[Firehol-support] transparent proxy with UNROUTABLE_IPS

Max Kutny mkutny at gmail.com
Thu Jan 19 18:52:07 GMT 2006


On 1/18/06, Costa Tsaousis <costa at tsaousis.gr> wrote:
> Max Kutny wrote:
>
> >I read from groups that CONFIG_IP_NF_NAT_LOCAL should be set in kernel
> >(http://wiki.debian.org/Firewalls-local-port-redirection). If it's
> >really the case (I'm not sure it's applicable for 2.6) it would be nice
> >to mention it in firehol documentation.
> >
> Thanks for identifying this. It seems, however, that there is no such
> variable in 2.6.14.
> I have added a note in the documentation.

Well... As I understand it, it was removed since 2.6.14, so there is no need
to set it up now.

Although, the problem still persists (on 2.6.15): the REDIRECT rule
doesn't change the outgoing interface (and the interface is determined
_before_ the nat table is processed, as opposed to the official documentation
http://l7-filter.sourceforge.net/PacketFlow.png).

I tried to workaround it quickly but it didn't work at the first run
so I'll investigate this workaround later:
blues:~# iptables -A OUTPUT -t mangle -o world -d 127.0.0.1 -p tcp --dport 80 -j ROUTE --iif lo
iptables: No chain/target/match by that name

Reverting back to the problem: could you be so kind to confirm that on
your kernel & iptables configuration interface name is set to 'lo'
before nat table is processed? What kernel/iptables do you use?

Would it be possible to add a 'trace' helper to firehol configurations
that inserts a 'LOG' target at the beginning of every chain, so it's
easy to see how packets traverse tables and chains? It would simplify
root cause analysis of such problems.

Thanks.

-- Max
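The 'trace' helper asked for above can be approximated outside FireHOL with a small generator. The script below is an added example, not FireHOL code and not part of Max's post: it reads an iptables-save style dump (a constructed sample is embedded so it runs offline), and for every chain of every table prints an `iptables -I CHAIN 1 ... -j LOG` command whose `--log-prefix` names the table and chain. Once applied, the kernel log then lists `trace:table:chain:` entries in the order a packet hit them, which answers the question of which interface and chain the packet was in before the nat table ran. The optional match argument (for instance `-p tcp --dport 80`) limits logging to the flow under investigation so a busy host is not flooded.

```shell
#!/bin/sh
# Added example (not FireHOL's own code): generate "trace" LOG rules for
# every chain of every table found in an iptables-save style listing.
# This is only a generator: it prints iptables commands and applies nothing.

# Constructed sample standing in for the output of `iptables-save`.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:in_world ACCEPT [0:0]
COMMIT'

# trace_rules [match]
# Reads an iptables-save dump on stdin and prints, per chain, a command that
# inserts a LOG rule at position 1 so it fires before any other rule.
# The prefix "trace:TABLE:CHAIN:" identifies where the packet was logged.
trace_rules() {
    m="$1"
    awk -v m="$m" '
        # "*table" starts a table block
        /^\*/ { table = substr($0, 2); next }
        # ":chain POLICY [pkts:bytes]" declares a chain in the current table
        /^:/  {
            chain  = substr($1, 2)
            prefix = "trace:" table ":" chain ":"
            # iptables rejects a --log-prefix longer than 29 characters
            prefix = substr(prefix, 1, 29)
            printf "iptables -t %s -I %s 1 %s-j LOG --log-prefix \"%s\"\n",
                   table, chain, (m == "" ? "" : m " "), prefix
        }
    '
}

# count_chains: number of chains a dump on stdin declares (sanity check that
# the generator emitted one rule per chain).
count_chains() {
    grep -c '^:'
}

# Usage: restrict tracing to the flow being debugged (port 80 here).
# Pipe the output to `sh` only after reviewing it.
printf '%s\n' "$SAMPLE_DUMP" | trace_rules '-p tcp --dport 80'
```

To take the rules out again, run the same commands with `-I CHAIN 1` replaced by `-D CHAIN`; the rule specification is otherwise identical, so a `sed 's/-I \([^ ]*\) 1/-D \1/'` over the generated list produces the cleanup script.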
