[BlueOnyx:23159] Re: Redirection and forwarding, needing to redirect to a different server to a different port, can this be done easily?

Fungal Style wayin at hotmail.com
Fri Aug 23 21:21:52 -05 2019


Roy,

Thanks for the reply…

I agree, I do not believe DNS can do it (although I know there are some funky things that can be done).

Port 80 would be open on the carrier for outbound traffic, but this particular carrier has blocked unsolicited inbound traffic of specific ports like port 25 and port 80 in the past (to block phishing sites, spam, etc).
Although when I enquired they advised that it was open, although they were not specific and <rant> this is what I hate about technical roles outsourced to developing countries </rant> (ironically I personally know people who work for some of the BPOs who handle contact for this particular carrier, so I am VERY sceptical they really know).

I have reviewed their firewall and to me with enough knowledge to be dangerous, copied the same rules which worked for port 443 and applied them to port 80, changed order and various other ways to place a priority, but to null effect, hence my suspicion for the provider blocking, regardless of their claims.

I am led to believe the service is a “business grade” service, which is more about SLAs than anything else. (It is a fixed wireless connection on the nbn in Australia.)

I did find references to others having the port blocked and others not with the same provider for port 80, however no one ever raised any issues over port 443 or other obscure ports (mainly seen 25 and 80 being reported as blocked).

I have got another reply from Michael which I need to look at closely and test, so I will post here again once I have looked at it also.

But as for iptables, unless I wanted to pass ALL traffic to the external server, from what I am finding/reading it will not do it.

Regards
Brian


From: Roy Urick <rurick at usa.net>
Date: Saturday, 24 August 2019 at 1:09 am
To: Brian Carter <wayin at hotmail.com>
Subject: Re: [BlueOnyx:23157] Redirection and forwarding, needing to redirect to a different server to a different port, can this be done easily?


Pretty sure DNS cannot add a port number to a query response, or even know what port the subsequent traffic is going to use. It just is asked "what is the IP of this host" and the DNS server responds.

I'd guess that if 443 is open, 80 is also open at the carrier level. I don't know of any non business service providers that block inbound 80 that don't also block inbound 443 as well.

My gut says the firewall is misconfigured. You can always call the ISP and ask if they are blocking any inbound ports. In my experience they will all tell you whether they are or not. If it's not business class service they are probably blocking it. But I can't imagine them not blocking both.

On 8/23/2019 10:02 AM, Fungal Style wrote:
Hi all,

Here is the situation, a website is hosted with an on-premise server (I know, stupid idea, but these guys are raised on *stoopid*, as in I bet their parents took a double helping thinking more is better), they have port 80 blocked and port 443 open, so if you access their site via HTTPS, it works fine, but drop the HTTPS and use just HTTP, it fails, as port 80 is blocked.

Simple solution would be to change their firewall right? Well I am not certain the issue is with the firewall but the provider of the link to their server, and the firewall is part of a fairly high end router that you may need some additional training to understand all of the features (I think it is one of the Vanguards from memory, been a little bit since I last looked at the configs).

So here is what I am thinking, having a BO server handle the DNS requests, change the port to port 443 and then forward the traffic to the IP address of their on prem server, but I cannot think of a good way to do this as I am thinking iptables but surely there must be a better (read as “easier”) way to do this that I am just not seeing, as even with iptables I am not sure I would be able to (could be a skills shortage on my side if it is possible).

Anyway, any thoughts or ideas on how to do this are warmly received.

Regards
Brian


