I need help with the configuration of the following scenario: the web browsing of a small institutional network goes through a proxy server with authentication, configured on a Debian box acting as proxy/firewall (using iptables rules) and connected to a parent proxy. The LAN clients do not make any kind of DNS query to the outside, because all web browsing goes through the proxy and no other kind of access to external services was needed. Now we must access a Jitsi server at the specific IP address xxx.xxx.xxx.xxx. Web access to that Jitsi server is fine, in the sense that the proxy takes care of it, but I have not managed to handle the packets to UDP port 10000 and TCP port 4443 in the iptables rules.
The network scheme is as follows:
LAN on eth0 (192.168.0.0/24) ---- (192.168.0.1 ens18)debian proxy/firewall(192.168.1.2 ens19) -- (192.168.1.1)MODEM ROUTER---->ISP
The iptables rules are as follows:
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
# ##### INPUT chain ###### Accept related or established connections
-A INPUT -m conntrack ! -i lo
-A INPUT -p icmp -m icmp
-A INPUT -p udp -m udp -m conntrack
# Anti spoofing rule
-A INPUT ! -s 192.168.0.0/24 -i ens18 -j LOG
-A INPUT ! -s 192.168.0.0/24 -i ens18 -j DROP
# LAN TO PROXY LOCAL
-A INPUT -p tcp -m state -s 192.168.0.0/24 -i ens18
# ACCESS TO WEB REPORTS
-A INPUT -p tcp -m state -s 192.168.0.2/24 -i ens18
# ACCESS TO SSH
-A INPUT -p tcp -m state -s 192.168.0.2/24 -i ens18
# TIME SYNC FOR LAN
-A INPUT -p udp -i ens18 -m state
# WEBMIN ACCESS
-A INPUT -p tcp -m state -s 192.168.0.2/24 -i ens18
# LOG the rest and drop by default input chain
-A INPUT ! -i lo -j LOG
-A OUTPUT -m state
-A OUTPUT -m state
-A OUTPUT -m state
# ##### OUTPUT chain ###### ## ACCEPT rules for allowing connections out
-A OUTPUT -p tcp -m state
-A OUTPUT -p tcp -m state
-A OUTPUT -p tcp -m state
-A OUTPUT -p udp -m state
# external DNS servers (only reachable, no recursion enabled)
-A OUTPUT -p udp -m state -d XXX.XXX.XXY.131
-A OUTPUT -p tcp -m state -d XXX.XXX.XXX.132
-A OUTPUT -m state -d XXX.XXX.XXX.68
# TRYING TO REACH JITSI SERVER
-A OUTPUT -m state -d XXX.XXX.ZXX.XXX
-A OUTPUT -p icmp
# ##### FORWARD chain ###### Accept related or established connections
-A FORWARD -m state
-A FORWARD -m state
-A FORWARD -m state
-A FORWARD ! -s 192.168.0.0/24 -i ens18 -j LOG
-A FORWARD ! -s 192.168.0.0/24 -i ens18 -j DROP
# prevent forwarding packets for connections initiated from the outside (spoofing)
-A FORWARD -m state -i ens19
# ## default log rule
-A FORWARD ! -i lo -j LOG
COMMIT
# Completed
# Generated by webmin
*mangle
:OUTPUT ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# SOURCE NAT FOR LAN NETWORK ON
-A POSTROUTING -o ens19 -j SNAT
# MASQUERADE (FOR DYNAMIC IP ADDRESSS IN CASE OF DHCP MODEM)
-A POSTROUTING -s 192.168.0.0/24 -o ens19 -j MASQUERADE
COMMIT
# Completed
Something interesting with these same firewall rules: we can access videoconferences on the server https://meet.jit.si without problems.
The administrator of the Jitsi server at xxx.xxx.xxx.xxx argues that only access to ports UDP 10000 and TCP 4443 is needed, as I explained, and of course 443 (which is handled by the network proxy).
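Added example, not code from the original post: a small model of netfilter chain selection plus a minimal rule matcher, written to show which chain a LAN client's UDP 10000 / TCP 4443 packet actually traverses on this box. The interface names (ens18/ens19), the LAN range, the firewall's own addresses and the DROP policies are taken from the post; the rule contents are an assumption modelled on the post's comments, since most match arguments are missing from the listing. The Jitsi address 203.0.113.10 is an RFC 5737 placeholder for the masked xxx.xxx.xxx.xxx.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# From the post: interfaces, LAN range and the firewall's own addresses.
LAN_IF, WAN_IF = "ens18", "ens19"
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
FW_ADDRS = {"192.168.0.1", "192.168.1.2"}
# Assumption: the Jitsi host is masked in the post; RFC 5737 placeholder used here.
JITSI_IP = "203.0.113.10"
JITSI_PORTS = {("udp", 10000), ("tcp", 4443)}
EST = frozenset({"ESTABLISHED", "RELATED"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    in_if: Optional[str]  # None when a process on the firewall generated the packet
    state: str = "NEW"    # conntrack state as seen by -m conntrack --ctstate


@dataclass(frozen=True)
class Rule:
    target: str                         # ACCEPT, DROP or LOG (LOG does not end traversal)
    in_if: Optional[str] = None         # -i
    out_if: Optional[str] = None        # -o
    src_in_lan: Optional[bool] = None   # True: -s 192.168.0.0/24 ; False: ! -s 192.168.0.0/24
    dst: Optional[str] = None           # -d
    proto: Optional[str] = None         # -p
    dport: Optional[int] = None         # --dport
    states: Optional[frozenset] = None  # -m conntrack --ctstate

    def matches(self, p: Packet) -> bool:
        checks = (
            (self.in_if, p.in_if),
            (self.out_if, out_if_for(p)),
            (self.src_in_lan, ipaddress.ip_address(p.src) in LAN_NET),
            (self.dst, p.dst),
            (self.proto, p.proto),
            (self.dport, p.dport),
        )
        if any(want is not None and want != got for want, got in checks):
            return False
        return self.states is None or p.state in self.states


def out_if_for(p: Packet) -> Optional[str]:
    """Routing decision for the post's topology: LAN behind ens18, everything else via ens19."""
    if p.dst in FW_ADDRS:
        return None
    return LAN_IF if ipaddress.ip_address(p.dst) in LAN_NET else WAN_IF


def chain_for(p: Packet) -> str:
    """Which filter chain a packet traverses; this is what decides whether an OUTPUT rule can help."""
    if p.dst in FW_ADDRS:
        return "INPUT"    # addressed to the firewall itself (e.g. a client talking to the proxy)
    if p.in_if is None:
        return "OUTPUT"   # generated on the firewall (e.g. the proxy talking to the parent proxy)
    return "FORWARD"      # routed between LAN clients and the Internet


def run_chain(rules, p: Packet, policy: str = "DROP") -> str:
    for r in rules:
        if r.matches(p):
            if r.target == "LOG":
                continue  # LOG is non-terminating; the next rule or the policy decides
            return r.target
    return policy


# Shape of the posted rule set (assumed from its comments); all three chains default to DROP.
ORIGINAL = {
    "INPUT": [Rule("ACCEPT", states=EST)],
    "OUTPUT": [Rule("ACCEPT", states=EST), Rule("ACCEPT", dst=JITSI_IP)],  # "TRYING TO REACH JITSI SERVER"
    "FORWARD": [
        Rule("ACCEPT", states=EST),
        Rule("LOG", in_if=LAN_IF, src_in_lan=False),
        Rule("DROP", in_if=LAN_IF, src_in_lan=False),  # anti-spoofing on the LAN side
    ],
}

# Same rule set plus least-privilege FORWARD accepts for exactly the two Jitsi ports.
FIXED = {name: list(rules) for name, rules in ORIGINAL.items()}
FIXED["FORWARD"] += [
    Rule("ACCEPT", in_if=LAN_IF, out_if=WAN_IF, src_in_lan=True, dst=JITSI_IP,
         proto=proto, dport=port, states=frozenset({"NEW"}))
    for proto, port in sorted(JITSI_PORTS)
]


def verdict(ruleset, p: Packet) -> str:
    return run_chain(ruleset[chain_for(p)], p)


if __name__ == "__main__":
    client = Packet("192.168.0.50", JITSI_IP, "udp", 10000, in_if=LAN_IF)
    firewall = Packet("192.168.1.2", JITSI_IP, "udp", 10000, in_if=None)
    for name, rs in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{name}: LAN client -> {chain_for(client)} -> {verdict(rs, client)}")
        print(f"{name}: firewall  -> {chain_for(firewall)} -> {verdict(rs, firewall)}")
```

The model makes the diagnosis visible: a test from the firewall itself hits OUTPUT and is accepted by the Jitsi rule there, while the same datagram from a LAN client hits FORWARD, matches nothing and falls through to the DROP policy. The iptables equivalent of the two added rules is `-A FORWARD -i ens18 -o ens19 -s 192.168.0.0/24 -d <jitsi-ip> -p udp --dport 10000 -m conntrack --ctstate NEW -j ACCEPT` and the same line with `-p tcp --dport 4443`; the existing ESTABLISHED,RELATED accept lets the replies back in on ens19 (conntrack de-NATs them before the filter table sees them), and the nat POSTROUTING MASQUERADE already present rewrites the source address. Pinning source interface, destination address and port keeps the hole limited to what the Jitsi administrator asked for.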