bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-23 10:36 UTC
[Bug 453] New: REDIRECT broken in 2.6.16-rcX kernels
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=453

           Summary: REDIRECT broken in 2.6.16-rcX kernels
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: i386
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: NAT
        AssignedTo: laforge@netfilter.org
        ReportedBy: stephen_purcell@yahoo.com


I use REDIRECT on a desktop machine to re-route outbound HTTP traffic to a Squid running on the same machine at port 3128. I use the following iptables rules to accomplish this:

iptables -t nat -F
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --gid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

This has worked fine for many kernel versions, but does not work since the x_tables merge in 2.6.16-rc1. The user-visible effect is that browsers report a "could not connect" error.

I'm not an expert at analysing this kind of problem, but while the browser's request is pending, I get the following output from "netstat -tp":

tcp        0      1 192.168.0.4:35013       66.249.93.104:www       SYN_SENT    17080/konquerorni5O

I was surprised to see that the browser had directly contacted the remote site. This feels like a bug to me, but it could also be that I'm doing something wrong/stupid.

I tried replacing the REDIRECT with a DNAT to 127.0.0.1:3128, and got the same netstat output. In neither case is anything printed by tcpdump, apart from the initial DNS lookup, of course.

Please let me know if I can provide further information.

-- 
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
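The ruleset in the report relies on ordering: the `--gid-owner proxy` ACCEPT must sit in front of the REDIRECT in the nat OUTPUT chain, otherwise Squid's own outbound port-80 connections are themselves redirected back to port 3128 and the proxy loops on itself. The following POSIX shell script is an added example, not part of the bug report or of netfilter's tooling; it checks that ordering in an `iptables-save`-style dump of the nat table. The two dumps are constructed inline (one correct, one with the rules swapped), and the function name `check_redirect_order` is hypothetical.

```shell
#!/bin/sh
# Added example: verify that, in the nat OUTPUT chain of an iptables-save
# dump, an owner-based ACCEPT for a port precedes the REDIRECT for that
# same port. Without that exemption the proxy's own traffic is redirected
# back to the proxy (a loop). The dumps below are constructed test data,
# not output from the reporter's machine.

GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --gid-owner proxy -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'

# Same rules, wrong order: the exemption is never reached.
BAD_DUMP='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --gid-owner proxy -j ACCEPT
COMMIT'

# check_redirect_order DUMP PORT
# Prints "ok" and returns 0 when an owner-match ACCEPT for --dport PORT
# comes before the REDIRECT for --dport PORT inside "*nat" / OUTPUT.
# Otherwise prints the reason and returns 1.
check_redirect_order() {
    dump=$1
    port=$2
    accept_line=0
    redirect_line=0
    n=0
    in_nat=0
    # Feed the dump through a here-document so the loop runs in the
    # current shell and the counters survive after it.
    while IFS= read -r line; do
        case $line in
            '*nat') in_nat=1; n=0; continue ;;
            '*'*)   in_nat=0; continue ;;       # another table starts
        esac
        [ "$in_nat" -eq 1 ] || continue
        case $line in
            '-A OUTPUT '*) ;;                   # only the OUTPUT chain matters
            *) continue ;;
        esac
        n=$((n + 1))                            # position within OUTPUT
        case $line in
            *"--dport $port "*"-m owner "*"-j ACCEPT"*)
                [ "$accept_line" -eq 0 ] && accept_line=$n ;;
            *"--dport $port "*"-j REDIRECT "*)
                [ "$redirect_line" -eq 0 ] && redirect_line=$n ;;
        esac
    done <<EOF
$dump
EOF

    if [ "$redirect_line" -eq 0 ]; then
        echo "no REDIRECT rule for dport $port in nat OUTPUT"
        return 1
    fi
    if [ "$accept_line" -eq 0 ]; then
        echo "no owner exemption before REDIRECT for dport $port: proxy traffic would loop"
        return 1
    fi
    if [ "$accept_line" -gt "$redirect_line" ]; then
        echo "owner exemption (rule $accept_line) comes after REDIRECT (rule $redirect_line): never reached"
        return 1
    fi
    echo ok
    return 0
}

# Usage on a live box: check_redirect_order "$(iptables-save -t nat)" 80
check_redirect_order "$GOOD_DUMP" 80
check_redirect_order "$BAD_DUMP" 80
```

One caveat when reading `netstat -tp` output like the line in the report: a local socket always shows the destination the application connected to, because nat OUTPUT rewrites the packet after the socket exists, so a SYN_SENT entry towards the original server does not by itself tell you whether REDIRECT fired. The packet counters on the REDIRECT rule (`iptables -t nat -L OUTPUT -nv`) or a capture on `lo` are the places to confirm whether the rewrite to 127.0.0.1:3128 actually happened.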