a problem with nat table setting
Hi,
I am having a problem with the nat table configuration. I am using the
2.6.8.1 kernel in a router and have also added an http filter proxy which
uses port 8080.
Internet ------------ ROUTER (http filter proxy) --------- linux PC
                      lan ip: 192.168.1.1                  192.168.1.2
I have found that if there is an established connection between the
linux PC and the webserver before I start the proxy and add the
iptables nat rules (which can be checked using netstat), the outgoing
http packets will not be passed to the proxy, and seem to go out
directly. If I leave it untouched (no http activity), after some time
that connection is gone and the outgoing http packets are passed to
the proxy again.
Anyone know how to solve this problem?
Thanks.
Yong
Here is the iptables configuration:
1. Only the REDIRECT rule in nat PREROUTING is for the proxy.
2. ppp0 is the WAN interface, br0 is the LAN interface. The PC is
attached to br0.
# iptables -L -v
Chain INPUT (policy ACCEPT 3574 packets, 11M bytes)
 pkts bytes target  prot opt in   out  source    destination
   22  7554 ACCEPT  all  --  ppp0 any  anywhere  anywhere     state RELATED,ESTABLISHED
    0     0 ACCEPT  udp  --  ppp0 any  anywhere  anywhere     udp dpt:500
    0     0 ACCEPT  esp  --  ppp0 any  anywhere  anywhere
    0     0 ACCEPT  !esp --  ppp0 any  anywhere  anywhere     MARK match 0x10000000/0x10000000
    0     0 LOG     tcp  --  ppp0 any  anywhere  anywhere     tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
    0     0 DROP    all  --  ppp0 any  anywhere  anywhere

Chain FORWARD (policy ACCEPT 43 packets, 13943 bytes)
 pkts bytes target  prot opt in   out  source    destination
   37 15118 ACCEPT  all  --  ppp0 any  anywhere  anywhere     state RELATED,ESTABLISHED
    0     0 ACCEPT  !esp --  ppp0 any  anywhere  anywhere     MARK match 0x10000000/0x10000000
    0     0 LOG     tcp  --  ppp0 any  anywhere  anywhere     tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
    0     0 DROP    all  --  ppp0 any  anywhere  anywhere

Chain OUTPUT (policy ACCEPT 3456 packets, 11M bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 DROP    all  --  any  ppp0 anywhere  239.255.255.250

# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 84 packets, 5865 bytes)
 pkts bytes target    prot opt in   out  source    destination
    2   120 REDIRECT  tcp  --  br0  any  anywhere  !192.168.1.1  tcp dpt:www redir ports 8080
    2   118 DNAT      udp  --  br0  any  anywhere  192.168.1.1   udp dpt:domain to:10.250.1.10

Chain POSTROUTING (policy ACCEPT 28 packets, 1822 bytes)
 pkts bytes target      prot opt in   out  source          destination
    3   178 MASQUERADE  all  --  any  ppp0 192.168.1.0/24  anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source    destination
#
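The behaviour described in the post is what the nat table's first-packet semantics produces: iptables consults the nat table only for the packet that creates a new connection-tracking entry, and every later packet of that flow reuses the binding stored in the entry. A flow tracked before the REDIRECT rule existed therefore keeps its "no NAT" binding until the entry expires, while new flows are redirected. The script below is an added example, not part of the original post or of anyone's reply to it; it reads a table in /proc/net/ip_conntrack format and lists the HTTP flows whose reply tuple does not come back from the proxy port. The sample table lines are constructed, and the proxy port 8080, the addresses, and the conntrack-tools command in the trailing comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): find established HTTP flows
# that were tracked before the nat REDIRECT rule was added and so still
# bypass the proxy. The nat table is consulted only for the first packet
# of a connection; later packets reuse the binding in the conntrack entry.

# Constructed sample in /proc/net/ip_conntrack format (2.6.x ip_conntrack).
# The second src/dst/sport/dport group is the reply direction: a flow that
# went through REDIRECT is answered by the router (192.168.1.1) from 8080.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=203.0.113.10 sport=34567 dport=80 src=203.0.113.10 dst=192.168.1.2 sport=80 dport=34567 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=203.0.113.10 sport=34568 dport=80 src=192.168.1.1 dst=192.168.1.2 sport=8080 dport=34568 [ASSURED] use=1
udp     17 29 src=192.168.1.2 dst=192.168.1.1 sport=5353 dport=53 src=10.250.1.10 dst=192.168.1.2 sport=53 dport=5353 use=1'

# Print the conntrack lines for TCP flows to port 80 whose reply tuple does
# not originate from the proxy port, i.e. flows the REDIRECT never touched.
# $1 = proxy port (8080 in the post), stdin = conntrack table.
unredirected_http() {
    proxyport="$1"
    awk -v pp="$proxyport" '
        $1 != "tcp" { next }
        {
            orig_dport = ""; reply_sport = ""; n = 0
            for (i = 1; i <= NF; i++) {
                # first dport= is the original direction
                if ($i ~ /^dport=/ && orig_dport == "") orig_dport = substr($i, 7)
                # second sport= is the reply direction
                if ($i ~ /^sport=/) { n++; if (n == 2) reply_sport = substr($i, 7) }
            }
            if (orig_dport == "80" && reply_sport != pp) print
        }'
}

# Count such flows in the constructed sample; a non-zero result is exactly
# the situation where outgoing http traffic "goes out directly".
count_unredirected_http() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | unredirected_http "$1" | wc -l | tr -d ' '
}

# Live use on the router (assumption: the kernel exposes /proc/net/ip_conntrack):
#   unredirected_http 8080 < /proc/net/ip_conntrack
# For the rule to apply immediately the stale entries have to go: let them
# time out, reset the connection from the client, or, on a kernel with
# ctnetlink support and conntrack-tools installed (an assumption for 2.6.8.1):
#   conntrack -D -p tcp --orig-port-dst 80
```

Running `count_unredirected_http 8080` against the constructed sample reports one flow (the one answered directly by 203.0.113.10); the second flow, whose reply comes from 192.168.1.1:8080, is the redirected one. Checking the table this way separates "the rule is wrong" from "the rule is right but was added after the flow started", which is the distinction the post is asking about.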