eth0 for port 443 go to the IdP on 8443.
    $IPT_BIN -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to $IDP_IP:8443
    # Locally generated connections (e.g. Server Health Monitoring) never pass
    # through PREROUTING, so the same translation is needed in the OUTPUT chain.
    $IPT_BIN -t nat -A OUTPUT -p tcp -d $IDP_IP --dport 443 -j DNAT --to $IDP_IP:8443

    rc_status -v
    ;;
  stop)
    echo -n "Flushing all IP Port redirection rules"
    $IPT_BIN -t nat --flush
    rc_status -v
    ;;
  restart)
    $0 stop
    $0 start
    rc_status
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
rc_exit
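The following check script is an added example, not part of the original tip or of Novell's scripts. It reads an `iptables -t nat -S` listing and reports whether only the PREROUTING rule is present (the state that produces the "Connection refused" health report while external clients still work) or whether the OUTPUT rule from the solution is in place too. The sample listings and the 10.5.0.31 address are constructed to match the script above.

```shell
#!/bin/sh
# Added example: diagnose the health-check failure from a nat table listing.
IDP_IP="${IDP_IP:-10.5.0.31}"   # assumed address, same as the init script above

# has_nat_rule CHAIN LISTING: succeed if LISTING holds a rule in CHAIN that
# takes tcp dport 443 to port 8443, either by DNAT or by REDIRECT.
has_nat_rule() {
    chain="$1"; listing="$2"
    printf '%s\n' "$listing" \
      | grep -E -- "^-A $chain .*-p tcp .*--dport 443 .*(--to-destination [0-9.]+:8443|--to-ports 8443)" \
      >/dev/null
}

# check_redirect LISTING: print a diagnosis; return 0 when both rules exist,
# 1 when the external (PREROUTING) rule is missing, 2 when only the local
# (OUTPUT) rule is missing, which is exactly the case this tip fixes.
check_redirect() {
    listing="$1"
    if ! has_nat_rule PREROUTING "$listing"; then
        echo "PREROUTING redirect missing: external clients cannot reach port 443"
        return 1
    fi
    if ! has_nat_rule OUTPUT "$listing"; then
        echo "OUTPUT redirect missing: local health check to ${IDP_IP}:443 is refused"
        return 2
    fi
    echo "both redirect rules present"
    return 0
}

# Constructed sample in `iptables -t nat -S` format: PREROUTING rule only.
SAMPLE_BEFORE='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.5.0.31:8443'

# Same host after the OUTPUT rule from the solution has been added.
SAMPLE_AFTER="$SAMPLE_BEFORE
-A OUTPUT -d 10.5.0.31/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.5.0.31:8443"

# On a live host run:  check_redirect "$(iptables -t nat -S)"
for listing in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    check_redirect "$listing" || :
done
```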

© 2008 Novell, Inc. All Rights Reserved.