From: Patrick McHardy <kaber@trash.net>
To: dkiba@yandex.ru
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: REDIRECT in kernel >= 2.6.15 broken???
Date: Wed, 25 Jan 2006 12:31:08 +0100
Message-ID: <43D7617C.20102@trash.net>
In-Reply-To: <43D75B4A.000005.27248@mfront8.yandex.ru>

KdF wrote:
>>>Packets get forwarded as usual without any attempt to be redirected.
>
>>Works fine for me. Please post some details about your setup, the
>>exact rules you're using and what (if any) patches you've applied.
>
> My setup is the following:
> A station with two interfaces; the external interface faces the router, the internal interface is attached to the LAN.
>
> The internal interface runs pppoe-server, and pppoe clients connect to it, spawning pppd processes and ppp interfaces.
> The internal IP address is, for example, 192.168.0.19.
>
> To hide it completely from the general IP network, /proc/*/eth0/arp_ignore is set to 8. We tried to disable ARP on this interface completely, but then REDIRECT doesn't work, because it tries to send packets to the primary address of this interface, and there is no possibility to change that in our case.
>
> 192.168.0.19 is the address set on the interface running pppoe; 10.1.1.1 is the server-side peer address for the ppp clients spawned by pppoe-server. A www server, squid, frox and a mail proxy are accessible on it, and it is set on the same physical interface.
>
> Here is part of the firewall rules:
>
> $ipt -t nat -A PREROUTING -i ppp+ -d 10.1.1.1 -p tcp --dport 80 -j ACCEPT
> $ipt -t nat -A PREROUTING -i ppp+ -d ! 10.1.1.1 -p tcp --dport 21 -j REDIRECT --to-port 2121
> $ipt -t nat -A PREROUTING -i ppp+ -d ! 10.1.1.1 -p tcp --dport 25 -j REDIRECT --to-port 25
>
> #$ipt -t nat -A PREROUTING -i ppp+ -d ! 10.1.1.1 -p tcp --dport 25 -j DNAT --to-destination 10.1.1.1:25
>
> $ipt -t nat -A PREROUTING -i ppp+ -p tcp -m multiport --dport 80,81,82,83,88,8000,8001,8002,8080,8081 -j REDIRECT --to-port 111
> $ipt -t nat -A PREROUTING -i ppp+ -p tcp -m multiport --dport 8082,8083,8091,8100,8101,8102,8103,8888,3128,777 -j REDIRECT --to-port 111
>
> With the specified kernels, REDIRECT and DNAT don't work for me :(
> On the router behind this machine I see that packets are trying to go out with their original sources and destinations, when they should be redirected.
>
> Even if the problem is in ARP, why aren't they simply dropped? :(
>
> Maybe the trouble is in arp_ignore? Or has something changed in the processing of redirected packets in newer kernels?

My guess is that it's related to invalid hardware checksums.
Please check if you have hw checksumming enabled on the underlying
eth device; if so, load the ipt_LOG module and execute
"echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid"
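The debugging step suggested above makes conntrack log, in ipt_LOG format, every packet it classifies as INVALID; a TCP packet whose checksum fails verification is one such case. NAT only rewrites packets that have a conntrack entry, so an INVALID packet walks through the nat PREROUTING chain untouched and is forwarded with its original addresses, which is exactly the symptom reported, and it is not dropped unless a rule matches `-m state --state INVALID`. The script below is an added example, not code from the thread or from the netfilter project: it triages constructed samples of the resulting kernel log and of `ethtool -k` output rather than live data, and it assumes the log prefix "ip_ct_tcp: bad TCP checksum" emitted by the 2.6.15 TCP conntrack code and the "rx-checksumming" field name printed by ethtool; adjust both patterns if your kernel or ethtool differ.

```shell
#!/bin/sh
# Added example (not from the thread): triage the output of
#   modprobe ipt_LOG; echo 255 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
# and of `ethtool -k eth0`, to see whether bad hardware checksums explain
# REDIRECT/DNAT rules being skipped.
#
# Assumptions: the "ip_ct_tcp: bad TCP checksum" prefix is the one used by
# the 2.6.15 TCP conntrack code, and ethtool prints "rx-checksumming: on".
# Every sample below is constructed for this example, not captured.

ETHTOOL_SAMPLE='Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: off
tcp segmentation offload: off'

# Constructed kernel log excerpt: three checksum failures arriving on ppp
# interfaces, plus one unrelated ipt_LOG line that must be ignored.
SAMPLE_LOG='kernel: ip_ct_tcp: bad TCP checksum IN=ppp0 OUT= SRC=10.1.1.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: ip_ct_tcp: bad TCP checksum IN=ppp1 OUT= SRC=10.1.1.6 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: ip_ct_tcp: bad TCP checksum IN=ppp0 OUT= SRC=10.1.1.5 DST=198.51.100.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40002 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: IN=eth1 OUT= SRC=192.168.0.50 DST=192.168.0.19 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=1234 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0'

# rx_csum_enabled ETHTOOL_OUTPUT: exit 0 if receive checksum offload is on.
rx_csum_enabled() {
    printf '%s\n' "$1" | grep -q '^rx-checksumming: on$'
}

# bad_csum_total LOG: number of conntrack checksum failures in LOG.
bad_csum_total() {
    printf '%s\n' "$1" | grep -c 'bad TCP checksum'
}

# bad_csum_by_if LOG: "<iface> <count>" per ingress interface, busiest first.
# Only the IN= field is trusted here; SRC/DST are the packet's own claims.
bad_csum_by_if() {
    printf '%s\n' "$1" |
    awk '/bad TCP checksum/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^IN=/) { sub(/^IN=/, "", $i); n[$i]++ }
         }
         END { for (k in n) print k, n[k] }' |
    sort -k2,2nr -k1,1
}

# bad_csum_dports LOG: distinct destination ports of the failing packets,
# space separated and ascending, to compare with the REDIRECT --dport lists.
bad_csum_dports() {
    printf '%s\n' "$1" |
    awk '/bad TCP checksum/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^DPT=/) { sub(/^DPT=/, "", $i); print $i }
         }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

if rx_csum_enabled "$ETHTOOL_SAMPLE"; then
    echo "rx checksum offload is on: a NIC that mis-reports checksums makes conntrack mark packets INVALID"
fi
echo "checksum failures: $(bad_csum_total "$SAMPLE_LOG")"
bad_csum_by_if "$SAMPLE_LOG"
echo "failing dports: $(bad_csum_dports "$SAMPLE_LOG")"
```

On a live box, feed it `dmesg` or the kernel facility of syslog instead of the sample, and `ethtool -k eth0` for the offload state. If the failing ports line up with the REDIRECT rules, `ethtool -K eth0 rx off` disables receive checksum offload so the kernel verifies checksums in software; independently of the root cause, a rule such as `iptables -I FORWARD -m state --state INVALID -j DROP` (with `-j LOG` in front of it while debugging) is the usual way to keep packets that conntrack cannot track from leaving the box with their original addresses.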

Thread overview: 6+ messages
2006-01-25  9:57 REDIRECT in kernel >= 2.6.15 broken??? KdF
2006-01-25 10:05 ` Patrick McHardy
2006-01-25 11:04   ` KdF
2006-01-25 11:31     ` Patrick McHardy [this message]
2006-01-25 15:21       ` KdF
2006-01-26 11:19         ` Patrick McHardy