[Firehol-support] transparent proxy with UNROUTABLE_IPS
Max Kutny
mkutny at gmail.com
Thu Jan 19 18:52:07 GMT 2006
On 1/18/06, Costa Tsaousis <costa at tsaousis.gr> wrote:
> Max Kutny wrote:
>
> >I read from groups that CONFIG_IP_NF_NAT_LOCAL should be set in the kernel
> >(http://wiki.debian.org/Firewalls-local-port-redirection). If that's
> >really the case (I'm not sure it's applicable to 2.6) it would be nice
> >to mention it in the firehol documentation.
> >
> Thanks for identifying this. It seems, however, that there is no such
> variable in 2.6.14.
> I have added a note in the documentation.
Well.. As I understand it, it was removed as of 2.6.14, so there is no need
to set it now.
However, the problem still persists (on 2.6.15): the REDIRECT rule
doesn't change the outgoing interface (and the interface is determined
_before_ the nat table is processed, contrary to the official documentation
http://l7-filter.sourceforge.net/PacketFlow.png).
I tried to work around it quickly, but it didn't work on the first run,
so I'll investigate this workaround later:
blues:~# iptables -A OUTPUT -t mangle -o world -d 127.0.0.1 -p tcp --dport 80 -j ROUTE --iif lo
iptables: No chain/target/match by that name
Getting back to the problem: could you be so kind as to confirm that, with
your kernel & iptables configuration, the interface name is set to 'lo'
before the nat table is processed? What kernel/iptables do you use?
Would it be possible to add a 'trace' helper to firehol configurations
that inserts a 'LOG' target at the beginning of every chain, so it's
easy to see how packets traverse tables and chains? It would simplify
root-cause analysis of such problems.
Thanks.
-- Max
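A script along the lines of the 'trace' helper asked for above, added here as an illustration (it is not FireHOL code and not part of this thread). It reads iptables-save output (a constructed sample, not from a real host) and prints, rather than applies, one command per chain that inserts a LOG rule at position 1, so each packet is logged as it enters every table and chain.

```shell
# Emit one "iptables -I CHAIN 1 -j LOG" command per chain found in
# iptables-save output read from stdin. Position 1 means the LOG rule runs
# before any existing rule, so the sequence of "trace:" lines in the kernel
# log shows the tables and chains a packet actually traversed.
# Note: the kernel limits --log-prefix to 29 characters; long chain names
# would need a shorter prefix.
gen_trace_rules() {
    awk '
        /^\*/ { table = substr($1, 2); next }      # "*nat" -> current table
        /^:/  { chain = substr($1, 2)               # ":OUTPUT ACCEPT [0:0]"
                printf "iptables -t %s -I %s 1 -j LOG --log-level debug --log-prefix \"trace:%s:%s:\"\n",
                       table, chain, table, chain }
    '
}

# Constructed sample in iptables-save format (hypothetical, for the demo only):
# a REDIRECT in nat/OUTPUT like the transparent-proxy case under discussion.
SAMPLE_SAVE='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:in_world_web - [0:0]
COMMIT
'

# Number of trace commands generated for the sample (one per chain).
trace_rule_count() {
    printf '%s' "$SAMPLE_SAVE" | gen_trace_rules | wc -l | tr -d ' '
}

# The generated command for a given table ($1) and chain ($2).
trace_rule_for() {
    printf '%s' "$SAMPLE_SAVE" | gen_trace_rules | grep -F -- "-t $1 -I $2 1 "
}

# Dry run: print the commands. On a test box, pipe "iptables-save | gen_trace_rules"
# into sh to apply them, then read "trace:" lines from dmesg/syslog; remove
# them again with the matching "-D" form of each rule.
printf '%s' "$SAMPLE_SAVE" | gen_trace_rules
```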