bugzilla-daemon@bugzilla.netfilter.org
2006-Jan-25 11:00 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From laforge@netfilter.org 2006-01-25 11:00 MET -------
Please specifically tell us about the exact kernel version, any patches that you might have applied, and the iptables version that you're using.

--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-20 18:19 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

netfilter@linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From netfilter@linuxace.com 2006-02-20 18:19 MET -------
No response from poster for over a month since original post. REDIRECT works fine for me (and many others). Without more info, impossible to assist, so closing.
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-21 03:52 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

James.Schatzman@futurelabusa.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |

------- Additional Comments From James.Schatzman@futurelabusa.com 2006-02-21 03:52 MET -------
Sorry about the delay. All bugzilla e-mails were being classed as spam.

I have tested this on two different machines - Fedora 3 and Fedora 4 systems. Same behavior. -j REDIRECT does not work as expected. -j DNAT does work as expected. -j REDIRECT does work as expected when there is only one IP address involved, or (I am 80% sure of this) when all IP addresses are given their own individual rule, instead of using a mix of specific-IP and masked-IP addresses.

Are you sure that you have tried this on a machine with multiple IP addresses and address masking in this way? Without multiple IPs, the problem probably cannot be reproduced.

Here is my entire iptables config. As I indicated previously, this config works. However, commenting the DNAT lines and uncommenting the corresponding REDIRECT lines results in failure. There are no errors produced. IPTABLES simply fails to cause the proper redirection (of port 80 to 9080 and 443 to 9443).

The redirects of port 80 to 8080 and 443 to 8443 do work, on all the machines but <IP1>.
-> That is correct behavior

The redirects of port 80 and 443 on <IP1> do not seem to work at all. They are not redirected to either ports 8080/9080 or 8443/9443. Those ports appear to be dead. The same behavior is observed for incoming connections (from a system other than this one) and local connections (that is, originating from this server).

Here I have suppressed the actual IP addresses. IP1 represents one address from the set <IP BASE>/255.255.255.240.

Thanks!

Jim

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT
# -A RH-Firewall-1-INPUT -p all -m limit --limit 1/second -j LOG --log-level info --log-prefix "FINAL -- REJECT" --log-tcp-sequence\ --log-tcp-options --log-ip-options
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -p tcp -d <IP1> -m tcp --dport 80 -j DNAT --to-destination <IP1>:9080
-A PREROUTING -p tcp -d <IP1> -m tcp --dport 443 -j DNAT --to-destination <IP1>:9443
#-A PREROUTING -p tcp -d <IP1> -m tcp --dport 80 -j DNAT --to-ports 9080
#-A PREROUTING -p tcp -d <IP1> -m tcp --dport 443 -j DNAT --to-ports 9443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
#-A OUTPUT -p tcp -d <IP1> -m tcp --dport 80 -j REDIRECT --to-ports 9080
#-A OUTPUT -p tcp -d <IP1> -m tcp --dport 443 -j REDIRECT --to-ports 9443
-A OUTPUT -p tcp -d <IP1> -m tcp --dport 80 -j DNAT --to-destination <IP1>:9080
-A OUTPUT -p tcp -d <IP1> -m tcp --dport 443 -j DNAT --to-destination <IP1>:9443
-A OUTPUT -p tcp -d <IP BASE>/255.255.255.240 -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -d <IP BASE>/255.255.255.240 -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
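An added model (not from the report or the netfilter project) of how the nat rules above rewrite a packet's destination, following the iptables(8) description of the two targets: REDIRECT takes only the port from --to-ports and rewrites the address to the primary address of the incoming interface (127.0.0.1 for locally generated packets), while DNAT sets address and port from --to-destination. The addresses are constructed placeholders for <IP BASE>/255.255.255.240 and <IP1>, and the listening sockets are an assumption the thread does not state: 8080/8443 bound to all addresses, 9080/9443 bound only to <IP1>; under that assumption the model reproduces the reported symptoms (every address but <IP1> works, and DNAT works where REDIRECT does not).

```python
"""Added example: a model of the nat table's REDIRECT and DNAT targets
applied to the PREROUTING/OUTPUT rules from the report above.  Addresses are
constructed placeholders and the listening sockets are an assumption."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed placeholders (the report masks the real addresses).
IP_BASE_NET = ip_network("192.0.2.0/28")   # stands in for <IP BASE>/255.255.255.240
PRIMARY_IP = ip_address("192.0.2.1")       # primary address of the incoming interface
IP1 = ip_address("192.0.2.5")              # stands in for <IP1>
OTHER_IP = ip_address("192.0.2.7")         # another address of the /28 block
LOOPBACK = ip_address("127.0.0.1")
ANY = ip_address("0.0.0.0")                # wildcard bind address


@dataclass(frozen=True)
class Rule:
    dst_net: Optional[IPv4Network]        # -d; None means any destination
    dport: int                            # --dport
    target: str                           # "DNAT" or "REDIRECT"
    to_port: int                          # --to-destination port / --to-ports
    to_ip: Optional[IPv4Address] = None   # --to-destination address (DNAT only)


def nat_destination(dst: IPv4Address, dport: int, local: bool,
                    rules: List[Rule]) -> Tuple[IPv4Address, int]:
    """First matching rule wins, as in the nat table.  REDIRECT takes only the
    port from the rule and rewrites the address to the primary address of the
    incoming interface (127.0.0.1 for locally generated packets, i.e. the
    OUTPUT chain); DNAT sets address and port from --to-destination."""
    for r in rules:
        if r.dst_net is not None and dst not in r.dst_net:
            continue
        if dport != r.dport:
            continue
        if r.target == "DNAT":
            return r.to_ip, r.to_port
        if r.target == "REDIRECT":
            return (LOOPBACK if local else PRIMARY_IP), r.to_port
        raise ValueError(f"unsupported target {r.target}")
    return dst, dport   # no rule matched: destination unchanged


def nat_rules(chain: str, ip1_target: str) -> List[Rule]:
    """The posted rule set for one chain.  ip1_target selects the DNAT version
    (the active lines) or the REDIRECT version (the commented-out lines).  In
    both chains the <IP1>-specific rules come first, so the generic
    REDIRECT-to-8080/8443 rules only ever see the other addresses."""
    ip1_net = ip_network(f"{IP1}/32")
    if ip1_target == "DNAT":
        specific = [Rule(ip1_net, 80, "DNAT", 9080, IP1),
                    Rule(ip1_net, 443, "DNAT", 9443, IP1)]
    else:
        specific = [Rule(ip1_net, 80, "REDIRECT", 9080),
                    Rule(ip1_net, 443, "REDIRECT", 9443)]
    # PREROUTING redirects every destination; OUTPUT only the /28 block.
    generic_net = None if chain == "PREROUTING" else IP_BASE_NET
    generic = [Rule(generic_net, 80, "REDIRECT", 8080),
               Rule(generic_net, 443, "REDIRECT", 8443)]
    return specific + generic


# Assumed listening sockets (not stated in the report): the 8080/8443 services
# bind every address, the 9080/9443 services bind only <IP1>.
LISTENERS = {(ANY, 8080), (ANY, 8443), (IP1, 9080), (IP1, 9443)}


def socket_accepts(dst: IPv4Address, port: int, listeners=LISTENERS) -> bool:
    """A SYN is accepted when a socket listens on (dst, port) or on the
    wildcard address for that port; otherwise the kernel answers with RST."""
    return (dst, port) in listeners or (ANY, port) in listeners


def connection_outcome(dst: IPv4Address, dport: int, local: bool,
                       ip1_target: str) -> str:
    """Outcome of one SYN to dst:dport, from outside (PREROUTING) or from
    the host itself (OUTPUT), e.g. 'refused (RST) at 192.0.2.1:9080'."""
    chain = "OUTPUT" if local else "PREROUTING"
    new_dst, new_port = nat_destination(dst, dport, local, nat_rules(chain, ip1_target))
    state = "accepted" if socket_accepts(new_dst, new_port) else "refused (RST)"
    return f"{state} at {new_dst}:{new_port}"


if __name__ == "__main__":
    for ip1_target in ("DNAT", "REDIRECT"):
        print(f"--- <IP1> rules using {ip1_target} ---")
        for dst, local in ((IP1, False), (IP1, True), (OTHER_IP, False), (OTHER_IP, True)):
            where = "local" if local else "external"
            print(f"{where:8} -> {dst}:80  {connection_outcome(dst, 80, local, ip1_target)}")
```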
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-21 06:24 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From netfilter@linuxace.com 2006-02-21 06:24 MET -------
Third request: WHAT KERNEL VERSION?
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-21 07:11 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From James.Schatzman@futurelabusa.com 2006-02-21 07:11 MET -------
Fedora 4 kernel version 2.6.14-1.1656_FC4

I am not sure about the Fedora 3 version because I have since upgraded it to Fedora 4. It was an earlier 2.6 kernel version. Exactly the same symptoms.
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-22 01:58 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From netfilter@linuxace.com 2006-02-22 01:58 MET -------
Please try the patch shown here:
http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8e249f088131cde5f77fd073bf0b0e8b3e9ea4ac
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-22 02:23 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From kaber@trash.net 2006-02-22 02:23 MET -------
That patch was for a regression introduced in 2.6.16-rc by my IPsec patches, so it won't help (or apply).
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-22 02:34 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From netfilter@linuxace.com 2006-02-22 02:34 MET -------
Thanks Patrick, we'll look elsewhere.

Jim, could you send along the output from:

    tcpdump -nni any host <ip1>

when you attempt one of the failed 80/443 connections?
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-22 06:31 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From James.Schatzman@futurelabusa.com 2006-02-22 06:31 MET -------
Per the request, here is the TCPDUMP output for REDIRECT (which fails) and DNAT (which succeeds) when I attempt to make a connection from an external host:

Using REDIRECT (Connection refused):

21:11:56.367886 IP 67.172.153.238.49840 > 216.152.242.200.80: S 3934967357:3934967357(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
21:11:56.367918 IP 216.152.242.200.80 > 67.172.153.238.49840: R 0:0(0) ack 3934967358 win 0
21:11:56.807008 IP 67.172.153.238.49840 > 216.152.242.200.80: S 3934967357:3934967357(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
21:11:56.807030 IP 216.152.242.200.80 > 67.172.153.238.49840: R 0:0(0) ack 1 win 0
21:11:56.367886 IP 67.172.153.238.49840 > 216.152.242.200.80: S 3934967357:3934967357(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
21:11:56.367918 IP 216.152.242.200.80 > 67.172.153.238.49840: R 0:0(0) ack 3934967358 win 0
21:11:56.807008 IP 67.172.153.238.49840 > 216.152.242.200.80: S 3934967357:3934967357(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
21:11:56.807030 IP 216.152.242.200.80 > 67.172.153.238.49840: R 0:0(0) ack 1 win 0

Using DNAT (Connection accepted):

21:15:47.344162 IP 67.172.153.238.49911 > 216.152.242.200.80: S 4118844061:4118844061(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
21:15:47.344209 IP 216.152.242.200.80 > 67.172.153.238.49911: S 1542935862:1542935862(0) ack 4118844062 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2>
21:15:47.398702 IP 67.172.153.238.49911 > 216.152.242.200.80: . ack 1 win 64240
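The capture above is read by eye: a SYN answered with RST means nothing was listening at the post-NAT destination, a SYN answered with SYN-ACK means a socket took the connection. Here is an added helper (not from the report or the netfilter project) that does that pairing automatically for a batch of tcpdump lines, labelling each client attempt refused, accepted or unanswered, so the check can be repeated after every rule change; the input is a constructed capture in the same format, using RFC 5737 documentation addresses rather than the report's real hosts.

```python
"""Added example: classify TCP connection attempts in tcpdump text output
(old-style flag letters 'S', 'R', '.'), the way the capture above is read."""
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed capture in the format of the posted output (RFC 5737 addresses):
# port 80 once refused (SYN -> RST, SYN retried -> RST), once accepted
# (SYN -> SYN-ACK -> ACK), and a SYN to port 443 that never gets an answer.
SAMPLE_CAPTURE = """\
21:11:56.367886 IP 198.51.100.10.49840 > 203.0.113.20.80: S 3934967357:3934967357(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
21:11:56.367918 IP 203.0.113.20.80 > 198.51.100.10.49840: R 0:0(0) ack 3934967358 win 0
21:11:56.807008 IP 198.51.100.10.49840 > 203.0.113.20.80: S 3934967357:3934967357(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
21:11:56.807030 IP 203.0.113.20.80 > 198.51.100.10.49840: R 0:0(0) ack 1 win 0
21:15:47.344162 IP 198.51.100.10.49911 > 203.0.113.20.80: S 4118844061:4118844061(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
21:15:47.344209 IP 203.0.113.20.80 > 198.51.100.10.49911: S 1542935862:1542935862(0) ack 4118844062 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2>
21:15:47.398702 IP 198.51.100.10.49911 > 203.0.113.20.80: . ack 1 win 64240
21:16:02.100000 IP 198.51.100.10.49950 > 203.0.113.20.443: S 2222222:2222222(0) win 65535 <mss 1460,nop,nop,sackOK>
"""

# timestamp, "IP", src.port, ">", dst.port ":", flag letters, remainder
LINE_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+)(.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Pull the endpoints and the SYN/RST/ACK bits out of one tcpdump line;
    lines in any other format (non-TCP, truncated) yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sip, sport, dip, dport, flags, rest = m.groups()
    return {
        "ts": ts,
        "src": (sip, int(sport)),
        "dst": (dip, int(dport)),
        "syn": "S" in flags,
        "rst": "R" in flags,
        # the ACK bit appears as a separate 'ack N' token, not as a flag letter
        "ack": "ack" in rest.split(),
    }


def classify_handshakes(capture: str) -> Dict[Tuple[Endpoint, Endpoint], str]:
    """Map each (client, server) attempt to 'refused', 'accepted' or 'no reply'.
    Only the first server reply counts; retransmitted SYNs and later RSTs
    for the same attempt do not change the verdict."""
    attempts: Dict[Tuple[Endpoint, Endpoint], str] = {}
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["syn"] and not p["ack"]:            # client opening a connection
            attempts.setdefault((p["src"], p["dst"]), "no reply")
            continue
        key = (p["dst"], p["src"])               # replies flow server -> client
        if attempts.get(key) != "no reply":
            continue                             # not the first reply to a tracked SYN
        if p["rst"]:
            attempts[key] = "refused"            # nothing listening after NAT
        elif p["syn"] and p["ack"]:
            attempts[key] = "accepted"           # SYN-ACK: a socket took the connection
    return attempts


def outcomes_by_port(attempts: Dict[Tuple[Endpoint, Endpoint], str]) -> Dict[int, Dict[str, int]]:
    """Count verdicts per destination port, e.g. {80: {'refused': 1, 'accepted': 1}}."""
    summary: Dict[int, Dict[str, int]] = {}
    for (_client, server), verdict in attempts.items():
        per_port = summary.setdefault(server[1], {})
        per_port[verdict] = per_port.get(verdict, 0) + 1
    return summary


if __name__ == "__main__":
    results = classify_handshakes(SAMPLE_CAPTURE)
    for (client, server), verdict in results.items():
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: {verdict}")
    print(outcomes_by_port(results))
```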
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-22 06:40 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From James.Schatzman@futurelabusa.com 2006-02-22 06:40 MET -------
I had not used TCPDUMP before. Now that I have read the man page for it, it does appear that what I thought was happening is happening. When I use REDIRECT, an attempt to connect to port 80 on the unique port nets a RESET response. When I use DNAT, I get the SYN+ACK/ACK TCP session startup sequence. Hurray!

In neither case does TCPDUMP show the 9080 port (the port that port 80 is redirected to), even though I know it is working with the DNAT iptables version, because I have no service running on port 80. I assume that this is correct behavior.

So... I am still clueless.

Thanks!
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-22 06:41 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From James.Schatzman@futurelabusa.com 2006-02-22 06:41 MET -------

Sorry, I meant "on the unique IP" not "on the unique port".
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-23 03:13 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From netfilter@linuxace.com 2006-02-23 03:13 MET -------

You won't see the port you redirect to... only the 'fake' port -- so seeing 80 is ok.

Please configure the REDIRECT variant, reboot your box to clean out /proc/net/ip_conntrack, attempt a connect, then send the output from:

    iptables -t nat -nvL
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-23 06:50 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From James.Schatzman@futurelabusa.com 2006-02-23 06:50 MET -------

For reference, here is the iptables -t nat -nvL output with dnat:

    Chain OUTPUT (policy ACCEPT 15919 packets, 1049K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            216.152.242.200      tcp dpt:80 to:216.152.242.200:9080
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            216.152.242.200      tcp dpt:443 to:216.152.242.200:9443
       60  3600 REDIRECT   tcp  --  *      *       0.0.0.0/0            216.152.242.192/28   tcp dpt:80 redir ports 8080
       51  3060 REDIRECT   tcp  --  *      *       0.0.0.0/0            216.152.242.192/28   tcp dpt:443 redir ports 8443

    Chain POSTROUTING (policy ACCEPT 16030 packets, 1055K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain PREROUTING (policy ACCEPT 46112 packets, 2555K bytes)
     pkts bytes target     prot opt in     out     source               destination
     6150  329K DNAT       tcp  --  *      *       0.0.0.0/0            216.152.242.200      tcp dpt:80 to:216.152.242.200:9080
     3933  219K DNAT       tcp  --  *      *       0.0.0.0/0            216.152.242.200      tcp dpt:443 to:216.152.242.200:9443
     2255  127K REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
        3   144 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8443

Here is the result after reconfiguring iptables to use REDIRECT, rebooting and attempting to connect to the special IP on port 80. Keep in mind that this is a working server so there is other traffic....

    Chain OUTPUT (policy ACCEPT 39 packets, 3592 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            216.152.242.200      tcp dpt:80 redir ports 9080
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            216.152.242.200      tcp dpt:443 redir ports 9443
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            216.152.242.192/28   tcp dpt:80 redir ports 8080
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            216.152.242.192/28   tcp dpt:443 redir ports 8443

    Chain POSTROUTING (policy ACCEPT 39 packets, 3592 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain PREROUTING (policy ACCEPT 216 packets, 69034 bytes)
     pkts bytes target     prot opt in     out     source               destination
       81  4196 REDIRECT   tcp  --  *      *       0.0.0.0/0            216.152.242.200      tcp dpt:80 redir ports 9080
       48 23221 REDIRECT   tcp  --  *      *       0.0.0.0/0            216.152.242.200      tcp dpt:443 redir ports 9443
        3   180 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8443

All this looks normal to me. However, the dnat configuration works as I expected whereas the REDIRECT does not. I am still puzzled.
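The two listings above differ only in the target, so the question is what each target rewrites the destination to. The following is an added example, not code from the thread or from netfilter: it parses `iptables -t nat -nvL` rows in the format the reporter posted (constructed sample rows below, taken from the PREROUTING chains), then models the rewrite each target performs as documented in the iptables manual, DNAT to the explicit "to:" address and REDIRECT to the primary address of the incoming interface. The primary interface address (216.152.242.194) and the listener bound only to the unique IP on 9080 are assumed values chosen for illustration, not facts from the thread.

```python
import ipaddress
import re

# Constructed sample input: the reporter's PREROUTING port-80 rows, one row per line,
# in the layout printed by `iptables -t nat -nvL`.
DNAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 46112 packets, 2555K bytes)
 pkts bytes target   prot opt in  out source     destination
 6150  329K DNAT     tcp  --  *   *   0.0.0.0/0  216.152.242.200  tcp dpt:80 to:216.152.242.200:9080
 2255  127K REDIRECT tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        tcp dpt:80 redir ports 8080
"""
REDIRECT_LISTING = """\
Chain PREROUTING (policy ACCEPT 216 packets, 69034 bytes)
 pkts bytes target   prot opt in  out source     destination
   81  4196 REDIRECT tcp  --  *   *   0.0.0.0/0  216.152.242.200  tcp dpt:80 redir ports 9080
    3   180 REDIRECT tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        tcp dpt:80 redir ports 8080
"""
# One rule row: counters, target, proto, flags, in/out interfaces, src, dst, dport and the
# target-specific tail (DNAT's "to:" or REDIRECT's "redir ports").
ROW = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>DNAT|REDIRECT)\s+tcp\s+--\s+\S+\s+\S+"
    r"\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+tcp dpt:(?P<dport>\d+)\s+(?:to:(?P<to>\S+)|redir ports (?P<redir>\d+))"
)

def parse_nat_rules(listing):
    """Parse the tcp DNAT/REDIRECT rows of a `iptables -t nat -nvL` chain listing, in rule order."""
    rows = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            rows.append(d)
    return rows

def resolve_destination(listing, dst_ip, dport, iface_primary_ip):
    """Return (target, new_ip, new_port) for a SYN to dst_ip:dport after the first matching rule.
    DNAT rewrites to the explicit 'to:' address; REDIRECT rewrites to the primary address of the
    interface the packet arrived on (iface_primary_ip, an assumed value supplied by the caller)."""
    for r in parse_nat_rules(listing):
        if r["dport"] != dport or ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(r["dst"], strict=False):
            continue
        if r["target"] == "DNAT":
            ip, port = r["to"].rsplit(":", 1)
            return ("DNAT", ip, int(port))
        return ("REDIRECT", iface_primary_ip, int(r["redir"]))
    return None  # no NAT rule matched; the packet keeps its original destination

def reaches_listener(resolved, listeners):
    """True when a socket is bound to the rewritten (ip, port); otherwise the kernel answers the
    SYN with RST, which tcpdump reports against the original (pre-NAT) port."""
    return resolved is not None and (resolved[1], resolved[2]) in listeners
```

With a listener bound only to ("216.152.242.200", 9080), the DNAT listing delivers a SYN for 216.152.242.200:80, while the REDIRECT listing sends it to the interface's primary address on 9080, where nothing listens.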