bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-26 00:29 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From netfilter@linuxace.com 2006-02-26 00:29 MET -------

When you do this:

    netstat -an | grep LISTEN

do you see 0.0.0.0:9080 or does the 9080 line list a specific IP?

Also, is 216.152.242.200 the primary IP address of the incoming interface, or a secondary?

-- 
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-26 15:28 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From James.Schatzman@futurelabusa.com 2006-02-26 15:28 MET -------

netstat -an | grep LISTEN shows 216.152.242.200 either way that iptables is programmed (REDIRECT or DNAT). The special IP address is aliased to the first ethernet device (eth0:5 to be specific).

I am not certain what is meant by "primary" or "secondary" - do you mean eth0 vs eth1?
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-26 15:30 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From James.Schatzman@futurelabusa.com 2006-02-26 15:30 MET -------

That is, netstat -an | grep LISTEN shows

    tcp        0      0 216.152.242.200:9443    0.0.0.0:*    LISTEN
    tcp        0      0 216.152.242.200:9080    0.0.0.0:*    LISTEN

for both iptables configurations.
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-26 15:33 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From James.Schatzman@futurelabusa.com 2006-02-26 15:33 MET -------

The netstat result is interesting, because in both cases you would think that the system was indeed listening on port 9080. But - it only works for the DNAT case - not for REDIRECT. That is, you can connect to <special ip>:9080 with DNAT but you get a reset with REDIRECT.

To me... this appears to be a bug in either iptables or netfilter.

Jim
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-26 19:07 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

netfilter@linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |REOPENED                    |RESOLVED
     Resolution    |                            |INVALID

------- Additional Comments From netfilter@linuxace.com 2006-02-26 19:07 MET -------

From `man iptables`:

    "redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface"

Since 216.152.242.200 is not the primary address of the interface, _and_ since your application is only listening on those ports on IP 216.152.242.200, redirect will not work for you _BY DESIGN_.

Closing - not a bug...user error.
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-27 01:04 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

James.Schatzman@futurelabusa.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |RESOLVED                    |REOPENED
     Resolution    |INVALID                     |

------- Additional Comments From James.Schatzman@futurelabusa.com 2006-02-27 01:04 MET -------

Thanks for the info. Sorry to be persistent. I found a solution and the only reason I have been documenting this issue is to help the community and future iptables users. I still feel that there is a problem, if nothing else, with the man page, various on-line help sources, and several books on the topic of iptables and netfilter.

Here is what the man page for iptables v1.3.0 states for -REDIRECT:

    "It alters the destination IP address to send the packet to the machine itself (locally-generated packets are mapped to the 127.0.0.1 address)"

Here is what the iptables tutorial says:

    "The REDIRECT target is used to redirect packets and streams to the machine itself....Locally generated packets are mapped to the 127.0.0.1 address."

This does not say anything about which of the possibly many IP addresses it uses. My assumption was that if the target IP address is one of the host's IP addresses, it would be unchanged. The respondent says it uses the "Primary IP Address". Some experimentation indicates that this is indeed what is happening. THANK YOU SO MUCH FOR CLARIFYING WHAT IS GOING ON.

Shouldn't the documentation be clearer on that point? It is apparently sufficiently unclear that several book authors seem to be confused on that point - Suehring & Ziegler, Linux Firewalls - is as vague as the man page; same for Shinn & Shinn, Troubleshooting Linux Firewalls.

Also, I would like to point out that there have been numerous queries on the Internet - people asking why REDIRECT doesn't work the way they expected. I tried that first - there were no answers that worked.

Numerous sources suggest using REDIRECT to redirect ports, such as 80, to proxies or unprivileged ports (such as 8080). For example, manufacturers of various web servers make this recommendation. If the authors of these notes are aware that this works only when the real service is listening on the server's PRIMARY IP, they don't spell it out.

I REALLY DO appreciate the help. Just would like to help the next person by getting the document to spell out a bit more clearly what REDIRECT does.
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-27 01:09 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

------- Additional Comments From James.Schatzman@futurelabusa.com 2006-02-27 01:09 MET -------

I would also like to point out that although the man page says "locally generated packets are mapped to the 127.0.0.1 address" - this does not address my situation. My case is that the packets are externally generated, and directed towards one of the IP addresses of the local host.

Thanks!
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-27 06:56 UTC
[Bug 429] -j REDIRECT does not appear to work correctly
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=429

netfilter@linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |REOPENED                    |RESOLVED
     Resolution    |                            |INVALID

------- Additional Comments From netfilter@linuxace.com 2006-02-27 06:56 MET -------

> Shouldn't the documentation be clearer on that point?

It is. Please update to a more recent iptables version than 1.3.0, where you will find an updated man page:

    REDIRECT
    ...
    It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address).
    ...

So the documentation has ALREADY been clarified. There is no bug here...please do not reopen this bug report.
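The thread ends on the distinction between REDIRECT (destination rewritten to the primary address of the incoming interface) and DNAT (destination rewritten to whatever --to-destination names). The script below is an added illustration written for this page; it is not code from the bug report or from the netfilter project. It takes a `netstat -an | grep LISTEN` listing and decides whether a packet rewritten either way would find a listening socket, which is exactly the check the reporter was missing: a socket bound only to the eth0:5 alias is invisible to a REDIRECTed packet, so the kernel answers with a reset. The listing is constructed from the lines posted in the thread, and the primary address of eth0 (216.152.242.201) is an assumption, since the thread only names the alias.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report or the netfilter project): given the
# output of `netstat -an | grep LISTEN`, decide whether a connection whose
# destination was rewritten in the nat table would actually reach a listener.
#
#   -j REDIRECT --to-ports 9080                    => dst := <primary IP of incoming interface>:9080
#   -j DNAT --to-destination 216.152.242.200:9080  => dst := 216.152.242.200:9080
#
# A rewritten packet only reaches the service if the socket is bound to 0.0.0.0
# or to exactly the rewritten address; otherwise the host sends a TCP RST,
# which is the symptom described in the thread.

# Constructed sample, modelled on the listing posted in the thread: the service
# is bound to the eth0:5 alias only, plus a wildcard-bound sshd for contrast.
SAMPLE_LISTEN='tcp        0      0 216.152.242.200:9443    0.0.0.0:*   LISTEN
tcp        0      0 216.152.242.200:9080    0.0.0.0:*   LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*   LISTEN'

# Assumed primary address of eth0 (the thread never states it); the alias
# 216.152.242.200 is the only address the thread gives.
PRIMARY_IP="216.152.242.201"
ALIAS_IP="216.152.242.200"

# listener_accepts IP PORT [LISTEN_OUTPUT]
# Prints "yes" if some TCP socket in LISTEN_OUTPUT (default: SAMPLE_LISTEN) is
# listening on PORT and bound to 0.0.0.0 or to IP, otherwise "no".
listener_accepts() {
    ip="$1"; port="$2"; listing="${3:-$SAMPLE_LISTEN}"
    printf '%s\n' "$listing" | awk -v ip="$ip" -v port="$port" '
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":")           # local address column is IP:PORT
            if (n == 2 && a[2] == port && (a[1] == "0.0.0.0" || a[1] == ip))
                found = 1
        }
        END { if (found) print "yes"; else print "no" }'
}

# redirect_reaches PORT: outcome after -j REDIRECT --to-ports PORT on eth0,
# i.e. the destination becomes PRIMARY_IP:PORT.
redirect_reaches() { listener_accepts "$PRIMARY_IP" "$1"; }

# dnat_reaches DST_IP PORT: outcome after -j DNAT --to-destination DST_IP:PORT.
dnat_reaches() { listener_accepts "$1" "$2"; }

echo "REDIRECT --to-ports 9080 reaches a listener:               $(redirect_reaches 9080)"
echo "DNAT --to-destination $ALIAS_IP:9080 reaches a listener:   $(dnat_reaches "$ALIAS_IP" 9080)"
echo "REDIRECT --to-ports 22 reaches a listener (0.0.0.0 bind):  $(redirect_reaches 22)"
```

Running it against the sample prints "no" for the REDIRECT case on 9080 and "yes" for the DNAT case, matching the reporter's observation. Of the two ways to make REDIRECT work, rebinding the service to 0.0.0.0 widens what the host exposes on every address, whereas keeping the narrow bind and using DNAT with an explicit --to-destination delivers the same result without changing the service's exposure; the script is a quick way to confirm which case a given host is in before touching either.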