Linux Netfilter discussions
From: "Gonzalo Arana" <gonzalo.arana@gmail.com>
To: ptb@inv.it.uc3m.es
Cc: netfilter@vger.kernel.org
Subject: Re: [help] modern iptables rule for transproxy
Date: Sat, 12 Jan 2008 12:38:43 -0200	[thread overview]
Message-ID: <ca81c4b60801120638vb2ca6fepdd7f04c504f6fda8@mail.gmail.com> (raw)
In-Reply-To: <200801121059.m0CAxZdG008224@betty.it.uc3m.es>

On Jan 12, 2008 8:59 AM, Peter T. Breuer <ptb@inv.it.uc3m.es> wrote:
> Amos Jeffries wrote:
> > Peter T. Breuer wrote:
> > > I'd be much obliged if somebody could give me a modern iptables
> > > equivalent for this ipchains rule
> > >
> > >    ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT 8081
> >
> > My auto-generated FW has this (with suitable replacements):
> >
> > iptables -t nat -A PREROUTING -i $LOCAL_IFACE -p tcp -s ! $PROXY_BOX \
> > --dport 80 -j REDIRECT --to-ports 8081
>
> Yes, thanks. I've been trying variants on that for some time, with no
> success. Stracing the tproxy daemon on port 8081 shows no sign of
> activity at all when I do a
>
>    telnet news.bbc.co.uk 80
>
> for example. Is there a canonical way to debug iptables? I'm sure there
> must be. tcpdump shows nothing on port 8081 on any interface I can think
> of, but the telnet news.bbc.co.uk 80 gets through! It must be avoiding
> the REDIRECT somehow.
>
>
> The tproxy is clearly bound to port 8081
>
>    bind(4, {sa_family=AF_INET, sin_port=htons(8081), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
>    listen(4, 128)                          = 0
>
> and is stuck in an accept.
>
> iptables -t nat -L shows
>
>   Chain PREROUTING (policy ACCEPT)
>   target     prot opt source               destination
>   REDIRECT   tcp  -- !<proxyhost>          anywhere            tcp dpt:www redir ports 8081
>
> and nothing else. The builtins' rules (INPUT, etc.) are all empty.
>
> When I try and talk to port 80 on a distant machine, I ought to be making a
> socket which is bound to it with a high local port number. I can see net
> traffic from distant port 80s to high ports on my machine with tcpdump,
> but no sign of anything stirring on port 8081.

Perhaps you are running 'telnet news.bbc.co.uk 80' on the same box as
tproxy is running.  If that's the case, telnet's connection may be using
<proxyhost> as source IP address.

HTH,

--

Gonzalo A. Arana
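
The point raised in this reply (and the PREROUTING-only rule quoted above) can be put into a single script. The following is an added example, not code from this thread or from any of its participants: it assumes a LAN interface eth1, a proxy box at 192.0.2.1, and a proxy daemon running as the user "tproxy" and listening on port 8081 (all hypothetical names). It emits the PREROUTING rule for traffic forwarded from the LAN, an OUTPUT rule for connections made on the proxy box itself (locally generated packets never traverse PREROUTING, so a telnet on the box cannot hit the quoted rule), an owner-match exclusion so the proxy's own upstream fetches are not redirected back into it, and the counter and TRACE commands used to see which chain a packet actually reaches. By default it only prints the commands; it applies them only when run as root with the "apply" argument.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Assumed (hypothetical) values:
LAN_IF="${LAN_IF:-eth1}"          # interface the LAN clients are on
PROXY_IP="${PROXY_IP:-192.0.2.1}"  # address of the box running the proxy
PROXY_USER="${PROXY_USER:-tproxy}" # uid the proxy daemon runs as
PROXY_PORT="${PROXY_PORT:-8081}"   # port the proxy listens on

# Print the REDIRECT rules, one iptables command per line.
transproxy_rules() {
    # Traffic forwarded from the LAN enters through nat/PREROUTING.
    # The proxy box's own address is excluded so its upstream fetches
    # (which come in on the same hook when it sits on the LAN) are not
    # redirected; note the modern "! -s" placement of the negation.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp ! -s $PROXY_IP --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
    # Connections originated on the box itself (e.g. a local telnet to
    # port 80) traverse nat/OUTPUT, never PREROUTING. Exclude the proxy
    # daemon's own uid, otherwise its outbound port-80 connections would be
    # redirected back to itself and loop.
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $PROXY_USER -j REDIRECT --to-ports $PROXY_PORT"
}

# Print the commands used to see whether packets reach the rules at all:
# per-rule packet/byte counters, and raw-table TRACE so every chain and
# rule a port-80 packet traverses is logged to the kernel log.
transproxy_debug() {
    echo "iptables -t nat -L PREROUTING -v -n --line-numbers"
    echo "iptables -t nat -L OUTPUT -v -n --line-numbers"
    echo "iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE"
    echo "iptables -t raw -A OUTPUT -p tcp --dport 80 -j TRACE"
}

# Run the rule commands for real. Refuses unless root and iptables exists;
# returns 1 otherwise so callers can tell nothing was changed.
apply_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "apply_rules: need root and iptables; printing instead" >&2
        transproxy_rules
        return 1
    fi
    transproxy_rules | sh -e
}

# Count how many REDIRECT rules this configuration installs (one per hook).
rule_count() {
    transproxy_rules | wc -l | tr -d ' '
}

case "${1:-show}" in
    apply) apply_rules ;;
    debug) transproxy_debug ;;
    show)  transproxy_rules ;;
esac
```

The OUTPUT rule is the one that matters for the symptom described in the quoted message: with only the PREROUTING rule installed, a connection made on the proxy box never passes through the chain that holds it, so neither tcpdump on port 8081 nor the daemon's accept() will see anything, exactly as observed. Whether the REDIRECT is being evaluated at all is answered by the "-v" counters; if they stay at zero while the connection succeeds, the packet is not reaching that chain.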


Thread overview: 10+ messages
2008-01-12 10:59 [help] modern iptables rule for transproxy Peter T. Breuer
2008-01-12 14:38 ` Gonzalo Arana [this message]
2008-01-12 14:58 ` James Lay
  -- strict thread matches above, loose matches on Subject: below --
2008-01-18 18:07 Peter T. Breuer
2008-01-18 18:59 ` Antonio Augusto (Mancha)
2008-01-21  0:48 ` Philip Craig
2008-01-15 19:33 Peter T. Breuer
2008-01-15 23:55 ` Philip Craig
2008-01-10 16:02 Peter T. Breuer
2008-01-11  3:30 ` Amos Jeffries
